CWSP RELEASE DATE 2/08/2010
  • CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204
    by David D. Coleman, David A. Westcott, Bryan E. Harkins, Shawn M. Jackman

    Shawn Jackman (Jack) CWNE#54 is a personal friend and has been a mentor to me for many years.  I've had the pleasure and opportunity to work with Jack for 4 years. Jack is a great teacher who takes complex 802.11 standards and breaks them down so almost anyone can understand the concept at hand. I'm excited for you brother. Great job and job well done! Put another notch in the belt!

Friday, Jul 02 2010

WLC: Carrier Busy Test

  

** UPDATE:  Carrier Busy is also enabled on a CAPWAP / LWAPP AP **

Back in the day when I couldn't afford a spectrum or packet analyzer I would often use the next best free thing available. It's called the "carrier busy" test; it's built into the Cisco Autonomous Access Point and can also be used from a CAPWAP / LWAPP Access Point.

The carrier busy test lets you see what is going on in an environment from 50,000 feet, but that's about where it ends. It doesn't give the detail a professional analyzer provides. You can combine it with other commands, such as frame retry counters, to help interpret the "carrier busy" numbers.

Needless to say, it's a fun command, and if you don't have the proper tools it could help you in a pinch. If you do outdoor bridges, you may already use this command to assist with channel assignment.

What is "Carrier Busy"?

On a Cisco autonomous access point you can run a command called 'carrier busy'. The AP shuts down the respective radio interface, scans all of that radio's channels, and reports back a percentage of channel activity per channel. The channel activity collected includes both 802.11 traffic and interference, also sometimes called RFI (Radio Frequency Interference).

In other words, 802.11 traffic and any interference present are folded together into a single percentage for each channel. Things to note: when you run the carrier busy test the radio does a shut, and all associated clients lose connectivity for 5 - 8 seconds during the test. After the test the radio does a no shut on itself and returns to production, allowing clients to associate again.

I have not found any detailed documentation stating exactly how the access point computes these values. If you have any info please do share!

Autonomous Command for "Carrier Busy"

If your access point has both 802.11g <dot11Radio 0> and 802.11a <dot11Radio 1> radios you can run the busy test on either the 2.4 GHz or the 5 GHz spectrum.

ap#dot11 <Radio Interface> carrier busy

ap#show dot11 carrier busy

802.11g = dot11Radio 0
802.11a = dot11Radio 1

ap#dot11 dot11Radio 0 carrier busy

 

WLC: CAPWAP / LWAPP Command for "Carrier Busy"

wlc-ap#debug dot11 <Radio Interface> carrier busy

802.11g = dot11Radio 0
802.11a = dot11Radio 1

wlc-ap#debug dot11 dot11Radio 0 carrier busy


Example # 1 - Carrier Busy (Normal)

In this example a neighboring access point on channel 11 is only sending management frames.

ap#dot11 dot11Radio 0 carrier busy

*Mar  2 09:07:33.173: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar  2 09:07:34.173: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down

Frequency  Carrier Busy %
---------  --------------
2412          0
2417          3
2422          0
2427          0
2432          0
2437          0
2442          0
2447          4
2452          5
2457          2
2462          5

*Mar  2 09:07:38.695: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  2 09:07:39.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

 

Example # 2 - Carrier Busy (Microwave)

I introduced a microwave oven into the mix. You can see there is a significant increase in channel activity from 2447 - 2462.

ap#dot11 dot11Radio 0 carrier busy

*Mar  2 09:05:52.664: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar  2 09:05:53.664: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down

Frequency  Carrier Busy %
---------  --------------
2412          1
2417          7
2422          5
2427          1
2432          11
2437          13
2442          10
2447          31
2452          36
2457          42
2462          45

*Mar  2 09:05:58.186: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  2 09:05:59.186: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

ap#

 

Example # 3 - Carrier Busy (ISO Download)

In this example I introduced 2 laptops and conducted an ISO download for the purpose of creating 802.11 traffic.

ap#dot11 dot11Radio 0 carrier busy

*Mar  2 09:07:33.173: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar  2 09:07:34.173: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down

Frequency  Carrier Busy %
---------  --------------
2412          0
2417          3
2422          0
2427          0
2432          0
2437          0
2442          3
2447          9
2452          19
2457          21
2462          23

*Mar  2 09:07:38.695: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  2 09:07:39.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

Conclusion

If you don't have tools and you are in a pinch, the carrier busy test may be a tool you find helpful. Keep in mind, you will need to incorporate other commands to interpret the carrier busy results.
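One way to turn the raw output into something you can act on, as an added example that is not part of the original post: a small Python script that parses the carrier busy table, maps each centre frequency to its 2.4 GHz channel number, flags channels at or over a busy threshold, and shows the per-channel rise against a baseline run. The two embedded tables are the Example 1 and Example 2 readings from this post; the 30% threshold is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the "Example # 2 - Carrier Busy (Microwave)" output from the post.
# Prompt and syslog lines are left in to show they are ignored by the parser.
SAMPLE_MICROWAVE = """\
ap#dot11 dot11Radio 0 carrier busy

*Mar  2 09:05:52.664: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset

Frequency  Carrier Busy %
---------  --------------
2412          1
2417          7
2422          5
2427          1
2432          11
2437          13
2442          10
2447          31
2452          36
2457          42
2462          45

*Mar  2 09:05:58.186: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
"""

# Constructed baseline: the "Example # 1 - Carrier Busy (Normal)" table from the post.
SAMPLE_BASELINE = """\
Frequency  Carrier Busy %
---------  --------------
2412          0
2417          3
2422          0
2427          0
2432          0
2437          0
2442          0
2447          4
2452          5
2457          2
2462          5
"""

# A data row is a 4-digit centre frequency followed by a percentage; nothing else matches.
ROW_RE = re.compile(r"^\s*(\d{4})\s+(\d{1,3})\s*$")


def parse_carrier_busy(output: str) -> Dict[int, int]:
    """Return {centre_frequency_MHz: busy_percent} from raw 'carrier busy' output."""
    readings: Dict[int, int] = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            readings[int(m.group(1))] = int(m.group(2))
    return readings


def channel_for(freq_mhz: int) -> int:
    """2.4 GHz channel number for a centre frequency (2412 = ch 1, 5 MHz spacing, 2484 = ch 14)."""
    if freq_mhz == 2484:
        return 14
    return (freq_mhz - 2407) // 5


def busy_channels(readings: Dict[int, int], threshold: int) -> List[Tuple[int, int]]:
    """(channel, busy %) pairs at or above threshold, busiest first."""
    hits = [(channel_for(f), pct) for f, pct in readings.items() if pct >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def compare(baseline: Dict[int, int], sample: Dict[int, int]) -> Dict[int, int]:
    """Per-channel rise in busy % relative to a baseline run; a missing baseline channel counts as 0."""
    return {channel_for(f): pct - baseline.get(f, 0) for f, pct in sample.items()}


if __name__ == "__main__":
    mw = parse_carrier_busy(SAMPLE_MICROWAVE)
    base = parse_carrier_busy(SAMPLE_BASELINE)
    print("Channels >= 30% busy:", busy_channels(mw, 30))
    print("Rise vs baseline by channel:", compare(base, mw))
```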

 

Sunday, May 09 2010

WLC: Configuring Fast SSID Changing

So when you jump between different SSIDs on your WLC, do you notice a delay before you connect to the new SSID? If you answered YES... do you have fast SSID changing enabled?

When fast SSID changing is enabled, the controller allows clients to move between SSIDs quicker. When the client sends a new association for a different SSID, the client entry in the controller connection table is cleared before the client is added to the new SSID.

When fast SSID changing is disabled, the controller enforces a delay before clients are allowed to move to a new SSID.

 

Keep in mind this is a global setting.

 

CLI COMMAND:

config network fast-ssid-change {enable | disable}

 

GUI COMMAND:

Step 1 Choose Controller to open the General page.
Step 2 From the Fast SSID Change drop-down box, choose Enabled to enable this feature or Disabled to disable it. The default value is disabled.
Step 3 Click Apply to commit your changes.
Step 4 Click Save Configuration to save your changes.

 

Saturday, Mar 06 2010

Cisco Output Interpreter - New this month: Wireless LAN Controller - show & debug commands

I wanted to share this in case you may have a use for it. I've used it in the past; it's a little hit or miss on what is supported and how the code is sometimes read. It was recently updated to support the Cisco WLC's show & debug commands.

Output Interpreter is a troubleshooting tool that reports potential problems by analyzing supported "show" command output. Output Interpreter supports various "show" command output from your router, switch, PIX/ASA firewall, IOS® wireless access point, or Meeting Place Platform.

The Output Interpreter continues to support new features to better serve you. This month's list of new features includes support for GOLD diagnostics and other outputs, including:

  • Cisco 12000 IOS XR Firmware, Hardware and Software Readiness Assessment (Up to version 3.8)
  • Wireless LAN Controller - show & debug commands
  • GOLD diagnostics - show diagnostic result
  • ASA Commands - show tech-support, show running-config

 

https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl 

Wednesday, Feb 24 2010

WLC: Show run-config [no-ap]

If you ever did a show run-config on a WLC with 100 access points then you know where I am going!

show run-config [no-ap] omits the access point information. Why is this important? Well, suppose you have a WiSM with 150 access points joined to a controller: do you want to scroll through 400 pages of AP configs when you only want to see the controller's run-config? BINGO!

 

(Cisco_2006_WLC) >show run-config ?

[no-ap]        Display running configuration of controller without AP configuration

 


Thursday, Feb 11 2010

WLC - Cisco LWAPP/CAPWAP QoS Tagging Slide

In coming weeks I will share with you a number of QoS labs with LWAPP/CAPWAP and autonomous access points and controllers. In advance to that, I wanted to share this LWAPP/CAPWAP QoS Tagging slide. 

This slide comes from the config guide. 

 

Tuesday, Feb 09 2010

WLC - Did you know the Cisco WiSM doesn't support CDP!?

Did you know that the Cisco WiSM doesn't support CDP (Cisco Discovery Protocol)? Odd, isn't it? But it doesn't.

CDP is not supported on the controllers that are integrated into Cisco switches and routers, including those in the Catalyst 3750G Integrated Wireless LAN Controller Switch, the Cisco WiSM, and the Cisco 28/37/38xx Series Integrated Services Router. However, you can use the show ap cdp neighbors detail {Cisco_AP | all} command on these controllers in order to see the list of CDP neighbors for the access points that are connected to the controller. - (Cisco 6.0 Config Guide)

What this means is that if you run show cdp neighbors on the Catalyst that houses the WiSM, you won't see the WiSMs as neighbors. Here is an example from a Catalyst with two WiSMs installed:

6509#show cdp neighbors

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
6509LAB1         Gig 1/1            166         R S I     6504LAB  Gig 1/1
6509LAB2         Gig 1/2            150         R S I     6504LAB  Gig 1/2

 

The way to see the WiSMs is with the show module command. See below:

6509#show module

Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       XXXXXXXXXX
  2   16  SFM-capable 16 port 10/100/1000mb RJ45 WS-X6516-GE-TX     XXXXXXXXXX
  3   10  WiSM WLAN Service Module               WS-SVC-WISM-1-K9   XXXXXXXX
  4   10  WiSM WLAN Service Module               WS-SVC-WISM-1-K9   XXXXXXXX

 

Wednesday, Jan 27 2010

WLC - Configure Administrator User Names and Passwords in CLI

How to add / delete /change a user in the WLC via the CLI and apply your permissions.

 

To add a new user with READ-ONLY or READ-WRITE permissions, first drop into the CLI of the WLC, then lead with the following:

CONFIG MGMTUSER  <ADD> <USERNAME> <PASSWORD> <READ-WRITE or READ-ONLY>

You have other options such as delete, description, and password.

(Cisco-2006) >config mgmtuser ?

add            Creates a local management user.
delete         Delete an existing management user.
description    Sets the description for a management user.
password       Configures a password for a management user.

 

When you add a user you have 3 permissions:

(Cisco-2006) >config mgmtuser add username password ?

read-write      Creates a management user with read-write access.
read-only        Creates a management user with read-only access.
lobby-admin     Creates a management user with lobby ambassador privileges.

 

If you need to change the password of an existing user lead with the following:

CONFIG MGMTUSER <PASSWORD> <USERNAME> <PASSWORD>


To display your existing users use the show mgmtuser command:

 

(Cisco-2006) >show mgmtuser
User Name                 Permissions    Description
-----------------------   ------------   --------------------------------
cisco                     read-write
george                    read-write
lobby                     lobby-admin


NOTE -- User Names and Passwords are CASE SENSITIVE

 

Friday, Jan 22 2010

WLC How to enable webmode (HTTP) or secureweb (HTTPS)

Enabling / Disabling HTTP or HTTPS on a Cisco WLC is simple. Keep in mind, if you enable/disable HTTPS you need to do a WLC reboot (ouch for you change control folks!). 

Enable HTTP 
(Cisco-2006) >config network webmode enable

DISABLE HTTP
(Cisco-2006) >config network webmode disable

ENABLE HTTPS
(Cisco-2006) >config network secureweb enable
You must reboot for the change to take effect.

DISABLE HTTPS
(Cisco-2006) >config network secureweb disable
You must reboot for the change to take effect.


SHOW WEB MODE STATUS
(Cisco-2006) >show network summary
RF-Network Name............................. test
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Enable
Secure Shell (ssh).......................... Enable
Telnet...................................... Enable
Ethernet Multicast Mode..................... Disable   Mode: Mcast  0.0.0.0
Ethernet Broadcast Mode..................... Disable
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
User Idle Timeout........................... 300 seconds
ARP Idle Timeout............................ 300 seconds
ARP Unicast Mode............................ Disabled
Cisco AP Default Master..................... Disable
Mgmt Via Wireless Interface................. Enable
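Since this one screen lists every management-plane setting, it is a handy thing to audit. The following Python script is an added example (not from the original post): it parses the show network summary output quoted above and reports the settings a security review would flag, such as plain HTTP, Telnet, SSLv2 and management over the wireless interface. The webmode and secureweb fix commands are the ones shown above; the other remediation commands in the RULES table are assumed WLC CLI equivalents.

```python
import re
from typing import Dict, List

# Constructed sample: the 'show network summary' output quoted in the post.
SAMPLE_SUMMARY = """\
(Cisco-2006) >show network summary
RF-Network Name............................. test
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Enable
Secure Shell (ssh).......................... Enable
Telnet...................................... Enable
Ethernet Multicast Mode..................... Disable   Mode: Mcast  0.0.0.0
Ethernet Broadcast Mode..................... Disable
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
User Idle Timeout........................... 300 seconds
ARP Idle Timeout............................ 300 seconds
ARP Unicast Mode............................ Disabled
Cisco AP Default Master..................... Disable
Mgmt Via Wireless Interface................. Enable
"""

# "Key.......... Value": the key is everything before the first run of dots.
LINE_RE = re.compile(r"^(?P<key>[^.]+?)\.{2,}\s*(?P<value>.*)$")

# (setting, state that is a finding, why it matters, remediation command).
# webmode/secureweb commands come from the post; the rest are assumed WLC CLI equivalents.
RULES = [
    ("Web Mode", "enable", "plain-HTTP management enabled",
     "config network webmode disable"),
    ("Secure Web Mode", "disable", "HTTPS management disabled",
     "config network secureweb enable"),
    ("Secure Web Mode Cipher-Option High", "disable", "strong-cipher-only option is off",
     "config network secureweb cipher-option high enable"),
    ("Secure Web Mode Cipher-Option SSLv2", "enable", "SSLv2 accepted for HTTPS",
     "config network secureweb cipher-option sslv2 disable"),
    ("Telnet", "enable", "cleartext Telnet management enabled",
     "config network telnet disable"),
    ("Mgmt Via Wireless Interface", "enable", "management reachable from wireless clients",
     "config network mgmt-via-wireless disable"),
]


def parse_network_summary(output: str) -> Dict[str, str]:
    """Map each dotted 'Key....... Value' line to its raw value string."""
    settings: Dict[str, str] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group("key").strip()] = m.group("value").strip()
    return settings


def state_of(value: str) -> str:
    """Normalise 'Enable', 'Enabled', 'Disable   Mode: ...' to 'enable' / 'disable'."""
    first = value.split()[0].lower() if value.strip() else ""
    return first[:-1] if first.endswith("d") else first


def audit(output: str) -> List[str]:
    """Return one finding per rule whose setting is in the flagged state."""
    settings = parse_network_summary(output)
    findings: List[str] = []
    for key, bad_state, why, fix in RULES:
        if key in settings and state_of(settings[key]) == bad_state:
            findings.append(f"{key}: {why} (fix: {fix})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUMMARY):
        print(finding)
```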


Thursday, Jan 21 2010

WLC Change Command Prompt

You may already be very familiar with changing the host / prompt name of a Cisco Router or Switch. Config T --> hostname --> abc123


The CLI command in Airespace OS to change the command prompt is ---  Config --> Prompt --> abc123
Example –
(WiSM-slot3-1) >config prompt ?
<prompt>       Enter system prompt up to 64 case sensitive characters

 
** NOTE ** My WLC is running 6.0.188.0. On that code, "config prompt ?" states: "<prompt>       Enter system prompt up to 64 case sensitive characters."

HOWEVER, if you read the 6.0 Config Guide, page 2-24 states: "The system prompt can be any alphanumeric string up to 31 characters. You can change it by entering the config prompt command."

Personally, I don't think I have ever had a switch/router name longer than 15 or 18 characters.

I tested it and you can go up to 64 !
(1111111111111111111111111111111111111111111111111111111111111111) >config prompt 1111111111111111111111111111111111111111111111111111111111111111a
Input is too long!
(1111111111111111111111111111111111111111111111111111111111111111) >config prompt 1111111111111111111111111111111111111111111111111111111111111111

 

Saturday, Jan 02 2010

WLC Disable Wireless Client (CLIENT EXCLUSION)

There can be countless reasons why you may want to block a wireless client from accessing the WLAN. One real world scenario happened a few months back when I was contacted by a customer whose enterprise had just been hit with a virus. As they quarantined and identified infected hosts they could not account for 50+ wireless clients, which were infected and online.

As they cleaned infected machines, these machines became infected again because of those 50+ devices. They needed a way to disable them from the WLAN, but didn't have time to locate the 50+ devices, nor did they know their exact location. Here is how to disable clients, blocking their access to the WLAN.

NOTE: WHEN A CLIENT IS ON THE EXCLUSION LIST, THE WLC IGNORES PROBE REQUESTS FROM THE CLIENT. SEE DEBUG BELOW.


CONFIG CLIENT EXCLUSION

(Cisco Controller) >config exclusionlist ?
add            Creates a local exclusion-list entry
delete         Deletes a local exclusion-list entry
description    Sets the description for an exclusion-list entry

(Cisco Controller) >config exclusionlist add 00:25:d3:8b:00:13

REMOVE CLIENT EXCLUSION (ALLOWS CLIENT ACCESS TO WLAN)

(Cisco Controller) >config exclusionlist delete 00:25:d3:8b:00:13

DEBUG CLIENT WHILE EXCLUDED

NOTE: THE WLC IS IGNORING THE CLIENTS PROBE REQUEST


(Cisco Controller) >debug client 00:25:d3:8b:00:13
Fri Jan  1 17:57:04 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:08 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:09 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:12 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:13 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:17 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:21 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:22 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:25 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:26 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:27 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:29 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:29 2010: 00:25:d3:8b:00:13 Association request(2): Exclusion-listed!!

Wednesday, Dec 30 2009

WLC "DHCP Address Assignment Required" Option 

DHCP address assignment required is one of those check boxes that make you go "huh" while you scratch your head, if you don't know how it works. Cisco's best practice for voice is to disable this feature. However, keep in mind that if DHCP Addr. Assignment Required is selected, clients must obtain an IP address via DHCP. Any client with a static IP address is not allowed on the network.


The DHCP Required option in WLAN settings allows you to force clients to do a DHCP address request/renew every time they associate to the WLAN before they are allowed to send or receive other traffic to the network.
 
From a security standpoint, this allows stricter control of the IP addresses in use, but it can also add to the total time a roam takes before traffic is allowed to pass again.
 
Additionally, this might affect some client implementations which do not do a DHCP renew until the lease time expires. For example, Cisco 7920, 7921 and 7925 phones might have voice problems while they roam if this option is enabled, as the controller does not allow voice or signaling traffic to pass until the DHCP phase is completed.
 
Some third-party print servers might also be affected. In general, it is a good idea not to use this option if the WLAN has non-Windows clients, because the stricter controls might induce connectivity issues depending on how the DHCP client side is implemented.
 
Additional Notes: The WLAN advanced configuration has an option to require that a client must pass DHCP before going into the RUN state (the state in which the client is able to pass traffic through the controller). This option requires the client to do a full or half DHCP request. The main thing the controller is looking for from the client is a DHCP request and an ACK coming back from the DHCP server. As long as the client does these steps, the client passes the DHCP required step and moves to the RUN state.

L2 and L3 Roaming

L2 Roam: If the client has a valid DHCP lease and performs a L2 roam between two different controllers on the same L2 network, the client should not need to re-DHCP and the client entry should be completely moved to the new controller from the original controller. Then, if the client does need to DHCP again, the DHCP bridging or proxy process on the current controller would transparently bridge the packet again.

L3 Roam: In a L3 roam scenario the client is moving between 2 different controllers in different L3 networks. In this situation the client is anchored to the original controller and listed in the client table on the new foreign controller. During the anchoring scenario the client's DHCP is handled by the anchor controller, as the client data is tunneled within an EoIP tunnel between the foreign and anchor controllers.

 
SHOW WLAN <WLAN ID>
To confirm the current config, this option lives under the show wlan <WLAN ID> command:
 
(Cisco Controller) >show wlan 1
WLAN Identifier.................................. 1
Profile Name..................................... TEST
Network Name (SSID).............................. TEST
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 6
Exclusionlist.................................... Disabled
Session Timeout.................................. 1800 seconds
Interface........................................ management
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Quality of Service............................... Silver (best effort)
WMM.............................................. Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
<omitted>
 
CONFIG DHCP Address Assignment Required
Hummm... For the life of me I cannot find the CLI command for this config. I will post it shortly, but here is the GUI command.
 
WLANs --> (click on SSID) --> ADVANCED TAB --> check box DHCP Addr. Assignment Required

Tuesday, Dec 29 2009

Configure TKIP Countermeasure Holdoff Timer on WLC

After having worked on countless Cisco WLAN VoIP deployments a general rule of thumb from Cisco TAC is to disable TKIP countermeasure on ALL voice WLANs and lessen the timer for DATA WLANs. Again this is all subject to your comfort level and performance requirements. Personally, I can't say I have ever seen this to be an issue or had an issue that was directly related to the countermeasure. But something to chew on!

TKIP countermeasure mode can occur if the Access Point receives 2 message integrity check (MIC) errors within a 60 second period. When this occurs, the Access Point will de-authenticate ALL TKIP clients associated to that 802.11 radio and holdoff any clients for the countermeasure holdoff time (default = 60 seconds).


(Cisco Controller) >config wlan security tkip hold-down <seconds> <wlan id>

Note:  Configures TKIP MIC countermeasures hold-down timer (0-60 seconds)


The following command disables TKIP countermeasure on WLAN 1 

(Cisco Controller) >config wlan security tkip hold-down 0 1

 

Sunday, Dec 27 2009

WLC Paging Disabled - "Similar to - term length 0" 

We've all been there... You need to dump the show run-config output and you get "Press Enter to continue Or <Ctl Z> to abort" or "--More-- or (q)uit". All you want is the entire config in one go. Well, here is how.

If you are familiar with Cisco IOS routers and switches then you may have used the "term length 0" command, which eliminates the page breaks. Under the WLC "Airespace OS" the equivalent is "config paging disable":

(Cisco Controller) >config paging ?
enable         enable paging
disable        disable paging

 

DISABLE CONFIG PAGING

The following command will allow the entire show command drop in one piece:

(Cisco Controller) >config paging disable

 

ENABLE CONFIG PAGING

The following command will allow paging:

(Cisco Controller) >config paging enable

Sunday, Dec 27 2009

Recover your WLC password

So you forgot your WLC password, eh? On WLC version 5.1 and later, you can use the CLI from the controller's serial console to configure a new user name and password. Complete these steps:

1. After the controller boots up, enter Restore-Password at the user prompt.
   Note: For security reasons, the text that you enter does not appear on the controller console.
2. At the Enter User Name prompt, enter a new user name.
3. At the Enter Password prompt, enter a new password.
4. At the Re-enter Password prompt, re-enter the new password.
   Note: The controller validates and stores your entries in the database.
5. When the User prompt reappears, enter your new username.
6. When the Password prompt appears, enter your new password.
 

Note: For WLCs that run earlier versions of firmware (prior to 5.1), there is no way to recover the password.

If you use the Cisco Wireless Control System (WCS) in order to manage the WLC, wireless LAN controller Module (WLCM) or Wireless Services Module (WiSM), you should be able to access the WLC from the WCS and create a new administrative user without logging into the WLC itself.

Or, if you did not save the configuration on the WLC after you deleted the user, then a reboot (power cycling) of the WLC should bring it back up with the deleted user still in the system. If you do not have the default admin account or another user account with which you can log in, your only option is to default the WLC to factory settings and reconfigure it from scratch.

 

Sunday, Dec 27 2009

Configure Local MAC Authentication on Cisco WLCs 

MAC filtering was popular back when WEP was the only means of wireless security. MAC filtering added an additional layer of authentication by validating the wireless NIC's MAC address prior to authenticating to a wireless network. Although MAC filtering is still used today, it is a management burden for larger deployments, and it is very easy for an attacker to spoof a MAC address learned with a sniffer, since the MAC is sent in the clear.

What you need to know about local authentication on the Cisco WLC: by default, the WLC local database supports 512 entries and can be configured up to a total of 2048 entries. This is a hard limit and cannot be exceeded unless you use a RADIUS server for MAC authentication.

LOCAL WLC DATABASE

The local user database is limited to a maximum of 2048 entries and is set to a default value of 512 entries. 

The local database stores entries for these items:
• MAC filters (clients)
• AP MIC/SSC (AP authorization list)
• Dynamic Interfaces
• Management users
• Local net users
• Excluded Clients
 
Together, ALL of these types of entries CANNOT exceed the configured database size.
In order to increase the local database to 2048, use this command from the CLI:

(Cisco Controller) >config database size ?
<count>        Enter the maximum number of entries (512-2048)
 
SHOW DATABASE SUMMARY 
 
This command will display the size of the database and current number of entries. 
 
(Cisco Controller) >show database summary
 
Current Max database entries..................... 512 <--- Default database size
Max database entries on next reboot.............. 512
Current number of entries used................... 5 <--- This is 3 user accounts and 2 dynamic interfaces
 
CONFIG MACFILTER IN LOCAL WLC DATABASE
 
The MAC address and WLAN ID are required:
config macfilter add <MAC address> <WLAN ID> [interface_name] [description] [IP address]

These parameters are optional:
[interface_name] [description] [IP address]
 
(Cisco Controller) >config macfilter add 00:21:6A:11:A8:AA 2
 
 
ENABLE MACFILTERING ON WLAN
 
(Cisco Controller) >config wlan mac-filtering enable  2
 
SHOW MACFILTER SUMMARY
 
(Cisco Controller) >show macfilter summary
 
MAC Filter RADIUS Compatibility mode............. Cisco ACS
MAC Filter Delimiter............................. None
Local Mac Filter Table
MAC Address               WLAN Id          IP Addr           Description
-----------------------   --------------   ---------------   --------------------------------
00:21:6a:11:a8:aa           2              unknown
 
 
SHOW MACFILTER DETAIL 

(Cisco Controller) >show macfilter detail 00:21:6a:11:a8:aa
 
MAC Address...................................... 00:21:6a:11:a8:aa
WLAN Identifier.................................. 2
Interface Name...................................
IP Address....................................... unknown
Description......................................
 
MAP MAC ADDRESS TO IP ADDRESS

The config macfilter ip-address command lets you map an existing MAC-filter to an IP address. Use this command in order to configure an IP address into the local MAC filter database:
 
config macfilter add <MAC address> <WLAN ID> [interface_name] [description] [IP address]
(Cisco Controller) >config macfilter add 00:21:6A:11:A8:AA 2 interface "description" 192.168.1.10
 
Note: <description>  Enter optional description (up to 32 characters) within double quotes

 

 

Wednesday, Dec 23 2009

CISCO VOIP BEST PRACTICE - WLC IEEE 802.1X Timeout for EAP-FAST

When using EAP-FAST you want to ensure you give the client enough time to obtain the PAC. By default the WLC is set to only 2 seconds. However, I noticed that with code 6.0.188.0 it is set to 30 seconds by default. This command can only be configured from the CLI of the WLC.

When using EAP-FAST, the IEEE 802.1X timeout on the controller must be increased (default = 2 seconds) in order for the client to obtain the PAC via automatic provisioning. The default timeout on the Cisco ACS server is 20 seconds, which is the recommended value.
To change the IEEE 802.1X timeout on the Cisco Wireless LAN controller, connect to the controller using Telnet or SSH and enter the following command:
(Cisco Controller) >config advanced eap request-timeout 20

(Cisco Controller) >show advanced eap

EAP-Identity-Request Timeout (seconds)........... 1
EAP-Identity-Request Max Retries................ 20
EAP Key-Index for Dynamic WEP.................... 0
EAP-Request Timeout (seconds)................... 20
EAP-Request Max Retries.......................... 2

 

Tuesday, Dec 22 2009

Configure NTP / MANUAL Time on WLC

Did you know that if you don't set the time on a WLC it is very likely your access points won't join it? Why, you ask? LWAPP/CAPWAP access points contain certificates. If your controller's time is set outside the access point's certificate validity period, the APs won't join the WLC.

You can check your access point's certificate validity with the following command from the AP CLI. A lot of information is displayed; you are interested in the section that states "Certificate". You need to ensure your WLC time is set within the AP's validity time frame.

ap#show crypto ca certificates

Certificate
  Status: Available
  Certificate Serial Number: 3BC24B9600000012211221
  Certificate Usage: General Purpose
  Issuer:
    cn=Cisco Manufacturing CA
    o=Cisco Systems
  Subject:
    Name: C1130-001c58734445
    ea=support@cisco.com
    cn=C1130-001c58734445
    o=Cisco Systems
    l=San Jose
    st=California
    c=US
  CRL Distribution Points:
    http://www.cisco.com/security/pki/crl/cmca.crl
  Validity Date:
    start date: 12:56:31 UTC Jun 30 2007
    end   date: 13:06:31 UTC Jun 30 2017
  Associated Trustpoints: Cisco_IOS_MIC_cert
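To check that a controller clock actually falls inside the AP's MIC validity window before blaming something else for a join failure, here is an added Python example (not from the original post) that parses the start/end dates from the output above and compares them with a given controller time. The controller times used are constructed: the manual time set later in this post, and a never-set clock.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Tuple

# Constructed sample: the validity section of the 'show crypto ca certificates' output
# quoted in the post (serial and subject lines omitted; only the dates matter here).
SAMPLE_CERT = """\
Certificate
  Status: Available
  Certificate Usage: General Purpose
  Validity Date:
    start date: 12:56:31 UTC Jun 30 2007
    end   date: 13:06:31 UTC Jun 30 2017
  Associated Trustpoints: Cisco_IOS_MIC_cert
"""

# IOS pads "end   date:" with extra spaces; the regex tolerates that.
DATE_RE = re.compile(r"^\s*(start|end)\s+date:\s*(.+?)\s*$")
IOS_FMT = "%H:%M:%S UTC %b %d %Y"   # e.g. 12:56:31 UTC Jun 30 2007 (IOS prints UTC)


def validity_window(output: str) -> Tuple[datetime, datetime]:
    """Extract (not_before, not_after) as UTC datetimes from IOS certificate output."""
    found: Dict[str, datetime] = {}
    for line in output.splitlines():
        m = DATE_RE.match(line)
        if m:
            stamp = " ".join(m.group(2).split())   # collapse any padding inside the date
            found[m.group(1)] = datetime.strptime(stamp, IOS_FMT).replace(tzinfo=timezone.utc)
    if "start" not in found or "end" not in found:
        raise ValueError("no validity dates found in output")
    return found["start"], found["end"]


def controller_time_ok(output: str, controller_time: datetime) -> bool:
    """True if the controller clock falls inside the AP's MIC validity window."""
    start, end = validity_window(output)
    return start <= controller_time <= end


def explain(output: str, controller_time: datetime) -> str:
    """Human-readable verdict: why the AP will or will not be accepted on this clock."""
    start, end = validity_window(output)
    if controller_time < start:
        return (f"controller clock {controller_time:%Y-%m-%d} is before cert start "
                f"{start:%Y-%m-%d}: AP will not join")
    if controller_time > end:
        return (f"cert expired {end:%Y-%m-%d}; controller clock "
                f"{controller_time:%Y-%m-%d}: AP will not join")
    return f"ok: {(end - controller_time).days} days of certificate validity remain"


if __name__ == "__main__":
    # The time set with 'config time manual 12/21/09 23:30:00' later in this post.
    set_clock = datetime(2009, 12, 21, 23, 30, tzinfo=timezone.utc)
    # A controller whose clock was never set (constructed value).
    unset_clock = datetime(2000, 1, 1, tzinfo=timezone.utc)
    print(explain(SAMPLE_CERT, set_clock))
    print(explain(SAMPLE_CERT, unset_clock))
```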

 

Let's set the time on the WLC. You can set the time manually, in which case it is stored locally on the WLC, or via an NTP server.

(Cisco Controller) >config time ?

manual         Configures the system time.
ntp            Configures the Network Time Protocol.
timezone       Configures the system's timezone.

Let's look at the manual config:

(Cisco Controller) >config time manual ?
(Cisco Controller) >config time manual <MM/DD/YY> <HH:MM:SS>
(Cisco Controller) >config time manual 12/21/09 23:30:00

Let's now look at the NTP config:

(Cisco Controller) >config time ntp ?
interval       Configures the Network Time Protocol Polling Interval.
server         Configures the Network Time Protocol Servers. 

<interval> is the polling interval at which the WLC will sync with the NTP server, between 3600 and 604800 seconds.
<server> is the NTP server IP address. The NTP servers are indexed, which means you can add multiple servers.

(Cisco Controller) >config time ntp server <index> <ip address>
(Cisco Controller) >config time ntp server 1 192.168.1.1

Note: If you want to delete your NTP entry use 0.0.0.0 as your IP address.

The last part of the config is to set the time zone.

Sunday
Dec062009

WLC CLI Command To Change AP Duplex <auto/half/full> and Speed <auto/10/100/1000> <all/Cisco AP Name>

Here is another nugget to put in the bag, and it can only be done from the CLI of a WLC. Suppose you want to modify the duplex and speed of the Ethernet side of an AP, or of all the APs for that matter. By default both the duplex and speed are set to auto.

This is how: drop into the CLI of the WLC. This command lives under the <ap> category.

(Cisco Controller) >config ap ethernet duplex <auto/half/full> speed <auto/10/100/1000> <all/Cisco AP Name>


Monday
Nov232009

WLC CLI command to change AP <Username> <Password> to ALL APs

The more you experiment and live in the CLI of a WLC, the more little nuggets you will find that you can't do in the GUI. This little find is just one of them. The AP username command allows you to change the username and password for ALL of the access points that are connected to the controller. Why is this important, you might wonder? The obvious reason, of course: even if your AP is lightweight, someone can still telnet, SSH or console into the AP with the default Cisco / Cisco credentials.

This command allows you to change the username and password of ALL APs or of an individual AP. This comes in handy after a new deployment.

(Cisco Controller) >config ap username <username> password <password> <all/Cisco AP Name>
(Cisco Controller) >config ap username GEORGE password MY80211 all

Friday
Nov202009

WiSM Auto-LAG Feature  

When installing WiSMs in the past I would do it the old-fashioned way. You know: create my 4 port channels (2 for management, 2 for the controllers), configure the 8 gig interfaces (these come up once the WiSM is installed), and assign them to the port channels.

Software release 12.2(18)SXF5 (Sup 720) has a new WiSM feature called "auto-lag". I am always cautious with anything carrying the word "auto" when it comes to networking. However, I was pleasantly surprised with this feature. So what is auto-lag? Auto-lag allows you to configure a controller with 3 simple commands rather than going through the multiple steps above.

Let's walk through the steps of auto-lag. In this example we will configure a WiSM in module 3, controller 1. We will have native VLAN 100 and allow VLANs 200, 201, 202 and 203. These are my wired interfaces which tie to SSIDs.


#>wism module 3 controller 1 native-vlan 100 <--- This sets the native VLAN. This is used for your controller management (untagged)

#>wism module 3 controller 1 allowed-vlan 100,200,201,202,203 <--- This sets which VLANs are allowed

#>wism module 3 controller 1 qos-trust dscp <--- Good ol' QoS


This is the output of show run with auto-lag. Note you will not see the gig interfaces and the port channel in the show run output as you normally would. But don't worry, they are there.


#>show run

wism module 3 controller 1 allowed-vlan 100,200-203
wism module 3 controller 1 native-vlan 100
wism module 3 controller 1 qos-trust dscp


If you want to see the EtherChannel you can run:

#>show etherchannel

          Channel-group listing:
          -----------------------

Group: 287
----------
Group state = L2
Ports: 4   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:    -
Minimum Links: 0