
Converged access wireless

1- Mobility Controller (MC) and Mobility Agent (MA) structure, where the MC keeps all
the licenses and manages mobility PMK key distribution for fast roaming.
2- 5760 is the CAW controller but doesn't have ports
3- Other CAW options are 3850, 4500, 3650, which combine switch ports/functionality
with wireless controller functionality
4- An MA needs all AP ports to be on management vlan otherwise the AP will go back
to MC for CAPWAP absorption.
5- An AP cannot be trunked to an MA. It needs to be connected directly to the switch
(on management vlan)
6- If the connection between MC and MA goes down, AP licenses will keep working
until the AP reboots. In that case the MA needs to use the AP license on the
MC to allow APs to join.
7- MA will never have AP license
8- MC function can be added to an MA but only one MC&MA can be in one domain.
9- Multiple MA switches can be added in one SPG (Switch Peer Group), where
roaming can be very fast because the PMK is shared by the MC to all members
10- Multiple SPGs can be added to a single subdomain
11- The MC distributes the PMK to all members in one SPG but can send the PMK to another
SPG if the MA in that SPG receives a roaming client from the first SPG and requests the PMK.

Show Commands:

show ap summary
show ap config
show ap general <ap mac> --- will show AP config detail as we see on wlc along with
some details
show client summary ....
show client ap <radio>
show boot
show inventory
show license all
show sysinfo (controller info)
show run-config commands (will show the running configuration, which can be used to
copy to another controller... running-config is deprecated, which only shows the status
of everything)
show run-config startup-commands
show run-config no-ap (will only show controller config, not AP... not usable for
copying to another device or recovering config)
show tech-support
show traplog (logs you can see in the GUI... but from the CLI you can send the traplogs to
someone... which you can't from the GUI)
show port summary (show all interface info)
show interface summary (IP addresses)
show interface detail <int name>
show 802.11<a,b or g>
show wlan summary
show wlan <wlan ID>
show mobility summary
show mobility ap list (will show all tunneling of AP to controllers)
debug capwap errors enable (will only show output when there is a problem with
CAPWAP)
* DTLS handshake failure / encrypted message failure on the AP: the cause would be an
unrecognised certificate. Even though the certificate is from Cisco, the time, if changed
to default, may be several years back. The WLC is then sending its recent certificate with
a time stamp of 2000, for example, which makes the AP not join the controller. This is
because the AP is getting its time from the WLC.

* Country code could be another reason where the AP discovers the WLC but doesn't join it.

* Certificate validity is important for clients, AP and WLC, i.e. that they are still
valid. If the authentication involves TLS or PEAP etc., certificates need to be verified.
An NTP server is the best option to sync time across all the devices.

debug

From Lightweight AP

show capwap client rcb (will show capwap details and controller the AP has joined)
show capwap ip config (shows the controller IP configured... the controller IP can
be manually configured on LW AP to join a specific controller)
show capwap client
show cdp neighbors (very useful to see the switch the AP is connected to)

on switch commands:

show power inline gig1/0/8 (for power to the AP, i.e. 802.3af: 15.1 watt and 802.3at: 31
watt)
show ip int brief (to verify vlan for AP)
show running-config | beg ip dhcp pool <vlan 23> (to verify if the option 43
controller IP is being sent to the AP)
ping <controller IP>
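
The option 43 check above can be automated. The following is an added example, not part of the original notes: it decodes the option 43 hex string from a saved running-config and flags controller IPs that are not on an allow-list. It assumes the Cisco IOS "option 43 hex" form with the lightweight-AP TLV (type 0xf1, length, IPv4 list); the pool names and addresses are constructed.

```python
import ipaddress
import re

# Constructed excerpt of a switch running-config (not taken from the notes).
SAMPLE_CONFIG = """\
ip dhcp pool VLAN23
 network 10.23.0.0 255.255.255.0
 default-router 10.23.0.1
 option 43 hex f108.0a0a.0a05.0a0a.0a06
!
ip dhcp pool VLAN40
 network 10.40.0.0 255.255.255.0
 default-router 10.40.0.1
!
"""

def decode_option43(hex_text):
    """Decode the lightweight-AP option 43 TLV: type 0xf1, length, IPv4 list."""
    raw = bytes.fromhex(hex_text.replace(".", "").replace(" ", ""))
    if len(raw) < 2 or raw[0] != 0xF1:
        raise ValueError("sub-option type is not 0xf1")
    length, value = raw[1], raw[2:]
    if length != len(value) or length == 0 or length % 4:
        raise ValueError("length byte does not match a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]

def controllers_by_pool(config):
    """Map each 'ip dhcp pool' name to the controller IPs in its option 43 (or [])."""
    pools, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip dhcp pool (\S+)", line)
        if m:
            current = m.group(1)
            pools[current] = []
        elif current and (m := re.match(r"\s+option 43 hex (\S+)", line)):
            pools[current] = decode_option43(m.group(1))
        elif line.startswith("!"):
            current = None  # end of the pool stanza
    return pools

def unexpected_controllers(config, allowed):
    """Return (pool, ip) pairs where option 43 points at an IP not in the allowed set."""
    return [(pool, ip) for pool, ips in controllers_by_pool(config).items()
            for ip in ips if ip not in allowed]

if __name__ == "__main__":
    print(controllers_by_pool(SAMPLE_CONFIG))
    print(unexpected_controllers(SAMPLE_CONFIG, {"10.10.10.5"}))
```

A pool that serves APs but decodes to an empty list, or to an address outside the allow-list, is worth checking before APs on that VLAN are rebooted.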
