Release Notes for Cisco Embedded Wireless Controller on Catalyst Access Points, Cisco IOS XE Bengaluru 17.4.x

Introduction to Cisco Embedded Wireless Controller on Catalyst Access Points

The Cisco Embedded Wireless Controller on Catalyst Access Points is a version of the Cisco IOS XE-based controller software on Catalyst access points. In this solution, a Catalyst access point (AP) that is running the Cisco Embedded Wireless Controller on Catalyst Access Points software, is designated as the primary AP. Other APs, referred to as subordinate APs, associate to this primary AP.

The Cisco Embedded Wireless Controller on Catalyst Access Points provides enterprise-level WLAN features while maintaining operational simplicity and affordability. This solution is targeted at small and medium-sized business (SMB) customers or distributed enterprises, and can be run at single site deployments.

  • The controllers come with high availability (HA) and seamless software updates. This keeps your services on always, both during planned and unplanned events.

  • The deployment can be managed using a mobile application, Cisco Digital Network Architecture (DNA) Center, Netconf/Restconf, web-based GUI, or CLI.

What's New in Cisco Embedded Wireless Controller on Catalyst Access Points, Cisco IOS XE Bengaluru 17.4.x

Table 1. Software Features Introduced in Cisco Embedded Wireless Controller on Catalyst Access Points, Cisco IOS XE Bengaluru 17.4.x

Feature Name

Description and Documentation Link

User and Entity Behavior Analysis

The User and Entity Behavior Analysis (UEBA) feature, allows you to profile and track the behavior of normal users and devices, with a number of security techniques, in order to identify potential inside threats and targeted attacks in networks when anomalies occur.

For more information, see the User and Entity Behavior Analysis chapter.

Enabling USB Port on Access Points

With this feature, you can enable a USB port as a power source on access points (APs). Some Cisco APs have a USB port that can act as a source of power for some USB devices. The power can be up to 2.5W; if a USB device draws more than 2.5W of power, the USB port shuts down automatically. The port is enabled when the power drawn is 2.5W or lower.

For more information, see the Enabling USB Port on Access Points chapter.

Table 2. Web UI Features Introduced or Modified in Cisco Embedded Wireless Controller on Catalyst Access Points

Feature Name

Web UI Path

User and Entity Behavior Analysis

Configuration > Security > Threat Defense

Enabling USB Port on Access Points

Configuration > Wireless > Access Points

Option to opt-out of AIR DNA licenses and change in default license level

Licensing > General > Change Wireless License Level

Web UI for Golden Monitor for Packet Drops

  • Monitoring > General > System > CPU Utilization

  • Monitor > General > Ports

Behavior Changes

  • The following APs are not supported from this release.

    • Cisco Aironet 800 Series Access Point

    • Cisco Aironet 1570 Series Access Point

    • Cisco Aironet 1700 Series Access Point

    • Cisco Aironet 2700 Series Access Point

    • Cisco Aironet 3700 Series Access Point

  • The Rogue Location Discovery Protocol (RLDP) feature is not supported from this release, and the following configuration, Privileged EXEC, and show commands are removed.

    RLDP Configuration Commands

    • wireless wps rogue ap rldp alarm-only

    • wireless wps rogue ap rldp alarm-only monitor-ap-only

    • wireless wps rogue ap rldp auto-contain

    • wireless wps rogue ap rldp auto-contain monitor-ap-only

    • wireless wps rogue ap rldp retries

    • wireless wps rogue ap rldp schedule

    • wireless wps rogue ap rldp schedule day

    RLDP EXEC Command

    • wireless wps rogue ap mac-address rldp initiate

    RLDP Show Commands

    • show wireless wps rogue ap rldp detailed

    • show wireless wps rogue ap rldp in-progress

    • show wireless wps rogue ap rldp summary

  • Option to opt-out of AIR DNA licenses and change in default license level -

    For all Cisco Embedded Wireless Controller on Cisco Catalyst 9100 Access Points (EWC-APs), you now have the option to opt-out of purchasing an AIR DNA license. This option is available only through the Cisco Commerce portal.

    When you opt-out, you use only the AIR Network Essentials license. Further, Smart Licensing Using Policy functionality is disabled on the product instance and for your Smart Account and Virtual Account in CSSM. License usage is not recorded, and no reporting requirements apply.

    Starting with this release, the default license (license air level global configuration command) on an EWC-AP is changed from AIR DNA Essentials to AIR Network Essentials.

    For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide.

  • Starting from this release, you can reset all the APs associated to the site tag, in one click.

  • You can disable 802.11ax Overlapping BSS Packet Detect (OBSS-PD) spatial reuse globally on a specific band and RF profile.

  • If you configure 802.1x with session timeout between 0 and 299, Pairwise Master Key (PMK) cache is created with a timer of 1 day 84600 seconds.

  • You can use the parameter-map type umbrella custom_pmap command to configure a customized Umbrella Parameter Map.

  • The request for conversion of an EWC non-capable device to EWC mode will be rejected if the access point cannot be converted.

  • Information about Wi-Fi Protected Access 3 (WPA3) Opportunistic Wireless Encryption (OWE) and WPA3 Simultaneous Authentication of Equals (SAE) is included in the rogue encryption description and in the show wireless wps rogue ap detailed command output, if WPA3 rogue is detected.

  • Support is added for Cisco Persistent Device Avoidance feature in the GUI.

  • ACLs that are longer than 32 characters under the WLAN and policy profile may cause issues when you upgrade to Cisco IOS XE Bengaluru 17.4.x or later using ISSU. To avoid this, you should explicitly unconfigure ACLs that are longer than 32 characters from the corresponding WLAN and the policy profile before the upgrade.

  • We recommend that you use CLIs to upgrade embedded wireless on a Catalyst 9000 switch because wireless upgrade through GUI is not supported.

  • From Cisco IOS XE Bengaluru Release 17.4.1 onwards, the AP name will be appended to the AP Cisco Discovery Protocol neighbor information for an upstream switch.

Supported Cisco Access Point Platforms

The following Cisco access points are supported in the Cisco Embedded Wireless Controller on Catalyst Access Points network. Note that the APs listed as primary APs can also function as subordinate APs.

Table 3. Cisco APs Supported in Cisco Embedded Wireless Controller on Catalyst Access Points

Primary AP

Subordinate AP

Cisco Catalyst 9115 Series

Cisco Catalyst 9117 Series

Cisco Catalyst 9120 Series

Cisco Catalyst 9130 Series

Cisco Catalyst 9105AXI

Cisco Aironet 1540 Series

Cisco Aironet 1560 Series

Cisco Aironet 1815i

Cisco Aironet 1815w

Cisco Aironet 1830 Series

Cisco Aironet 1840 Series

Cisco Aironet 1850 Series

Cisco Aironet 2800 Series

Cisco Aironet 3800 Series

Cisco Aironet 4800 Series

Cisco Catalyst 9115 Series

Cisco Catalyst 9117 Series

Cisco Catalyst 9120 Series

Cisco Catalyst 9130 Series

Cisco Catalyst 9105AXW

Cisco Catalyst 9105AXI

Cisco Catalyst Industrial Wireless 6300 Heavy Duty Series Access Points

Cisco 6300 Series Embedded Services Access Points

Table 4. Image Types and Supported APs in Cisco Embedded Wireless Controller on Catalyst Access Points

Image Type

Supported APs

ap1g4

Cisco Aironet 1810 Series

Cisco Aironet 1830 Series

Cisco Aironet 1850 Series

ap1g5

Cisco Aironet 1815i

Cisco Aironet 1815w

Cisco Aironet 1540 Series

Cisco Aironet 1850 Series

ap1g6

Cisco Catalyst 9117 Series

ap1g6a

Cisco Catalyst 9130 Series

ap1g7

Cisco Catalyst 9115 Series

Cisco Catalyst 9120 Series

ap1g8

Cisco Catalyst 9105 Series

ap3g3

Cisco Aironet 2800 Series

Cisco Aironet 3800 Series

Cisco Aironet 4800 Series

Cisco Aironet 1560 Series

Cisco Catalyst Industrial Wireless 6300 Heavy Duty Series Access Points

Cisco 6300 Series Embedded Services Access Points

Maximum APs and Clients Supported

Table 5. Scale Supported in Cisco EWC Network

Primary AP Model

Maximum APs Supported

Maximum Clients Supported

Cisco Catalyst 9105 AWI

50

1000

Cisco Catalyst 9115 Series

50

1000

Cisco Catalyst 9117 Series

50

1000

Cisco Catalyst 9120 Series

100

2000

Cisco Catalyst 9130 Series

100

2000


Note

If 25 to 100 APs have joined the EWC network, the maximum clients on the EWC internal AP is limited to 20.


Compatibility Matrix

The following table provides software compatibility information:

Table 6. Compatibility Information

Cisco Embedded Wireless Controller on Catalyst Access Points

Cisco ISE

Cisco CMX

Cisco DNA Center

Bengaluru 17.4.x

2.6

2.4

2.3

10.6.2

10.6

10.5.1

2.1.260

Supported Browsers and Operating Systems for Web UI


Note

The following list of Supported Browsers and Operating Systems is not comprehensive at the time of writing this document and the behavior of various browser for accessing the GUI of the EWC is as listed below.


Table 7. Supported Browsers and Operating Systems

Browser

Version

Operating System

Status

Workaround

Google Chrome

77.0.3865.120

macOS Mojave Version 10.14.6

Works

Proceed through the browser warning.

Safari

13.0.2 (14608.2.40.1.3)

macOS Mojave Version 10.14.6

Works

Proceed through the browser warning.

Mozilla Firefox

69.0.1

macOS Mojave Version 10.14.6

Works only if exception is added.

Set the exception.

Mozilla Firefox

69.0.3

macOS Mojave Version 10.14.6

Works only if exception is added.

Set the exception.

Google Chrome

77.0.3865.90

Windows 10 Version 1903 (OS Build 18362.267)

Works

Proceed through the browser warning.

Microsoft Edge

44.18362.267.0

Windows 10 Version 1903 (OS Build 18362.267)

Works

Proceed through the browser warning.

Mozilla Firefox

68.0.2

Windows 10 Version 1903 (OS Build 18362.267)

Works

Proceed through the browser warning.

Mozilla Firefox

69.0.3

Windows 10 Version 1903 (OS Build 18362.267)

Works only if exception is added.

Set the exception.

Google Chrome

78.0.3904.108

macOS Catalina 10.15.1

Does not work

NA

Upgrading the Controller Software

This section covers the various aspects of upgrading the controller software.


Note

Before converting from CAPWAP to embedded wireless controller (EWC), ensure that you upgrade the corresponding AP with the CAPWAP image in Cisco AireOS Release 8.10.105.0. If this upgrade is not performed, the conversion will fail.


Finding the Software Version

Finding the Software Version

The following table lists the Cisco IOS XE 17.4.x software for Cisco Embedded Wireless Controller on Catalyst Access Points.

Choose the appropriate AP software based on the following:

  • Cisco Embedded Wireless Controller on Catalyst Access Points software to be used for converting the AP from an unified wireless network CAPWAP lightweight AP to a Cisco Embedded Wireless Controller on Catalyst Access Points-capable AP (primary AP)

  • AP software image bundle to be used either for upgrading the Cisco Embedded Wireless Controller on Catalyst Access Points software on the primary AP or for updating the software on the subordinate APs or both

Prior to ordering Cisco APs, see the corresponding ordering guide for your Catalyst or Aironet access point.

Table 8. Cisco Embedded Wireless Controller on Catalyst Access Points Software

Primary AP

AP Software for Conversion from CAPWAP to Cisco EWC

AP Software Image Bundle for Upgrade

AP Software in the Bundle

Cisco Catalyst 9115 Series

C9800-AP-universalk9.17.04.01.zip

C9800-AP-universalk9.17.04.01.zip

ap1g7

Cisco Catalyst 9117 Series

C9800-AP-universalk9.17.04.01.zip

C9800-AP-universalk9.17.04.01.zip

ap1g6

Cisco Catalyst 9120 Series

C9800-AP-universalk9.17.04.01.zip

C9800-AP-universalk9.17.04.01.zip

ap1g7

Cisco Catalyst 9130 Series

C9800-AP-universalk9.17.04.01.zip

C9800-AP-universalk9.17.04.01.zip

ap1g6a

Guidelines and Restrictions

Internet Group Management Protocol (IGMP)v3 is not supported on Cisco Aironet Wave 2 APs.

Embedded Wireless Controller SNMP configuration is supported in DNAC.

High memory usage on AP running Embedded Wireless Controller. Enabling crash kernel on the AP consumes additional memory on the AP. Hence, if crash kernel is enabled, the overall memory usage of the device will increase and will impact the scale numbers. On Cisco Catalyst 9130 Series Access Points, the memory consumption is a high of 128 MB.


Note

While upgrading EWC, if you have enabled crash kernel on the AP, disable the feature and then enable it again post upgrade. Ensure that you reboot the AP post enable or disable.

Interoperability with Clients

This section describes the interoperability of the controller software with client devices.

The following table describes the configurations used for testing client devices.

Table 9. Test Configuration for Interoperability

Hardware or Software Parameter

Hardware or Software Type

Release

Cisco IOS XE Bengaluru 17.4.1

Access Points

  • Cisco Aironet Series Access Points

    • 1540

    • 1560

    • 1815i

    • 1815w

    • 1830

    • 1840

    • 1850

    • 2800

    • 3800

    • 4800

  • Cisco Catalyst 9115AX Access Points

  • Cisco Catalyst 9117AX Access Points

  • Cisco Catalyst 9120AX Access Points

  • Cisco Catalyst 9130AX Access Points

Radio

  • 802.11ax

  • 802.11ac

  • 802.11a

  • 802.11g

  • 802.11n (2.4 GHz or 5 GHz)

Security

Open, PSK (WPA2-AES), 802.1X (WPA2-AES) (EAP-FAST, EAP-TLS), WPA3.

Cisco ISE

See Compatibility Matrix.

Types of tests

Connectivity, traffic (ICMP), and roaming between two APs

The following table lists the client types on which the tests were conducted. Client types included laptops, hand-held devices, phones, and printers.

Table 10. Client Types

Client Type and Name

Driver / Software Version

Wi-Fi 6 Devices (Mobile Phone and Laptop)

Apple iPhone 11 iOS 14.1

Apple iPhone SE 2020

iOS 14.1
Dell Intel AX1650w Windows 10 ( 21.90.2.1)
DELL LATITUDE 5491 (Intel AX200) Windows 10 Pro (21.40.2)
Samsung S20 Android 10
Samsung S10 (SM-G973U1) Android 9.0 (One UI 1.1)
Samsung S10e (SM-G970U1) Android 9.0 (One UI 1.1)
Samsung Galaxy S10+ Android 9.0

Samsung Galaxy Fold 2

Android 10

Samsung Galaxy Flip Z

Android 10

Samsung Note 20

Android 10

Laptops

Acer Aspire E 15 E5-573-3870 (Qualcomm Atheros QCA9377) Windows 10 Pro (12.0.0.832)
Apple Macbook Air 11 inch OS Sierra 10.12.6
Apple Macbook Air 13 inch OS Catalina 10.15.4
Apple Macbook Air 13 inch OS High Sierra 10.13.4
Macbook Pro Retina OS Mojave 10.14.3
Macbook Pro Retina 13 inch early 2015 OS Mojave 10.14.3

Dell Inspiron 2020 Chromebook

Chrome OS 75.0.3770.129

Google Pixelbook Go

Chrome OS 84.0.4147.136

HP chromebook 11a

Chrome OS 76.0.3809.136

Samsung Chromebook 4+

Chrome OS 77.0.3865.105

DELL Latitude 3480  (Qualcomm DELL wireless 1820) Win 10 Pro (12.0.0.242)
DELL Inspiron 15-7569 (Intel Dual Band Wireless-AC 3165) Windows 10 Home (18.32.0.5)
DELL Latitude E5540 (Intel Dual Band Wireless AC7260) Windows 7 Professional (21.10.1)
DELL XPS 12 v9250 (Intel Dual Band Wireless AC 8260 ) Windows 10 (19.50.1.6)
DELL Latitude 5491 (Intel AX200) Windows 10 Pro (21.40.2)
DELL XPS Latitude12 9250 (Intel Dual Band Wireless AC 8260) Windows 10 Home (21.40.0)

Lenovo Yoga C630 Snapdragon 850 (Qualcomm AC 2x2 Svc)

Windows 10(1.0.10440.0)

Lenovo Thinkpad Yoga 460 (Intel Dual Band Wireless-AC 9260) Windows 10 Pro ( 21.40.0)
Note 
For clients using Intel wireless cards, we recommend you to update to the latest Intel wireless drivers if advertised SSIDs are not visible.

Tablets

Apple iPad Pro iOS 13.5
Apple iPad Air2 MGLW2LL/A iOS 12.4.1
Apple iPad Mini 4 9.0.1 MK872LL/A iOS 11.4.1
Apple iPad Mini 2 ME279LL/A iOS 12.0
Microsoft Surface Pro 3 – 11ac Qualcomm Atheros QCA61x4A
Microsoft Surface Pro 3 – 11ax Intel AX201 chipset. Driver v21.40.1.3
Microsoft Surface Pro 7 – 11ax Intel Wi-Fi chip (HarrisonPeak AX201) (11ax, WPA3)
Microsoft Surface Pro X – 11ac & WPA3 WCN3998 Wi-Fi Chip (11ac, WPA3)

Mobile Phones

Apple iPhone 5 iOS 12.4.1
Apple iPhone 6s iOS 13.5
Apple iPhone 8 iOS 13.5
Apple iPhone X MQA52LL/A iOS 13.5
Apple iPhone 11 iOS 14.1
Apple iPhone SE MLY12LL/A iOS 11.3
ASCOM SH1 Myco2 Build 2.1
ASCOM SH1 Myco2 Build 4.5
ASCOM Myco 3 v1.2.3 Android 8.1
Drager Delta VG9.0.2
Drager M300.3 VG2.4
Drager M300.4 VG2.4
Drager M540 DG6.0.2 (1.2.6)
Google Pixel 2 Android 10
Google Pixel 3 Android 11

Google Pixel 3a

Android 11

Google Pixel 4 Android 11
Huawei Mate 20 pro Android 9.0
Huawei P20 Pro Android 9.0

Huawei P40

Android 10

LG v40 ThinQ Android 9.0

One Plus 8

Android 10

Oppo Find X2

Android 10

Redmi K20 Pro

Android 10

Samsung Galaxy S7 Andriod 6.0.1
Samsung Galaxy S7 SM - G930F Android 8.0
Samsung Galaxy S8 Android 8.0
Samsung Galaxy S9+ - G965U1 Android 9.0
Samsung Galaxy SM - G950U Android 7.0

Sony Experia 1 ii

Android 10

Sony Experia xz3 Android 9.0

Xiaomi Mi10

Android 10

Spectralink 8744 Android 5.1.1
Spectralink Versity Phones 9540 Android 8.1
Vocera Badges B3000n 4.3.2.5
Vocera Smart Badges V5000 5.0.4.30
Zebra MC40 Android 5.0
Zebra MC40N0 Android Ver: 4.1.1
Zebra MC92N0 Android Ver:  4.4.4
Zebra TC51 Android 7.1.2
Zebra TC52 Android 8.1.0
Zebra TC55 Android 8.1.0
Zebra TC57 Android 8.1.0
Zebra TC70 Android 6.1
Zebra TC75 Android 6.1.1
Printers
Zebra QLn320 Printer LINK OS 6.3
Zebra ZT230 Printer LINK OS 6.3
Zebra ZQ310 Printer LINK OS 6.3
Zebra ZD410 Printer LINK OS 6.3
Zebra ZT410 Printer LINK OS 6.3
Zebra ZQ610 Printer LINK OS 6.3
Zebra ZQ620 Printer LINK OS 6.3

Wireless Module

Intel 11ax 200

Driver v22.20.0

Intel AC 9260

Driver v21.40.0

Intel Dual Band Wireless AC 8260

Driver v19.50.1.6

Caveats

Caveats describe unexpected behavior in Cisco IOS releases. Caveats that are listed as Open in a prior release are carried forward to the next release as either Open or Resolved.


Note

All incremental releases will cover fixes from the current release.


Cisco Bug Search Tool

The Cisco Bug Search Tool (BST) allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The BST is designed to improve the effectiveness in network risk management and device troubleshooting. The tool has a provision to filter bugs based on credentials to provide external and internal bug views for the search input.

To view the details of a caveat, click the corresponding identifier.

Open Caveats for Cisco IOS XE Bengaluru 17.4.1

Caveat ID

Description

CSCvv66853

TX power of Cisco Catalyst 9120 Access Point remains unchanged while changing the power level at 2.4 GHz.

CSCvv85624

TLS Gateway: Local EWC-Collector TCP gets stuck; this is correlated to the tunnel TLS TCP errors.

CSCvv92772

OBSS-PD configuration from the RF profile (GUI) does not get pushed to the EWC APs.

CSCvv93616

Cisco Catalyst 9130 AP UL OFDMA does not get triggered efficiently with BE AC traffic.

CSCvw08899

Cisco Catalyst 9120 and 9130 APs with SIA Antenna: The configured antenna gain values pull the incorrect gain values.

CSCvw36683

SWIM upgrade on EWC from 17.3.2 to 17.4.1 fails consistently via DNAC2.1.2.4.

CSCvw37503

Cisco Catalyst 9120 and 9115 APs do not process protected NDP from other AP models, except for NDP TX from Cisco Catalyst 9115 AP.

CSCvw41609

While processing the Alpha network file, several APs had a zero data, on 5GHz band.

CSCvw46783

Latency delays observed in EWC PEAP roam with default site tag only.

CSCvw52979

Cisco Catalyst 9120 AP crashes after upgrading from Cisco IOS XE Amsterdam 17.3.1 to Cisco IOS XE Amsterdam 17.3.2a.

CSCvv69143

EWC 17.4 mDNS show commands return Internal Error.

Resolved Caveats for Cisco IOS XE Bengaluru 17.4.1

Caveat ID

Description

CSCvt62142

Client join to EWC fails due to EAP session abandoned by the endpoint.

CSCvt67338

Image upgrade of EWC fails

CSCvu20572

WNCD process crashes: Operation in the DB accessed without a write transaction open.

CSCvu66045

EWC 17.3.1 GUI does not display mDNS services.

CSCvu82884

EWC redundancy peers have the wrong controller image in 17.3.

CSCvu92161

Reloading the EWC from NETCONF/YANG fails.

CSCvv98794

Cisco AP reboots abruptly due to Kernel Panic.

CSCvw04934

APs able to login to Secure Shell (SSH) when SSH is disabled (after session timeout).

Troubleshooting

For the most up-to-date, detailed troubleshooting information, visit the Cisco TAC website at:

https://www.cisco.com/en/US/support/index.html

Go to Product Support and select your product from the list, or enter the name of your product. Look under Troubleshoot and Alerts to find information about the problem that you are experiencing.

Related Documentation

Information about Cisco IOS XE 16 is available at:

https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-xe/index.html

All the support documentation for Cisco Catalyst 9100 Access Points are available at: https://www.cisco.com/c/en/us/support/wireless/catalyst-9100ax-access-points/tsd-products-support-series-home.html

Cisco Validated Designs documents are available at:

https://www.cisco.com/go/designzone

Cisco Embedded Wireless Controller on Catalyst Access Points

For support information, see the following documents:

Installation guides for Catalyst Access Points are available at:

https://www.cisco.com/c/en/us/support/wireless/catalyst-9100ax-access-points/products-installation-guides-list.html

For all Cisco Wireless Controller software-related documentation, see:

https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/tsd-products-support-series-home.html

Wireless Products Comparison

Cisco Connected Mobile Experiences

Cisco Connected Mobile Experiences Documentation

Cisco DNA Center

Cisco DNA Center Documentation

Communications, Services, and Additional Information

  • To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

  • To obtain general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.

Cisco Bug Search Tool

Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.