WLAN Commands

show Commands

This section lists the show commands to display information about your WLAN configuration settings.

show advanced fra sensor

To display detailed information about the FRA configurations of the sensor, use the show advanced fra sensor command.

show advanced fra sensor

Syntax Description


advanced	Displays advanced configuration and statistics.
fra	Displays FRA configurations.
sensor	Displays FRA configurations for sensor

Command Default

None

Command History


Release	Modification
8.5	This command was introduced.

Examples

The following example shows how to display information about the FRA sensor:

FRA State........................................ Enabled
FRA Operation State.............................. Up
FRA Sensitivity.................................. low (100%)
FRA Interval..................................... 1 Hour(s)
  Last Run....................................... 3563 seconds ago
  Last Run Time.................................. 0 seconds
Service Priority................................. Coverage



AP Name                          MAC Address       Slot Current Band   COF %      Sensor %   Suggested Mode
-------------------------------- ----------------- ---- -------------- ---------- ---------- -------------------------

show client detail

To display detailed information for a client on a Cisco lightweight access point, use the show client detail command.

show client detail mac_address

Syntax Description


`mac_address`	Client MAC address.

Command Default

None

Usage Guidelines

The show client ap command may list the status of automatically disabled clients. Use the show exclusionlist command to display clients on the exclusion list (blacklisted).

Examples

The following example shows how to display the client detailed information:

(Cisco Controller) >show client detail 00:0c:41:07:33:a6
Policy Manager State..............................POSTURE_REQD
Policy Manager Rule Created.......................Yes
Client MAC Address............................... 00:16:36:40:ac:58
Client Username.................................. N/A
Client State..................................... Associated
Client NAC OOB State............................. QUARANTINE
Guest LAN Id..................................... 1
IP Address....................................... Unknown
Session Timeout.................................. 0
QoS Level........................................ Platinum
802.1P Priority Tag.............................. disabled
KTS CAC Capability............................... Yes
WMM Support...................................... Enabled
Power Save....................................... ON
Diff Serv Code Point (DSPC)...................... disabled
Mobility State................................... Local
Internal Mobility State.......................... apfMsMmInitial
Security Policy Completed........................ No
Policy Manager State............................. WEBAUTH_REQD
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Last Policy Manager State........................ WEBAUTH_REQD
Client Entry Create Time......................... 460 seconds
Interface........................................ wired-guest
FlexConnect Authentication....................... Local
FlexConnect Data Switching....................... Local
VLAN............................................. 236
Quarantine VLAN.................................. 0
Client Statistics:
	 Number of Bytes Received................... 66806
      
      Number of  Bytes Sent....................... 23436
      
      Number of  Packets Received................. 592
      
      Number of  Packets Sent..................... 131
      
      Number of EAP Id Request Msg Timeouts...... 0
      Number of EAP Request Msg Timeouts......... 0
      Number of EAP Key Msg Timeouts............. 0
      Number of Data Retries..................... 0
      Number of RTS Retries...................... 0
      Number of Duplicate Received Packets....... 3
      Number of Decrypt Failed Packets........... 0
      Number of Mic Failured Packets............. 0
      Number of Mic Missing Packets.............. 0
	 Number of RA Packets Dropped............... 6
      Number of Policy Errors.................... 0
      Radio Signal Strength Indicator............ -50 dBm
      Signal to Noise Ratio...................... 43 dB
...

show client location-calibration summary

To display client location calibration summary information, use the show client location-calibration summary command.

show client location-calibration summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Examples

The following example shows how to display the location calibration summary information:

(Cisco Controller) >show client location-calibration summary
MAC Address Interval
----------- ----------
10:10:10:10:10:10 60
21:21:21:21:21:21 45

show client probing

To display the number of probing clients, use the show client probing command.

show client probing

Syntax Description

This command has no arguments or keywords.

Command Default

None

Examples

The following example shows how to display the number of probing clients:


(Cisco Controller) >show client probing
Number of Probing Clients........................ 0

show client roam-history

To display the roaming history of a specified client, use the show client roam-history command.

show client roam-history mac_address

Command Default

None

Examples

The following is a sample output of the show client roam-history command:


(Cisco Controller) > show client roam-history 00:14:6c:0a:57:77

show client summary

To display a summary of clients associated with a Cisco lightweight access point, use the show client summary command.

show client summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Usage Guidelines

Use show client ap command to list the status of automatically disabled clients. Use the show exclusionlist command to display clients on the exclusion list (blacklisted).

Examples

The following example shows how to display a summary of the active clients:

(Cisco Controller) > show client summary
Number of Clients................................ 24
Number of PMIPV6 Clients......................... 200
MAC Address       AP Name           Status        WLAN/GLAN/RLAN Auth Protocol         Port Wired  PMIPV6
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----		------

00:00:15:01:00:01 NMSP-TalwarSIM1-2 Associated    1              Yes  802.11a          13   No      Yes
00:00:15:01:00:02 NMSP-TalwarSIM1-2 Associated    1              Yes  802.11a          13   No      No
00:00:15:01:00:03 NMSP-TalwarSIM1-2 Associated    1              Yes  802.11a          13   No      Yes
00:00:15:01:00:04 NMSP-TalwarSIM1-2 Associated    1              Yes  802.11a          13   No      No

show client wlan

To display the summary of clients associated with a WLAN, use the show client wlan command.

show client wlan wlan_id

Syntax Description


`wlan_id`	Wireless LAN identifier from 1 to 512.

Command Default

None

Examples

The following are sample outputs of the show client wlan command:

(Cisco Controller) > show client wlan 1

Number of Clients in WLAN........................ 0

show guest-lan

To display the configuration of a specific wired guest LAN, use the show guest-lan command.

show guest-lan guest_lan_id

Syntax Description


`guest_lan_id`	ID of the selected wired guest LAN.

Command Default

None

Usage Guidelines

To display all wired guest LANs configured on the controller, use the show guest-lan summary command.

Examples

The following is a sample output of the show guest-lan guest_lan_id command:


(Cisco Controller) >show guest-lan 2
Guest LAN Identifier........................... 1
Profile Name................................... guestlan
Network Name (SSID)............................ guestlan
Status......................................... Enabled
AAA Policy Override............................ Disabled
Number of Active Clients....................... 1
Exclusionlist Timeout.......................... 60 seconds
Session Timeout................................ Infinity
Interface...................................... wired
Ingress Interface.............................. wired-guest
WLAN ACL....................................... unconfigured
DHCP Server.................................... 10.20.236.90
DHCP Address Assignment Required............... Disabled
Quality of Service............................. Silver (best effort)
Security
	Web Based Authentication................... Enabled
	ACL........................................ Unconfigured
	Web-Passthrough............................ Disabled
	Conditional Web Redirect................... Disabled
	Auto Anchor................................ Disabled
Mobility Anchor List
GLAN ID IP Address Status

show pmk-cache

To display information about the pairwise master key (PMK) cache, use the show pmk-cache command.

show pmk-cache { all | MAC}

Syntax Description


all	Displays information about all entries in the PMK cache.
`MAC`	Information about a single entry in the PMK cache.

Command Default

None

Examples

The following example shows how to display information about a single entry in the PMK cache:


(Cisco Controller) >show pmk-cache xx:xx:xx:xx:xx:xx

The following example shows how to display information about all entries in the PMK cache:


(Cisco Controller) >show pmk-cache all
PMK Cache
                    Entry
Station             Lifetime   VLAN Override          IP Override
-----------------   --------   --------------------   ---------------

show rf-profile summary

To display a summary of RF profiles in the controller, use the show rf-profile summary command.

show rf-profile summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Examples

The following is the output of the show rf-profile summary command:


(Cisco Controller) >show rf-profile summary
Number of RF Profiles............................ 2
Out Of Box State................................. Disabled
RF Profile Name            Band     Description                 Applied
-------------------------  -------  -------------------------   -------
T1a                        5 GHz    <none>                      No
T1b                        2.4 GHz  <none>                      No

show rf-profile details

To display the RF profile details in the Cisco wireless LAN controller, use the show rf-profile details command.

show rf-profile details rf-profile-name

Syntax Description


`rf-profile-name`	Name of the RF profile.

Command Default

None

Examples

The following is the output of the show rf-profile details command: :


(Cisco Controller) >show rf-profile details T1a
Description...................................... <none>
Radio policy..................................... 5 GHz
Transmit Power Threshold v1...................... -70 dBm
Transmit Power Threshold v2...................... -67 dBm
Min Transmit Power............................... -10 dBm
Max Transmit Power............................... 30 dBm

802.11a Operational Rates
    802.11a 6M Rate.............................. Mandatory
    802.11a 9M Rate.............................. Supported
    802.11a 12M Rate............................. Mandatory
    802.11a 18M Rate............................. Supported
    802.11a 24M Rate............................. Mandatory
    802.11a 36M Rate............................. Supported
    802.11a 48M Rate............................. Supported
    802.11a 54M Rate............................. Supported
Max Clients...................................... 200
Client Trap Threshold............................ 50
Multicast Data Rate.............................. 0
Rx Sop Threshold................................. 0 dBm
Cca Threshold.................................... 0 dBm
Slot Admin State:................................ Enabled
Band Select Probe Response....................... Disabled
Band Select Cycle Count.......................... 2 cycles
Band Select Cycle Threshold...................... 200 milliseconds
Band Select Expire Suppression................... 20 seconds
Band Select Expire Dual Band..................... 60 seconds
Band Select Client Rssi.......................... -80 dBm
Load Balancing Denial............................ 3 count
Load Balancing Window............................ 5 clients
Coverage Data.................................... -80 dBm
Coverage Voice................................... -80 dBm
Coverage Exception............................... 3 clients
Coverage Level................................... 25 %

show wlan

To display configuration information for a specified wireless LAN or a foreign access point, or to display wireless LAN summary information, use the show wlan command.

show wlan { apgroups | summary | wlan_id | foreignAp | lobby-admin-access}

Syntax Description


apgroups	Displays access point group information.
summary	Displays a summary of all wireless LANs.
`wlan_id`	Displays the configuration of a WLAN. The Wireless LAN identifier range is from 1 to 512.
foreignAp	Displays the configuration for support of foreign access points.

Command Default

None

Usage Guidelines

For 802.1X client security type, which creates the PMK cache, the maximum session timeout that can be set is 86400 seconds when the session timeout is disabled. For other client security such as open, WebAuth, and PSK for which the PMK cache is not created, the session timeout value is shown as infinite when session timeout is disabled.

Examples

The following example shows how to display a summary of wireless LANs for wlan_id 1:


(Cisco Controller) >show wlan 1 
WLAN Identifier.................................. 1
Profile Name..................................... aicha
Network Name (SSID).............................. aicha
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
   

   Radius-NAC State.............................. Enabled
   SNMP-NAC State................................ Enabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ 300 seconds
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... Talwar1
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured

DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Enabled

Quality of Service............................... Silver (best effort)

Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Global Servers
   Accounting.................................... Global Servers
   Interim Update............................. Disabled
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Enabled (Profile 'Controller_Local_EAP')

Security
   802.11 Authentication:........................ Open System
    FT Support.................................... Disabled
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Enabled
         FT(802.11r)............................. Disabled
         FT-PSK(802.11r)......................... Disabled
									
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
      GTK Randomization.......................... Disabled
      SKC Cache Support.......................... Disabled
      CCKM TSF Tolerance......................... 1000
   Wi-Fi Direct policy configured................ Disabled
   EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
   IP Security................................... Disabled
   IP Security Passthru.......................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   FlexConnect Local Switching................... Enabled
   
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Enabled
   Client MFP.................................... Optional
			
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
 Mobility Anchor List
 WLAN ID     IP Address            Status
 -------     ---------------       ------

The following example shows how to display a summary of all WLANs:


(Cisco Controller) >show wlan summary
Number of WLANs.................................. 1

WLAN ID  WLAN Profile Name / SSID               Status    Interface Name        
-------  -------------------------------------  --------  --------------------  
1        apsso / apsso                          Disabled  management

The following example shows how to display the configuration for support of foreign access points:


(Cisco Controller) >show wlan foreignap
Foreign AP support is not enabled.

The following example shows how to display the AP groups:


(Cisco Controller) >show wlan apgroups 
Total Number of AP Groups........................ 1
Site Name........................................ APuser
Site Description................................. <none>
Venue Name....................................... Not configured
Venue Group Code..................................Unspecified
Venue Type Code...................................Unspecified
Language Code.................................... Not configured
AP Operating Class............................... 83,84,112,113,115,116,117,118,123
RF Profile
----------
2.4 GHz band..................................... <none>
5 GHz band....................................... <none>
WLAN ID          Interface          Network Admission Control          Radio Policy
-------          -----------        --------------------------         ------------
 14              int_4                Disabled                          All
AP Name             Slots  AP Model             Ethernet MAC       Location          Port  Country  Priority
------------------  -----  -------------------  -----------------  ----------------  ----  -------  --------
Ibiza                2     AIR-CAP2602I-A-K9    44:2b:03:9a:8a:73  default location  1     US       1
Larch                2     AIR-CAP3502E-A-K9    f8:66:f2:ab:23:95  default location  1     US       1

Zest                 2     AIR-CAP3502I-A-K9    00:22:90:91:6d:b6               ren  1     US       1

Number of Clients................................ 1

config Commands

This section lists the config commands to configure WLANs.

config 802.11 dtpc

To enable or disable the Dynamic Transmit Power Control (DTPC) setting for an 802.11 network, use the config 802.11 dtpc command.

config 802.11{ a|b} dtpc { enable|disable}

Syntax Description


a	Specifies the 802.11a network.
b	Specifies the 802.11b/g network.
enable	Enables the support for this command.
disable	Disables the support for this command.

Command Default

The default DTPC setting for an 802.11 network is enabled.

Examples

The following example shows how to disable DTPC for an 802.11a network:


(Cisco Controller) > config 802.11a dtpc disable

config advanced fra interval

To auto-configure voice deployment in WLANs, use the config auto-configure voice command.

config advanced fra interval value

Syntax Description


advanced	Advanced configuration.
fra	To configure FRA parameters.
interval	To configure FRA interval in hours.
`value`	Value of the FRA interval in house.

Command Default

None

Command History


Release	Modification
8.5	This command was introduced.

config client deauthenticate

To disconnect a client, use the config client deauthenticate command.

config client deauthenticate MAC

Syntax Description


`MAC`	Client MAC address.

Command Default

None

Examples

The following example shows how to deauthenticate a client using its MAC address:


(Cisco Controller) >config client deauthenticate 11:11:11:11:11

config rf-profile band-select

To configure the RF profile band selection parameters, use the config rf-profile band-select command.

config rf-profile band-select { client-rssi rssi | cycle-count cycles | cycle-threshold value | expire { dual-band value | suppression value} | probe-response { enable | disable}} profile_name

Syntax Description


client-rssi	Configures the client Received Signal Strength Indicator (RSSI) threshold for the RF profile.
`rssi`	Minimum RSSI for a client to respond to a probe. The range is from -20 to -90 dBm.
cycle-count	Configures the probe cycle count for the RF profile. The cycle count sets the number of suppression cycles for a new client.
`cycles`	Value of the cycle count. The range is from 1 to 10.
cycle-threshold	Configures the time threshold for a new scanning RF Profile band select cycle period. This setting determines the time threshold during which new probe requests from a client come in a new scanning cycle.
`value`	Value of the cycle threshold for the RF profile. The range is from 1 to 1000 milliseconds.
expire	Configures the expiration time of clients for band select.
dual-band	Configures the expiration time for pruning previously known dual-band clients. After this time elapses, clients become new and are subject to probe response suppression.
`value`	Value for a dual band. The range is from 10 to 300 seconds.
suppression	Configures the expiration time for pruning previously known 802.11b/g clients. After this time elapses, clients become new and are subject to probe response suppression.
`value`	Value for suppression. The range is from 10 to 200 seconds.
probe-response	Configures the probe response for a RF profile.
enable	Enables probe response suppression on clients operating in the 2.4-GHz band for a RF profile.
disable	Disables probe response suppression on clients operating in the 2.4-GHz band for a RF profile.
`profile name`	Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Command Default

The default value for client RSSI is –80 dBm.

The default cycle count is 2.

The default cycle threshold is 200 milliseconds.

The default value for dual-band expiration is 60 seconds.

The default value for suppression expiration is 20 seconds.

Usage Guidelines

When you enable band select on a WLAN, the access point suppresses client probes on 2.4-GHz and moves the dual band clients to the 5-Ghz spectrum. The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz radios are up and running.

Examples

The following example shows how to configure the client RSSI:

(Cisco Controller) >config rf-profile band-select client-rssi -70

config rf-profile client-trap-threshold

To configure the threshold value of the number of clients that associate with an access point, after which an SNMP trap is sent to the controller, use the config rf-profile client-trap-threshold command.

config rf-profile client-trap-threshold threshold profile_name

Syntax Description


`threshold`	Threshold value of the number of clients that associate with an access point, after which an SNMP trap is sent to the controller. The range is from 0 to 200. Traps are disabled if the threshold value is configured as zero.
`profile_name`	Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Command Default

None

Examples

The following example shows how to configure the threshold value of the number of clients that associate with an access point:

(Cisco Controller) >config rf-profile client-trap-threshold 150

config rf-profile create

To create a RF profile, use the config rf-profile create command.

config rf-profile create { 802.11a | 802.11b/g} profile-name

Syntax Description


802.11a	Configures the RF profile for the 2.4GHz band.
802.11b/g	Configures the RF profile for the 5GHz band.
`profile-name`	Name of the RF profile.

Command Default

None

Examples

The following example shows how to create a new RF profile:

(Cisco Controller) >config rf-profile create 802.11a RFtestgroup1

config rf-profile fra client-aware

To configure the RF profile client-aware FRA feature, use the config rf-profile fra client-aware command.

config rf-profile fra client-aware { client-reset percent rf-profile-name | client-select percent rf-profile-name | disable rf-profile-name | enable rf-profile-name}

Syntax Description


client-reset	Configures the RF profile AP utilization threshold for radio to switch back to Monitor mode.
`percent`	Utilization percentage value ranges from 0 to 100. The default is 5%.
`rf-profile-name`	Name of the RF Profile.
client-select	Configures the RF profile utilization threshold for radio to switch to 5GHz.
`percent`	Utilization percentage value ranges from 0 to 100. The default is 50%.
disable	Disables the RF profile client-aware FRA feature.
enable	Enables the RF profile client-aware FRA feature.

Command Default

The default percent value for client-select and client-reset is 50% and 5% respectively.

Command History


Release	Modification
8.5	This command was introduced.

Examples

The following example shows how to configure the RF profile utilization threshold for redundant dual-band radios to switch back from 5GHz client-serving role to Monitor mode:

(Cisco Controller) >config rf-profile fra client-aware client-reset 15 profile1

The following example shows how to configure the RF profile utilization threshold for redundant dual-band radios to switch from Monitor mode to 5GHz client-serving role:

(Cisco Controller) >config rf-profile fra client-aware client-select 20 profile1

The following example shows how to disable the RF profile client-aware FRA feature:

(Cisco Controller) >config rf-profile fra client-aware disable profile1

The following example shows how to enable the RF profile client-aware FRA feature:

(Cisco Controller) >config rf-profile fra client-aware enable profile1

config rf-profile data-rates

To configure the data rate on a RF profile, use the config rf-profile data-rates command.

config rf-profile data-rates { disabled | mandatory | supported} data-rate profile-name

Syntax Description


disabled	Disables a rate.
mandatory	Sets a rate to mandatory.
supported	Sets a rate to supported.
`data-rate`	802.11 operational rates, which are 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48 and 54, where * denotes 802.11b only rates.
`profile-name`	Name of the RF profile.

Command Default

Default data rates for RF profiles are derived from the controller system defaults, the global data rate configurations. For example, if the RF profile's radio policy is mapped to 802.11a then the global 802.11a data rates are copied into the RF profiles at the time of creation.

The data rates set with this command are negotiated between the client and the Cisco wireless LAN controller. If the data rate is set to mandatory, the client must support it in order to use the network. If a data rate is set as supported by the Cisco wireless LAN controller, any associated client that also supports that rate may communicate with the Cisco lightweight access point using that rate. It is not required that a client is able to use all the rates marked supported in order to associate.

Examples

The following example shows how to set the 802.11b transmission of an RF profile at a mandatory rate at 12 Mbps:

(Cisco Controller) >config rf-profile 802.11b data-rates mandatory 12 RFGroup1

config rf-profile delete

To delete a RF profile, use the config rf-profile delete command.

config rf-profile delete profile-name

Syntax Description


`profile-name`	Name of the RF profile.

Command Default

None

Examples

The following example shows how to delete a RF profile:


(Cisco Controller) >config rf-profile delete RFGroup1

config rf-profile description

To provide a description to a RF profile, use the config rf-profile description command.

config rf-profile description description profile-name

Syntax Description


`description`	Description of the RF profile.
`profile-name`	Name of the RF profile.

Command Default

None

Examples

The following example shows how to add a description to a RF profile:

(Cisco Controller) >config rf-profile description This is a demo desciption RFGroup1

config rf-profile load-balancing

To configure load balancing on an RF profile, use the config rf-profile load-balancing command.

config rf-profile load-balancing { window clients | denial value} profile_name

Syntax Description


window	Configures the client window for load balancing of an RF profile.
`clients`	Client window size that limits the number of client associations with an access point. The range is from 0 to 20. The default value is 5. The window size is part of the algorithm that determines whether an access point is too heavily loaded to accept more client associations: load-balancing window + client associations on AP with lightest load = load-balancing threshold Access points with more client associations than this threshold are considered busy, and clients can associate only to access points with client counts lower than the threshold. This window also helps to disassociate sticky clients.
denial	Configures the client denial count for load balancing of an RF profile.
`value`	Maximum number of association denials during load balancing. The range is from 1 to 10. The default value is 3. When a client tries to associate on a wireless network, it sends an association request to the access point. If the access point is overloaded and load balancing is enabled on the controller, the access point sends a denial to the association request. If there are no other access points in the range of the client, the client tries to associate the same access point again. After the maximum denial count is reached, the client is able to associate. Association attempts on an access point from any client before associating any AP is called a sequence of association. The default is 3.
`profile_name`	Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Command Default

None

Examples

The following example shows how to configure the client window size for an RF profile:

(Cisco Controller) >config rf-profile load-balancing window 15

config rf-profile max-clients

To configure the maximum number of client connections per access point of an RF profile, use the config rf-profile max-clients commands.

config rf-profile max-clients clients

Syntax Description


`clients`	Maximum number of client connections per access point of an RF profile. The range is from 1 to 200.

Command Default

None

Usage Guidelines

You can use this command to configure the maximum number of clients on access points that are in client dense areas, or serving high bandwidth video or mission critical voice applications.

Examples

The following example shows how to set the maximum number of clients at 50:

(Cisco Controller) >config rf-profile max-clients 50

config rf-profile multicast data-rate

To configure the minimum RF profile multicast data rate, use the config rf-profile multicast data-rate command.

config rf-profile multicast data-rate value profile_name

Syntax Description


`value`	Minimum RF profile multicast data rate. The options are 6, 9, 12, 18, 24, 36, 48, 54. Enter 0 to specify that access points will dynamically adjust the data rate.
`profile_name`	Name of the RF profile. The profile name can be up to 32 case-sensitive, alphanumeric characters.

Command Default

The minimum RF profile multicast data rate is 0.

Examples

The following example shows how to set the multicast data rate for an RF profile:

(Cisco Controller) >config rf-profile multicast data-rate 24

config rf-profile out-of-box

To create an out-of-box AP group consisting of newly installed access points, use the config rf-profile out-of-box command.

config rf-profile out-of-box { enable | disable}

Syntax Description


enable	Enables the creation of an out-of-box AP group. When you enable this command, the following occurs: Newly installed access points that are part of the default AP group will be part of the out-of-box AP group and their radios will be switched off, which eliminates any RF instability caused by the new access points. All access points that do not have a group name become part of the out-of-box AP group. Special RF profiles are created per 802.11 band. These RF profiles have default-settings for all the existing RF parameters and additional new configurations.
disable	Disables the out-of-box AP group. When you disable this feature, only the subscription of new APs to the out-of-box AP group stops. All APs that are subscribed to the out-of-box AP group remain in this AP group. You can move APs to the default group or a custom AP group upon network convergence.

Command Default

None

Usage Guidelines

When an out-of-box AP associates with the controller for the first time, it will be redirected to a special AP group and the RF profiles applicable to this AP Group will control the radio admin state configuration of the AP. You can move APs to the default group or a custom group upon network convergence.

Examples

The following example shows how to enable the creation of an out-of-box AP group:

(Cisco Controller) >config rf-profile out-of-box enable

config rf-profile tx-power-control-thresh-v1

To configure Transmit Power Control version1 (TPCv1) to an RF profile, use the config rf-profile tx-power-control-thresh-v1 command.

config rf-profile tx-power-control-thresh-v1 tpc-threshold profile_name

Syntax Description


`tpc-threshold`	TPC threshold.
`profile-name`	Name of the RF profile.

Command Default

None

Examples

The following example shows how to configure TPCv1 on an RF profile:

(Cisco Controller) >config rf-profile tx-power-control-thresh-v1 RFGroup1

config rf-profile tx-power-control-thresh-v2

To configure Transmit Power Control version 2 (TPCv2) to an RF profile, use the config rf-profile tx-power-control-thresh-v2 command.

config rf-profile tx-power-control-thresh-v2 tpc-threshold profile-name

Syntax Description


`tpc-threshold`	TPC threshold.
`profile-name`	Name of the RF profile.

Command Default

None

Examples

The following example shows how to configure TPCv2 on an RF profile:

(Cisco Controller) >config rf-profile tx-power-control-thresh-v2 RFGroup1

config rf-profile tx-power-max

To configure maximum auto-rf to an RF profile, use the config rf-profile tx-power-max command.

config rf-profile tx-power-max profile-name

Syntax Description


`tx-power-max`	Maximum auto-rf tx power.
`profile-name`	Name of the RF profile.

Command Default

None

Examples

The following example shows how to configure tx-power-max on an RF profile:

(Cisco Controller) >config rf-profile tx-power-max RFGroup1

config rf-profile tx-power-min

To configure minimum auto-rf to an RF profile, use the config rf-profile tx-power-min command.

config rf-profile tx-power-min tx-power-min profile-name

Syntax Description


`tx-power-min`	Minimum auto-rf tx power.
`profile-name`	Name of the RF profile.

Command Default

None

Examples

The following example shows how to configure tx-power-min on an RF profile:


(Cisco Controller) >config rf-profile tx-power-min RFGroup1

config watchlist add

To add a watchlist entry for a wireless LAN, use the config watchlist add command.

config watchlist add { mac MAC | username username}

Syntax Description


mac `MAC`	Specifies the MAC address of the wireless LAN.
username `username`	Specifies the name of the user to watch.

Command Default

None

Examples

The following example shows how to add a watchlist entry for the MAC address a5:6b:ac:10:01:6b:


(Cisco Controller) >config watchlist add mac a5:6b:ac:10:01:6b

config watchlist delete

To delete a watchlist entry for a wireless LAN, use the config watchlist delete command.

config watchlist delete { mac MAC | username username}

Syntax Description


mac `MAC`	Specifies the MAC address of the wireless LAN to delete from the list.
username `username`	Specifies the name of the user to delete from the list.

Command Default

None

Examples

The following example shows how to delete a watchlist entry for the MAC address a5:6b:ac:10:01:6b:


(Cisco Controller) >config watchlist delete mac a5:6b:ac:10:01:6b

config watchlist disable

To disable the client watchlist, use the config watchlist disable command.

config watchlist disable

Syntax Description

This command has no arguments or keywords.

Command Default

None

Examples

The following example shows how to disable the client watchlist:


(Cisco Controller) >config watchlist disable

config watchlist enable

To enable a watchlist entry for a wireless LAN, use the config watchlist enable command.

config watchlist enable

Syntax Description

This command has no arguments or keywords.

Command Default

None

Examples

The following example shows how to enable a watchlist entry:


(Cisco Controller) >config watchlist enable

config wlan

To create, delete, enable, or disable a wireless LAN, use the config wlan command.

config wlan { enable|disable|create|delete}wlan_id[ name|foreignAp name ssid|all]

Syntax Description


enable	Enables a wireless LAN.
disable	Disables a wireless LAN.
create	Creates a wireless LAN.
delete	Deletes a wireless LAN.
`wlan_id`	Wireless LAN identifier between 1 and 512.
`name`	(Optional) WLAN profile name up to 32 alphanumeric characters.
foreignAp	(Optional) Specifies the third-party access point settings.
`ssid`	SSID (network name) up to 32 alphanumeric characters.
all	(Optional) Specifies all wireless LANs.

Command Default

None

Usage Guidelines

When you create a new WLAN using the config wlan create command, it is created in disabled mode. Leave it disabled until you have finished configuring it.

If you do not specify an SSID, the profile name parameter is used for both the profile name and the SSID.

If the management and AP-manager interfaces are mapped to the same port and are members of the same VLAN, you must disable the WLAN before making a port-mapping change to either interface. If the management and AP-manager interfaces are assigned to different VLANs, you do not need to disable the WLAN.

An error message appears if you try to delete a WLAN that is assigned to an access point group. If you proceed, the WLAN is removed from the access point group and from the access point’s radio.

Examples

The following example shows how to enable wireless LAN identifier 16:

(Cisco Controller) >config wlan enable 16

config wlan 7920-support

To configure support for phones, use the config wlan 7920-support command.

config wlan 7920-support { client-cac-limit | ap-cac-limit} { enable | disable} wlan_id

Syntax Description


ap-cac-limit	Supports phones that require client-controlled Call Admission Control (CAC) that expect the Cisco vendor-specific information element (IE).
client-cac-limit	Supports phones that require access point-controlled CAC that expect the IEEE 802.11e Draft 6 QBSS-load.
enable	Enables phone support.
disable	Disables phone support.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Usage Guidelines

You cannot enable both WMM mode and client-controlled CAC mode on the same WLAN.

Examples

The following example shows how to enable the phone support that requires client-controlled CAC with wireless LAN ID 8:

(Cisco Controller) >config wlan 7920-support ap-cac-limit enable 8

config wlan 802.11e

To configure 802.11e support on a wireless LAN, use the config wlan 802.11e command.

config wlan 802.11e { allow | disable | require} wlan_id

Syntax Description


allow	Allows 802.11e-enabled clients on the wireless LAN.
disable	Disables 802.11e on the wireless LAN.
require	Requires 802.11e-enabled clients on the wireless LAN.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Usage Guidelines

802.11e provides quality of service (QoS) support for LAN applications, which are critical for delay sensitive applications such as Voice over Wireless IP (VoWIP).

802.11e enhances the 802.11 Media Access Control layer (MAC layer) with a coordinated time division multiple access (TDMA) construct, and adds error-correcting mechanisms for delay sensitive applications such as voice and video. The 802.11e specification provides seamless interoperability and is especially well suited for use in networks that include a multimedia capability.

Examples

The following example shows how to allow 802.11e on the wireless LAN with LAN ID 1:

(Cisco Controller) >config wlan 802.11e allow 1

config wlan aaa-override

To configure a user policy override via AAA on a wireless LAN, use the config wlan aaa-override command.

config wlan aaa-override { enable | disable} { wlan_id | foreignAp}

Syntax Description


enable	Enables a policy override.
disable	Disables a policy override.
`wlan_id`	Wireless LAN identifier between 1 and 512.
foreignAp	Specifies third-party access points.

Command Default

AAA is disabled.

Usage Guidelines

When AAA override is enabled and a client has conflicting AAA and Cisco wireless LAN controller wireless LAN authentication parameters, client authentication is performed by the AAA server. As part of this authentication, the operating system will move clients from the default Cisco wireless LAN VLAN to a VLAN returned by the AAA server and predefined in the controller interface configuration (only when configured for MAC filtering, 802.1X, and/or WPA operation). In all cases, the operating system will also use QoS, DSCP, 802.1p priority tag values, and ACLs provided by the AAA server, as long as they are predefined in the controller interface configuration. (This VLAN switching by AAA override is also referred to as Identity Networking.)

If the corporate wireless LAN uses a management interface assigned to VLAN 2, and if AAA override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100, regardless of the physical port to which VLAN 100 is assigned.

When AAA override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is performed by the AAA server if the controller wireless LAN does not contain any client-specific authentication parameters.

The AAA override values might come from a RADIUS server.

Examples

The following example shows how to configure user policy override via AAA on WLAN ID 1:


(Cisco Controller) >config wlan aaa-override enable 1

config wlan band-select allow

To configure band selection on a WLAN, use the config wlan band-select allow command.

config wlan band-select allow { enable | disable} wlan_id

Syntax Description


enable	Enables band selection on a WLAN.
disable	Disables band selection on a WLAN.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Usage Guidelines

Examples

The following example shows how to enable band selection on a WLAN:

(Cisco Controller) >config wlan band-select allow enable 6

config wlan broadcast-ssid

To configure an Service Set Identifier (SSID) broadcast on a wireless LAN, use the config wlan broadcast-ssid command.

config wlan broadcast-ssid { enable | disable} wlan_id

Syntax Description


enable	Enables SSID broadcasts on a wireless LAN.
disable	Disables SSID broadcasts on a wireless LAN.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

Broadcasting of SSID is disabled.

Examples

The following example shows how to configure an SSID broadcast on wireless LAN ID 1:

(Cisco Controller) >config wlan broadcast-ssid enable 1

config wlan chd

To enable or disable Coverage Hole Detection (CHD) for a wireless LAN, use the config wlan chd command.

config wlan chd wlan_id { enable | disable}

Syntax Description


`wlan_id`	Wireless LAN identifier between 1 and 512.
enable	Enables SSID broadcasts on a wireless LAN.
disable	Disables SSID broadcasts on a wireless LAN.

Command Default

None

Examples

The following example shows how to enable CHD for WLAN 3:


(Cisco Controller) >config wlan chd 3 enable

config wlan ccx aironet-ie

To enable or disable Aironet information elements (IEs) for a WLAN, use the config wlan ccx aironet-ie command.

config wlan ccx aironet-ie { enable | disable}

Syntax Description


enable	Enables the Aironet information elements.
disable	Disables the Aironet information elements.

Command Default

None

Examples

The following example shows how to enable Aironet information elements for a WLAN:

(Cisco Controller) >config wlan ccx aironet-ie enable

config wlan channel-scan defer-priority

To configure the controller to defer priority markings for packets that can defer off channel scanning, use the config wlan channel-scan defer-priority command.

config wlan channel-scan defer-priority priority [ enable | disable] wlan_id

Syntax Description


`priority`	User priority value (0 to 7).
enable	(Optional) Enables packet at given priority to defer off channel scanning.
disable	(Optional) Disables packet at gven priority to defer off channel scanning.
`wlan_id`	Wireless LAN identifier (1 to 512).

Command Default

None

Usage Guidelines

The priority value should be set to 6 on the client and on the WLAN.

Examples

The following example shows how to enable the controller to defer priority markings that can defer off channel scanning with user priority value 6 and WLAN id 30:

(Cisco Controller) >config wlan channel-scan defer-priority 6 enable 30

config wlan channel-scan defer-time

To assign the channel scan defer time in milliseconds, use the config wlan channel-scan defer-time command.

config wlan channel-scan defer-time msecs wlan_id

Syntax Description


`msecs`	Deferral time in milliseconds (0 to 60000 milliseconds).
`wlan_id`	Wireless LAN identifier from 1 to 512.

Command Default

None

Usage Guidelines

The time value in milliseconds should match the requirements of the equipment on your WLAN.

Examples

The following example shows how to assign the scan defer time to 40 milliseconds for WLAN with ID 50:


(Cisco Controller) >config wlan channel-scan defer-time 40 50

config wlan custom-web

To configure the web authentication page for a WLAN, use the config wlan custom-web command.

config wlan custom-web{ { ext-webauth-url ext-webauth-url wlan_id } | { global { enable | disable}} | { login-page page-name } | { loginfailure-page { page-name | none}} | { logout-page { page-name | none}} | { { webauth-type { internal | customized | external} wlan_id}}

Syntax Description


ext-webauth-url	Configures an external web authentication URL.
`ext-webauth-url`	External web authentication URL.
`wlan_id`	WLAN identifier. Default range is from 1 to 512.
global	Configures the global status for a WLAN.
enable	Enables the global status for a WLAN.
disable	Disables the global status for a WLAN.
login-page	Configures the name of the login page for an external web authentication URL.
`page-name`	Login page name for an external web authentication URL.
loginfailure-page	Configures the name of the login failure page for an external web authentication URL.
none	Does not configure a login failure page for an external web authentication URL.
logout-page	Configures the name of the logout page for an external web authentication URL.
webauth-type	Configures the type of web authentication for the WLAN.
internal	Displays the default login page.
customized	Displays a customized login page.
external	Displays a login page on an external web server.

Command Default

None

The following example shows how to configure web authentication type in the WLAN.

Examples

Cisco Controller config wlan custom-web webauth-type external

config wlan dtim

To configure a Delivery Traffic Indicator Message (DTIM) for 802.11 radio network config wlan dtim command.

config wlan dtim { 802.11a | 802.11b} dtim wlan_id

Syntax Description


802.11a	Configures DTIM for the 802.11a radio network.
802.11b	Configures DTIM for the 802.11b radio network.
`dtim`	Value for DTIM (between 1 to 255 inclusive).
`wlan_id`	Number of the WLAN to be configured.

Command Default

The default is DTIM 1.

Examples

The following example shows how to configure DTIM for 802.11a radio network with DTIM value 128 and WLAN ID 1:


(Cisco Controller) >config wlan dtim 802.11a 128 1

config wlan exclusionlist

To configure the wireless LAN exclusion list, use the config wlan exclusionlist command.

config wlan exclusionlist { wlan_id [ enabled | disabled | time] |  foreignAp [ enabled | disabled | time]}

Syntax Description


`wlan_id`	Wireless LAN identifier (1 to 512).
enabled	(Optional) Enables the exclusion list for the specified wireless LAN or foreign access point.
disabled	(Optional) Disables the exclusion list for the specified wireless LAN or a foreign access point.
`time`	(Optional) Exclusion list timeout in seconds. A value of zero (0) specifies infinite time.
foreignAp	Specifies a third-party access point.

Command Default

None

Usage Guidelines

This command replaces the config wlan blacklist command.

Examples

The following example shows how to enable the exclusion list for WLAN ID 1:


(Cisco Controller) >config wlan exclusionlist 1 enabled

config wlan flexconnect learn-ipaddr

To enable or disable client IP address learning for the Cisco WLAN controller, use the config wlan flexconnect learn-ipaddr command.

config wlan flexconnect learn-ipaddr wlan_id { enable|disable}

Syntax Description


`wlan_id`	Wireless LAN identifier between 1 and 512.
enable	Enables client IPv4 address learning on a wireless LAN.
disable	Disables client IPv4 address learning on a wireless LAN.

Command Default

Disabled when the config wlan flexconnect local-switching command is disabled.  Enabled when the config wlan flexconnect local-switching command is enabled.

Usage Guidelines

If the client is configured with Layer 2 encryption, the controller cannot learn the client IP address, and the controller will periodically drop the client. Disable this option to keep the client connection without waiting to learn the client IP address.

Note

This command is valid only for IPv4.

Note

The ability to disable IP address learning is not supported with FlexConnect central switching.

Examples

The following example shows how to disable client IP address learning for WLAN 6:


(Cisco Controller) >config wlan flexconnect learn-ipaddr disable 6

Related Commands

show wlan

config wlan flexconnect local-switching

To configure local switching, central DHCP, NAT-PAT, or the override DNS option on a FlexConnect WLAN, use the config wlan flexconnect local switching command.

config wlan flexconnect local-switching wlan_id{ enable |disable}{{ central-dhcp { enable |disable}nat-pat { enable |disable}}|{ override option dns {enable |disable}}}

Syntax Description


`wlan_id`	Wireless LAN identifier from 1 to 512.
enable	Enables local switching on a FlexConnect WLAN.
disable	Disables local switching on a FlexConnect WLAN.
central-dhcp	Configures central switching of DHCP packets on the local switching FlexConnect WLAN. When you enable this feature, the DHCP packets received from the AP are centrally switched to the controller and forwarded to the corresponding VLAN based on the AP and the SSID.
enable	Enables central DHCP on a FlexConnect WLAN.
disable	Disables central DHCP on a FlexConnect WLAN.
nat-pat	Configures Network Address Translation (NAT) and Port Address Translation (PAT) on the local switching FlexConnect WLAN.
enable	Enables NAT-PAT on the FlexConnect WLAN.
disable	Disables NAT-PAT on the FlexConnect WLAN.
override	Specifies the DHCP override options on the FlexConnect WLAN.
option dns	Specifies the override DNS option on the FlexConnect WLAN. When you override this option, the clients get their DNS server IP address from the AP, not from the controller.
enable	Enables the override DNS option on the FlexConnect WLAN.
disable	Disables the override DNS option on the FlexConnect WLAN.

Command Default

This feature is disabled.

Usage Guidelines

When you enable the config wlan flexconnect local-switching command, the config wlan flexconnect learn-ipaddr command is enabled by default.

Note

This command is valid only for IPv4.

Note

The ability to disable IP address learning is not supported with FlexConnect central switching.

Examples

The following example shows how to enable WLAN 6 for local switching and enable central DHCP and NAT-PAT:


(Cisco Controller) >config wlan flexconnect local-switching 6 enable central-dhcp enable nat-pat enable

The following example shows how to enable the override DNS option on WLAN 6:


(Cisco Controller) >config wlan flexconnect local-switching 6 override option dns enable

config wlan interface

To configure a wireless LAN interface or an interface group, use the config wlan interface command.

config wlan interface { wlan_id | foreignAp} { interface-name | interface-group-name}

Syntax Description


`wlan_id`	(Optional) Wireless LAN identifier (1 to 512).
foreignAp	Specifies third-party access points.
`interface-name`	Interface name.
`interface-group-name`	Interface group name.

Command Default

None

Examples

The following example shows how to configure an interface named VLAN901:


(Cisco Controller) >config wlan interface 16 VLAN901

config wlan kts-cac

To configure the Key Telephone System-based CAC policy for a WLAN, use the config wlan kts-cac command.

config wlan kts-cac { enable | disable} wlan_id

Syntax Description


enable	Enables the KTS-based CAC policy.
disable	Disables the KTS-based CAC policy.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Usage Guidelines

To enable the KTS-based CAC policy for a WLAN, ensure that you do the following:

Configure the QoS profile for the WLAN to Platinum by entering the following command:

config wlan qos wlan-id platinum
Disable the WLAN by entering the following command:

config wlan disable wlan-id
Disable FlexConnect local switching for the WLAN by entering the following command:

config wlan flexconnect local-switching wlan-id disable

Examples

The following example shows how to enable the KTS-based CAC policy for a WLAN with the ID 4:


(Cisco Controller) >config wlan kts-cac enable 4

config wlan load-balance

To override the global load balance configuration and enable or disable load balancing on a particular WLAN, use the config wlan load-balance command.

config wlan load-balance allow { enable | disable} wlan_id

Syntax Description


enable	Enables band selection on a wireless LAN.
disable	Disables band selection on a wireless LAN.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

Load balancing is enabled by default.

Examples

The following example shows how to enable band selection on a wireless LAN with WLAN ID 3:


(Cisco Controller) >config wlan load-balance allow enable 3

config wlan max-associated-clients

To configure the maximum number of client connections on a wireless LAN, guest LAN, or remote LAN, use the config wlan max-associated-clients command.

config wlan max-associated-clients max_clients wlan_id

Syntax Description


`max_clients`	Maximum number of client connections to be accepted.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Examples

The following example shows how to specify the maximum number of client connections on WLAN ID 2:


(Cisco Controller) >config wlan max-associated-clients 25 2

config wlan max-radio-clients

To configure the maximum number of WLAN client per access point, use the config wlan max-radio-clients command.

config wlan max-radio-clients max_radio_clients wlan_id

Syntax Description


`max_radio_clients`	Maximum number of client connections to be accepted per access point radio. The valid range is from 1 to 200.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Examples

The following example shows how to specify the maximum number of client connections per access point radio on WLAN ID 2:


(Cisco Controller) >config wlan max-radio-clients 25 2

config wlan media-stream

To configure multicast-direct for a wireless LAN media stream, use the config wlan media-stream command.

config wlan media-stream multicast-direct { wlan_id | all} { enable | disable}

Syntax Description


multicast-direct	Configures multicast-direct for a wireless LAN media stream.
`wlan_id`	Wireless LAN identifier between 1 and 512.
all	Configures the wireless LAN on all media streams.
enable	Enables global multicast to unicast conversion.
disable	Disables global multicast to unicast conversion.

Command Default

None

Usage Guidelines

Media stream multicast-direct requires load based Call Admission Control (CAC) to run. WLAN quality of service (QoS) needs to be set to either gold or platinum.

Examples

The following example shows how to enable the global multicast-direct media stream with WLAN ID 2:


(Cisco Controller) >config wlan media-stream multicast-direct 2 enable

config wlan profiling

To configure client profiling on a WLAN, use the config wlan profiling command.

config wlan profiling { local | radius} { all | dhcp | http} { enable | disable} wlan_id

Syntax Description


local	Configures client profiling in Local mode for a WLAN.
radius	Configures client profiling in RADIUS mode on a WLAN.
all	Configures DHCP and HTTP client profiling in a WLAN.
dhcp	Configures DHCP client profiling alone in a WLAN.
http	Configures HTTP client profiling in a WLAN.
enable	Enables the specific type of client profiling in a WLAN. When you enable HTTP profiling, the Cisco WLC collects the HTTP attributes of clients for profiling. When you enable DHCP profiling, the Cisco WLC collects the DHCP attributes of clients for profiling.
disable	Disables the specific type of client profiling in a WLAN.
`wlan_id`	Wireless LAN identifier from 1 to 512.

Usage Guidelines

Ensure that you have disabled the WLAN before configuring client profiling on the WLAN.

Command Default

Client profiling is disabled.

Usage Guidelines

Only clients connected to port 80 for HTTP can be profiled. IPv6 only clients are not profiled.

If a session timeout is configured for a WLAN, clients must send the HTTP traffic before the configured timeout to get profiled.

This feature is not supported on the following:

FlexConnect Standalone mode
FlexConnect Local Authentication

Examples

The following example shows how to enable both DHCP and HTTP profiling on a WLAN:

(Cisco Controller) >config wlan profiling radius all enable 6
										HTTP Profiling successfully enabled.
										DHCP Profiling successfully enabled.

config wlan qos

To change the quality of service (QoS) for a wireless LAN, use the config wlan qos command.

config wlan qos wlan_id { bronze | silver | gold | platinum}

config wlan qos foreignAp { bronze | silver | gold | platinum}

Syntax Description


`wlan_id`	Wireless LAN identifier between 1 and 512.
bronze	Specifies the bronze QoS policy.
silver	Specifies the silver QoS policy.
gold	Specifies the gold QoS policy.
platinum	Specifies the platinum QoS policy.
foreignAp	Specifies third-party access points.

Command Default

The default QoS policy is silver.

Examples

The following example shows how to set the highest level of service on wireless LAN 1:


(Cisco Controller) >config wlan qos 1 gold

config wlan radio

To set the Cisco radio policy on a wireless LAN, use the config wlan radio command.

config wlan radio wlan_id { all | 802.11a | 802.11bg | 802.11g | 802.11ag}

Syntax Description


`wlan_id`	Wireless LAN identifier between 1 and 512.
all	Configures the wireless LAN on all radio bands.
802.11a	Configures the wireless LAN on only 802.11a.
802.11b g	Configures the wireless LAN on only 802.11b/g (only 802.11b if 802.11g is disabled).
802.11g	Configures the wireless LAN on 802.11g only.

Command Default

None

Examples

The following example shows how to configure the wireless LAN on all radio bands:


(Cisco Controller) >config wlan radio 1 all

config wlan radius_server acct

To configure RADIUS accounting servers of a WLAN, use the config wlan radius_server acct command.

config wlan radius_server acct { enable | disable} wlan_id | add wlan_id server_id | delete wlan_id { all | server_id} }

Syntax Description


enable	Enables RADIUS accounting for the WLAN.
disable	Disables RADIUS accounting for the WLAN.
`wlan_id`	Wireless LAN identifier from 1 to 512.
add	Adds a link to a configured RADIUS accounting server.
`server_id`	RADIUS server index.
delete	Deletes a link to a configured RADIUS accounting server.

Command Default

None

Examples

The following example shows how to enable RADIUS accounting for the WLAN 2:


(Cisco Controller) >config wlan radius_server acct enable 2

The following example shows how to add a link to a configured RADIUS accounting server:


(Cisco Controller) > config wlan radius_server acct add 2 5

config wlan radius_server acct interim-update

To configure the interim update of a RADIUS accounting server of a WLAN, use the config wlan radius_server acct interim-update command.

config wlan radius_server acct interim-update { enable | disable | interval } wlan_id

Syntax Description


interim-update	Configures the interim update of the RADIUS accounting server.
enable	Enables interim update of the RADIUS accounting server for the WLAN.
disable	Disables interim update of the RADIUS accounting server for the WLAN.
`interval`	Interim update interval that you specify. The valid range is 180 seconds to 3600 seconds.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

Interim update of a RADIUS accounting sever is set at 600 seconds.

Examples

The following example shows how to specify an interim update of 200 seconds to a RADIUS accounting server of WLAN 2:


(Cisco Controller) >config wlan radius_server acct interim-update 200 2

config wlan radius_server auth

To configure RADIUS authentication servers of a WLAN, use the config wlan radius_server auth command.

config wlan radius_server auth { enable wlan_id | disable wlan_id} { add wlan_id server_id | delete wlan_id { all | server_id}}

Syntax Description


auth	Configures a RADIUS authentication
enable	Enables RADIUS authentication for this WLAN.
`wlan_id`	Wireless LAN identifier from 1 to 512.
disable	Disables RADIUS authentication for this WLAN.
add	Adds a link to a configured RADIUS server.
`server_id`	RADIUS server index.
delete	Deletes a link to a configured RADIUS server.
all	Deletes all links to configured RADIUS servers.

Command Default

None

Examples

The following example shows how to add a link to a configured RADIUS authentication server with WLAN ID 1 and Server ID 1:


(Cisco Controller) >config wlan radius_server auth add 1 1

config wlan radius_server acct interim-update

To configure the interim update of a RADIUS accounting server of a WLAN, use the config wlan radius_server acct interim-update command.

config wlan radius_server acct interim-update { enable | disable | interval } wlan_id

Syntax Description


interim-update	Configures the interim update of the RADIUS accounting server.
enable	Enables interim update of the RADIUS accounting server for the WLAN.
disable	Disables interim update of the RADIUS accounting server for the WLAN.
`interval`	Interim update interval that you specify. The valid range is 180 seconds to 3600 seconds.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

Interim update of a RADIUS accounting sever is set at 600 seconds.

Examples

The following example shows how to specify an interim update of 200 seconds to a RADIUS accounting server of WLAN 2:


(Cisco Controller) >config wlan radius_server acct interim-update 200 2

config wlan security 802.1X

To change the state of 802.1X security on the wireless LAN Cisco radios, use the config wlan security 802.1X command.

config wlan security 802.1X { enable { wlan_id | foreignAp} | disable { wlan_id | foreignAp} |   encryption { wlan_id | foreignAp} { 0 | 40 | 104} | on-macfilter-failure { enable | disable}}

Syntax Description

enable

Enables the 802.1X settings.

wlan_id

Wireless LAN identifier between 1 and 512.

foreignAp

Specifies third-party access points.

disable

Disables the 802.1X settings.

encryption

Specifies the static WEP keys and indexes.

Specifies a WEP key size of 0 (no encryption) bits. The default value is 104.

Note

All keys within a wireless LAN must be the same size.

Specifies a WEP key size of 40 bits. The default value is 104.

Note

All keys within a wireless LAN must be the same size.

104

Specifies a WEP key size of 104 bits. The default value is 104.

Note

All keys within a wireless LAN must be the same size.

on-macfilter-failure

Configures 802.1X on MAC filter failure.

enable

Enables 802.1X authentication on MAC filter failure.

disable

Disables 802.1X authentication on MAC filter failure.

Command Default

None

Usage Guidelines

To change the encryption level of 802.1X security on the wireless LAN Cisco radios, use the following key sizes:

0—no 802.1X encryption.
40—40/64-bit encryption.
104—104/128-bit encryption. (This is the default encryption setting.)

Examples

The following example shows how to configure 802.1X security on WLAN ID 16.


(Cisco Controller) >config wlan security 802.1X enable 16

config wlan security ckip

To configure Cisco Key Integrity Protocol (CKIP) security options for the wireless LAN, use the config wlan security ckip command.

config wlan security ckip { enable | disable} wlan_id  [ akm psk set-key { hex | ascii} { 40 | 104} key key_index wlan_id |   mmh-mic { enable | disable} wlan_id |   kp { enable | disable} wlan_id]

Syntax Description


enable	Enables CKIP security.
disable	Disables CKIP security.
`wlan_id`	Wireless LAN identifier from 1 to 512.
akm psk set-key	(Optional) Configures encryption key management for the CKIP wireless LAN.
hex	Specifies a hexadecimal encryption key.
ascii	Specifies an ASCII encryption key.
40	Sets the static encryption key length to 40 bits for the CKIP WLAN. 40-bit keys must contain 5 ASCII text characters or 10 hexadecimal characters.
104	Sets the static encryption key length to 104 bits for the CKIP WLAN. 104-bit keys must contain 13 ASCII text characters or 26 hexadecimal characters.
key	Specifies the CKIP WLAN key settings.
`key_index`	Configured PSK key index.
mmh-mic	(Optional) Configures multi-modular hash message integrity check (MMH MIC) validation for the CKIP wireless LAN.
kp	(Optional) Configures key-permutation for the CKIP wireless LAN.

Command Default

None

Examples

The following example shows how to configure a CKIP WLAN encryption key of 104 bits (26 hexadecimal characters) for PSK key index 2 on WLAN 03:


(Cisco Controller) >config wlan security ckip akm psk set-key hex 104 key 2 03

config wlan security cond-web-redir

To enable or disable conditional web redirect, use the config wlan security cond-web-redir command.

config wlan security cond-web-redir { enable | disable} wlan_id

Syntax Description


enable	Enables conditional web redirect.
disable	Disables conditional web redirect.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Examples

The following example shows how to enable the conditional web direct on WLAN ID 2:


(Cisco Controller) >config wlan security cond-web-redir enable 2

config wlan security eap-passthru

To configure the 802.1X frames pass through on to the external authenticator, use the config wlan security eap-passthru command.

config wlan security eap-passthru { enable | disable} wlan_id

Syntax Description


enable	Enables 802.1X frames pass through to external authenticator.
disable	Disables 802.1X frames pass through to external authenticator.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Examples

The following example shows how to enable the 802.1X frames pass through to external authenticator on WLAN ID 2:


(Cisco Controller) >config wlan security eap-passthru enable 2

config wlan security ft

To configure 802.11r Fast Transition Roaming parameters, use the config wlan security ft command.

config wlan security ft{enable |disable|reassociation-timeout timeout-in-seconds}wlan_id

Syntax Description



enable	Enables 802.11r Fast Transition Roaming support.
disable	Disables 802.11r Fast Transition Roaming support.
reassociation-timeout	Configures reassociation deadline interval.
`timeout-in-seconds`	Reassociation timeout value, in seconds. The valid range is 1 to 100 seconds.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Usage Guidelines

Ensure that you have disabled the WLAN before you proceed.

Examples

The following example shows how to enable 802.11r Fast Transition Roaming support on WLAN 2:


(Cisco Controller) >config wlan security ft enable 2

The following example shows how to set a reassociation timeout value of 20 seconds for 802.11r Fast Transition Roaming support on WLAN 2:


(Cisco Controller) >config wlan security ft reassociation-timeout 20 2

config wlan security ft over-the-ds

To configure 802.11r fast transition parameters over a distributed system, use the config wlan security ft over-the-ds command.

config wlan security ft over-the-ds { enable |disable}wlan_id

Syntax Description


enable	Enables 802.11r fast transition roaming support over a distributed system.
disable	Disables 802.11r fast transition roaming support over a distributed system.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

Enabled.

Usage Guidelines

Ensure that you have disabled the WLAN before you proceed.

Ensure that 802.11r fast transition is enabled on the WLAN.

Examples

The following example shows how to enable 802.11r fast transition roaming support over a distributed system on WLAN ID 2:


(Cisco Controller) >config wlan security ft over-the-ds enable 2

config wlan security passthru

To modify the IPsec pass-through used on the wireless LAN, use the config wlan security passthru command.

config wlan security passthru{enable|disable} { wlan_id|foreignAp} [ ip_address]

Syntax Description


enable	Enables IPsec pass-through.
disable	Disables IPsec pass-through.
`wlan_id`	Wireless LAN identifier between 1 and 512.
foreignAp	Specifies third-party access points.
`ip_address`	(Optional) IP address of the IPsec gateway (router) that is terminating the VPN tunnel.

Command Default

None

Examples

The following example shows how to modify IPsec pass-through used on the wireless LAN:


(Cisco Controller) >config wlan security passthru enable 3 192.12.1.1

config wlan security splash-page-web-redir

To enable or disable splash page web redirect, use the config wlan security splash-page-web-redir command.

config wlan security splash-page-web-redir { enable |disable}wlan_id

Syntax Description


enable	Enables splash page web redirect.
disable	Disables splash page web redirect.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

Splash page web redirect is disabled.

Examples

The following example shows how to enable spash page web redirect:

(Cisco Controller) >config wlan security splash-page-web-redir enable 2

config wlan security static-wep-key authentication

To configure static Wired Equivalent Privacy (WEP) key 802.11 authentication on a wireless LAN, use the config wlan security static-wep-key authentication command.

config wlan security static-wep-key authentication { shared-key|open}wlan_id

Syntax Description


shared-key	Enables shared key authentication.
open	Enables open system authentication.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Examples

The following example shows how to enable the static WEP shared key authentication for WLAN ID 1:


(Cisco Controller) >config wlan security static-wep-key authentication shared-key 1

config wlan security static-wep-key disable

To disable the use of static Wired Equivalent Privacy (WEP) keys, use the config wlan security static-wep-key disable command.

config wlan security static-wep-key disable wlan_id

Syntax Description


`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Examples

The following example shows how to disable the static WEP keys for WLAN ID 1:


(Cisco Controller) >config wlan security static-wep-key disable 1

config wlan security static-wep-key enable

To enable the use of static Wired Equivalent Privacy (WEP) keys, use the config wlan security static-wep-key enable command.

config wlan security static-wep-key enable wlan_id

Syntax Description


`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Examples

The following example shows how to enable the use of static WEK keys for WLAN ID 1:


(Cisco Controller) >config wlan security static-wep-key enable 1

config wlan security static-wep-key encryption

To configure the static Wired Equivalent Privacy (WEP) keys and indexes, use the config wlan security static-wep-key encryption command.

config wlan security static-wep-key encryption wlan_id { 40|104} { hex|ascii}keykey-index

Syntax Description


`wlan_id`	Wireless LAN identifier from 1 to 512.
40	Specifies the encryption level of 40.
104	Specifies the encryption level of 104.
hex	Specifies to use hexadecimal characters to enter key.
ascii	Specifies whether to use ASCII characters to enter key.
`key`	WEP key in ASCII.
`key-index`	Key index (1 to 4).

Command Default

None

Usage Guidelines

One unique WEP key index can be applied to each wireless LAN. Because there are only four WEP key indexes, only four wireless LANs can be configured for static WEP Layer 2 encryption.

Make sure to disable 802.1X before using this command.

Examples

The following example shows how to configure the static WEP keys for WLAN ID 1 that uses hexadecimal character 0201702001 and key index 2:


(Cisco Controller) >config wlan security static-wep-key encryption 1 40 hex 0201702001 2

config wlan security tkip

To configure the Temporal Key Integrity Protocol (TKIP) Message Integrity Check (MIC) countermeasure hold-down timer, use the config wlan security tkip command.

config wlan security tkip hold-down timewlan_id

Syntax Description


hold-down	Configures the TKIP MIC countermeasure hold-down timer.
`time`	TKIP MIC countermeasure hold-down time in seconds. The range is from 0 to 60 seconds.
`wlan_id`	Wireless LAN identifier from 1 to 512.

Command Default

The default TKIP countermeasure is set to 60 seconds.

Usage Guidelines

TKIP countermeasure mode can occur if the access point receives 2 MIC errors within a 60 second period. When this situation occurs, the access point deauthenticates all TKIP clients that are associated to that 802.11 radio and holds off any clients for the countermeasure holdoff time.

Examples

The following example shows how to configure the TKIP MIC countermeasure hold-down timer:

(Cisco Controller) >config wlan security tkip

config wlan security web-auth

To change the status of web authentication used on a wireless LAN, use the config wlan security web-auth command.

config wlan security web-auth{{acl|enable|disable} { wlan_id|foreignAp} [ acl_name|none]} | { on-macfilter-failure wlan_id} | { server-precedence wlan_id|local|ldap|radius} | { flexacl wlan_id[ipv4_acl_name|none]} | { ipv6 acl wlan_id [ ipv6_acl_name|none]} |{mac-auth-server { ip_addresswlan_id}} |{timeout {value_in_secondswlan_id}} |{web-portal-server { ip_addresswlan_id}}

Syntax Description

acl

Configures the access control list.

enable

Enables web authentication.

disable

Disables web authentication.

wlan_id

Wireless LAN identifier from 1 to 512.

foreignAp

Specifies third-party access points.

acl_name

(Optional) ACL name (up to 32 alphanumeric characters).

none

(Optional) Specifies no ACL name.

on-macfilter-failure

Enables web authentication on MAC filter failure.

server-precendence

Configures the authentication server precedence order for Web-Auth users.

local

Specifies the server type.

ldap

Specifies the server type.

radius

Specifies the server type.

flexacl

Configures Flexconnect Access Control List.

ipv4_acl_name

(Optional) IPv4 ACL name. You can enter up to 32 alphanumeric characters.

ipv6_acl_name

(Optional) IPv6 ACL name. You can enter up to 32 alphanumeric characters.

ipv6

Configures IPv6 related parameters.

mac-auth-server

Configures MAC authentication server for the WLAN.

timeout

Configures Local Web authentication Timeout.

Note

The CWA session timeout is fixed to 600 seconds.

value_in_seconds

Timeout value in seconds; valid range is between 300 and 14400 seconds.

web-portal-server

Configures CMCC web portal server for the WLAN.

Command Default

None

Examples

The following example shows how to configure the security policy for WLAN ID 1 and an ACL named ACL03:


(Cisco Controller) >config wlan security web-auth acl 1 ACL03

config wlan security web-passthrough acl

To add an access control list (ACL) to the wireless LAN definition, use the config wlan security web-passthrough acl command.

config wlan security web-passthrough acl { wlan_id|foreignAp} { acl_name|none}

Syntax Description


`wlan_id`	Wireless LAN identifier between 1 and 512.
foreignAp	Specifies third-party access points.
`acl_name`	ACL name (up to 32 alphanumeric characters).
none	Specifies that there is no ACL.

Command Default

None

Examples

The following example shows how to add an ACL to the wireless LAN definition:


(Cisco Controller) >config wlan security web-passthrough acl 1 ACL03

config wlan security web-passthrough disable

To disable a web captive portal with no authentication required on a wireless LAN, use the config wlan security web-passthrough disable command.

config wlan security web-passthrough disable { wlan_id|foreignAp}

Syntax Description


`wlan_id`	Wireless LAN identifier between 1 and 512.
foreignAp	Specifies third-party access points.

Command Default

None

Examples

The following example shows how to disable a web captive portal with no authentication required on wireless LAN ID 1:


(Cisco Controller) >config wlan security web-passthrough disable 1

config wlan security web-passthrough email-input

To configure a web captive portal using an e-mail address, use the config wlan security web-passthrough email-input command.

config wlan security web-passthrough email-input { enable|disable} { wlan_id|foreignAp}

Syntax Description


email-input	Configures a web captive portal using an e-mail address.
enable	Enables a web captive portal using an e-mail address.
disable	Disables a web captive portal using an e-mail address.
`wlan_id`	Wireless LAN identifier between 1 and 512.
foreignAp	Specifies third-party access points.

Command Default

None

Examples

The following example shows how to configure a web captive portal using an e-mail address:


(Cisco Controller) >config wlan security web-passthrough email-input enable 1

config wlan security web-passthrough enable

To enable a web captive portal with no authentication required on the wireless LAN, use the config wlan security web-passthrough enable command.

config wlan security web-passthrough enable { wlan_id|foreignAp}

Syntax Description


`wlan_id`	Wireless LAN identifier between 1 and 512.
foreignAp	Specifies third-party access points.

Command Default

None

Examples

The following example shows how to enable a web captive portal with no authentication required on wireless LAN ID 1:


(Cisco Controller) >config wlan security web-passthrough enable 1

config wlan security wpa akm 802.1x

To configure authentication key-management (AKM) using 802.1X, use the config wlan security wpa akm 802.1x command.

config wlan security wpa akm 802.1x { enable|disable}wlan_id

Syntax Description


enable	Enables the 802.1X support.
disable	Disables the 802.1X support.
`wlan_id`	Wireless LAN identifier from 1 to 512.

Command Default

None

Examples

The following example shows how to configure authentication using 802.1X.


(Cisco Controller) >config wlan security wpa akm 802.1x enable 1

config wlan security wpa akm cckm

To configure authentication key-management using Cisco Centralized Key Management (CCKM), use the config wlan security wpa akm cckm command.

config wlan security wpa akm cckm { enable wlan_id|disable wlan_id|timestamp-tolerance}

Syntax Description


enable	Enables CCKM support.
disable	Disables CCKM support.
`wlan_id`	Wireless LAN identifier between 1 and 512.
`timestamp-tolerance`	CCKM IE time-stamp tolerance. The range is between 1000 to 5000 milliseconds; the default is 1000 milliseconds.

Command Default

None

Examples

The following example shows how to configure authentication key-management using CCKM.


(Cisco Controller) >config wlan security wpa akm cckm 1500

config wlan security wpa akm ft

To configure authentication key-management using 802.11r fast transition 802.1X, use the config wlan security wpa akm ft command.

config wlan security wpa akm ft [ over-the-air|over-the-ds |psk|[ reassociation-timeout seconds]] { enable|disable}wlan_id

Syntax Description


over-the-air	(Optional) Configures 802.11r fast transition roaming over-the-air support.
over-the-ds	(Optional) Configures 802.11r fast transition roaming DS support.
psk	(Optional) Configures 802.11r fast transition PSK support.
reassociation-timeout	(Optional) Configures the reassociation deadline interval. The valid range is between 1 to 100 seconds. The default value is 20 seconds.
`seconds`	Reassociation deadline interval in seconds.
enable	Enables 802.11r fast transition 802.1X support.
disable	Disables 802.11r fast transition 802.1X support.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Examples

The following example shows how to configure authentication key-management using 802.11r fast transition:


(Cisco Controller) >config wlan security wpa akm ft reassociation-timeout 25 1

config wlan security wpa akm psk

To configure the Wi-Fi protected access (WPA) preshared key mode, use the config wlan security wpa akm psk command.

config wlan security wpa akm psk { enable |disable |set-key key-format key}wlan_id

Syntax Description


enable	Enables WPA-PSK.
disable	Disables WPA-PSK.
set-key	Configures a preshared key.
`key-format`	Specifies key format. Either ASCII or hexadecimal.
`key`	WPA preshared key.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Examples

The following example shows how to configure the WPA preshared key mode:


(Cisco Controller) >config wlan security wpa akm psk disable 1

config wlan security wpa disable

To disable WPA1, use the config wlan security wpa disable command.

config wlan security wpa disable wlan_id

Syntax Description


`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Examples

The following example shows how to disable WPA:


(Cisco Controller) >config wlan security wpa disable 1

config wlan security wpa enable

To enable WPA1, use the config wlan security wpa enable command.

config wlan security wpa enable wlan_id

Syntax Description


`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Examples

The following example shows how to configure the WPA on WLAN ID 1:


(Cisco Controller) >config wlan security wpa enable 1

config wlan security wpa ciphers

To configure the Wi-Fi protected authentication (WPA1) or Wi-Fi protected authentication (WPA2), use the config wlan security wpa ciphers command.

config wlan security wpa { wpa1 |wpa2}ciphers { aes|tkip}{ enable|disable}wlan_id

Syntax Description


wpa1	Configures WPA1 support.
wpa2	Configures WPA2 support.
ciphers	Configures WPA ciphers.
aes	Configures AES encryption support.
tkip	Configures TKIP encryption support.
enable	Enables WPA AES/TKIP mode.
disable	Disables WPA AES/TKIP mode.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Usage Guidelines

If you are not specifying the WPA versions, it implies the following:

If the cipher enabled is AES, you are configuring WPA2/AES.
If the ciphers enabled is AES+TKIP, you are configuring WPA/TKIP, WPA2/AES,or WPA/TKIP.
If the cipher enabled is TKIP, you are configuring WPA/TKIP or WPA2/TKIP.

Examples

The following example shows how to encrypt the WPA:


(Cisco Controller) >config wlan security wpa wpa1 ciphers aes enable 1

config wlan security wpa gtk-random

To enable the randomization of group temporal keys (GTK) between access points and clients on a WLAN, use the config wlan security wpa gtk-random command.

config wlan security wpa gtk-random { enable |disable}wlan_id

Syntax Description


enable	Enables the randomization of GTK keys between the access point and clients.
disable	Disables the randomization of GTK keys between the access point and clients.
`wlan_id`	WLAN identifier between 1 and 512.

Command Default

None

Usage Guidelines

When you enable this command, the clients in the Basic Service Set (BSS) get a unique GTK key. The clients do not receive multicast or broadcast traffic.

Examples

The following example shows how to enable the GTK randomization for each client associated on a WLAN:

(Cisco Controller) >config wlan security wpa gtk-random enable 3

config wlan security wpa wpa1 disable

To disable WPA1, use the config wlan security wpa wpa1 disable command.

config wlan security wpa wpa1 disable wlan_id

Syntax Description


`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Examples

The following example shows how to disable WPA1:


(Cisco Controller) >config wlan security wpa wpa1 disable 1

config wlan security wpa wpa1 enable

To enable WPA1, use the config wlan security wpa wpa1 enable command.

config wlan security wpa wpa1 enable wlan_id

Syntax Description


`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Examples

The following example shows how to enable WPA1:


(Cisco Controller) >config wlan security wpa wpa1 enable 1

config wlan security wpa wpa2 disable

To disable WPA2, use the config wlan security wpa wpa2 disable command.

config wlan security wpa wpa2 disable wlan_id

Syntax Description


`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Examples

The following example shows how to disable WPA2:


(Cisco Controller) >config wlan security wpa wpa2 disable 1

config wlan security wpa wpa2 enable

To enable WPA2, use the config wlan security wpa wpa2 enable command.

config wlan security wpa wpa2 enable wlan_id

Syntax Description


`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Examples

The following example shows how to enable WPA2:


(Cisco Controller) >config wlan security wpa wpa2 enable 1

config wlan security wpa wpa2 cache

To configure caching methods on a WLAN, use the config wlan security wpa wpa2 cache command.

config wlan security wpa wpa2 cache sticky { enable |disable}wlan_id

Syntax Description


sticky	Configures Sticky Key Caching (SKC) roaming support on the WLAN.
enable	Enables SKC roaming support on the WLAN.
disable	Disables SKC roaming support on the WLAN.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Usage Guidelines

In SKC (Sticky Key caching) also known as PKC (Pro Active Key caching), the client stores each Pairwise Master Key (PMK) ID (PMKID) against a Pairwise Master Key Security Association (PMKSA). When a client finds an AP for which it has a PMKSA, it sends the PMKID in the association request to the AP. If the PMKSA is alive in the AP, the AP provides support for fast roaming. In SKC, full authentication is done on each new AP to which the client associates and the client must keep the PMKSA associated with all APs.

Examples

The following example shows how to enable SKC roaming support on a WLAN:

(Cisco Controller) >config wlan security wpa wpa2 cache sticky enable 1

config wlan security wpa wpa2 cache sticky

To configure Sticky PMKID Caching (SKC) on a WLAN, use the config wlan security wpa wpa2 cache sticky command.

config wlan security wpa wpa2 cache sticky { enable | disable}wlan_id

Syntax Description


enable	Enables SKC on a WLAN.
disable	Disables SKC on a WLAN.
`wlan_id`	Wireless LAN identifier between 1 and 512 (inclusive).

Command Default

Stkcky PMKID Caching is disabled.

Usage Guidelines

controller supports Sticky PMKID Caching (SKC). With sticky PMKID caching, the client receives and stores a different PMKID for every AP it associates with. The APs also maintain a database of the PMKID issued to the client. In SKC also known as PKC (Pro Active Key caching), the client stores each Pairwise Master Key (PMK) ID (PMKID) against a Pairwise Master Key Security Association (PMKSA). When a client finds an AP for which it has the PMKSA, it sends the PMKID in the association request to the AP. If the PMKSA is alive in the AP, the AP provides support for fast roaming. In SKC, full authentication is done on each new AP to which the client associates and the client must keep the PMKSA associated with all APs. For SKC, PMKSA is a per AP cache that the client stores and PMKSA is precalculated based on the BSSID of the new AP.

You cannot use SKC for large scale deployments as the controller supports SKC only up to eight APs.
SKC does not work across controllers in a mobility group.
SKC works only on WPA2-enabled WLANs.
SKC works only on local mode APs.

Examples

The following example shows how to enable Sticky PMKID Caching on WLAN 5:

(Cisco Controller) >config wlan security wpa wpa2 cache sticky enable 5

config wlan security wpa wpa2 ciphers

To configure WPA2 ciphers and enable or disable Advanced Encryption Standard (AES) or Temporal Key Integrity Protocol (TKIP) data encryption for WPA2, use the config wlan security wpa wpa2 ciphers command

config wlan security wpa wpa2 ciphers { aes |tkip}{ enable |disable}wlan_id

Syntax Description


(Cisco Controller) > aes	Configures AES data encryption for WPA2.
tkip	Configures TKIP data encryption for WPA2.
enable	Enables AES or TKIP data encryption for WPA2.
disable	Disables AES or TKIP data encryption for WPA2.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

AES is enabled by default.

Examples

The following example shows how to enable AES data encryption for WPA2:

(Cisco Controller) >config wlan security wpa wpa2 ciphers aes enable 1

config wlan session-timeout

To change the timeout of wireless LAN clients, use the config wlan session-timeout command.

config wlan session-timeout{wlan_id|foreignAp}seconds

Syntax Description

wlan_id

Wireless LAN identifier between 1 and 512.

foreignAp

Specifies third-party access points.

seconds

Timeout or session duration in seconds. A value of zero is equivalent to no timeout.

Note

The range of session timeout depends on the security type:

Open system: 0-65535 (sec)
802.1x: 300-86400 (sec)
static wep: 0-65535 (sec)
cranite: 0-65535 (sec)
fortress: 0-65535 (sec)
CKIP: 0-65535 (sec)
open+web auth: 0-65535 (sec)
web pass-thru: 0-65535 (sec)
wpa-psk: 0-65535 (sec)
disable: To disable reauth/session-timeout timers.

Command Default

None

Usage Guidelines

Examples

The following example shows how to configure the client timeout to 6000 seconds for WLAN ID 1:


(Cisco Controller) >config wlan session-timeout 1 6000

config wlan uapsd compliant client enable

To enable WPA1, use the config wlan uapsd compliant-client enable command.

Note

This was introduced for Ascom non-wmm capable phones and is not applicable for Cisco 792x/9971 IP phones.

config wlan uapsd compliant-client enablewlan-id

Syntax Description


`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Examples

The following example shows how to enable WPA1:


(Cisco Controller) >config wlan uapsd compliant-client enable 1

Property Type	Property Value	Property Description

config wlan uapsd compliant-client disable

To disable WPA1, use the config wlan uapsd compliant-client disable command.

Note

This was introduced for Ascom non-wmm capable phones and is not applicable for Cisco 792x/9971 IP phones.

config wlan uapsd compliant-client disablewlan-id

Syntax Description


`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

None

Examples

The following example shows how to enable WPA1:


(Cisco Controller) >config wlan uapsd compliant-client disable 1

config wlan usertimeout

To configure the timeout for idle client sessions for a WLAN, use the config wlan usertimeout command.

config wlan usertimeout timeoutwlan_id

Syntax Description


`timeout`	Timeout for idle client sessions for a WLAN. If the client sends traffic less than the threshold, the client is removed on timeout. The range is from 15 to 100000 seconds.
`wlan_id`	Wireless LAN identifier between 1 and 512.

Command Default

The default client session idle timeout is 300 seconds.

Usage Guidelines

The timeout value that you configure here overrides the global timeout that you define using the command config network usertimeout .

Examples

The following example shows how to configure the idle client sessions for a WLAN:

(Cisco Controller) >config wlan usertimeout 100 1

config wlan webauth-exclude

To release the guest user IP address when the web authentication policy time expires and exclude the guest user from acquiring an IP address for three minutes, use the config wlan webauth-exclude command.

config wlan webauth-exclude wlan_id { enable|disable}

Syntax Description


`wlan_id`	Wireless LAN identifier (1 to 512).
enable	Enables web authentication exclusion.
disable	Disables web authentication exclusion.

Command Default

Disabled.

Usage Guidelines

You can use this command for guest WLANs that are configured with web authentication.

This command is applicable when you configure the internal DHCP scope on the controller.

By default, when the web authentication timer expires for a guest user, the guest user can immediately reassociate with the same IP address before another guest user can acquire the IP address. If there are many guest users or limited IP address in the DHCP pool, some guest users might not be able to acquire an IP address.

When you enable this feature on the guest WLAN, the guest user’s IP address is released when the web authentication policy time expires and the guest user is excluded from acquiring an IP address for three minutes. The IP address is available for another guest user to use. After three minutes, the excluded guest user can reassociate and acquire an IP address, if available.

Examples

The following example shows how to enable the web authentication exclusion for WLAN ID 5:


(Cisco Controller) >config wlan webauth-exclude 5 enable

config wlan wifidirect

To configure Wi-Fi Direct Client Policy on a WLAN, use the config wlan wifidirect command.

config wlan wifidirect { allow|disable|not-allow|xconnect-not-allow}wlan_id

Syntax Description


allow	Allows Wi-Fi Direct clients to associate with the WLAN
disable	Ignores the Wi-Fi Direct status of clients thereby allowing Wi-Fi Direct clients to associate
not-allow	Disallows the Wi-Fi Direct clients from associating with the WLAN
xconnect-not-allow	Enables AP to allow a client with the Wi-Fi Direct option enabled to associate, but the client (if it works according to the Wi-Fi standards) will refrain from setting up a peer-to-peer connection
`wlan_id`	Wireless LAN identifier (1 to 16).

Command Default

None

Examples

The following example shows how to allow Wi-Fi Direct Client Policy on WLAN ID 1:


(Cisco Controller) >config wlan wifidirect allow 1

config wlan wmm

To configure Wi-Fi Multimedia (WMM) mode on a wireless LAN, use the config wlan wmm command.

config wlan wmm { allow|disable|require}wlan_id

Syntax Description


allow	Allows WMM on the wireless LAN.
disable	Disables WMM on the wireless LAN.
require	Specifies that clients use WMM on the specified wireless LAN.
`wlan_id`	Wireless LAN identifier (1 to 512).

Command Default

None

Usage Guidelines

When the controller is in Layer 2 mode and WMM is enabled, you must put the access points on a trunk port in order to allow them to join the controller.

Examples

The following example shows how to configure wireless LAN ID 1 to allow WMM:


(Cisco Controller) >config wlan wmm allow 1

The following example shows how to configure wireless LAN ID 1 to specify that clients use WMM:


(Cisco Controller) >config wlan wmm require 1

debug Commands

This section lists the debug commands to manage debugging of WLANs managed by the controller.

Caution

Debug commands are reserved for use only under the direction of Cisco personnel. Do not use these commands without direction from Cisco-certified staff.

debug 11v all

To configure the 802.11v debug options, use the debug 11v all command.

debug 11v all { enable | disable}

Syntax Description


enable	Enables all the debug.
disable	Disables all the debug.

Command Default

None

Examples

The following example shows how to enable all the debug:

(Cisco Controller) >debug 11v all enable

debug 11v detail

To configure the 802.11v debug details, use the debug 11v detail command.

debug 11v detail { enable | disable}

Syntax Description


enable	Enables debug details.
disable	Disables debug details.

Command Default

None

Examples

The following example shows how to enable 802.11v debug details:

(Cisco Controller) >debug 11v detail enable

debug 11v error

To configure the 802.11v error debug options, use the debug 11v errors command.

debug 11v errors { enable | disable}

Syntax Description


enable	Enables error debug.
disable	Disables error debug.

Command Default

None

Examples

The following example shows how to enable 802.11v error debug:

(Cisco Controller) >debug 11v error enable

debug client

To configure the debugging of a passive client that is associated correctly with the access point, use the debug client command.

debug client mac_address

Syntax Description


`mac_address`	MAC address of the client.

Command Default

None

Examples

The following example shows how to debug a passive client with MAC address 00:0d:28:f4:c0:45:

(Cisco Controller) >debug client 00:0d:28:f4:c0:45

debug dhcp

To configure the debugging of DHCP, use the debug dhcp command.

debug dhcp { message|packet} { enable|disable}

Syntax Description


message	Configures the debugging of DHCP error messages.
packet	Configures the debugging of DHCP packets.
enable	Enables the debugging DHCP messages or packets.
disable	Disables the debugging of DHCP messages or packets.

Command Default

None

Examples

The following example shows how to enable the debugging of DHCP messages:

(Cisco Controller) >debug dhcp message enable

debug ft

To configure debugging of 802.11r, use the debug ft command.

debug ft { events|keys} { enable |disable}

Syntax Description


events	Configures debugging of the 802.11r events.
keys	Configures debugging of the 802.11r keys.
enable	Enables debugging of the 802.11r options.
disable	Disables debugging of the 802.11r options.

Command Default

None

Examples

The following example shows how to enable 802.11r debugging:

(Cisco Controller) >debug ft events enable

test Commands

This section lists the test commands for WLANs.

test pmk-cache delete

To delete an entry in the Pairwise Master Key (PMK) cache from all Cisco wireless LAN controllers in the mobility group, use the test pmk-cache delete command.

test pmk-cache delete [ all|mac_address] { local|global}

Syntax Description


all	Deletes PMK cache entries from all Cisco wireless LAN controllers.
`mac_address`	MAC address of the Cisco wireless LAN controller from which PMK cache entries have to be deleted.
local	Deletes PMK cache entries only on this WLC (default)
global	Deletes PMK cache entries, for clients currently connected to this WLC, across the mobility group

Command Default

None

Examples

The following example shows how to delete all entries in the PMK cache:

(Cisco Controller) >test pmk-cache delete all

Cisco Mobility Express Command Reference, Cisco Wireless Release 8.9

Bias-Free Language

Results

Chapter: WLAN Commands

WLAN Commands

show Commands

show advanced fra sensor

Syntax Description

Command Default

Command History

Examples

show client detail

Syntax Description

Command Default

Usage Guidelines

Examples

show client location-calibration summary

Syntax Description

Command Default

Examples

show client probing

Syntax Description

Command Default

Examples

show client roam-history

Command Default

Examples

show client summary

Syntax Description

Command Default

Usage Guidelines

Examples

show client wlan

Syntax Description

Command Default

Examples

show guest-lan

Syntax Description

Command Default

Usage Guidelines

Examples

show pmk-cache

Syntax Description

Command Default

Examples

show rf-profile summary

Syntax Description

Command Default

Examples

show rf-profile details

Syntax Description

Command Default

Examples

show wlan

Syntax Description

Command Default

Usage Guidelines

Examples

config Commands

config 802.11 dtpc

Syntax Description

Command Default

Examples

config advanced fra interval

Syntax Description

Command Default

Command History

config client deauthenticate

Syntax Description

Command Default

Examples

config rf-profile band-select

Syntax Description

Command Default

Usage Guidelines

Examples

config rf-profile client-trap-threshold

Syntax Description

Command Default

Examples