Cisco ASA 5506X-W: LWAP setup

In this post I’ll go over initial setup of Cisco ASA 5506X-W Wireless Access Point (WAP) on  Wireless Lan Controller (WLC).

Cisco ASA: 9.6.1-10
Cisco WLC:

ASA build-in WAP model C702 is associated to internal interface GigabitEthernet1/9. Most likely your wireless setup is leveraging AP groups and FlexConnect groups where AP group controls SSID assignment and Flex group has SSID’s associated to specific Vlans. In order to support Flex design you’ll need to subinteface GigabitEthernet1/9 with Vlans to match Flex group mappings. Main interface IP is untagged and can be used for AP management. Here is sample interface config.

interface GigabitEthernet1/9
nameif wifi-mgmt
security-level 100
ip address

interface GigabitEthernet1/9.10
vlan 10
nameif wifi
security-level 100
ip address

Next, make sure all NAT’s are in place. Based the location of your FTP server and WLC you may need several NAT statements. For public FTP create PAT rule for faster image download

nat (wifi-mgmt,outside) source dynamic OG_wifi-mgmt interface

and if WLC is only accessible over VPN add NAT bypass in orders to reach it.

nat (wifi-mgmt,outside) source static OG_wifi-mgmt OG_wifi-mgmt destination static OG_RFC-1918 OG_RFC-1918

Pre-load proper LWAP image on FTP. At the time of writing I used ap1g1-k9w8-tar.153-3.JC2.tar. When selecting FTP username/password avoid special characters and keep it simple.

Configure proper DHCP settings for LWAP to find WLC. DHCP option 43 is the most common one to configure. Take note that value for WLC IP address is in HEX. Look for “IP Address to Hex Converter” on Google.

dhcpd option 43 hex ###################
dhcpd address wifi-mgmt
dhcpd enable wifi-mgmt

Now it is time to configure WAP.  Console into it from ASA

session wlan console

Login with cisco/Cisco, enable password Cisco. With DHCP configured, WAP should have IP address assigned. Ping to FTP server to confirm connectivity and if successful execute the following command:

archive download-sw /force-reload /overwrite ftp://<ftp_username>:<ftp_pass>@<FTP_IP_ADDR>/ap1g1-k9w8-tar.153-3.JC2.tar

Image verification will take a bit, for me it was about 15 minutes so just be patience. Eventually it will start extracting and installing.

After install completes AP will start looking for WLC. Confirm WLC IP address as it is derived from option 43 HEX string.

*Mar  1 00:01:03.003: %CAPWAP-5-DHCP_OPTION_43: Controller address obtained through DHCP

My WAP did not find WLC right away and I had to reboot it. After reboot, WLC was discovered and WAP started image upgrade.

Once image updated and LWAP reboots you will find  it on WLC under Wireless Tab. Give it a meaningful name and change Mode to FlexConnect to make it visible under Flex group settings.


Next Assign LWAP to AP group and FlexConnect group and it will start advertising proper wireless networks.



Leave a reply:

Your email address will not be published.

Site Footer

Sliding Sidebar