Matt Starling

WN Blog 016 – WiFi Tools


I am putting this blog together to cover some of the wireless tools that we use or are highly recommended in the wireless community.

Many of you might already be aware of some of the tools in this blog but there might be some in here that you have not come across before that you could find quite useful.

We will kick things off with the WiFi tool we use the most, which is Ekahau.


If you are a wireless engineer then this is a must-have in your tool bag – we use it for everything – from designing wireless networks to troubleshooting them.

Ekahau is certainly rich in products & features so we will just cover them here quickly:

Ekahau Pro™ Site Survey Tool

“The industry standard tool for designing, analyzing, optimizing and troubleshooting Wi-Fi networks. It combines professional grade features with unprecedented ease of use and features a new, ultra-fast user interface which works on macOS and Windows. Ekahau Pro site survey supports all Wi-Fi access points, thousands of antennas and every Wi-Fi standard including 802.11ax (Wi-Fi 6).”

Ekahau Sidekick®

“All-in-one, precise Wi-Fi diagnostic and measurement device that contains two Wi-Fi radios and a spectrum analyzer used for professional Wi-Fi site surveys and troubleshooting. It delivers 2x faster site surveys, 4-10x faster spectrum analysis (compared to other Wi-Fi spectrum analyzers) and uses seven factory tested antennas which are placed in the optimum orientation to deliver precise and consistent measurement accuracy. It’s plug-and-plan, works with iPad, MacOS and Windows and supports all Wi-Fi standards, including the new 802.11ax (Wi-Fi 6).”

Ekahau Survey™ for iPad

“Ekahau Survey is the first professional grade Wi-Fi site survey tool for iPad. This solution is 70% lighter than using a laptop which helps you keep going all day. It’s intuitive and easy to use which means both Wi-Fi experts and IT professionals can now perform site surveys with ease. It automatically locates all nearby access points and places them on a map and delivers instant post-survey analysis with easy-to-read, beautiful crystal-clear heatmaps.”

Ekahau Capture™

“With Ekahau Capture you no longer have to invest into dedicated and expensive equipment or fallback on complex and unreliable methods to perform packet capture. Easily collect the data you need to conduct advanced troubleshooting and in-depth analysis of tough to diagnose Wi-Fi problems without waiting for a Wi-Fi expert. Ekahau Capture makes it possible for anyone to quickly capture Wi-Fi packets using Ekahau Sidekick.”

Ekahau Cloud™

“Choose a collaboration method that works best for you and your customers and easily switch between offline and cloud modes. Enjoy seamless collaboration between central office and field sites and make project sharing with your entire team simple and easy. Multiple people in the field can now work concurrently on the same project while critical data can be quickly shared with Wi-Fi experts anywhere in the world so they can help troubleshoot tough to solve problems without ever leaving the office.”

Ekahau works on both Windows & Mac.

With Ekahau Connect you can survey on iPad – iOS.

Link to Ekahau website –

Ekahau does cost money – to get a quote from a reseller in the UK contact Open Reality –


  • @Ekahau
  • @OpenRealityUK

Protocol Analysis Tools




“Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark development thrives thanks to the volunteer contributions of networking experts around the globe and is the continuation of a project started by Gerald Combs in 1998.”

Wireshark works on both Windows & Mac.

Wireshark is a free tool.

Wireshark website –

Twitter – @WiresharkNews




Omnipeek is also a protocol analyser and a very nice wireless tool for protocol analysis – but unlike Wireshark this is not a free tool.

Omnipeek Overview:

Real-Time Network Protocol Analyzer

  • Decoding over 1,000 protocols, Omnipeek provides real-time analysis for every type of network segment – 1/10/40/100 Gigabit, 802.11, and voice and video over IP – and for every level of network traffic.

Intuitive Graphic Displays and Visualization

  • Omnipeek network protocol analyzer delivers intuitive visualization and effective forensics for faster resolution of network and application performance issues and security investigations.

Best-In-Class Network Analysis Workflow

  • Widely recognized as the best network analysis workflow in the industry, Omnipeek makes it easy to drill down, look across, compare, discover, and ultimately reduce mean-time-to-resolution (MTTR).

Monitor Distributed Networks Remotely

  • Using LiveCapture with Omnipeek extends network monitoring and visibility for troubleshooting of application-level issues at remote sites and branches, WAN links, and data centers.

Easy WiFi Troubleshooting

  • The Omnipeek WiFi adaptor is a USB-connected WLAN device designed for wireless packet capture. The 802.11ac adapter supports 802.11ac capture up to 2 transmit/receive streams (866Mbps wireless traffic) and supports 20MHz, 40MHz, and 80MHz channel operation.

Omnipeek only works on Windows.

Omnipeek Website:

Twitter:  @omnipeek




WinFi Lite is a new networking program and app for Microsoft Windows devices designed to monitor, analyze, and manage wireless networks. The application is available as a Microsoft Store application and as a classic desktop application.

WinFi Lite Overview:

Perfect for quick Wi-Fi troubleshooting. Your dreams of doing Wi-Fi analysis while mobile have come true. WinFi and a Windows 10 tablet of your choice make for convenient on-the-go analysis.

Familiar element decoding. No steep learning curve. WinFi leverages familiar structure and naming guidelines found in Wireshark.

Networks are analyzed for standards violations and malformed elements. WinFi will let you know if there are inconsistencies. Plus, you can open networks from WinFi directly in Wireshark.

Outstanding grouping, filtering and sorting capabilities. WinFi has powerful and best in class grouping, filtering and sorting capabilities.

Group, filter and sort by any information you want. Set filter and grouping thresholds for signal values, use regular expressions for text searches, and much more.

WinFi Lite works on Windows only.

There are free & paid versions of this tool.

Twitter: @HelgeKeck


WiFi Explorer



Simple, intuitive user interface

  • WiFi Explorer gathers configuration and capability information about all the networks it discovers and presents it on an easy-to-use, intuitive user interface. Information includes network name (SSID), BSSID, vendor, country code, channel, band, security configuration, supported data rates, number of streams, and much more.

  • Additional viewing options in WiFi Explorer Pro let you organize scan results by SSID, access point or access point radio to better visualize multiple networks per access point.

Resolve Wi-Fi issues

  • With WiFi Explorer, you can find the best channel for your network or determine a better placement for your access point. You can also identify channel conflicts, overlapping or configuration issues that may be affecting the connectivity and performance of your wireless network.

  • Expert information, available in WiFi Explorer Pro, such as per-channel beacon overhead, gives you a general overview of the Wi-Fi environment to better plan your network installation or mitigate existing problems.

Get a full insight into Wi-Fi networks

  • WiFi Explorer has been developed with the support and feedback of Wi-Fi experts. Its ease of use and advanced features, such as the ability to decode network information, access point name discovery or enhanced filtering, give you a full insight into the capabilities and configuration details of wireless networks.

  • Other advanced features include the ability to find and display information about hidden networks, support for external Wi-Fi adapters, Zigbee integration, and much more.

Spectrum Analysis Integration

  • WiFi Explorer Pro’s spectrum analysis integration lets you visualize RF information and correlate it with Wi-Fi data to identify non-802.11 energy sources and better understand the effects of interference and channel utilization on your wireless network. Compatible spectrum analyzers:

  • MetaGeek’s Wi-Spy 2.4x (Version 2) & Wi-Spy DBx
  • Ekahau Spectrum Analyzer
  • RF Explorer Wi-Fi Combo
  • Ubertooth One
  • HackRF One (Experimental)

WiFi Explorer works only on Mac.

There are free & paid versions of this tool.

Download link for WiFi Explorer: Here

Twitter:  @adriangranados 

Wireless Sensors / Packet Capture devices




The Kubicon system consists of two components: a cloud-based dashboard and a hardware Wi-Fi sensor which mimics end-user Wi-Fi behaviour.

All that needs to be done to deploy the solution is to perform the configuration on the cloud console, which is the central point of management and reporting, and to deploy sensors across the desired environment.

The solution monitors a number of important factors such as Wi-Fi signal quality, bandwidth capacity, network services, web applications, etc. from the wireless end-user perspective. Additionally, it calculates an overall Wi-Fi client experience score based on these values. All metrics are available in real time on the cloud dashboard or on demand in the form of reports, which in turn can be exported to multiple easy-to-read/use formats. Based on this architecture and these features, we are able to detect current issues and predict possible problems in the future.


One of the most frequent issues we have experienced in Wi-Fi environments was related to Guest Wi-Fi networks, particularly the lack of (proactive) monitoring and analytics of captive portals.

That’s why we are very proud that we managed to develop comprehensive Wi-Fi captive portal testing and monitoring, with features such as:

  1. Landing page responsiveness
  2. Identification of excessive time taken to load the landing page
  3. Real-time authentication, which helps to identify backend issues during constant client authentication checks





“The WLAN Pi project started in 2016 at WLPC. The goal was to create a portable, ready-to-use device that could function as a network endpoint for measuring network performance and throughput.

Since then, it has been widely embraced in the awesome wireless community and after many contributions, this tiny box has evolved well beyond a network performance testing device.

Today, it can also be used as a remote Wi-Fi scanner, packet capture tool, portable Wi-Fi signal generator and much more! These capabilities assist wireless professionals with designing better wireless networks, troubleshooting issues more quickly, and validating wireless network performance.”

WLAN Pi | Handheld Edition

What’s included:

  • NanoPi Computer
  • Comfast CF-912AC NIC
  • USB Micro to USB-C cable
  • USB-C to USB-A Adapter
  • Handheld – custom 3D Printed Case
  • Preloaded with WLAN Pi version 1.8.3
  • Assembled and tested
  • Support for WLAN Pi team



  • @wlanpi
  • @wifinigel
  • @jolla

Net Ally AirCheck G2



AirCheck G2 offers a one-button AutoTest function that quickly provides a pass/fail indication of Wi-Fi network quality and identifies common problems.

Test the latest Wi-Fi standards (including 802.11ax), with a rugged, handheld, purpose-built wireless tester.

See all networks and devices in your location immediately upon power-up.

View test results, including network availability, connectivity, utilization, throughput, security settings, possible rogues, and interferers.

Automate reporting and enable collaboration by uploading and managing test results via the Link-Live Cloud Service.

Twitter: @NetAlly

Website –

Metageek – Wi-Spy



Powerful Dual-Band Spectrum Analysis

Chanalyzer Essential includes Wi-Spy DBx, a powerful dual-band spectrum analyzer that measures WiFi and non-WiFi activity in both the 2.4 GHz and 5 GHz bands. Chanalyzer utilizes radio frequency data from Wi-Spy DBx to provide you with a real-time visual overview of your WiFi network environment.

Locate Sources of Interference

Once you’re able to see interference, the next step is to eliminate it. Unlike the omnidirectional WiFi antenna in your laptop or wireless adapter, a directional antenna is highly focused to pinpoint non-WiFi sources of interference. This allows you to actively seek out and remove loud transmitters from your WiFi environment.

Monitor Channel Saturation and Intermittent Interferers

By graphing every access point within reach and pairing it with the raw RF information provided by Wi-Spy, Chanalyzer provides you with all the information you need to monitor and manage saturated channels. The built-in recording feature even allows you to track the most frustrating WiFi problem – intermittent interference – and come up with a plan to eliminate it for good.

Twitter: @metageek


Mobile devices


WiFi diagnostics with Apple iOS13:



We found this through Dan Jones, so thank you to Dan! His Twitter is: @UKDanJones

You need to install the developer profile from here:

  • Scroll to the bottom
  • Find Wi-Fi for iOS
  • Log in “as a developer” – you can use your usual Apple account
  • Once you’ve loaded the profile, connect to an SSID, tap the ‘i’ icon next to it & choose Diagnostics.

This profile gives you access to previously hidden/inaccessible menus & functions in your iOS.

  • Identifies the Access Point the iPhone is currently connected to
  • Channel
    • Tells you on which channel the Access Point operates and with which channel width (e.g. 80 MHz)
  • Signal Strength
    • Signal strength (RSSI in dBm) with color indication and written indicator (e.g. Strong, Moderate, Weak)
    • Below you’ll see an indication of how the channel utilization is being rated/seen
  • Security
    • Information on how the wireless network is secured, e.g. “WPA3 Personal”
  • Captive
    • Information on whether you go through a Captive Portal to connect to the network
  • Deployment
    • Information on whether the Wireless LAN operates with multiple Access Points (Multi AP) or a single AP (Single AP)
  • Motion
    • Stationary (the iPhone doesn’t move, e.g. stationary on the desk)
    • Moving (the iPhone is being held in hand)
    • Walking (the iPhone moves at walking speed)
    • Running (the iPhone moves at running speed; this also happens if you jump with the device)
  • Gateway
    • Information on how much time it takes to get to your Gateway
  • Internet
    • Information on how much time it takes to get to the internet
  • AWDL Mode
    • AWDL stands for “Apple Wireless Direct Link” and is used for AirDrop
    • Active or Inactive
  • Bluetooth
    • Idle
  • Scan
    • Active or Inactive
    • Directly below you’ll find an indication of which application triggered the last scan (e.g. location) and when this happened


Airport Utility

This is a great app on iOS to show you the RSSI from the device perspective, but once you have installed the application you need to go into the settings and enable the Wi-Fi scanner:

Airport Utility Settings

Example of the information we can see using Airport Utility: 

Airport Utility


Aruba utilities



Aruba Utilities includes a number of tools useful for characterizing and troubleshooting wireless LANs from Aruba Networks. Some tools work with any WLAN, others are clients for Aruba’s AirWave management system, Analytics & Location Engine (ALE) and Mobility Controllers.

Aruba Utilities includes:

• A Wi-Fi Monitor showing the Wi-Fi environment, including the current access point, dynamic signal strength and RSSI measurements, other access points audible to the device and handover events.

• A Telnet/SSH client that works with Aruba mobility controllers, allowing network configuration and monitoring from a mobile platform.

• An AirWave client that downloads the floorplan image and AP details from the network’s AirWave WLAN management system. See where APs are located relative to your position, and touch AP icons for details of current loading, channels and power.

• The AirWave client also offers a locally-generated estimated heatmap and a site survey function that links actual coverage measurements to locations on the floorplan.

• Device information (Wi-Fi, IP, DHCP, cellular status) is displayed along with an implementation of the Airwave Management Client (AMC) that reports device information and scanned APs to your AirWave WLAN management system.

• A Bluetooth Low Energy (BLE) scanner reports nearby iBeacons and other BLE devices with UUID, index values and signal strength measurements.

• Android versions of iPerf, Ping, DNS and mDNS offer network test functionality.

• Measurements are written to a plain-text log file and various csv report files that can be emailed for use later.

WiFi Manager



WiFi Manager is ideal for analyzing nearby Wi-Fi networks and Bluetooth LE devices, device discovery, and network speedtests. These features are conveniently accessed through the sleekly designed UI created by Ubiquiti Networks. WiFiman contains no ads and is free of charge.

WiFiman helps you locate a less crowded channel for your Wi-Fi Access Point. It lists nearby Wi-Fi channels and Bluetooth LE devices and shows you the details of those channels.

With the app, you can easily list and analyze devices connected to your current network. WiFiman scans the whole network subnet and shows you all of the available devices with the applicable details, using Bonjour, SNMP, NetBIOS, and UBNT discovery protocols.

Another core feature is the network speed test. You can test the speed of your internet connection and save the results for later comparison – or quickly share the results.

Revolution WiFi

Capacity Planner

‘How Many APs Do I Need?’

No more guessing based on device counts or rule-of-thumb cell sizing.


Quickly Analyze ‘What-If’ Scenarios

Determine the best design for your network by adjusting AP and client device types, channel width, client mix, and applications on the fly.


Capacity Analysis (new in version 2.0!)

Visualize capacity utilization and the impact caused by client devices with varying capabilities. Data is shown by:

  • Protocol version

  • Frequency band

  • Application type (data, voip/real-time)

  • Spatial streams

  • Channel width



Mesh Network Planning

Plan 5 GHz single-channel mesh networks to determine how many root nodes are necessary to meet capacity requirements and the per-hop mesh network performance. Use an existing client capacity plan or manually configure mesh network capacity requirements.


Multiple Uses

Use the Capacity Planner for predictive WLAN design, Wi-Fi training and education, RFP proposals, project scoping, and creating a bill of materials (BOM).


Airtime vs Association

Forecast WLAN capacity based on either client airtime demand or association limits per AP radio.


Iterative Design Approach

Use Capacity Planner in conjunction with RF planning tools in an iterative approach to derive a design that meets both coverage and capacity requirements.




Twitter: @revolutionwifi



That’s all the WiFi Tools for now that we are going to cover – if you use any WiFi Tools that we have not included in this blog post please leave a comment or reach out to us and we will update the post to include!


WN Blog 011 – Cisco Catalyst 9800-CL – Redundancy HA SSO (GUI and Basics)


Welcome to another one of our blogs on configuring the new Cisco Catalyst 9800 WLC.

This time we are going to take you through configuring 2 x C9800-CLs for redundancy HA SSO. 

First here is an overview of my home lab setup:

Matts Lab

I currently have 2 x ESXi servers and a C9800-CL on each of them – what is important to point out here is that I have VLAN 12 configured for the L2 redundancy ports between the WLCs.

ESXI Servers vSwitch Config

Interface Gigabit Ethernet 3 will be used for the L2 HA in this setup:

ESXI C9800 Network adapters

Just want to point out here that at this stage we have 3 x interfaces – Gigabit Ethernet 1 – 3:

C9800s Ethernet Interfaces

I then began the redundancy configuration on both of the WLCs.

On the primary WLC I specified the “local IP” as the IP address I had just set up on VLAN 12 and the remote IP address of the secondary WLC that I had just created on VLAN 12.

For the HA interface I have used Gigabit Ethernet 3.

I wanted the WLC on the left to be the primary WLC so I set the active chassis priority to higher than the secondary WLC on the right:

C9800s Redundancy Config

After I applied the configuration I then saved the config and reloaded both of the WLCs at the same time, crossed my fingers and prayed to the wireless networking gods! 😀

C9800s Save & Reload

A few minutes later…

C9800s Successfully in Redundancy HA SSO 1

We can see now that the WLCs have rebooted and successfully formed an HA SSO pair. You can now also see a new dropdown on the dashboard to flip between active and standby stats:

C9800s Successfully in Redundancy HA SSO 2

Standby stats:

C9800s Successfully in Redundancy HA SSO 3

Note that the G3 interface is gone after the HA pair has formed:

C9800 No Gigabit Ethernet 3
C9800 No Gigabit Ethernet 3 GUI

Also note that HA/SSO is required to take advantage of a very nice new feature of the C9800 series WLCs, which is the “always on” capability provided by its hitless upgrades.

Here is how it works:

  • The controller automatically selects groups of APs that can be upgraded, while other nearby APs will still provide coverage to the clients
    • RRM is used to determine AP neighbors that can provide redundant client coverage
    • The aggressiveness of these groupings is configurable.
      • You can have many groups (few APs per group), with very minimal coverage impact, but it will take a long time to complete.
      • Or you can have fewer groups (more APs per group) with a greater chance for coverage impact but will complete much more quickly
  • The secondary Controller is upgraded to the new software version and rebooted
  • The controller uses 802.11v to shuffle clients away from the APs in the first group so that they can be rebooted without impacting the clients
    • Clients not supporting 802.11v will get ungracefully kicked off the AP
  • The controller moves those APs to the new controller, thus upgrading the AP code when they join
    • Once upgraded and controller-joined, clients may join these APs
  • The same process is automatically repeated for all successive groups of APs
  • Once all APs are moved to the N+1 controller, the code is upgraded on the primary controller and it is rebooted
  • Once the primary controller is back online, the APs can optionally be moved back to the primary controller

There you go – that is how you set up and configure your virtual C9800CLs for HA/SSO – hopefully this blog saves you a bit of time if you ever need to do something similar!

PS. Shout out to Ashley Georgeson who helped with this 🙂

WN Blog 009 – Cisco Catalyst 9800 – Guest MAB CWA ISE Config


Welcome to another one of our blogs on the configuration of the new series of WLC from Cisco the C9800!

In this post, I want to go through with you an issue that I ran into when configuring a Guest SSID which was using MAB with a CWA to redirect to a portal on ISE. 

A high-level overview of the setup: C9800-40 + 3800i APs, local mode, central switching & authentication. ISE was configured correctly and was working as it should on the AireOS 5508 that I was replacing, which was still working.

I had followed all the steps & configured everything in this Cisco guide apart from the BYOD flow as that was not a requirement for this project.

Cisco guide:

But I was hitting two scenario issues – the first one was that I was not being redirected to the portal when connecting to the SSID but I was authenticated on ISE and had internet. The second was that I was being redirected and could authenticate with ISE by inputting the code but then not getting any internet after.

The configuration for the first scenario, where I was not getting redirected but was authenticated and had internet, was that I had created the “Redirect_Webauth_ACL” and applied it globally on the WLC – very much the same as you would on AireOS.

The configuration for the second scenario, where I was being redirected but then not getting any internet, was that I had applied the “Redirect_Webauth_ACL” to the “WLAN ACL” in the “Access Policy” of the Guest “Policy Profile”.

So even though I had followed the documentation neither scenario was working how I would expect it to. I am going to take you through below in some screenshots the config I had applied and where as well as show you how I managed to get it working even though what I did was not clear from the Cisco guide.

One thing to call out here for when you come to write an ACL on the C9800 is to remember that they use the IOS syntax instead of what you would be used to on the AireOS WLCs.

Cisco 9800 Guide Notes

From the Cisco guide this is an example of how to write the web auth redirect ACL – Cisco ACL example for the C9800:

Cisco Guide ACL Example

This is where you configure the ACLs, and you can see that the ACL I had configured for the web auth redirect is called “GUEST_REDIRECT_ACL”.

9800 ACL Overview of all ACLs highlighting the Guest Redirect

We can have a look at the redirect ACL rules here and see that I have specified the two ISE servers and DNS (I had previously made the ACL more specific, but after many hours of troubleshooting I decided to make it a bit more open).

Guest Redirect ACL

Now I want to show the WLAN config where you can see the Authorisation & Authentication lists that have been specified are the two ISE servers:

Guest WLAN Security 1
Guest WLAN Security 2

Now in this scenario where I was being authenticated but not redirected, in the policy profile for the guest I had not specified the redirect ACL here.

Guest Policy Profile without ACL applied

When I did specify the redirect ACL in the access policy above I was now being redirected but then was not getting any internet.

I checked the guide again to make sure everything was correct, which it seemed to be, so that left me scratching my head at this point as to why it was not working as expected.

So I reached out to my security friend Aref, whose skills far surpass mine when it comes to security & ISE, to double-check the ACL config & ISE policies for the Guest Wireless MAB.

Here are a few screenshots of how ISE is configured:

ISE Config 1
ISE Config 2
ISE Config 3
ISE Config 4
ISE Config 5

So Aref confirmed that all looked good from an ISE configuration perspective – so how did we get it working, I hear you ask? Great question! What we had to do was specify another ACL, which we called “DENY_GUEST_INTERNAL”, which blocks any access to RFC 1918 addresses but then allows anything else. We applied this ACL to the Guest “access policy” in the “policy profile”, with the redirect ACL applied only at the global level, and now we finally got redirected as well as internet!
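As an added example (not the post’s own configuration, which lives in the screenshots), here is how the DENY_GUEST_INTERNAL idea can be written out and sanity-checked in Python. The rule set is an assumption based on the description above (deny the three RFC 1918 ranges, then permit everything else); the `render_ios` helper emits it in the IOS wildcard-mask syntax the C9800 expects, and `evaluate` applies first-match semantics the way an IOS ACL does.

```python
"""Render and evaluate an IOS-style extended ACL that denies RFC 1918
destinations and permits everything else. Added example; the rule set is
an assumption based on the description of DENY_GUEST_INTERNAL above."""
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, ipaddress.IPv4Network]   # (action, destination network)

# The three RFC 1918 private ranges the guest ACL is meant to block
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def deny_guest_internal_rules() -> List[Rule]:
    """Deny lines first, explicit permit-any last (order matters)."""
    rules: List[Rule] = [("deny", net) for net in RFC1918]
    rules.append(("permit", ipaddress.ip_network("0.0.0.0/0")))
    return rules


def render_ios(name: str, rules: List[Rule]) -> List[str]:
    """IOS syntax uses wildcard masks (inverted subnet masks) rather than
    the prefix lengths or subnet masks AireOS admins are used to."""
    lines = [f"ip access-list extended {name}"]
    for action, net in rules:
        if net.prefixlen == 0:
            lines.append(f" {action} ip any any")
        else:
            # hostmask is the wildcard: 10.0.0.0/8 -> 0.255.255.255
            lines.append(f" {action} ip any {net.network_address} {net.hostmask}")
    return lines


def evaluate(rules: List[Rule], dst: str) -> str:
    """First matching rule wins; an IOS ACL ends with an implicit deny."""
    addr = ipaddress.ip_address(dst)
    for action, net in rules:
        if addr in net:
            return action
    return "deny"


if __name__ == "__main__":
    acl = deny_guest_internal_rules()
    print("\n".join(render_ios("DENY_GUEST_INTERNAL", acl)))
    for dst in ("192.168.1.10", "172.31.0.5", "8.8.8.8"):
        print(dst, "->", evaluate(acl, dst))
```

Ordering is the point: the permit-any line must come after the deny lines, and because IOS appends an implicit deny, an ACL with no explicit permit would block the guest entirely rather than just the internal ranges.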

Here are some screenshots of the other ACL, its configuration and where we applied it:

C9800 ACLs overview highlighting Deny Guest Internal
Deny Guest Internal ACL
Policy Profile with ACL applied

It was quite a long day of troubleshooting and trying different scenarios before we managed to finally get it working as expected and I feel that the way we did finally manage to get it working was not clear from the Cisco documentation so hopefully this can help save you guys some time if you have to configure a guest network with CWA + MAB and run into the same scenarios as I did.

Hope you enjoyed this blog on another configuration gotcha from the C9800 – as we deploy more of these and find anything else that we think may help others who will be implementing these for the first time we will post more blogs with our findings!


WN Blog 007 – Cisco Catalyst 9800 – Internal DHCP Server Config


A quick short blog on some internal DHCP configuration for the C9800 WLC!

As we are starting to implement the new generation of the wireless controller for customers, we anticipate that we will stumble over a few gotchas with config and plan to share through short blogs with you guys to hopefully save you some time.

One of the requirements for this customer was to use the C9800 as a DHCP server for the guest network. After I had configured the DHCP pool, WLAN, policy, VLANs, tags, etc. I went to test connectivity to the guest WLAN – the 9800 was not giving out DHCP IP addresses.

It took me longer than I would have liked to troubleshoot, but I eventually found out what was causing the C9800 not to hand out DHCP IP addresses – it was one button that was enabled by default when creating the DHCP pool: “Reserved only – Enabled”. After I disabled “reserved only”, my clients were being given DHCP from the C9800.

I re-created the config for you guys in my lab at home as an example and took some screenshots below, just in case you have a similar requirement for a customer.

SVI example for guest VLAN

This is an example of how I have set up my SVI for the guest network on the C9800 WLC.

C9800 DHCP pool Reserved only enabled

This is the option on the DHCP pool that caused me hours of troubleshooting as to why guests were not being given a DHCP IP address 😀

C9800 DHCP pool Reserved only disabled

So I would recommend having this option disabled if you have a requirement to use the internal DHCP server on the C9800.

DHCP Pool Advanced Tab

The DHCP pool advanced tab is where you add the default router and DNS servers.

9800 Policy profile and VLAN

This is where you assign the VLAN to your policy profile.

9800 Policy
9800 DHCP Server IP

When using the C9800 WLC as an internal DHCP server, make sure you use the management IP address of the C9800 here.

9800 Policy tag

This is where you tie the WLAN profile and policy profile together with a policy tag.

9800 DHCP Client

In this screenshot you can see that my client device has successfully been given a DHCP IP address from the DHCP pool.

9800 client

So remember, guys: when you are configuring an internal DHCP server on the C9800, if you are having issues with clients not getting a DHCP IP address, make sure “Reserved only” is disabled!

WN Blog 002 – Wireshark Filters

Both Mac & Matt are currently studying for their final CWNP exam – CWAP! And have been making notes and tips along the way so we wanted to share some with you guys.

A lot of the Wireshark filters below we got from the guys over at CTS, but we have added a few more that we have found useful and we will keep adding along the way on our journey!

Basic filter:

  • wlan.addr == 00:11:22:33:44:55 (Mac address)

Filter on only authentication:

  • wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x000b

Filter on only association request:

  • wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x0000

Filter on only association response:

  • wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x0001

Filter on only probe request:

  • wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x0004

Filter on only probe response:

  • wlan.addr == 00:11:22:33:44:55 (Mac address) && wlan.fc.type_subtype == 0x0005

4 way handshake filter:

  • wlan.addr == 00:11:22:33:44:55 (Mac address) && eapol

Filter by SSID:

  • wlan.ssid == "SSID"

Filter by AP:

  • wlan.bssid == 00:11:22:33:44:55 (AP MAC address)

Power Management:

  • wlan.fc.pwrmgt == 1 (or 0)

Retries:

  • Retransmissions: wlan.fc.retry == 1
  • Retries to DS: wlan.fc.retry == 1 && wlan.fc.tods == 1
  • Retries from DS: wlan.fc.retry == 1 && wlan.fc.fromds == 1

Filter Addresses:

  • MAC Address: wlan.addr == 00:11:22:33:44:55 (Mac address)
  • Transmitter address: wlan.ta == 00:11:22:33:44:55 (Mac address)
  • Receiver address: wlan.ra == 00:11:22:33:44:55 (Mac address)
  • Source address: wlan.sa == 00:11:22:33:44:55 (Mac address)
  • Destination address: wlan.da == 00:11:22:33:44:55 (Mac address)

802.11 Management Frames:

  • All management frames: wlan.fc.type == 0
  • Association request: wlan.fc.type_subtype == 0
  • Association response: wlan.fc.type_subtype == 1
  • Re-association request: wlan.fc.type_subtype == 2
  • Re-association response: wlan.fc.type_subtype == 3
  • Probe request: wlan.fc.type_subtype == 4
  • Probe response: wlan.fc.type_subtype == 5
  • Beacons: wlan.fc.type_subtype == 8
  • ATIMs: wlan.fc.type_subtype == 9
  • Disassociations: wlan.fc.type_subtype == 10
  • Authentications: wlan.fc.type_subtype == 11
  • De-authentications: wlan.fc.type_subtype == 12
  • Actions: wlan.fc.type_subtype == 13

802.11 Control Frames:

  • All control frames: wlan.fc.type == 1
  • Block ack requests: wlan.fc.type_subtype == 24
  • Block ACKs: wlan.fc.type_subtype == 25
  • PS-Polls: wlan.fc.type_subtype == 26
  • Ready to Sends: wlan.fc.type_subtype == 27
  • Clear to sends: wlan.fc.type_subtype == 28
  • ACKs: wlan.fc.type_subtype == 29
  • CF-Ends: wlan.fc.type_subtype == 30
  • CF-Ends/CF-ACKs: wlan.fc.type_subtype == 31

802.11 Data Frames:

  • All data frames: wlan.fc.type == 2
  • Data: wlan.fc.type_subtype == 32
  • Data + CF-ACK: wlan.fc.type_subtype == 33
  • Data + CF-Poll: wlan.fc.type_subtype == 34
  • Data + CF-ACK+CF-Poll: wlan.fc.type_subtype == 35
  • Null: wlan.fc.type_subtype == 36
  • CF-ACK: wlan.fc.type_subtype == 37
  • CF-Poll: wlan.fc.type_subtype == 38
  • CF-ACK + CF-Poll: wlan.fc.type_subtype == 39
  • QoS data: wlan.fc.type_subtype == 40
  • QoS data + CF-ACK: wlan.fc.type_subtype == 41
  • QoS data + CF-Poll: wlan.fc.type_subtype == 42
  • QoS data + CF-ACK+CF-Poll: wlan.fc.type_subtype == 43
  • QoS Null: wlan.fc.type_subtype == 44
  • QoS CF-Poll: wlan.fc.type_subtype == 46
  • QoS CF-ACK+CF-Poll: wlan.fc.type_subtype == 47

Radio Tap Header Information:

  • Specific channel: radiotap.channel.freq == 5240 (frequency in MHz)
  • Specific data rate: radiotap.datarate == 6 (rate in Mbps)
  • RSSI: radiotap.dbm_antsignal == -60 (signal strength in dBm)
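To show where the numbers in the lists above come from, here is an added example (not code from the original post or from CTS): it decodes a raw 802.11 MAC header into the same values the wlan.fc.* and wlan.ra/ta/sa/da/bssid filters test. The sample frames in main() are constructed for the demo.

```python
# Added example, not from the original post: decode a raw 802.11 MAC header
# into the values the wlan.fc.* and wlan.ra/ta/sa/da/bssid filters test.
# type_subtype is (type << 4) | subtype, which is why a Beacon is 8 (type 0,
# subtype 8) and a Block Ack Request is 24 (type 1, subtype 8).

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def decode_header(frame: bytes) -> dict:
    """Return Wireshark-style wlan.* fields for a management, data or ACK header."""
    b0, b1 = frame[0], frame[1]               # Frame Control field (little-endian)
    ftype = (b0 >> 2) & 0x3                   # bits 2-3 of byte 0: type
    subtype = (b0 >> 4) & 0xF                 # bits 4-7 of byte 0: subtype
    tods, fromds = b1 & 1, (b1 >> 1) & 1      # flags byte: ToDS, FromDS
    f = {
        "wlan.fc.type": ftype,
        "wlan.fc.type_subtype": (ftype << 4) | subtype,
        "wlan.fc.tods": tods,
        "wlan.fc.fromds": fromds,
        "wlan.fc.retry": (b1 >> 3) & 1,
        "wlan.fc.pwrmgt": (b1 >> 4) & 1,
        "wlan.ra": _mac(frame[4:10]),         # Address 1 is always the receiver
    }
    if ftype == 1:                            # control frames such as ACK carry only RA
        return f
    a2, a3 = _mac(frame[10:16]), _mac(frame[16:22])
    f["wlan.ta"] = a2                         # Address 2 is always the transmitter
    if ftype == 0 or not (tods or fromds):    # management, or data not via the DS
        f.update({"wlan.da": f["wlan.ra"], "wlan.sa": a2, "wlan.bssid": a3})
    elif tods and fromds:                     # WDS: 4-address data frame, SA after seq ctl
        f.update({"wlan.da": a3, "wlan.sa": _mac(frame[24:30])})
    elif tods:                                # client -> AP
        f.update({"wlan.bssid": f["wlan.ra"], "wlan.sa": a2, "wlan.da": a3})
    else:                                     # AP -> client
        f.update({"wlan.da": f["wlan.ra"], "wlan.bssid": a2, "wlan.sa": a3})
    return f

def matches(fields: dict, wanted: dict) -> bool:
    """True when every field in `wanted` equals the decoded value (an AND of == terms)."""
    return all(fields.get(k) == v for k, v in wanted.items())

if __name__ == "__main__":
    # Constructed sample: a QoS Data frame from the AP (FromDS) with the Retry bit set
    qos_retry = bytes.fromhex("880a0000" "001122334455" "aabbccddeeff" "665544332211" "0000")
    fields = decode_header(qos_retry)
    print(fields["wlan.fc.type_subtype"], fields["wlan.sa"])   # 40 66:55:44:33:22:11
    print(matches(fields, {"wlan.fc.retry": 1, "wlan.fc.fromds": 1}))  # True
```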

Please feel free to comment if any of you guys have some other common useful filters that you use and can share with us! 🙂

WN Blog 001 – AP Join Issues with Cisco WLC

So you have just deployed your new shiny Cisco WLCs and you have been waiting for weeks for the cablers to install your APs as per your design and you are sitting there all excited as you can finally enable the switch ports that the APs are connected to but… Oh no, no APs are joining the WLC.

I have certainly been there in that situation and I am going to share with you my usual things to check and troubleshoot.

Firstly we need to understand the process and priority for Cisco APs to discover and join the WLC.

AP Discovery Process:

  • WLC Discovery
  • DTLS/ Join
  • Image Download
  • Configuration Check
  • Registered

Now we know the process, we need to understand the different methods that APs can use to discover WLCs.

AP-to-WLC DISCOVERY algorithm (find as many WLCs as you can):

  • AP goes through the following to compile a list of WLCs
    • CAPWAP discovery broadcast on local subnet
      • AP broadcasts CAPWAP discovery message on UDP 5246
      • WLC responds back with unicast to the AP
  • Over the Air Provisioning (OTAP)
    • deprecated
  • Locally stored controller IP addresses
    • remembers up to 8 previously used controllers and tries to come back to them
  • DHCP vendor-specific option 43
    • IP addr should be the ‘mgmt int IP’
    • DHCP has option 43 configured, but an AP sees code ‘241’ (like police code 10-4), which is the WLC IP
    • Option 43 format
      • Windows Server: can be standard IP
      • IOS: hex (‘f1040a0f64fd’)
  • DNS resolution of ‘CISCO-CAPWAP-CONTROLLER.localdomain’
    • should resolve to the ‘mgmt int IP’
  • Manually set:
    • via CLI:
      • capwap ap ip address (Example IP & subnet)
      • capwap ap ip default-gateway (Example Gateway)
      • capwap ap controller ip address (Example WLC IP)
      • Alternatively, use the following command:
        • capwap ap primary-base “WLCname” “WLCip”
    • via GUI:
      • High Availability
  • If no controller is found, start over

The AP goes through ALL discovery methods to see how many WLCs it can find before moving to the join phase.
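Because the IOS hex form of option 43 is the one that gets hand-edited (and mangled, as in the story further down), here is an added helper, not from the original post, that builds and checks that TLV: sub-option 0xF1 (the ‘241’ above), a length byte, then 4 bytes per WLC management IP. The ‘f1040a0f64fd’ string from the list decodes to one controller, 10.15.100.253; the two-controller string is constructed for the demo.

```python
# Added example, not from the original post: encode/decode the Cisco WLC
# sub-option inside DHCP option 43 (0xF1, length, then 4 bytes per WLC IP).
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1  # the "code 241" the AP looks for inside option 43

def encode_option43(wlc_ips: list) -> str:
    """Return the IOS-style hex string for one or more WLC management IPs."""
    if not wlc_ips:
        raise ValueError("at least one WLC IP is required")
    payload = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    if len(payload) > 255:
        raise ValueError("too many controllers for a single-byte length field")
    return bytes([CISCO_WLC_SUBOPTION, len(payload)]).hex() + payload.hex()

def decode_option43(hex_string: str) -> list:
    """Parse an option 43 hex string (plain or IOS dotted) and return the WLC IPs.

    Raises ValueError on a malformed TLV, which is what a hand-edited string
    that sends APs to the wrong controller IP usually looks like.
    """
    raw = bytes.fromhex(hex_string.replace(" ", "").replace(".", ""))
    if len(raw) < 2 or raw[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("sub-option 241 (0xf1) not found at start of option 43")
    length, data = raw[1], raw[2:]
    if length != len(data) or length % 4 != 0:
        raise ValueError(f"length byte {length} does not match {len(data)} payload "
                         "bytes (must be a multiple of 4)")
    return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(0, length, 4)]

if __name__ == "__main__":
    print(decode_option43("f1040a0f64fd"))                         # ['10.15.100.253']
    print(encode_option43(["10.15.100.253", "10.15.100.254"]))    # f1080a0f64fd0a0f64fe
```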

Now we understand the DISCOVERY phase we can move on to the JOIN phase.

  • Can be hierarchical, hardcoded
    • Primary, Secondary, Tertiary
    • Tries the secondary etc. if the primary has no space or has not answered the join request
  • With many controllers, one might be configured as a master controller
    • CONTROLLER > Advanced > DHCP > Master Controller Mode
    • Master controller is preferred to join, if no other controllers are hardcoded
  • If there are no hardcoded controllers and there is no master configured, AP will join the least loaded WLC
    • Lowest ratio (%) is preferred
    • If the load is identical, a secure DTLS tunnel is preferred over the 5246 UDP port
  • AP sends a join request message to every WLC, which contains
    • AP hardware version
    • AP software version
    • AP name
    • Number and type of radios
    • Certificate payload
    • Session payload; test payload
  • Responding to a controller request
    • WLC responds with:
      • Controller name
      • Controller type
      • AP capacity
      • Current AP load
      • ‘Master Controller’ status
      • AP-Manager IP address
      • Certificate payload
    • AP waits for its ‘Discovery Interval’ to expire, then selects a controller and sends a CAPWAP Join Request to that controller

Now we understand the JOIN phase we can move on to the CONFIGURATION phase.

  • AP moves to an image data phase 
  • Controller upgrades or downgrades the AP 
  • Code is sent in CAPWAP messages 
  • Config then sent to AP 
  • AP applies config to RAM 
  • AP clears all its parameters upon joining the controller 
  • Controller sends everything over: SSIDs, channels, powers etc. 
  • Controller checks/updates APs config frequently 

Once the AP has successfully completed the configuration phase it should join the WLC – but what if it doesn’t? Where do I start?…

(I am going to make the assumption that you have recorded all of your AP MAC addresses, correlated to a hostname, in a nice Excel sheet.)

Ok, let’s start with the Olivia Newton-John (Physical):

  • If you are physically on site and able to check your AP – does it have any lights? If so, what are they doing? Different light statuses can be a good indicator of what is going on with the AP.
  • If you are remote, can you access the switch the APs are connected to?
    • Check the following commands:
      • “show cdp neighbors” – Can you see the AP MAC address? Is it connected to the port you are expecting?
      • “show power inline” – Can you see the AP drawing the correct amount of power from the switch?

Ok so we have verified that Olivia (physical – come on, keep up kids) is OK and the AP has power and is most likely flashing red, blue & green on repeat. So what’s next? There is no right or wrong order for the following steps, but it is important that we verify all of them.

If possible, console on to the AP and view the output messages – there could be some information here that makes it very obvious what the issue is. Whilst consoled onto the AP, verify that the AP has the correct firmware code on it. If the AP is to be controlled by a WLC it should be in “lightweight” mode with “K9W8” in the firmware version; if the AP is not to be controlled by a WLC it should be in “autonomous” mode with “K9W7” in the firmware version.

Log on to the CLI of the WLC, look at the AP join stats and run some debugs to see if we can get any indicators of what the issue may be.

“show ap join stats detailed [AP MAC Address]”

Now let’s enable some debugs with the following commands:

  • “debug mac addr [AP MAC Address]”
  • “debug capwap events enable”
  • “debug capwap errors enable”

With these debugs enabled and filtered on the AP MAC address, pay attention to the output, as there may be some key indicators in there of why the AP is not joining the WLC. In the example below there was a country code mismatch, which looks something like this:

Which leads me on nicely to the things we can make sure are configured correctly on the WLC, as any of these will cause APs not to join:

  • Regulatory domain
    • If the WLC and AP regulatory domains do not match, the AP will not join the WLC
  • Time & date
    • If the time and date are significantly out on either the WLC or the AP, the AP will not join the WLC
  • Licenses
    • If the WLC is not licensed or does not have enough licenses, the AP will not join the WLC – check you have enough licenses available for how many APs should be on the WLC
  • Add AP to security policy on WLC
    • Recently I had this issue where a 1562i would not connect to the WLC even though everything was configured the same as a 3802i connecting on a different port. I added the MAC address to the security policy on the WLC and it successfully joined!

Ok so let’s move on to DHCP.

  • Check to make sure that the DHCP scope has not run out of leases.
    • I have had this issue before when upgrading code on the WLC: APs rebooting or going off to join the secondary WLC whilst the primary is rebooting, then coming back and there not being enough DHCP leases left.
      • In this situation what I do now is shut down the AP VLANs on the switches to contain the APs during the upgrade.
    • Is your option 43 HEX correct?
      • I would definitely recommend checking this, especially if you did not actually enter it yourself – I have seen in the past a customer who I sent a correct option 43 HEX string to somehow manage to change the HEX string, so the AP was trying to reach a different IP address for the WLC!
  • Slight curve ball here, but it still kind of relates to DHCP option 43.
    • Recently I was upgrading a customer’s WLAN from a single WLC2504 and old 1142 APs to new WLC5520s and 2802 APs. Option 43 was configured correctly (I double checked) – I turned the AP on and could not see it trying to join the new WLC. What happened was DNS was configured to point to the old WLC2504, so the AP was joining that one instead of the new WLC5520! Something for you guys to bear in mind if you are ever in a similar scenario 🙂

Last but not least – the firewall:

  • Make sure the CAPWAP ports are allowed through the firewall
    • CAPWAP ports = 5246-5247 and the protocol is UDP

So that is it – my checklist of what I do if APs are not joining the WLC – I hope this post is useful for you guys!