Introduction
This document describes how to convert a lightweight Cisco Catalyst 9000 Series Access Point (AP) to an Embedded Wireless Controller (EWC).
Prerequisites
Requirements
The steps outlined in this article assume that the AP runs a lightweight CAPWAP image and that a functional TFTP server is reachable from this AP. A serial connection to the AP is also a requirement.
Components Used
Other guides are available on the smartphone app or the web UI wizard that explain how to easily deploy Cisco EWC on Catalyst APs. This document focuses mainly on the CLI approach as well as conversion tips and tricks.
Note: EWC is not supported on Cisco 9105AXW and all Wi-Fi 6E access points
Components used:
- 9120 AP
- EWC image version 17.1.1s
- TFTP server
- Console cable
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
About an EWC on a Catalyst AP
The Cisco EWC on Catalyst APs provides an option for your Wi-Fi 6 network that is easy to deploy and manage. The control function is built into the Cisco Catalyst AP, so no added physical appliance is required.
This means you get enterprise-class capabilities, which includes robust security, Cisco reliability, and Wi-Fi 6 capacity and performance right out of the box. The deployment and management of your new wireless network requires little network knowledge or IT support, which makes it ideal for single-site or multisite deployments for organizations with minimal IT resources. Just set it and forget it.
The Cisco EWC on Catalyst APs runs a similar Cisco IOS® XE code as the Cisco Catalyst 9800 Series Wireless Controller, that makes it resilient, secure, and intelligent. With the EWC, you get the benefit of enterprise features without the need to invest in a controller appliance.
Additionally, your investment in Cisco Catalyst APs is protected as your needs evolve. The EWC can be migrated to cloud-based or physical controller-based deployments as needed.
EWC on Catalyst AP Limitations
- The EWC cannot have its Gig 0 interface configured as trunk.
- The EWC does not support Switch Virtual Interfaces (SVIs).
- The EWC cannot perform central switching.
- Gig 0 is the only interface that can be used as a Wireless Manager.
- All of the EWC traffic has to be sourced from Gig 0 interface (which includes RADIUS, Control and Provisioning of Wireless Access Points (CAPWAP) control, licensing traffic, and so on).
- The EWC cannot perform embedded packet captures.
- The EWC does not support APs in sniffer mode.
- The EWC image does not boot up if there is another EWC, AireOS, or 9800 Wireless LAN Controller (WLC) in the same broadcast domain. The AP continues to function as a normal lightweight CAPWAP AP until the other WLCs are removed from the network.
- When you convert or upgrade the EWC in a deployment with mixed AP models, it is required to have a functioning TFTP server.
- EWC is not able to fragment packets (see Cisco bug ID CSCwc95321).
Deploy
Switch Configuration
The switch port that the EWC AP is connected to must be a trunk port whose native VLAN is the management VLAN.
Example switch configuration:
configure terminal
interface gigabitEthernet 0/1
switchport mode trunk
switchport trunk native vlan 10
Factory Reset
Before you convert the AP, it is best practice to perform a factory reset, even if it is brand new:
- Unplug the AP from its power source.
- Plug the console cable in and open a serial session on your PC.
- Press and hold the Mode/Reset button on the AP.
- Plug the AP back into its power source while you continue to hold the Mode/Reset button.
- Continue to hold the Mode/Reset button until the prompt on your serial session is displayed.
The console session writes out how long the Mode/Reset button has been pressed. At least 20 seconds are required for a full reset. The AP boots up and the default credentials Cisco/Cisco can be used to log in to the CLI (the web interface credentials are webui/Cisco).
Network Topology
EWC images are provided in the form of a zip file. The zip file contains:
- EWC .bin image (example: C9800-AP-iosxe-wlc.bin)
- AP image for all APs that can join EWC (example: ap1g4, ap1g7)
- Readme.txt file that specifies which image corresponds to which AP model
Note: Make sure to extract the contents of the zip archive to your TFTP server. The AP needs access to these files directly, as it is not able to get them if they are still in an archive.
This table lists all the images and corresponding AP models:
| AP Model | Image File Name |
|---|---|
| AP1815, AP154x | ap1g5 |
| AP180x, AP183x, AP185x | ap1g4 |
| C9115, C9120 | ap1g7 |
| C9117 | ap1g6 |
| C9130, C9124 | ap1g6a |
| AP380x, AP280x, AP156x | ap3g3 |
Note: Only Cisco Catalyst 9000 Series APs can run the EWC code. All other APs in the previous table are capable of only joining EWC.
Contents of the extracted zip file must be copied to a TFTP server.
Before you upgrade the image, rename the AP and assign it a static IP address, netmask, and default gateway:
Username: Cisco
Password: Cisco
AP2CF8.9B5F.8628>enable
Password: Cisco
AP2CF8.9B5F.8628#capwap ap hostname AP1
Please note that if AP is already associated to WLC,
the new hostname will only reflect on WLC after AP
dis-associates and rejoins.
AP1#capwap ap ip 192.168.1.14 255.255.255.0 192.168.1.1
The TFTP server is located on IP address 192.168.1.25. Unlike Mobility Express, it is required to specify two different images: one for the AP and one for the EWC. Conversion of the image is done with this command:
AP1#ap-type ewc-ap tftp://192.168.1.25/ap1g7 tftp://192.168.1.25/C9800-AP-iosxe-wlc.bin
Starting download eWLC image tftp://192.168.1.25/C9800-AP-iosxe-wlc.bin ...
It may take a few minutes. If longer, please abort command, check network and try again.
It may take a few minutes. If longer, please abort command, check network and try again.
######################################################################## 100.0%
Upgrading ...
AP CLI suggestions (the use of ?) only mention TFTP and SFTP as supported protocols. However, others like HTTP and HTTPS are also supported (and a lot faster than the most commonly used TFTP). At the time this document was written, an upgrade over FTP is not possible. Cisco bug ID CSCvy36161 - "9100 APs ap-type ewc command only shows tftp and sftp as supported protocols" has been filed to change CLI suggestions to include HTTP and HTTPS.
AP-1#ap-type ewc-ap ?
WORD URL of AP image <tftp|sftp>://<server_ip>/<file_path>
Once the image is upgraded, the AP reboots. Log in with the default credentials Cisco/Cisco. If the upgrade has been successful, the output of the show version command contains:
AP1#show version
.
...
AP Image type : EWC-AP IMAGE
AP Configuration : EWC-AP CAPABLE
The EWC portion of the code boots up. It can take up to 15 minutes to boot up the first time.
Important: The EWC process of the AP never boots if there is an existing AireOS, 9800 or Mobility Express or EWC controller in the same broadcast domain (VLAN).
Option 1. Initial CLI Configuration
Once the EWC partition boots up, a prompt offers to start up an initial configuration wizard. This article covers manual configuration from scratch, without the use of Catalyst Wireless app or web browser wizard:
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
Would you like to terminate autoinstall? [yes]: no
WLC2CF8.9B5F.8628#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
WLC2CF8.9B5F.8628(config)#hostname EWC
######## Creates local user admin ########
EWC(config)#user-name admin
EWC(config-user-name)#privilege 15
EWC(config-user-name)#password 0 Cisco123
EWC(config-user-name)#exit
######## Specifies credentials used to log into APs joined to this EWC ########
EWC(config)#ap profile default-ap-profile
EWC(config-ap-profile)#mgmtuser username admin password 0 Cisco123 secret 0 Cisco123
EWC(config-ap-profile)#exit
######## Configures management interface IP address and subnet ########
EWC(config)#interface gigabitEthernet 0
EWC(config-if)#ip address 192.168.1.15 255.255.255.0
EWC(config-if)#exit
######## Default gateway IP address ########
EWC(config)#ip default-gateway 192.168.1.1
######## Enables web interface of EWC ########
EWC(config)#ip http server
EWC(config)#ip http secure-server
######## Write to memory ########
EWC(config)#end
EWC#write memory
Note: You must enter the write memory command in order to save the configuration and also to clear the preinstalled day-zero configuration. If this is not done, the GUI of the EWC becomes inaccessible, as explained later in this guide.
Unlike a 9800 controller, the EWC flash memory does not have enough space to store all AP images. All the AP images need to be hosted on an external TFTP or SFTP server. When a second AP tries to join, the EWC points it to the external server. Without these commands, no other AP is able to join it:
EWC(config)#wireless profile image-download default
EWC(config-wireless-image-download-profile)#image-download-mode tftp
EWC(config-wireless-image-download-profile-tftp)#tftp-image-server 192.168.1.25
EWC(config-wireless-image-download-profile-tftp)#tftp-image-path /
EWC#write memory
Building configuration...
[OK]
Web interface can now be accessed at https://<EWC management IP address>.
Note: If both HTTP and HTTPS are enabled, the EWC always serves the user with its HTTPS web interface. HTTP is required for some features such as web authentication, so it is recommended to keep it enabled.
Option 2. Web UI Wizard
Once the AP has rebooted in EWC mode, it broadcasts a provisioning Service Set Identifier (SSID) that ends with the last digits of its MAC address. You can connect to it with the PSK "password".
You can then open your browser and you are redirected to mywifi.cisco.com which takes you to the AP web UI. Connect with user "webui" and password "cisco".
Note: The web redirection to the EWC configuration portal only works if you are connected to the provisioning SSID. It does not work if your laptop is connected to another wifi network or on the wired network. You cannot configure the AP from the wired network even if you enter the EWC IP address when it is in day0 wizard provisioning mode.
Option 3. Smartphone App
On the Apple Store as well as Android Play Store, you can find the Cisco Catalyst Wireless application. Install it, and the app allows you to easily provision your embedded controller either through manual connection or QR code.
Tips and Tricks
Join Other APs to the EWC
Up to 100 APs can be joined to the EWC. APs joined to the EWC can only function in FlexConnect mode. The EWC is not able to host all AP images in its flash memory, so a TFTP or SFTP server is required and must be specified with the wireless profile image-download default command.
If the site where the EWC is located has no infrastructure to host a permanent TFTP server, a regular laptop can be used temporarily. A TFTP server with AP images only needs to be present on site during the initial deployment and upgrade.
Note: When in EWC mode, the internal AP does not join other controllers in the network. EWC takes priority over any other configured primary WLC.
Access the AP Console From the EWC (former apciscoshell)
When the console cable is plugged into the AP that runs the EWC image, an EWC prompt is shown by default. If, for any reason, access to the underlying AP shell is required, it can be completed with this command:
EWC#wireless ewc-ap ap shell username admin
admin@192.168.129.1's password: Cisco123
Note: If the AP management username and password are not specified in the AP profile, use the default username Cisco and password Cisco instead.
This command is equivalent to apciscoshell, which was previously available in Mobility Express controllers.
In order to exit back to the EWC shell, enter:
AP1>logout
Connection to 192.168.129.1 closed.
EWC#
Convert EWC Back To Lightweight CAPWAP Mode
If the AP running in EWC mode needs to be converted back to lightweight CAPWAP mode, it can be done via:
AP1#ap-type capwap
AP is the Master AP, system will need a reboot when ap type is changed to CAPWAP. Do you want to proceed? (y/N) y
Important: This command performs a complete factory reset of both the AP and EWC partition. Make sure to back up the current EWC configuration before conversion.
Converting EWCs to CAPWAP using option 43
DHCP option 43 is a vendor-specific option used to provide WLC IP addresses to the access point. Using option 43 with a specific subtype, you can have the EWC convert to CAPWAP mode and join a WLC appliance or virtual controller. After the AP receives DHCP option 43 with subtype 0xF2 at bootup, the AP type is converted to CAPWAP and the AP follows the regular join process.
The DHCP configuration on the switch is shown below.
Switch(dhcp-config)#option 43 hex F2056464645801
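An added example, not part of the Cisco article, for checking an option 43 hex string such as the one above before it is pushed to a DHCP server: it splits the string into subtype/length/value TLVs, verifies that each declared length matches the bytes actually present, decodes the standard subtype 0xF1 (WLC IPv4 addresses) and shows any other subtype, including 0xF2 whose value layout the article does not describe, as raw bytes.

```python
import ipaddress

def parse_option43(hex_string):
    """Return a list of (subtype, value_bytes) TLVs, or raise ValueError.

    Cisco option 43 is a sequence of TLVs: 1-byte subtype, 1-byte length,
    then `length` bytes of value. A mistyped hex string usually shows up
    here as a length that overruns the remaining bytes.
    """
    data = bytes.fromhex(hex_string.replace(" ", ""))
    tlvs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header at offset %d" % i)
        subtype, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("subtype 0x%02X declares %d bytes but only %d remain"
                             % (subtype, length, len(value)))
        tlvs.append((subtype, value))
        i += 2 + length
    return tlvs

def describe(hex_string):
    """Human-readable view of each TLV; only 0xF1 is decoded as WLC addresses."""
    out = []
    for subtype, value in parse_option43(hex_string):
        if subtype == 0xF1:
            if len(value) % 4:
                raise ValueError("0xF1 value is not a multiple of 4 bytes")
            ips = [str(ipaddress.IPv4Address(value[j:j + 4]))
                   for j in range(0, len(value), 4)]
            out.append("0xF1 WLC addresses: " + ", ".join(ips))
        else:
            # 0xF2 (convert-to-CAPWAP) and any other subtype: show raw bytes only
            out.append("0x%02X raw value: %s" % (subtype, value.hex()))
    return out

def build_f1(ip_addresses):
    """Encode the standard subtype 0xF1 TLV for a list of WLC IPv4 addresses."""
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in ip_addresses)
    return (bytes([0xF1, len(packed)]) + packed).hex().upper()

if __name__ == "__main__":
    for line in describe("F2056464645801"):   # the string from the article
        print(line)
    print(build_f1(["192.168.1.15"]))         # constructed WLC address from this guide
```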
Factory Reset from the EWC CLI
In order to reset the EWC back to factory defaults you can use this command from the EWC CLI prompt:
EWC#wireless ewc-ap factory-reset
Access Expert Mode
By default, the web interface of the EWC does not show all of its advanced functions. In order to enable the advanced functions, click the gear icon in the top-right corner and turn on Expert mode.
Generate the Management Interface Certificate and Trustpoint
The EWC uses a Manufacturer Installed Certificate (MIC) for all of its functions. A self-signed certificate must never be generated. The commands specified in this article are sufficient to have the EWC up and running with APs joined to it.
Create VLANs
The EWC does not support the configuration of more than one SVI in the Cisco IOS XE code of the EWC. If you need to add VLANs for use in your WLANs, create them in the flex profile on the member APs and not on the controller part.
Related Information