B Multi 3e 5700 CG Chapter 01001011


Configuring the Controller for Access Point Discovery

• Finding Feature Information
• Prerequisites for Configuring the Controller for Access Point Discovery
• Restrictions for Configuring the Controller for Access Point Discovery
• Information About Configuring the Controller for Access Point Discovery
• How to Configure Access Point Discovery
• Configuration Examples for Configuring the Controller for Access Point Discovery

Finding Feature Information


Your software release may not support all of the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.

Prerequisites for Configuring the Controller for Access Point Discovery

Caution You should connect APs directly to the Cisco Catalyst 3850 switch ports to use its wireless functionality.

• Ensure that the Control and Provisioning of Wireless Access Points (CAPWAP) UDP ports 5246 and
5247 (similar to the Lightweight Access Point Protocol (LWAPP) UDP ports 12222 and 12223) are
enabled and are not blocked by an intermediate device that could prevent an access point from joining
the controller.
• If access control lists (ACLs) are in the control path between the controller and its access points, you
must open new protocol ports to prevent access points from being stranded.

• If an access point is in the UP state and its IP address changes, the access point tears down the existing
CAPWAP tunnel and rejoins the controller.
• Access points must be discovered by a controller before they can become an active part of the network.
The lightweight access points support the following controller discovery processes:
  • Layer 3 CAPWAP discovery—You can enable this feature on different subnets from the access
  point. This feature uses IP addresses and UDP packets rather than the MAC addresses used by Layer 2
  discovery.
  • Locally stored controller IP address discovery—If the access point was previously associated to a
  controller, the IP addresses of the primary, secondary, and tertiary controllers are stored in the access
  point’s nonvolatile memory. This process of storing controller IP addresses on an access point for
  later deployment is called priming the access point.
  • DHCP server discovery—This feature uses DHCP option 43 to provide controller IP addresses to
  the access points. Cisco switches support a DHCP server option that is typically used for this
  capability.
  • DNS discovery—The access point can discover controllers through your domain name server (DNS).
  You must configure your DNS to return controller IP addresses in response to
  CISCO-CAPWAP-CONTROLLER.localdomain, where localdomain is the access point domain
  name. When an access point receives an IP address and DNS information from a DHCP server, it
  contacts the DNS to resolve CISCO-CAPWAP-CONTROLLER.localdomain. When the DNS sends
  a list of controller IP addresses, the access point sends discovery requests to the controllers.
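
One way to check the ACL prerequisite above offline, as an added example that is not part of the Cisco documentation: a first-match evaluator for IOS extended-ACL entries that reports which CAPWAP port an AP-to-controller flow would lose. The sample ACL, its addresses and the function names are assumptions, and only the eq and range port operators are handled.

```python
import ipaddress

CAPWAP_PORTS = (5246, 5247)  # CAPWAP UDP ports named in the prerequisites

# Constructed sample ACL in IOS extended-ACL entry syntax; all addresses are made up.
SAMPLE_ACL = """\
permit udp 10.10.163.0 0.0.0.255 host 10.10.160.5 eq 5246
deny   udp any any range 5000 5999
permit ip any any
"""

def _addr(tok, ip):
    """Consume one address spec (any | host A | A WILDCARD) and test ip against it."""
    kind = tok.pop(0)
    if kind == "any":
        return True
    if kind == "host":
        return ipaddress.ip_address(tok.pop(0)) == ip
    base, wild = (int(ipaddress.ip_address(t)) for t in (kind, tok.pop(0)))
    return (int(ip) | wild) == (base | wild)   # wildcard bits are "don't care"

def _port(tok, port):
    """Consume an optional port operator (eq N | range LO HI); none means any port."""
    op = tok.pop(0) if tok[:1] in (["eq"], ["range"]) else None
    if op == "eq":
        return int(tok.pop(0)) == port
    if op == "range":
        lo, hi = int(tok.pop(0)), int(tok.pop(0))
        return lo <= port <= hi
    return True

def first_match(acl, src, dst, dport, sport=49152):
    """Action of the first entry matching this UDP flow; IOS ends with implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] not in ("ip", "udp"):
            continue                      # remarks and other protocols cannot match
        action, proto = tok.pop(0), tok.pop(0)
        udp = proto == "udp"              # only udp entries may carry port operators
        hit = [_addr(tok, src), not udp or _port(tok, sport),
               _addr(tok, dst), not udp or _port(tok, dport)]
        if all(hit):
            return action
    return "deny"

def blocked_capwap_ports(acl, ap_ip, controller_ip):
    """CAPWAP ports that the ACL would not permit from the AP to the controller."""
    return [p for p in CAPWAP_PORTS if first_match(acl, ap_ip, controller_ip, p) != "permit"]
```

With the sample ACL, port 5246 is permitted by the first entry, while 5247 falls through to the broad deny range before the final permit.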

Restrictions for Configuring the Controller for Access Point Discovery

• Ensure that the controllers are configured with the correct date and time. If the date and time configured
on the controller precede the creation and installation date of certificates on the access points, the access
point fails to join the controller.
• During the discovery process, access points that are supported by the Cisco controller, such as the 1140,
1260, 3500, 1040, 1600, 2600, or 3600, query only for Cisco controllers.
• Do not configure the same VLAN for both wireless management and wireless clients.

Information About Configuring the Controller for Access Point Discovery

In a CAPWAP environment, a lightweight access point discovers a controller by using CAPWAP discovery
mechanisms and then sends a CAPWAP join request to the controller. The controller sends a CAPWAP join
response to the access point that allows the access point to join the controller. When the access point joins
the controller, the controller manages its configuration, firmware, control transactions, and data transactions.

Access Point Communication Protocols


Cisco lightweight access points use the IETF standard CAPWAP to communicate with the controller and
other lightweight access points on the network.
CAPWAP, which is based on LWAPP, is a standard, interoperable protocol that enables a controller to manage
a collection of wireless access points. CAPWAP is implemented in the controller for these reasons:
• To provide an upgrade path from Cisco products that use LWAPP to next-generation Cisco products that
use CAPWAP
• To manage RFID readers and similar devices
• To enable controllers to interoperate with third-party access points in the future

Viewing Access Point Join Information


Join statistics for an access point that sends a CAPWAP discovery request to the controller at least once are
maintained on the controller even if the access point is rebooted or disconnected. These statistics are removed
only when the controller is rebooted or when you choose to clear the statistics.

Troubleshooting the Access Point Join Process


Access points can fail to join a controller for many reasons, such as a pending RADIUS authorization,
self-signed certificates not being enabled on the controller, a mismatch between the access point’s and the
controller’s regulatory domains, and so on.
You can configure the access points to send all CAPWAP-related errors to a syslog server. You do not need
to enable any debug commands on the controller because all of the CAPWAP error messages can be viewed
from the syslog server itself.
The state of the access point is not maintained on the controller until it receives a CAPWAP join request from
the access point, so it can be difficult to determine why the CAPWAP discovery request from a certain access
point was rejected. In order to troubleshoot such joining issues without enabling CAPWAP debug commands
on the controller, the controller collects information for all access points that send a discovery message to this
controller and maintains information for any access points that have successfully joined this controller.
The controller collects all join-related information for each access point that sends a CAPWAP discovery
request to the controller. Collection begins when the first discovery message is received from the access point
and ends when the last configuration payload is sent from the controller to the access point.
When the controller is maintaining join-related information for the maximum number of access points, it does
not collect information for any more access points.
You can also configure a DHCP server to return a syslog server IP address to the access point using option 7
on the server. The access point then starts sending all syslog messages to this IP address.
If the access point is not connected to the controller, you can configure the syslog server IP address through
the access point CLI by entering the capwap ap log-server syslog_server_IP_address command.
When the access point joins a controller for the first time, the controller pushes the global syslog server IP
address (the default is 255.255.255.255) to the access point. After that, the access point sends all syslog
messages to this IP address, until it is overridden by one of the following scenarios:

• The access point is still connected to the same controller, and you changed the global syslog server IP
address configuration on the controller by using the ap syslog host Syslog_Server_IP_Address
command. In this case, the controller pushes the new global syslog server IP address to the access point.
• The access point is still connected to the same controller, and you configured a specific syslog server IP
address for the access point on the controller by using the ap name Cisco_AP syslog host
Syslog_Host_IP_Address command. In this case, the controller pushes the new specific syslog server IP
address to the access point.
• The access point gets disconnected from the controller, and you configured the syslog server IP address
from the access point CLI by using the capwap ap log-server syslog_server_IP_address command.
This command works only if the access point is not connected to any controller.
• The access point gets disconnected from the controller and joins another controller. In this case, the new
controller pushes its global syslog server IP address to the access point.

Whenever a new syslog server IP address overrides the existing syslog server IP address, the old address is
erased from persistent storage, and the new address is stored in its place. The access point also starts sending
all syslog messages to the new IP address, if the access point can reach the syslog server IP address.

How to Configure Access Point Discovery


Configuring the Syslog Server for Access Points (CLI)
SUMMARY STEPS
1. show ap config global
2. show ap name Cisco_AP config general

DETAILED STEPS

Step 1
Command or Action: show ap config global
Purpose: Displays the global syslog server settings for all access points that join the controller.
Example:
Controller# show ap config global

Step 2
Command or Action: show ap name Cisco_AP config general
Purpose: Displays the syslog server settings for a specific access point.
Example:
Controller# show ap name AP03 config general

Monitoring Access Point Join Information (CLI)

Note The procedure to perform this task using the controller GUI is not currently available.

SUMMARY STEPS
1. enable
2. show ap join stats summary
3. show ap mac-address mac_address join stats summary
4. show ap mac-address mac_address join stats detailed
5. clear ap join statistics

DETAILED STEPS

Step 1
Command or Action: enable
Purpose: Enters privileged EXEC mode.
Example:
Controller# enable

Step 2
Command or Action: show ap join stats summary
Purpose: Displays the MAC addresses of all the access points that are joined to the controller or that have tried to join.
Example:
Controller# show ap join stats summary

Step 3
Command or Action: show ap mac-address mac_address join stats summary
Purpose: Displays all the statistics for the AP including the last join error detail.
Example:
Controller# show ap mac-address 000.2000.0400 join stats summary

Step 4
Command or Action: show ap mac-address mac_address join stats detailed
Purpose: Displays all join-related statistics collected for a specific access point.
Example:
Controller# show ap mac-address 000.2000.0400 join stats detailed

Step 5
Command or Action: clear ap join statistics
Purpose: Clears the join statistics for all access points.
Example:
Controller# clear ap join statistics
Note To clear the join statistics that correspond to specific access points, enter the clear ap mac-address mac_address join statistics command.

Related Topics
Displaying the MAC Addresses of all Access Points: Example
DHCP Option 43 for Lightweight Cisco Aironet Access Points Configuration Example

Configuration Examples for Configuring the Controller for Access Point Discovery

Displaying the MAC Addresses of all Access Points: Example
This example shows how to display MAC addresses of all the access points that are joined to the controller:
Controller# show ap join stats summary
Number of APs.......................................... 4

Base Mac          EthernetMac       AP Name IP Address    Status
----------------- ----------------- ------- ------------- ----------
00:0b:85:57:bc:c0 00:0b:85:57:bc:c0 AP1130  10.10.163.217 Joined
00:1c:0f:81:db:80 00:1c:63:23:ac:a0 AP1140  10.10.163.216 Not joined
00:1c:0f:81:fc:20 00:1b:d5:9f:7d:b2 AP1     10.10.163.215 Joined
00:21:1b:ea:36:60 00:0c:d4:8a:6b:c1 AP2     10.10.163.214 Not joined

This example shows how to display the last join error details for a specific access point:
Controller# show ap mac-address 000.2000.0400 join stats summary
Is the AP currently connected to controller................ Yes
Time at which the AP joined this
controller last time................................. Aug 21 12:50:36.061
Type of error
that occurred last.................. AP got or has been disconnected
Reason for error
that occurred last........... The AP has been reset by the controller
Time at which the last join error occurred......... Aug 21 12:50:34.374

This example shows how to display all join-related statistics collected for a specific access point:
Controller# show ap mac-address 000.2000.0400 join stats detailed
Discovery phase statistics
- Discovery requests received........................ 2
- Successful discovery responses sent................ 2
- Unsuccessful discovery request processing.......... 0
- Reason for last unsuccessful discovery attempt..... Not applicable
- Time at last successful discovery attempt.......... Aug 21 12:50:23.335
- Time at last unsuccessful discovery attempt........ Not applicable

Join phase statistics


- Join requests received............................. 1
- Successful join responses sent..................... 1
- Unsuccessful join request processing............... 1
- Reason for last unsuccessful join attempt..... RADIUS authorization
is pending
for the AP
- Time at last successful join attempt............... Aug 21 12:50:34.481
- Time at last unsuccessful join attempt............. Aug 21 12:50:34.374

Configuration phase statistics


- Configuration requests received..................... 1
- Successful configuration responses sent............. 1
- Unsuccessful configuration request processing....... 0
- Reason for last unsuccessful configuration attempt.. Not applicable
- Time at last successful configuration attempt....... Aug 21 12:50:34.374
- Time at last unsuccessful configuration attempt..... Not applicable

Last AP message decryption failure details

- Reason for last message decryption failure.......... Not applicable

Last AP disconnect details


- Reason for last AP connection failure............... The AP has been reset by
the controller
Last join error summary
- Type of error that occurred last.................... AP got or has been
disconnected
- Reason for error that occurred last................. The AP has been reset
by the controller
- Time at which the last join error occurred.......... Aug 21 12:50:34.374
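
An added example, not part of the Cisco documentation, that turns the join statistics outputs shown above into a triage list: access points that tried to join but are not joined, and each phase with unsuccessful attempts together with its last reason. The sample text is constructed from the outputs above; the function names and the indentation of wrapped value lines are assumptions.

```python
import re

# Constructed samples modelled on the outputs above. Assumption: the device
# indents wrapped value lines (that indentation is lost in the text above).
SUMMARY = """\
Base Mac          EthernetMac       AP Name IP Address    Status
----------------- ----------------- ------- ------------- ----------
00:0b:85:57:bc:c0 00:0b:85:57:bc:c0 AP1130  10.10.163.217 Joined
00:1c:0f:81:db:80 00:1c:63:23:ac:a0 AP1140  10.10.163.216 Not joined
"""
DETAILED = """\
Discovery phase statistics
- Unsuccessful discovery request processing.......... 0
Join phase statistics
- Unsuccessful join request processing............... 1
- Reason for last unsuccessful join attempt..... RADIUS authorization
                                                 is pending
                                                 for the AP
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
ROW = re.compile(rf"({MAC})\s+({MAC})\s+(\S+)\s+([\d.]+)\s+(.+?)\s*$", re.I)
FIELD = re.compile(r"\s*-\s+(.+?)\.{2,}\s*(.*)$")   # "- name....... value"

def not_joined(summary):
    """(base MAC, AP name) of each AP listed with a status other than Joined."""
    rows = (ROW.match(line) for line in summary.splitlines())
    return [(m[1].lower(), m[3]) for m in rows if m and m[5].lower() != "joined"]

def parse_detailed(text):
    """Return {phase: {field: value}}, re-joining indented wrapped values."""
    phases, fields, last = {}, {}, None   # fields seen before any phase are dropped
    for line in text.splitlines():
        if m := FIELD.match(line):
            last = m[1]
            fields[last] = m[2].strip()
        elif line[:1].isspace() and last:       # continuation of a wrapped value
            fields[last] += " " + line.strip()
        elif line.strip():                      # unindented text starts a phase
            fields, last = phases.setdefault(line.strip(), {}), None
    return phases

def join_failures(phases):
    """Yield (phase, count, reason) for each phase with unsuccessful attempts."""
    for phase, f in phases.items():
        count = sum(int(v) for k, v in f.items() if k.startswith("Unsuccessful"))
        if count:
            reason = " ".join(v for k, v in f.items() if k.startswith("Reason for last"))
            yield phase, count, reason
```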

DHCP Option 43 for Lightweight Cisco Aironet Access Points Configuration Example

For more information about the AP join process, see DHCP OPTION 43 for Lightweight Cisco Aironet Access
Points Configuration Example.
