SDA and wireless Part III - understanding AP configurations on the 9800

The configurations pushed to a 9800 WLC (for an AP) can be a little convoluted. This post aims at demystifying that.

At present, the following APs have registered with this WLC:

Let’s consider an AP that has been provisioned already; the following configuration is present under the AP:

Three major things are pushed for the AP – a policy-tag, a rf-tag and a site-tag. We’ll take a look at each of these individually.

A policy-tag essentially ties together a WLAN and a wireless profile policy. As we can see from the above, we have a policy-tag called ‘Test2_aninchat’ called under the AP. This is configured as follows:

You can verify this using the following command:

The WLAN configuration is where you define the SSID, the kind of authentication you want to do for that SSID and so on. This can be confirmed as follows:

As you can see, we’re doing a simple pre-shared key authentication with a password of ‘C1sc0123’ and the SSID is called Test2_aninchat. To quickly look at all WLANs and their associated SSIDs, you can use the command ‘show wlan summary’:

The wireless profile policy is where you define AAA parameters, QoS and netflow policies, an IP pool (from a fabric perspective, a L2 VNID) and so on. This can be confirmed using the following:

The wireless profile for fabric will tell you what L2VNID was mapped to this wireless profile policy:

Thus, at a high level, both the WLAN and wireless profile policy feed into the policy-tag:

The site-tag is used to determine the AP profile that will be used for the APs. A quick summary of all site-tags can be seen using the following command:

We are using ‘default-site-tag-fabric’ for the APs, so let’s look at that in detail (this site tag is created automatically by DNAC once the WLC is provisioned to join the fabric):

As you can see, an AP profile is called within the site-tag. The AP profile can be confirmed as below:

Among other things, the AP profile is where you set login information for your AP as well.

Finally, the RF tag is where you set your RF parameters. A summary of all RF tags can be seen using the following command:

We are using a RF tag of ‘TYPICAL’. You can view this in detail using:

Remember, an un-provisioned AP will not have any of these configurations pushed for it on the WLC. For example, we just brought up another AP in the lab:

This has not been provisioned yet:

Since this is not provisioned, the WLC has no configuration for this AP. Compare this to a provisioned AP, which has all the relevant configuration:

This is why it is very important to verify if these commands were pushed correctly on AP provision. If there is an issue here, then you can see varying problems – clients not working after connecting to this AP, clients having issues roaming to this AP and so on.

We’ve looked at all of this information via the CLI, however, for completeness sake, you can confirm the same via the GUI as follows. Login to the GUI and Configuration -> Tags will give you an overview of all tags (policy, site and rf) created for this WLC:

As you can see, there are tabs for each of the different types of tags. From here, you can click on any of these to fetch more details around this. For example, click on the policy tag ‘Test2_aninchat’ and you get:

This shows you the same information we saw on the CLI – the WLAN and the profile policy associated to this tag. To get details about the profile policy itself, you can go to Configuration -> Policy:

This will list all policies created on the WLC:

From here, you can click on any of the profile policies to get more details around this:

Back under the configuration option, you can go to Configuration -> WLAN to see all WLANs created for the WLC:

From here, you can click on any of the WLANs to get more details around it:

The ‘Security’ tab allows you to see all the security aspects of this WLAN:

This concludes part III of the SDA and wireless series. I hope this was informative!

For any queries, concerns or conversations, please email