In this post I’ll go over the initial setup of the Cisco ASA 5506X-W Wireless Access Point (WAP) on a Wireless LAN Controller (WLC).
Components:
Cisco ASA: 9.6.1-10
Cisco WLC: 8.3.102.0
The ASA's built-in WAP, model C702, is attached to the internal interface GigabitEthernet1/9. Most likely your wireless setup uses AP groups and FlexConnect groups, where the AP group controls SSID assignment and the Flex group maps SSIDs to specific VLANs. To support a Flex design you'll need to create subinterfaces on GigabitEthernet1/9 with VLANs that match the Flex group mappings. The main interface IP is untagged and can be used for AP management. Here is a sample interface config:
interface GigabitEthernet1/9
nameif wifi-mgmt
security-level 100
ip address 10.1.1.249 255.255.255.252
interface GigabitEthernet1/9.10
vlan 10
nameif wifi
security-level 100
ip address 10.1.1.129 255.255.255.192
Next, make sure all NAT rules are in place. Depending on the location of your FTP server and WLC, you may need several NAT statements. For a public FTP server, create a PAT rule for faster image download:
nat (wifi-mgmt,outside) source dynamic OG_wifi-mgmt interface
If the WLC is only accessible over VPN, add a NAT bypass in order to reach it:
nat (wifi-mgmt,outside) source static OG_wifi-mgmt OG_wifi-mgmt destination static OG_RFC-1918 OG_RFC-1918
Pre-load the proper LWAP image on the FTP server. At the time of writing I used ap1g1-k9w8-tar.153-3.JC2.tar. When selecting the FTP username/password, avoid special characters and keep it simple.
Configure the proper DHCP settings so the LWAP can find the WLC. DHCP option 43 is the most common one to configure. Note that the value for the WLC IP address is in HEX. Look for “IP Address to Hex Converter” on Google.
dhcpd option 43 hex ###################
dhcpd address 10.1.1.250-10.1.1.250 wifi-mgmt
dhcpd enable wifi-mgmt
Now it is time to configure the WAP. Console into it from the ASA:
session wlan console
Log in with cisco/Cisco; the enable password is Cisco. With DHCP configured, the WAP should have an IP address assigned. Ping the FTP server to confirm connectivity and, if successful, execute the following command:
archive download-sw /force-reload /overwrite ftp://<ftp_username>:<ftp_pass>@<FTP_IP_ADDR>/ap1g1-k9w8-tar.153-3.JC2.tar
Image verification will take a bit; for me it was about 15 minutes, so just be patient. Eventually it will start extracting and installing.
After the install completes, the AP will start looking for the WLC. Confirm the WLC IP address, as it is derived from the option 43 HEX string.
*Mar 1 00:01:03.003: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.2.1.10 obtained through DHCP
My WAP did not find the WLC right away and I had to reboot it. After the reboot, the WLC was discovered and the WAP started the image upgrade.
Once the image is updated and the LWAP reboots, you will find it on the WLC under the Wireless tab. Give it a meaningful name and change Mode to FlexConnect to make it visible under the Flex group settings.
Next, assign the LWAP to an AP group and a FlexConnect group, and it will start advertising the proper wireless networks.
