Downgrading LWAPP to Autonomous with WLC

In a previous article I described restoring an LWAPP AP to autonomous mode, but it’s also possible from the WLC if you have access to it.

(Cisco Controller) >config ap tftp-downgrade c1250-k9w7-tar.124-21a.JA1.tar L1252-1
You won’t see anything on the WLC, but on the AP you can see:

examining image…
Loading c1250-k9w7-tar.124-21a.JA1.tar from (via GigabitEthernet0): !
extracting info (287 bytes)
Image info:
Version Suffix: k9w7-.124-21a.JA1
Image Name: c1250-k9w7-mx.124-21a.JA1
Version Directory: c1250-k9w7-mx.124-21a.JA1
Ios Image Size: 5693952
Total Image Size: 6431232
Image Feature: WIRELESS LAN
Image Family: C1250
Wireless Switch Management Version:
Extracting files…

Wireless Guest Access

There is some good documentation about configuring Guest Access for two controllers, so I won’t explain it.

Once you know that the first WLC (Foreign) points to the second WLC (Anchor), and that the anchor controls everything, it’s easy.

Here are some screenshots :

AP Authentication / MAC

When you do AP Authentication with the ACS, there are different ways to present the MAC of the AP to the ACS.

You can configure it at :

When you play with the settings, you’ll see the different kinds of formats at the ACS:

If you’re creating a user, make sure that the format is exactly the same.
Password is the same as the username…

Option 7 at IOS DHCP

Of course you want all logging to go to a syslog server. (It’s also a Cisco recommendation. See the WLC Config Guide.)
You can configure an IOS DHCP scope like:

ip dhcp exclude
ip dhcp pool VLAN1
network /24
option 7 ip
option 43 hex f1040a0a0a0a

In my own lab option 7 wasn’t working!
I had tested the WLC with versions 4.2.130 and 4.2.176.

Then I saw :
%LWAPP-3-CLIENTEVENTLOG: Did not get any DNS options from DHCP.
That’s not good..

After changing it to 4.2.209, option 7 is working and you’ll see at the LWAPP:

%LWAPP-3-CLIENTEVENTLOG: Got log server settings( from DHCP.
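The option 43 value in the scope above is a small TLV: type f1, a length byte equal to four times the number of controllers, then the controller IPv4 addresses. The following Python is an added example, not part of the original post, that decodes and builds this value so it can be checked before it goes into a pool; the function names are illustrative.

```python
import ipaddress

WLC_SUBOPTION = 0xF1  # sub-option type used for the controller address list


def decode_option43(hex_value):
    """Return the controller IPs carried in an 'option 43 hex' string."""
    # IOS shows the value with dots (f104.0a0a.0a0a); accept that form too.
    cleaned = hex_value.replace(".", "").replace(":", "").replace(" ", "")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"not valid hex: {hex_value!r}") from exc
    if len(raw) < 2:
        raise ValueError("too short to hold a type and a length byte")
    sub_type, length, value = raw[0], raw[1], raw[2:]
    if sub_type != WLC_SUBOPTION:
        raise ValueError(f"type is {sub_type:#04x}, expected 0xf1")
    if length != len(value):
        raise ValueError(f"length byte says {length}, value has {len(value)} bytes")
    if length == 0 or length % 4:
        raise ValueError("length must be a non-zero multiple of 4 (one IPv4 each)")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


def encode_option43(controllers):
    """Build the hex string for a list of controller management IPs."""
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    if not packed:
        raise ValueError("at least one controller address is required")
    if len(packed) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([WLC_SUBOPTION, len(packed)]).hex() + packed.hex()


if __name__ == "__main__":
    # Value taken from the DHCP scope shown above.
    print(decode_option43("f1040a0a0a0a"))
    # Constructed two-controller sample.
    print(encode_option43(["10.10.10.10", "192.168.1.5"]))
```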


There is a TFTP server by default on the WCS server, which I use a lot.

When you do a restore of the WCS server with no controller configured, the TFTP server isn’t working.
You need to add at least one controller before the TFTP service is active (it’s a WCS service and not a Windows service, so you can’t start it manually).

Then you can upload/download files from the WCS TFTP Service.

AP Groups

When your SSID domain is so large that it will span multiple VLANs, you can use AP Groups.

First configure the needed interfaces.

Create an AP Group with the correct VLAN Mappings.

Configure the AP to use this AP Group.

Reset the AP.

Test the config and you’ll see it’s working.

Rogue Detection

To detect rogue access points, make sure the APs are in monitor or local mode.

The Protection Type should be AP Authentication.

(See WLC Config Guide Page 453)