Cisco WiFi 6 (802.11ax) Access Points enablement (APoS)
Cisco goes all in on WiFi 6!
Welcome to the Wireless-First world !
In this article Pheniix will give you some introduction into WiFi 6 and show you some great workarounds how to leverage 802.11ax even NOW !!
First and foremost you have to know WHY 802.11ax ?!
Cisco has taken the wraps off a family of WiFi 6 access points, roaming technology and developer-community support all to make wireless a solid enterprise equal with the wired world.
Bringing a wireless-first enterprise world together is one of the drivers behind a new family of WiFi 6-based access points (AP) for Cisco’s Catalyst and Meraki portfolios. WiFi 6 (802.11ax) is designed for high-density public or private environments. But it also will be beneficial in internet of things (IoT) deployments, and in offices that use bandwidth-hogging applications like videoconferencing.
The Cisco Catalyst 9100 family and Meraki MR 45/55 WiFi-6 access points are built on Cisco silicon and communicate via pre-802.1ax protocols. The silicon in these access points now acts a rich sensor providing IT with insights about what is going on the wireless network in real-time, and that enables faster reactions to problems and security concerns.
Cisco has announced new 802.11ax- Wi-Fi 6 APs which could probably introduce new issues for those on the bleeding edge of doing Wi-Fi designs – specifically if you rely on empirical data for your AP locations before hanging your APs. Cisco has a tendency to get gear out the door and usually enables site survey through autonomous (on 802.11ac wave 1 or earlier APs) or Mobility Express at a later date.
The new Catalyst 9115, 9117, and 9120 APs are no exception. We know that Mobility Express is coming on these platforms, but between now and the time that we get Mobility Express for site survey mode we have to find the best best way to adapt.
I had a couple of customers who rely on validation of their APs using APoS so I had to come up with a workaround which works but it's not the best practice or graceful.
This methode can be used until Cisco launches fully baked Mobility Express,
Requirements for implementation of this workaround
A physical WLC ( AireOS 8.9 code to support 802.11ax hardware (temporarily))
2x Site survey batteries
A console cable
network cables to hook it all up
A wave 2 AP that can be dedicated to Mobility Express
This article will walk you though configuring your 802.11ac wave 2 AP as a Mobility Express controller, then joining your 802.11ax AP to it so you can bring it’s radios up. Leveraging the built in WLC on the wave 2 APs running AireOS based Mobility Express, you can then configure channels, radio power levels, etc .Everything as requiered for your AP on a Stick designs. You’ll need to carry two APs and site survey batteries with you too.
Start with a WLC running 8.9.100.0 (or even a newer build that supports 802.11ax APs) and join your two APs to it. Ensure that your APs have the build on your WLC as both their primary and secondary images. Verify this using the ‘show ap image all’ command. This is crucial to do because once you have this all built out, you’re not going to have a lot of time playing with AP release images and you could save yourself a headache if one of your APs decides to boot off of it’s secondary image. If your image numbers are different use this command to force it to update properly and reboot.
archive download-sw capwap <ap_image>
when you get your AP image versions matched, take your 802.11ac wave 2 AP and use it as Mobility Express for site survey. There are one or two things you should pay attention to when you’re doing this.
We’ll be finally using 802.11ax AP as a subordinate AP to the one you’re now converting to Mobility Express and it won’t start it’s CAPWAP process without a pingable default-gateway. In this example , we’ll have to make sure that while building our DHCP scope, we tell the scope option for the default gateway to be the IP address of the WLC,even though the WLC can’t actually route packets!
This will trick the subordinate AP into thinking that the default gateway is reachable and will let it complete its eventual CAPWAP join. You’ll also want to make doubly sure that you’re converting it to the same release version of Mobility Express as is on your APs.
When you have your converted 802.11ac wave 2 AP working,then plug it in to your first site survey battery, then hook your second site survey battery to your first using the ethernet (non-POE) interfaces.
Once you do this, you can hook your 802.11ax AP onto your second site survey battery POE interface to allow it to boot up.
You’re effectively creating a chain ⛓️ that looks like this:
AP <-> battery <-> battery <-> AP
and using the ethernet passthrough for the master AP running Mobility Express to talk to the subordinate AP. Once all of your APs are up and talking to the Mobility Express controller, I’d recommend renaming the Mobility Express AP to WLC and the 802.11ax AP to ‘ap’.
If you’re worried about battery performance of your WLC AP, you can also issue the this command after you’ve renamed it properly
config ap disable WLC
in order to save some power and to make it’s radios not show up in your survey!
There you go! Pheniix hopes this was at least a great temporary workaround for WiFi6 enablement.
TRADEMARK LEGAL NOTICE
All product names, logos, and brands are the property of their respective owners in Austria or other countries. All company, product and service names used in this website are for identification purposes only. Pheniix is not affiliated with or an official partner of Cisco, CompTIA,Dimension Data, VMware, Amazon, Microsoft, Certified Ethical Hacker, (ISC)², Juniper, Wireshark, Offensive Security,Google, GNS3, F5, Python, Linux, Java, OpenStack, Vagrant, Ansible, Docker, GIT, , Blockchain or other companies. Use of these names, logos, and brands does not imply endorsement. The opinions expressed in Pheniix are personal perspectives and not those of Cisco, Dimension Data or any other company. Pheniix runs as an independent blog.
#IPSEC #SecurityCenter #InfoSec #ASASecurityDeviceManagerASDM #CCNASecurity #NationalCyberSecurityAwarenessMonth #Cisco #MikeGhahremani #Pheniix #WIfI6 #Wireless #80211ax #Cybersecurity #CloudSecurity #Security #radio #ServiceProvider #security #IBMSecurity #CiscoSecurity #securityflaw #CyberSecurity #wprkaround #CCNARoutingandSwitching #CCNAWireless #CCNAIndustrial #CCNACollaboration #CCNACloud #CCNA #CCNAServiceProvider #CCNP #CCIE #CCIELab