Cisco AireOS Controller to Cisco Catalyst 9800 Series Wireless Controller, Command Reference Mapping Guide

Cisco AireOS Controller to Cisco Catalyst 9800 Series Wireless Controller - CLI Mapping

Interface Configuration

Table 1. Interface Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config interface create vlan-name vlan-number

config interface vlan vlan-name vlan-number

config interface address dynamic-interface vlan-name primary-ip-address subnet-mask

config interface dhcp dynamic-interface vlan-name primary primary-ip-address secondary secondary-ip-address

vlan vlan-number

no shutdown

interface vlan vlan-number

description "vlan-name"

ip address ip-address subnet-mask

ip helper-address primary-ip-address

ip helper-address secondary-ip-address

no shutdown

config interface create 001-wifi 3001
config interface vlan 001-wifi 3001
config interface address dynamic-interface 001-wifi 10.1.224.2 255.255.224.0 10.1.224.1
config interface dhcp dynamic-interface 001-wifi primary 10.240.208.31 secondary 10.240.208.33
vlan 3001
    no shutdown
interface vlan 3001
    description "001-wifi"
    ip address 10.1.224.2 255.255.224.0
    ip helper-address 10.240.208.31
    ip helper-address 10.240.208.33
    no shutdown

Interface Configuration - IOS Global Parameters

Table 2. Interface Configuration - IOS Global Parameters

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config sysname hostname

config logging syslog host ip-address

config logging syslog level critical

config logging syslog level level

config time ntp server 1 ip-address

config prompt hostname

config sessions timeout timeout-value

hostname hostname

logging host ip-address

logging trap level

ntp server ip-address

prompt hostname

line console 0

exec-timeout timeout-value

config sysname CORE_8540
config logging syslog host 10.240.222.27
config logging syslog level critical
config logging syslog level 2
config time ntp server 1 10.240.222.1
config prompt CORE_8540
config sessions timeout 60
hostname CORE_8540
logging host 10.240.222.27
logging trap 2
ntp server 10.240.222.1
prompt CORE_8540
line console 0
exec-timeout 60

Radius Global Parameters

Table 3. Radius Global Parameters

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config radius auth call-station-type ap-name-ssid

config radius acct mac-delimiter delimiter

aaa new-model

radius-server attribute wireless authentication call-station-id ap-name-ssid

delimiter radius-server attribute wireless accounting mac-delimiter


config radius auth callstationidtype ap-name-ssid
config radius acct mac-delimiter colon
aaa new-model
radius-server attribute wireless authentication call-station-id ap-name-ssid
radius-server attribute wireless accounting mac-delimiter colon

Authentication TACACS Server

Table 4. Authentication TACACS Server

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config tacacs auth add encrypt 1 ip-address password 1 password

config tacacs auth server-timeout 1 timeout-value

tacacs server authentication-sever

address ipv4 ip-address

port port-number

timeout timeout-value

config tacacs auth add encrypt 1 192.16.176.96 49 password 1 *** *** 16 ***
config tacacs auth server-timeout 1 5
tacacs server TACACS_SERVER_AUTH_1
    address ipv4 192.16.176.96
    port 49
    timeout 5
    

Accounting TACACS Server

Table 5. Accounting TACACS Server

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config tacacs acct add encrypt 1 ip-address 49 password password

config tacacs acct server-timeout 1 timeout-value

tacacs server accounting-server

address ipv4 ip-address

port port-number

timeout timeout-value

config tacacs acct add encrypt 1 192.16.176.96 49 password 1 *** *** 16 ***
config tacacs acct server-timeout 1 5
tacacs server TACACS_SERVER_ACCT_1
    address ipv4 192.16.176.96
    port 49
    timeout 5

Authorization TACACS Server

Table 6. Authorization TACACS Server

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config tacacs athr add encrypt 1 ip-address49 password 1 password

config tacacs athr server-timeout 1 ip-address


tacacs server authorization-server

address ipv4 ip-address

port-number port

timeout timeout-value

config tacacs athr add encrypt 1 192.16.176.96 49 password 1 *** *** 16 ***
config tacacs athr server-timeout 1 5
tacacs server TACACS_SERVER_ATHR_1
    address ipv4 192.16.176.96
    port 49
    timeout 5

Authentication Radius Server

Table 7. Authentication Radius Server

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config radius auth add encrypt 4 ip-address 1812 password 1 password

config radius auth retransmit-timeout 4 timeout-value

aaa new-model

radius server radius-authentication-server

address ipv4 ip-addressauth-port authentication-portacct-port accounting-port

config radius auth add encrypt 4 10.240.222.72 1812 password 1 *** *** 16 ***
config radius auth retransmit-timeout 4 5
aaa new-model
radius server RADIUS_SERVER_AUTH_4
    address ipv4 10.240.222.72 auth-port 1812 acct-port 1813

Accounting Radius Server

Table 8. Accounting Radius Server

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config radius acct add encrypt 1 ip-address1813 password 1 password

config radius acct retransmit-timeout 1 timeout-value

aaa new-model

radius server radius-accounting-server

address ipv4 ip-address auth-port authentication-port acct-port accounting-port

config radius acct add encrypt 1 10.240.222.15 1813 password 1 *** *** 16 ***
config radius acct retransmit-timeout 1 2
aaa new-model
radius server RADIUS_SERVER_ACCT_1
    address ipv4 10.240.222.15 auth-port 1812 acct-port 1813

FlexConnect ACL

Table 9. FlexConnect ACL

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config flexconnect acl apply Secured-Wireless-Networks

config flexconnect acl create Secured-Wireless-Networks

config flexconnect acl rule add Secured-Wireless-Networks 1

config flexconnect acl rule action Secured-Wireless-Networks 1 permit

config flexconnect acl rule protocol Secured-Wireless-Networks 1 17

config flexconnect acl rule destination port range Secured-Wireless-Networks 1 1812 1813

ip access-list extended Secured-Wireless-Networks

1 permit 17 any any range 1812 1813

2 permit 17 any range 67 68

3 permit ip any ip-address 0.0.0.0

4 permit ip ip-address 0.0.0.0 any

config flexconnect acl apply Secured-Wireless-Networks
config flexconnect acl create Secured-Wireless-Networks
config flexconnect acl rule add Secured-Wireless-Networks 1
config flexconnect acl rule action Secured-Wireless-Networks 1 permit
config flexconnect acl rule protocol Secured-Wireless-Networks 1 17
config flexconnect acl rule destination port range Secured-Wireless-Networks 1 1812 1813
ip access-list extended Secured-Wireless-Networks
    1 permit 17 any any range 1812 1813
    2 permit 17 any range 67 68 any range 67 68
    3 permit ip any 168.213.64.215 0.0.0.0
    4 permit ip 168.213.64.215 0.0.0.0 any

ACL

Table 10. ACL

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config acl apply Apply_All

config acl create Allow_All

config acl rule add Allow_All 1

config acl rule action Allow_all 1 permit

config acl rule source port range Allow_All 1 permit Allow_All 1 0 65535

config acl rule destination port range Allow_All 1 0 65535

ip access-list extended Allow_All

1 permit ip any any

config acl apply Allow_All
config acl create Allow_All
config acl rule add Allow_All 1
config acl rule action Allow_All 1 permit
config acl rule source port range Allow_All 1 0 65535
config acl rule destination port range Allow_All 1 0 65535
ip access-list extended Allow_All
    1 permit ip any any

Multicast Parameters

Table 11. Multicast Parameters

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config network multicast global enable/disable

config network multicast igmp snooping enable/disable

config network multicast mode multicast ip-address

wireless multicast

ip igmp snooping querier

wireless multicast ip-address

config network multicast global enable
config network multicast igmp snooping enable
config network multicast mode multicast 239.240.222.41
wireless multicast
ip igmp snooping
ip igmp snooping querier
wireless multicast 239.240.222.41

Mobility Configuration

Table 12. Mobility Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config mobility group domain BISD

config mobility group member add mac-address ip-address BISD

wireless mobility group name BISD

wireless mobility group member ip ip-address public-ip ip-address group BISD

config mobility group domain BISD
config mobility group member add 54:4a:00:32:b7:80 10.240.222.45 BISD
wireless mobility group name BISD
wireless mobility group member ip 10.240.222.45 public-ip 10.240.222.45 group BISD

Rogue Global Configuration

Table 13. Rogue Global Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config rogue ap rldp enable alarm-only monitor-ap-only

config rogue detection report-interval time

config rogue detection monitor-ap report-interval time

config rogue detection min-rssi time

config rogue ap classify friendly state internal mac-address

config rogue ap friendly add mac-address

config rogue client mse enable

wireless wps rogue ap rldp alarm-only monitor-ap-only

wireless wps rogue detection report-interval time

wireless wps rogue detection monitor-ap report-interval time

wireless wps rogue detection min-rssi -time

wireless wps rogue ap friendly mac-address state internal

wireless wps rogue client mse

config rogue ap rldp enable alarm-only monitor-ap-only
config rogue detection report-interval 30
config rogue detection monitor-ap report-interval 30
config rogue detection min-rssi -70
config rogue ap classify friendly state internal 68:72:51:2c:b5:85
config rogue ap friendly add 2c:3e:cf:3c:a5:a0
config rogue client mse enable
wireless wps rogue ap rldp alarm-only monitor-ap-only
wireless wps rogue detection report-interval 30
wireless wps rogue detection monitor-ap report-interval 30
wireless wps rogue detection min-rssi -70
wireless wps rogue ap friendly 6872.512c.b585 state internal
wireless wps rogue client mse

Rogue Rules Configuration

Table 14. Rogue Rules Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config rogue rule add ap priority priority classify friendly notify none state external 128_Ignore

config rogue rule condition ap set rssi -128 128_Ignore

config rogue rule enable 128_Ignore

config rogue rule match any 128_Ignore

wireless wps rogue rule 128_Ignore priority priority

shutdown

classify friendly state external

condition rssi -128

match any

no shutdown

config rogue rule add ap priority 3 classify friendly notify none state external 128_Ignore
config rogue rule condition ap set rssi -128 128_Ignore
config rogue rule enable 128_Ignore
config rogue rule match any 128_Ignore
wireless wps rogue rule 128_Ignore priority 3
    shutdown
    classify friendly state external
    condition rssi -128
    match any
    no shutdown

SNMP Trap Receiver Global Configuration

Table 15. SNMP Trap Receiver Global Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config snmp trapreceiver create ip-aaddress ip-address

snmp-server host ip-address version 2c ip-address

config snmp trapreceiver create 10.240.222.40 10.240.222.40
snmp-server host 10.240.222.40 version 2c 10.240.222.40

SNMP Community Global Configuration

Table 16. SNMP Community Global Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config snmp community ipaddr ip-address ip-aaddress read2008bisd

config snmp community create read2008bisd

config snmp community mode enable read2008bisd

rw read2008bisd config snmp community accessmode

ip access-list extended read2008bisd_ACL

permit udp any host ip-address eq snmp

snmp-server community read2008bisd rw read2008bisd_ACL

config snmp community ipaddr 10.240.222.0 255.255.255.0 read2008bisd
config snmp community create read2008bisd
config snmp community mode enable read2008bisd
config snmp community accessmode rw read2008bisd
ip access-list extended read2008bisd_ACL
   permit udp any host 10.240.222.0 eq snmp
snmp-server community read2008bisd rw read2008bisd_ACL

SNMP Syscontact and Syslocation Global Configuration

Table 17. SNMP Syscontact and Syslocation Global Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config snmp syslocation NOC

snmp-server contact NOC

config snmp syslocation NOC
snmp-server contact NOC

Location Global Configuration - Trapflags

Table 18. Location Global Configuration - Trapflags

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config trapflags 802.11-security ids-sig-attack disable

no trapflags client dot11 ids-sig-attack

config trapflags 802.11-security ids-sig-attack disable
no trapflags client dot11 ids-sig-attack

Wireless Global Parameters

Table 19. Wireless Global Parameters

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config exclusionlist add 58:3f:54:c8:04:8f "IDS EAPOL Flood Attack "

config exclusionlist add 2c:8a:72:b6:da:4b MDNSInterfere

config exclusionlist add f0:f7:55:75:f0:f0 OE-AP

config advanced fra enable

config wps client-exclusion 802.11-assoc disable

config wps client-exclusion ip-theft disable

config wps client-exclusion 802.11-auth disable

config wps client-exclusion 802.1x-auth disable

config network mgmt-via-wireless enable

config rfid status enable

config rfid timeout 1200

config advanced probe limit 2 500

config network rf-network-name RF1

config country US

load-balancing window 20

config load-balancing window 20

wireless exclusionlist 583f.54c8.048f description "IDS EAPOL Flood Attack "

wireless exclusionlist 2c8a.72b6.da4b description MDNSInterfere

wireless exclusionlist f0f7.5575.f0f0 description OE-AP

ap fra

no wireless wps client-exclusion ip-theft

no wireless wps client-exclusion dot11-assoc

no wireless wps client-exclusion dot11-auth

no wireless wps client-exclusion dot1x-auth

wireless mgmt-via-wireless

wireless rfid

wireless rfid timeout 1200

wireless probe limit 2 500

wireless rf-network

RF1

ap country US

wireless load-balancing window 20

config exclusionlist add 58:3f:54:c8:04:8f "IDS EAPOL Flood Attack "
config exclusionlist add 2c:8a:72:b6:da:4b MDNSInterfere
config exclusionlist add f0:f7:55:75:f0:f0 OE-AP
config advanced fra enable
config wps client-exclusion 802.11-assoc disable
config wps client-exclusion ip-theft disable
config wps client-exclusion 802.11-auth disable
config wps client-exclusion 802.1x-auth disable
config network mgmt-via-wireless enable
config rfid status enable
config rfid timeout 1200
config advanced probe limit 2 500
config network rf-network-name RF1
config country US
load-balancing window 20
config load-balancing window 20
wireless exclusionlist 583f.54c8.048f description "IDS EAPOL Flood Attack "
wireless exclusionlist 2c8a.72b6.da4b description MDNSInterfere
wireless exclusionlist f0f7.5575.f0f0 description OE-AP
ap fra
no wireless wps client-exclusion ip-theft
no wireless wps client-exclusion dot11-assoc
no wireless wps client-exclusion dot11-auth
no wireless wps client-exclusion dot1x-auth
wireless mgmt-via-wireless
wireless rfid
wireless rfid timeout 1200
wireless probe limit 2 500
wireless rf-network RF1
ap country US
wireless load-balancing window 20

Media-stream Configuration

Table 20. Media-stream Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

media-stream multicast-direct disable

media-stream multicast-direct enable

wireless media-stream multicast-direct

media-stream multicast-direct disable
media-stream multicast-direct enable
wireless media-stream multicast-direct

Mac-Filtering at WLAN level

Table 21. Mac-Filtering at WLAN level

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config macfilter add mac-address 4 240-sysops Roku

config wlan radius_server auth add 4 5

config wlan create 4 SYSOPS SYSOPS

config wlan enable 4

config wlan broadcast-ssid enable 4

config wlan security wpa disable 4

wpa2 disable 4 config wlan security wpa

config wlan security wpa wpa2 ciphers aes disable 4

config wlan security wpa akm 802.1x disable 4

config wlan wmm allow 4

config wlan mac-filtering enable 4

aaa new-model

aaa attribute list ATTR_LIST_SYSOPS

attribute type ssid SYSOPS

username b0ee7b3ff473 mac aaa attribute list ATTR_LIST_SYSOPS

config macfilter add b0:ee:7b:3f:f4:73 4 240-sysops Roku
config wlan radius_server auth add 4 5
config wlan create 4 SYSOPS SYSOPS
config wlan enable 4
config wlan broadcast-ssid enable 4
config wlan security wpa disable 4
config wlan security wpa wpa2 disable 4
config wlan security wpa wpa2 ciphers aes disable 4
config wlan security wpa akm 802.1x disable 4
config wlan wmm allow 4
config wlan mac-filtering enable 4
aaa new-model
aaa attribute list ATTR_LIST_SYSOPS
    attribute type ssid SYSOPS
username b0ee7b3ff473 mac aaa attribute list ATTR_LIST_SYSOPS

WLAN Profile Configuration

Table 22. WLAN Profile Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config wlan radius_server auth add 1 4

config wlan radius_server acct add 1 1

config wlan create 1 BISD-5G BISD-5G

config wlan security wpa akm 802.1x enable 1

config wlan security wpa akm 802.1x enable 1

config wlan security wpa enable 1

config wlan security wpa akm ft 802.1x enable 1

config wlan enable 1

config wlan broadcast-ssid enable 1

config wlan band-select allow enable 1

config wlan security wpa wpa1 enable 1

config wlan security wpa wpa1 ciphers aes enable 1

config wlan wmm allow 1

config wlan ccx aironetiesupport disable 1

config wlan radio 1 802.11a-only

aaa new-model

aaa group server radius RADIUS_SERVER_GROUP_AUTH_BISD-5G

server name RADIUS_SERVER_AUTH_4

server name RADIUS_SERVER_AUTH_5

aaa authentication dot1x DOT1X_RADIUS_AUTH_LIST_BISD-5G group RADIUS_SERVER_GROUP_AUTH_RADIUS_SERVER_GROUP_AUTH_BISD-5G

aaa group server radius RADIUS_SERVER_GROUP_ACCT_BISD-5G

server name RADIUS_SERVER_ACCT_1

aaa accounting identity RADIUS_ACCT_LIST_BISD-5G start-stop group RADIUS_SERVER_GROUP_ACCT_BISD-5G

wlan BISD-5G 1 BISD-5G

security wpa

security wpa wpa1

security wpa wpa1 ciphers aes

security wpa akm dot1x

security wpa akm ft dot1x

security dot1x authentication-list DOT1X_RADIUS_AUTH_LIST_BISD-5G

broadcast-ssid

band-select

wmm allowed

no ccx aironet-iesupport

radio dot11a

no shutdown

config wlan radius_server auth add 1 4
config wlan radius_server auth add 1 5
config wlan radius_server acct add 1 1
config wlan create 1 BISD-5G BISD-5G
config wlan security wpa akm 802.1x enable 1
config wlan security wpa enable 1
config wlan security wpa akm ft 802.1x enable 1
config wlan enable 1
config wlan broadcast-ssid enable 1
config wlan band-select allow enable 1
config wlan security wpa wpa1 enable 1
config wlan security wpa wpa1 ciphers aes enable 1
config wlan wmm allow 1
config wlan ccx aironetiesupport disable 1
config wlan radio 1 802.11a-only
aaa new-model
aaa group server radius RADIUS_SERVER_GROUP_AUTH_BISD-5G
    server name RADIUS_SERVER_AUTH_4
    server name RADIUS_SERVER_AUTH_5
aaa authentication dot1x DOT1X_RADIUS_AUTH_LIST_BISD-5G group RADIUS_SERVER_GROUP_AUTH_RADIUS_SERVER_GROUP_AUTH_BISD-5G
aaa group server radius RADIUS_SERVER_GROUP_ACCT_BISD-5G
    server name RADIUS_SERVER_ACCT_1
aaa accounting identity RADIUS_ACCT_LIST_BISD-5G start-stop group RADIUS_SERVER_GROUP_ACCT_BISD-5G
wlan BISD-5G 1 BISD-5G
    security wpa
    security wpa wpa1
    security wpa wpa1 ciphers aes
    security wpa akm dot1x
    security wpa akm ft dot1x
    security dot1x authentication-list DOT1X_RADIUS_AUTH_LIST_BISD-5G
    broadcast-ssid
    band-select
    wmm allowed
    no ccx aironet-iesupport
    radio dot11a
    no shutdown

Flow Exporter Configuration

Table 23. Flow Exporter Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config flow create exporter "Cisco Prime" mac-address port port-number

flow exporter "Cisco Prime" destination mac-addresstransport udp port-number

config flow create exporter "Cisco Prime" 10.240.222.40 port 9991
flow exporter "Cisco Prime"
 destination 10.240.222.40
 transport udp 9991

Flow Monitor Configuration

Table 24. Flow Monitor Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config flow create monitor "Cisco Prime"

config flow add monitor "Cisco Prime" exporter "Cisco Prime"

flow monitor "Cisco Prime"

flow exporter "Cisco Prime"

flow monitor "Cisco Prime"

exporter "Cisco Prime"

config flow create monitor "Cisco Prime"
config flow add monitor "Cisco Prime" exporter "Cisco Prime"
flow monitor "Cisco Prime"
flow exporter "Cisco Prime"
flow monitor "Cisco Prime"
exporter "Cisco Prime"

Class Map Configuration for AVC Profile

Table 25. Class Map Configuration for AVC Profile

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config avc profile Sample rule add application application-name drop

class-map match-any CM_AVC_1_1

description Class-map for AVC-Profile - Sample, Action - police cir 8000 conform-action drop exceed-action drop match protocol application-name

config avc profile Sample rule add application facebook drop
class-map match-any CM_AVC_1_1
    description Class-map for AVC-Profile - Sample, Action - police cir 8000 conform-action drop exceed-action drop
    match protocol facebook

Policy Map Configuration for AVC Profile

Table 26. Policy Map Configuration for AVC Profile

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config avc profile sample-create

config avc profile Sample rule add application application-name drop

policy-map sample

description Policy-map for AVC-Profile - sample

class CM_AVC_1_1

police cir 8000 conform-action drop exceed-action drop

config avc profile Sample create
config avc profile Sample rule add application facebook drop
policy-map Sample
    description Policy-map for AVC-Profile - Sample
    class CM_AVC_1_1
        police cir 8000 conform-action drop exceed-action drop

Policy Profile Configuration

Table 27. Policy Profile Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config wlan aaa-override enable/disable 1

config wlan apgroup interface-mapping add vlan-number vlan-id vlan-name

config interface vlan vlan-name vlan-number

config wlan interface vlan-id vlan-interface

config wlan session-timeout 1 timeout-value

config wlan user-idle-threshold threshold-value 1

config wlan qos 1 qos-profile

config wlan avc 1 visibility enable

config wlan exclusionlist 1 60

config wlan profiling local dhcp enable 1

config wlan profiling local http enable 1

config wlan nac radius enable 1

wireless profile policy POLICY_PROFILE_1

description "Policy profile for wlan-ids=['vlan-id']"

shutdown

aaa-override vlan vlan-number

session-timeout timeout-value

idle-threshold threshold-value

service-policy output qos-profile

ipv4 flow monitor wireless-avc-basic input

ipv4 flow monitor wireless-avc-basic output

exclusionlist timeout timeout-value

local-dhcp-profiling

local-http-profiling

nac

config wlan aaa-override enable 1
config wlan apgroup interface-mapping add 119 1 119-wifi
config interface create 119-wifi 3119
config interface vlan 119-wifi 3119
config wlan interface 1 012-wifi
config wlan session-timeout 1 28800
config wlan user-idle-threshold 70 1
config wlan qos 1 platinum
config wlan avc 1 visibility enable
config wlan exclusionlist 1 60
config wlan profiling local dhcp enable 1
config wlan profiling local http enable 1
config wlan nac radius enable 1
wireless profile policy POLICY_PROFILE_1
    description "Policy profile for wlan-ids=['1']"
    shutdown
    aaa-override
    vlan 3119
    session-timeout 28800
    idle-threshold 70
    service-policy input platinum-up
    service-policy output platinum
    ipv4 flow monitor wireless-avc-basic input
    ipv4 flow monitor wireless-avc-basic output
    exclusionlist timeout 60
    local-dhcp-profiling
    local-http-profiling
    nac

Policy Tag Configuration

Table 28. Policy Tag Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config wlan apgroup add 001 "group-name"

config wlan apgroup description 001 "group-name"

config wlan apgroup interface-mapping add 001 2 guest-wifi

config wlan apgroup interface-mapping add 001 3 001-wifi

config wlan apgroup interface-mapping add 001 1 001-wifi

wireless tag policy APG_001

description "Policy tag for wlan-ids=set(['1', '3', '2'])"

wlan BISD-5G policy POLICY_PROFILE_34

wlan BISD-Guest policy POLICY_PROFILE_38

wlan BISD policy POLICY_PROFILE_62

config wlan apgroup add 001 "Haltom HS"
config wlan apgroup description 001 "Haltom HS"
config wlan apgroup interface-mapping add 001 2 guest-wifi
config wlan apgroup interface-mapping add 001 3 001-wifi
config wlan apgroup interface-mapping add 001 1 001-wifi
wireless tag policy APG_001
    description "Policy tag for wlan-ids=set(['1', '3', '2'])"
    wlan BISD-5G policy POLICY_PROFILE_34
    wlan BISD-Guest policy POLICY_PROFILE_38
    wlan BISD policy POLICY_PROFILE_62

Global Radio Parameters

Table 29. Global Radio Parameters

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config 802.11a cac voice sip bandwidth 64 sample-interval interval

config advanced 802.11a channel add channel-id

config advanced 802.11a channel dca chan-width channel-width

config 802.11a cleanair enable

config advanced 802.11a channel cleanair-event enable

config advanced 802.11a profile foreign global 60

config advanced 802.11a profile clients global 30

ap dot11 5ghz cac voice sip bandwidth 64 sample-interval interval

ap dot11 5ghz rrm channel dca add channel-id

ap dot11 5ghz rrm channel dca chan-width channel-width

ap dot11 5ghz cleanair

ap dot11 5ghz cleanair

no ap dot11 5ghz rrm channel cleanair-event

ap dot11 5ghz rrm channel cleanair-event

config 802.11a cac voice sip bandwidth 64 sample-interval 20
config advanced 802.11a channel add 140
config advanced 802.11a channel dca chan-width 40
config 802.11a cleanair enable
config advanced 802.11a channel cleanair-event enable
config advanced 802.11a profile foreign global 60
config advanced 802.11a profile clients global 30
ap dot11 5ghz cac voice sip bandwidth 64 sample-interval 20
ap dot11 5ghz rrm channel dca add 140
ap dot11 5ghz rrm channel dca chan-width 40
ap dot11 5ghz cleanair
ap dot11 5ghz cleanair
no ap dot11 5ghz rrm channel cleanair-event
ap dot11 5ghz rrm channel cleanair-event

RF Profile Configuration

Table 30. RF Profile Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config rf-profile create 802.11a rf-profile-name

config rf-profile data-rates 802.11a mandatory 1 2 rf-profile-name

config rf-profile trap-threshold clients threshold-value rf-profile-name

config rf-profile trap-threshold interference 60 rf-profile-name

config rf-profile load-balancing window 20 rf-profile-name

config rf-profile channel add channel-width rf-profile-name

config rf-profile channel chan-width channel-width rf-profile-name

ap dot11 5ghz rf-profile rf-profile-name

shutdown

rate RATE_12M mandatory

rate RATE_6M mandatory

rate RATE_24M mandatory

rate RATE_48M supported

rate RATE_36M supported

rate RATE_9M supported

rate RATE_18M supported

rate RATE_54M supported

trap threshold clients threshold-value

trap threshold interference 60

load-balancing window 20

channel add channel-number

channel chan-width channel-width

no shutdown

config rf-profile create 802.11a A_Profile
config rf-profile data-rates 802.11a mandatory 12 A_Profile
config rf-profile trap-threshold clients 30 A_Profile
config rf-profile trap-threshold interference 60 A_Profile
config rf-profile load-balancing window 20 A_Profile
config rf-profile channel add 112 A_Profile
config rf-profile channel chan-width 80 A_Profile
ap dot11 5ghz rf-profile A_Profile
    shutdown
    rate RATE_12M mandatory
    rate RATE_6M mandatory
    rate RATE_24M mandatory
    rate RATE_48M supported
    rate RATE_36M supported
    rate RATE_9M supported
    rate RATE_18M supported
    rate RATE_54M supported
    trap threshold clients 30
    trap threshold interference 60
    load-balancing window 20
    channel add 112
    channel chan-width 80
    no shutdown

RF Tag Configuration

Table 31. RF Tag Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config wlan apgroup profile-mapping add ap-group-profile

 

wireless tag rf ap-group-profile

description "RF-Tag for AP-Group - BISDOEAP"

5ghz-rf-policy A_Profile

config wlan apgroup profile-mapping add BISDOEAP A_Profile
wireless tag rf BISDOEAP
    description "RF-Tag for AP-Group - BISDOEAP"
    5ghz-rf-policy A_Profile

Flex Profile Configuration

Table 32. Flex Profile Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config flexconnect group flex-group-name add

config flexconnect group default-flex-group radius ap authority id group-id

config flexconnect group default-flex-group radius ap authority info "group-info"

config flexconnect group default-flex-group radius ap server-key encrypt 1 *** *** ***

eap method fast profile EF_default-flex-group

description "Eap-Fast profile: fc-grp=default-flex-group"

authority-id identity id

authority-id information "info"

pac-password unencrypted/hidden server-key

wireless profile flex flex-profile-name

description flex-group-name

no local-auth ap eap-fast EF_default-flex-group

config flexconnect group default-flex-group add
config flexconnect group default-flex-group radius ap authority id 436973636f0000000000000000000000
config flexconnect group default-flex-group radius ap authority info "Cisco A_ID"
config flexconnect group default-flex-group radius ap server-key encrypt 1 *** *** ***
eap method fast profile EF_default-flex-group
    description "Eap-Fast profile: fc-grp=default-flex-group"
    authority-id identity 436973636f0000000000000000000000
    authority-id information "Cisco A_ID"
    pac-password <UNENCRYPTED/HIDDEN> <SERVER_KEY>
wireless profile flex default-flex-group
    description default-flex-group
    no local-auth ap eap-fast EF_default-flex-group

AP Profile Configuration

Table 33. AP Profile Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config advanced backup-controller primary WISM-Central4 mac-address

config ap packet-dump ftp serverip mac-address path / username username password password

config ap packet-dump buffer-size buffer-size

config ap packet-dump capture-time duration

config ap packet-dump truncate 0

config ap packet-dump classifier control enable

config ap packet-dump classifier management enable

config ap packet-dump classifier ip enable

config ap packet-dump classifier data enable

config ap packet-dump classifier udp enable

config ap ssh enable all

wireless profile ap packet-capture pc_default-ap-profile

ftp serverip mac-address

ftp username usename

ftp password 0 password

ftp path /

buffer-size buffer-size

duration duration

classifier control

classifier management

classifier data

classifier udp

ap profile default-ap-profile

packet-capture pc_default-ap-profile

capwap backup primary WISM-Central4 mac-address

ssh

config advanced backup-controller primary WISM-Central4 10.240.222.44
config ap packet-dump ftp serverip 10.240.222.27 path / username ncsadmin password @dmin2015
config ap packet-dump buffer-size 3000
config ap packet-dump capture-time 10
config ap packet-dump truncate 0
config ap packet-dump classifier control enable
config ap packet-dump classifier management enable
config ap packet-dump classifier ip enable
config ap packet-dump classifier data enable
config ap packet-dump classifier udp enable
config ap ssh enable all
wireless profile ap packet-capture pc_default-ap-profile
    ftp serverip 10.240.222.27
    ftp username ncsadmin
    ftp password 0 @dmin2015
    ftp path /
    buffer-size 3000
    duration 10
    classifier control
    classifier management
    classifier ip
    classifier data
    classifier udp
ap profile default-ap-profile
    packet-capture pc_default-ap-profile
    capwap backup primary WISM-Central4 10.240.222.44
   ssh

Site Tag Configuration

Table 34. Site Tag Configuration

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

flexconnect group NACHA ap add mac-address

wireless tag site NACHA

flex-profile NACHA

flexconnect group NACHA ap add 6c:41:6a:29:5b:cf
wireless tag site NACHA flex-profile NACHA

Attaching tags to AP

Table 35. Attaching tags to AP

AireOS CLIs

Cisco Catalyst 9800 Series Wireless Controller CLIs

config flexconnect group SIN-SingaporeChangi ap add mac-address

ap mac-address

policy-tag FCG_SIN-SingaporeChangi

site-tag SIN-SingaporeChangi

config flexconnect group SIN-SingaporeChangi ap add 00:06:f6:16:c2:5b
ap 0006.f616.c25b
    policy-tag FCG_SIN-SingaporeChangi
    site-tag SIN-SingaporeChangi