Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode

Table Of Contents

Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode

Upgrade Process Overview

Solution Requirements

Important Notes

Preparing for the Upgrade

Preparing the Infrastructure

Using DHCP Option 43

Obtaining the Upgrade Tool and Upgrade Image

Preparing the Controller for the Upgrade Process

Upgrade Procedure

Installing the Upgrade Tool

Running the Upgrade Tool

Uninstalling the Upgrade Tool

Post-Upgrade Tasks

Importing the Output of the Upgrade Tool into WCS

Converting a Lightweight Access Point Back to Autonomous Mode

Using a Wireless LAN Controller to Return to a Previous Release

Using a TFTP Server to Return to a Previous Release

Caveats

Resolved Caveats in Release 3.4

Resolved Caveats in Release 3.2

Resolved Caveats in Release 3.0

Terms and Acronyms

Related Documents

Appendix A: Configuring DHCP Option 43 for Lightweight Cisco Aironet Access Points on Windows 2003 Enterprise DHCP Server

Appendix B: Configuring Access Points in Cisco LWAPP Mode for Easy Deployment

Obtaining a Password to Enter into EXEC mode on the AP Console

Configuring Static Parameters to Register the Access Point to a Controller

Clearing the Static Parameters

Deleting the LWAPP Configuration File to Redeploy the AP


Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode


April 24, 2008

This application note describes how to upgrade autonomous Cisco Aironet access points to lightweight mode so that they can communicate with wireless LAN controllers on your network. It contains these sections:

Upgrade Process Overview

Solution Requirements

Important Notes

Preparing for the Upgrade

Upgrade Procedure

Post-Upgrade Tasks

Importing the Output of the Upgrade Tool into WCS

Caveats

Terms and Acronyms

Related Documents

Appendix A: Configuring DHCP Option 43 for Lightweight Cisco Aironet Access Points on Windows 2003 Enterprise DHCP Server

Appendix B: Configuring Access Points in Cisco LWAPP Mode for Easy Deployment

Upgrade Process Overview

In the Cisco Centralized Wireless LAN Architecture, access points operate in lightweight mode. The access points associate to a Cisco wireless LAN controller. The controller manages the configuration, firmware, and control transactions such as 802.1x authentications. In addition, all wireless data traffic is tunneled through the controller.

The Lightweight Access Point Protocol (LWAPP) is an IETF draft protocol that defines the control messaging for setup and path authentication and run-time operations. LWAPP also defines the tunneling mechanism for data traffic.

A lightweight access point discovers a controller using LWAPP discovery mechanisms and then sends it an LWAPP join request. The controller sends the access point an LWAPP join response allowing the access point to join the controller. When the access point is joined to the controller, it downloads its software if the revisions on the access point and controller do not match. Subsequently, the access point is completely under the control of the controller.

LWAPP secures the control communication between the access point and controller by means of a secure key distribution, which requires X.509 certificates that are already provisioned on both the access point and the controller. Factory-installed certificates are referred to as MICs (Manufacturing Installed Certificates). Cisco Aironet access points shipped before July 18, 2005, do not have a MIC, so these access points create a self-signed certificate when upgraded to operate in lightweight mode. Controllers are programmed to accept self-signed certificates for authentication of specific access points.

The upgrade process is as follows. The user runs an upgrade utility that accepts an input file with a list of access points and their credentials. The utility telnets to each access point in the input file and sends a series of IOS commands to prepare the access point for the upgrade, including the commands to create the self-signed certificates. The utility also telnets to the controller to program it to authorize the specific access points that use self-signed certificates. It then loads Cisco IOS Release 12.3(11)JX1 onto the access point so that it can join the controller. After the access point joins the controller, it downloads a complete IOS version from it. The upgrade utility generates an output file that includes the list of access points and corresponding self-signed certificate key-hash values that can be imported into the WCS management software. The WCS can then send this information to other controllers on the network.

After an access point joins a controller, you can reassign the access point to any controller on your network.

Solution Requirements

Migration from autonomous access point mode to lightweight mode is possible on these Cisco Aironet access point platforms:

All 1121G access points

All 1130AG access points

All 1140 access points

All 1240AG access points

All 1250 series access points


Note The Upgrade Utility version 3.2 does not support the conversion of 1140 and 1250 series autonomous access points to lightweight mode. To convert these autonomous access points to lightweight mode, telnet to the access point and issue the following command to upgrade the IOS:
archive download-sw /overwrite /reload tftp://location/image-name
For more information, see Upgrading Cisco IOS on an Autonomous Access Point at the following URL:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00809f0e94.shtml


For all IOS-based 1200 series modular access point (1200/1220 Cisco IOS Software Upgrade, 1210 and 1230 AP) platforms, it depends on the radio:

if 802.11G, MP21G and MP31G are supported

if 802.11A, RM21A and RM22A are supported

The 1200 series access points can be upgraded with any combination of supported radios: G only, A only, or both G and A.


Note For an access point that contains dual radios, if one of the two radios is an LWAPP-supported radio, the upgrade tool still performs the upgrade. The tool adds a warning message to the detailed log that indicates which radio is unsupported.


All 1310 AG access points

Cisco C3201 Wireless Mobile Interface Card (WMIC)


Note The second-generation 802.11a radios contain two part numbers.


Access points must be running Cisco IOS Release 12.3(7)JA or later before you can perform the upgrade.


Note For Cisco C3201WMIC, access points must be running Cisco IOS Release 12.3(8)JK or later before you can perform the upgrade.


These Cisco wireless LAN controllers support autonomous access points upgraded to lightweight mode:

2000 series controllers

4400 series controllers

Cisco Wireless Services Modules (WiSMs) for Cisco Catalyst 6500 Series Switches

Controller Network Modules within the Cisco 28/37/38xx Series Integrated Services Routers

Catalyst 3750G Integrated Wireless LAN Controller Switches

Cisco 2500 Series Wireless LAN Controllers

Cisco 5500 Series Wireless LAN Controllers

Cisco Flex 7500 Series Wireless LAN Controllers

Cisco 8500 Series Wireless LAN Controllers

Cisco Virtual Wireless LAN Controllers

Cisco Wireless Controllers for high availability (HA controllers) for 5500 series, WiSM2, Flex 7500 series, and 8500 series controllers

Cisco Wireless Services Module 2 (WiSM2) for Catalyst 6500 Series switches

Cisco Wireless Controller on Cisco Services-Ready Engine (SRE) (controllerM2) running on ISM 300, SM 700, SM 710, SM 900, and SM 910

Cisco 2100 Series Wireless LAN Controllers

Cisco 4400 Series Wireless LAN Controllers

Cisco Wireless Services Module (WiSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers

Cisco Wireless LAN Controller Network Module for Cisco Integrated Services Routers

Cisco controllers must run a minimum of software version 3.1.

Cisco Wireless Control System (WCS) must run a minimum of version 3.1.

The upgrade utility is supported on the Windows 2000 and Windows XP platforms.

Important Notes

Before using this utility, consider the following important notes:

Access points converted with this tool will not connect to 40xx, 41xx, or 3500 controllers.

You cannot upgrade access points with 802.11b-only or first-generation 802.11a radios.

If you want to retain the static IP address, netmask, hostname, and default gateway of access points after conversion and reboot, you must load one of the following autonomous images on the access points before you convert the access points to LWAPP: 12.3(7)JA, 12.3(7)JA1, 12.3(7)JA2, 12.3(7)JA3, 12.3(7)JA4, 12.3(8)JA, 12.3(8)JA1, 12.3(8)JA2, 12.3(8)JEA, 12.3(8)JEA1, 12.3(8)JEA2, 12.3(8)JEB, 12.3(8)JEB1, 12.4(3g) JA, 12.4(3g) JA1.

If you upgrade access points to LWAPP from one of the following autonomous images, the converted access points do not retain their static IP address, netmask, hostname, and default gateway: 12.3(11)JA, 12.3(11)JA1, 12.3(11)JA2, 12.3(11)JA3.

The LWAPP upgrade tool does not release Windows operating system memory resources when the upgrade process is complete. Memory resources are released only after you exit the upgrade tool. If you upgrade several batches of access points, you must exit the tool in between batches to release memory resources. If you do not exit the tool in between batches, performance of the upgrade station quickly degrades because of excessive memory consumption.

Preparing for the Upgrade

You must complete these tasks before beginning the upgrade from autonomous to lightweight mode:

1. Prepare the infrastructure so that the upgraded lightweight access point discovers a controller.

2. The autonomous access points must be running Cisco IOS Release 12.3(7)JA or later to perform the lightweight mode conversion. If necessary, upgrade the access point to Cisco IOS Release 12.3(7)JA or later. For C3201WMIC, upgrade to 12.3(8)JK or later.

3. Prepare the controller for the upgrade process.

4. Download the Autonomous to Lightweight Mode Upgrade Tool and the upgrade image file from Cisco.com (see the "Obtaining the Upgrade Tool and Upgrade Image" section).

Preparing the Infrastructure

No lightweight access point can operate independently from a WLC. Each lightweight access point must discover a WLC, issue an LWAPP join request, and if successful, receive a join response to become joined to a controller.

The LWAPP discovery algorithm follows these steps:


Step 1 Initiates an IP subnet broadcast of an LWAPP controller discovery message. If the controller management interface is on the same IP subnet as the lightweight access point, this discovery mechanism is successful.

Step 2 Lists the previously joined controllers. This discovery mechanism requires prior success joining an access point and controller.

Step 3 Establishes over-the-air provisioning (OTAP). If OTAP is turned on, access points advertise their controller(s) over the air. New access points discover the controller based on the OTAP messages. OTAP is turned off by default on the controllers. OTAP is not supported for controller discovery during the upgrade process from autonomous to lightweight access point. After an access point is fully migrated to the lightweight mode, OTAP is used to discover controllers.

Step 4 Uses DHCP option 43. This vendor-specific option can return one or more controller IP addresses to an access point in the DHCP offer message. The access point sends an LWAPP join message to the controller.

Step 5 Establishes DNS resolution of CISCO-LWAPP-CONTROLLER.localdomain.

The access point can discover controllers through your domain name server (DNS). For the access point to do so, you must configure your DNS to return controller IP addresses in response to CISCO-LWAPP-CONTROLLER.localdomain or CISCO-CAPWAP-CONTROLLER.localdomain, where localdomain is the access point domain name. When an access point receives an IP address and DNS information from a DHCP server, it contacts the DNS to resolve CISCO-LWAPP-CONTROLLER.localdomain or CISCO-CAPWAP-CONTROLLER.localdomain. When the DNS sends a list of controller IP addresses, the access point sends discovery requests to the controllers.

Step 6 Reboots and repeats starting with Step 1.

After an access point joins a controller, you can reassign the access point to any controller on your network.

The upgrade tool loads the upgrade image (Cisco IOS Release 12.3(11)JX1) onto the access point for two purposes. First, it allows the upgraded access points to discover and join a controller. After joining a controller, the access point downloads a complete LWAPP IOS image from the controller. Secondly, the Cisco IOS Release 12.3(11)JX1 is stored in the access point flash memory to serve as an LWAPP recovery image in case the complete LWAPP IOS image becomes corrupted.

An upgraded access point must find a controller it can join to complete the upgrade process. There are several potential issues to be aware of:

Cisco IOS Release 12.3(11)JX1 does not support OTAP.

An upgraded access point preserves its DNS name server parameter, so CISCO-LWAPP-CONTROLLER.localdomain can be used for controller discovery when the access point is not on the same subnet as the management IP address of the controller.

The appropriate controller discovery mechanism should be in place before upgrading the autonomous access points to lightweight mode. You should follow these rules carefully:

If the access point is on the same IP subnet as the controller, the discovery should use the IP subnet broadcast controller discovery.

If the access point to be upgraded has a static IP address and is not on the same Layer-2 IP subnet as the controller, then DNS resolution of CISCO-LWAPP-CONTROLLER.localdomain is the only guaranteed controller discovery mechanism. The upgrade utility can configure a name server before loading Cisco IOS Release 12.3(11)JX1. Verify the name server can properly resolve CISCO-LWAPP-CONTROLLER.localdomain before beginning the upgrade procedures.

If the access point to be upgraded gets an IP address via DHCP, then either option 43 or DNS resolution of CISCO-LWAPP-CONTROLLER.localdomain can be used to discover the controller.

Verify IP connectivity for the following before beginning the upgrade process:

between the access points to be upgraded and the controller Management Interface IP address

between the PC that is hosting the upgrade tool and the access point

between the PC that is hosting the upgrade tool and the controller

Check for the presence of firewalls that block telnet access between the access point and the upgrade tool's TFTP server (whether an internal or an external server).



Using DHCP Option 43

The IP address that should be configured as DHCP option 43 or be resolved from CISCO-LWAPP-CONTROLLER is the IP address of the controller Management IP address. Consult the specific documentation for the DHCP or DNS platform for details on configuring these parameters correctly.

Cisco 1000 series access points use a string format for DHCP option 43, whereas Cisco Aironet access points use the type-length-value (TLV) format for DHCP option 43. DHCP servers must be programmed to return the option based on the access point's DHCP Vendor Class Identifier (VCI) string (DHCP option 60). The VCI strings for Cisco access points capable of operating in lightweight mode are:

Table 1 VCI String

Access Point                                 VCI String
-------------------------------------------  ----------------------
Cisco Aironet 1000 series                    Airespace.AP1200
Cisco Aironet 1100 series                    Cisco AP c1100
Cisco Aironet 1130 series                    Cisco AP c1130
Cisco Aironet 1200 series                    Cisco AP c1200
Cisco Aironet 1240 series                    Cisco AP c1240
Cisco Aironet 1250 series                    Cisco AP c1250
Cisco Aironet 1300 series                    Cisco AP c1300
Cisco Aironet 1500 series                    Cisco AP c1500 (1)
                                             Cisco AP.OAP1500 (2)
                                             Cisco AP.LAP1505 (3)
                                             Cisco AP.LAP1510 (4)
                                             Cisco AP c1520
                                             Airespace.AP1200 (5)
Cisco 3201 Lightweight Access Point (LAP)    Cisco AP C3201WMIC

(1) Any 1500 Series AP that runs 4.1 software
(2) 1500 OAP AP that runs 4.0 software
(3) 1505 Model AP that runs 4.0 software
(4) 1510 Model AP that runs 4.0 software
(5) Any 1500 Series AP that runs 3.2 software


The format of the TLV block is:

Type: 0xf1 (decimal 241)

Length: Number of controller IP addresses * 4

Value: List of WLC management interfaces

See the "Appendix A: Configuring DHCP Option 43 for Lightweight Cisco Aironet Access Points on Windows 2003 Enterprise DHCP Server" section for details on configuring these options in combination with the appropriate VCI string. The appendix applies to Windows 2000 and 2003 DHCP servers. After the infrastructure is prepared for the upgrade process, IP connectivity between the access points to be upgraded and the WLC Management Interface IP address should be verified.
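The TLV block described above, as an added example that is not part of the original application note or of any Cisco tool: it builds the option 43 payload for a list of controller management addresses and strictly decodes a payload taken from a DHCP server configuration or packet capture. The decoder goes slightly beyond the page by walking every sub-option in the option 43 payload; the controller addresses are constructed sample values.

```python
"""Build and check the DHCP option 43 TLV block for lightweight Aironet APs."""
import ipaddress

TLV_TYPE = 0xF1        # type byte given on this page (decimal 241)
MAX_OPTION_LEN = 255   # a DHCP option's own length field is a single byte


def encode_option43(controller_ips):
    """Return the option 43 payload: type, length (IPs * 4), packed IPv4 list."""
    if not controller_ips:
        raise ValueError("at least one controller IP address is required")
    # IPv4Address() rejects malformed addresses before anything is emitted.
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if len(value) + 2 > MAX_OPTION_LEN:
        raise ValueError("too many controllers for a single DHCP option")
    return bytes([TLV_TYPE, len(value)]) + value


def decode_option43(payload):
    """Return the controller IPs carried in the 0xf1 sub-option.

    Raises ValueError on a truncated header, a length byte that disagrees
    with the data present, a value that is not a multiple of 4 bytes, or a
    payload with no 0xf1 sub-option at all.
    """
    controllers = []
    found = False
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated TLV header at offset %d" % pos)
        tlv_type, length = payload[pos], payload[pos + 1]
        value = payload[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("length byte %d exceeds remaining data" % length)
        if tlv_type == TLV_TYPE:
            if length == 0 or length % 4:
                raise ValueError("0xf1 length must be a non-zero multiple of 4")
            for i in range(0, length, 4):
                controllers.append(str(ipaddress.IPv4Address(value[i:i + 4])))
            found = True
        pos += 2 + length
    if not found:
        raise ValueError("no 0xf1 sub-option present")
    return controllers


# Constructed sample: two WLC management interface addresses.
SAMPLE_CONTROLLERS = ["192.168.10.5", "192.168.10.20"]

if __name__ == "__main__":
    blob = encode_option43(SAMPLE_CONTROLLERS)
    print("option 43 hex:", blob.hex())
    print("decoded      :", decode_option43(blob))
```
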

Obtaining the Upgrade Tool and Upgrade Image

The autonomous mode to lightweight mode access point upgrade process is only supported for access points running Cisco IOS Releases 12.3(7)JA and later. The access points must be upgraded to this version or a later version before they can be converted to lightweight mode. Consult the Cisco Aironet documentation on upgrade procedures for autonomous access points.

You can find the upgrade tool and the upgrade image at the Download Software page on Cisco.com.


Note You must register or be a registered user of Cisco.com to download software.


To find the tool and the software image, follow these steps:


Step 1 Browse to the wireless downloads page:

http://www.cisco.com/cisco/software/navigator.html

Step 2 Click Wireless Software.

Step 3 Log into Cisco.com.

Step 4 Click Access Points.

Step 5 Click the type of access point that you want to upgrade (for example, Cisco Aironet 1240 AG Series). When you click the access point type, the access point folder expands.

Step 6 Click the access point that you want to upgrade in the expanded list. The Downloads page appears.

Step 7 For the upgrade tool, click the Autonomous to Lightweight Mode Upgrade Tool link.

Step 8 Click the latest tool release and follow the prompts to download the tool to your PC.

Step 9 For the recovery software upgrade image, click the Autonomous to Lightweight Mode Upgrade Image link.

Step 10 Click the latest upgrade image name and follow the prompts to download the upgrade image to your PC.



Note The recovery software image for the upgrade has "rcv" in the image name—for example, c1200-rcvk9w8-tar.123-11JX1.tar.



Note For Cisco C3201WMIC, use Cisco IOS Release 12.3(11)JA1, which is available in the Software Center tables on Cisco.com.


Preparing the Controller for the Upgrade Process

There are several key tasks that must be completed to prepare the controller for the upgrade process:

1. Upgrading the controller to version 3.1 or later

2. Configuring the controller to accept telnet connections

3. Synchronizing the controller time with the machine that hosts the upgrade tool

Consult the Cisco Wireless LAN Controller Configuration Guide for upgrade procedures for the controller.

The controller can be configured to accept telnet connections through the controller console or the controller web-interface. To configure telnet on the controller through the controller console, attach a console to the controller, log into the CLI, and enter this command:

config network telnet enable

Note You must enable Telnet service on all access points and on the controller; Secure Shell (SSH) is not supported.


The WLC time should be synchronized with the machine that hosts the upgrade utility. The upgrade utility configures the access point to generate a self-signed certificate with a validity interval, beginning with the machine time of the utility host or a time specified at run-time. If the WLC time is outside the validity interval of the SSC, the access point cannot join the controller. To configure the WLC time, use the WLC web-interface found by choosing Commands > Set Time (see Figure 1).

Figure 1 Set Time Page

The time can also be configured through the WLC CLI using the config time command. The WLC time should be set to account for any offset from GMT.

Upgrade Procedure

The upgrade from autonomous to lightweight mode is accomplished with the upgrade tool. The upgrade tool performs the basic tasks necessary to upgrade from autonomous to lightweight mode:

Basic condition checking—verifies whether the access point is a supported one, whether it is running a minimum software revision, and whether the radio types are supported.

Preparation of the autonomous access point for conversion—adds the PKI configuration and certificate hierarchy so access point authentication to the Cisco controllers can occur and self-signed certificates can be generated for the access point.

Loads the upgrade image (Cisco IOS Release 12.3(11)JX1), which allows the access point to join a controller.

On successful download, reboots the access point.

Generates an output file consisting of access point MAC addresses, certificate type, and secure key-hash and automatically updates the controller. The output file can be imported into WCS and exported to other controllers.


Note During the upgrade process, the dot11radio is shut down.


To install and run the upgrade tool, you must satisfy these conditions:

To install and run the upgrade tool, you must be logged in as the administrator of the PC.

You must run the upgrade tool on a PC that is running Windows 2000 or Windows XP.

You must use the upgrade tool with Cisco Aironet 1100, 1130, 1200, 1240, and 1310 series access points that are running Cisco IOS release 12.3(7)JA or later. All access points must be in AP mode.

If you use the upgrade tool over a WAN link, the link speed must be greater than or equal to 128 Kbps.

Check for the presence and configuration of firewalls on your network. Firewalls might prevent the downloading of images.

You must enable Telnet service on all access points and on the controller.


Note You must enable Telnet service on all access points and on the controller; Secure Shell (SSH) is not supported.


You must ensure that the system time is configured properly on your controller and access points.

You must provide the upgrade tool with a valid IP file that contains the following information for each access point that you want to upgrade:

IP address

Username

Password

Enable password (optional)


Note For each access point, the IP address, username, password, and optional enable password should all be separated by commas. Ensure that the IP file does not contain multiple entries for the same access point.
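A pre-flight check of the IP file format described above, as an added example that is not part of the upgrade tool or the original application note: it enforces the comma-separated field layout and the one-entry-per-access-point rule, and it never echoes file contents in its error messages because the file holds Telnet credentials in cleartext. The function name, the sample entries, and the choice not to trim whitespace inside credential fields are assumptions.

```python
"""Validate an upgrade-tool IP file: ip,username,password[,enable-password]."""
import ipaddress
from typing import NamedTuple, Optional


class ApEntry(NamedTuple):
    ip: ipaddress.IPv4Address
    username: str
    password: str
    enable_password: Optional[str]


def parse_ip_file(text):
    """Return (entries, errors); errors are (line_number, message) tuples.

    Messages describe the problem without repeating any field value, so a
    credential never ends up in a console log or ticket.
    """
    entries, errors = [], []
    first_seen = {}  # IPv4Address -> line number of its first entry
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue  # blank lines are ignored (assumption)
        fields = line.split(",")
        # A comma inside a password would show up here as an extra field.
        if len(fields) not in (3, 4):
            errors.append((lineno, "expected 3 or 4 comma-separated fields, "
                                   "found %d" % len(fields)))
            continue
        try:
            ip = ipaddress.IPv4Address(fields[0].strip())
        except ValueError:
            errors.append((lineno, "field 1 is not a valid IPv4 address"))
            continue
        username, password = fields[1], fields[2]
        if not username or not password:
            errors.append((lineno, "username and password must not be empty"))
            continue
        if ip in first_seen:
            errors.append((lineno, "duplicate entry for an access point "
                                   "first listed on line %d" % first_seen[ip]))
            continue
        first_seen[ip] = lineno
        enable = fields[3] if len(fields) == 4 and fields[3] else None
        entries.append(ApEntry(ip, username, password, enable))
    return entries, errors


# Constructed sample file; addresses and credentials are made up.
SAMPLE_IP_FILE = """\
10.1.1.10,apadmin,Example-pw-1,Example-enable-1
10.1.1.11,apadmin,Example-pw-2
10.1.1.11,apadmin,Example-pw-3,Example-enable-3
10.1.1.300,apadmin,Example-pw-4
10.1.1.12,apadmin
10.1.1.13,apadmin,Example,pw,5,x
"""

if __name__ == "__main__":
    ok, bad = parse_ip_file(SAMPLE_IP_FILE)
    print("%d usable entries" % len(ok))
    for lineno, message in bad:
        print("line %d: %s" % (lineno, message))
```
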


Installing the Upgrade Tool

To install and run the upgrade tool, your system must meet these minimum requirements:

Operating system—Windows 2000 or Windows XP workstation only.

Processor—Pentium III or an equivalent

Speed—1 GHz

RAM—512 MB

Free space on hard drive—20 MB

To install the upgrade tool, follow these steps:


Step 1 Run the executable file UpgradeToolv30.exe. The install shield guides you through the rest of the install procedure.


Note If the upgrade tool is already installed on your system, a dialog box alerts you that the upgrade tool is already installed. Ensure that no upgrade tool window or readme file of an older version of the tool is open. Cisco recommends that you uninstall the previous version before installing the newer version. Click Yes if you want to replace the older version with the new version of the upgrade tool.


The minimum system requirements are displayed in the next dialog box. Then in the "Welcome" dialog box, basic information about the setup program is displayed.

Step 2 Click Next in the "Welcome" dialog box. The "Choose Destination Location" dialog box then appears.

Step 3 The default installation location appears in the "Destination Folder" field. If you do not want to change the default installation location, go to Step 4. If you want to change the installation location, follow these steps:

a. Click Browse. The "Choose Folder" dialog box appears. The "Path" box contains the installation location.

b. Change the installation location. You can either type the new location path in the "Path" box or use the "Drives and Directories" lists to select a new drive and directory. The installation location must be on a drive that is on the computer.

c. After the correct path is in the "Path" box, click OK.

The new installation location now appears under "Destination Folder" in the "Choose Destination Location" dialog box.

Step 4 Click Next. The "Folder Selection" window prompts you to select the program folder where icons are to be added by the setup process. You can choose the default folder, select from existing folders, or create a new folder.

Step 5 Click Next. A dialog asks if you want to view the Readme file. Click Yes to read the file. Click No to read the file later.

If the installation was successful, a dialog box tells you that the installation was successful.

Running the Upgrade Tool

Figure 2 shows the upgrade tool window.

Figure 2 Upgrade Tool Window

Enter information in these entry fields and click Start to begin the upgrade:


Step 1 The IP File field is the input file of access points to upgrade. Whether you have one or several access points to upgrade, create a flat text file in the following format:

ap-ip-address,telnet-username,telnet-user-password,enable-password

ap-ip-address,telnet-username,telnet-user-password,enable-password

Each line in the text file lists the unit IP address, Telnet username and password, and a password that permits access to the access point CLI privileged EXEC mode. Use a comma to separate each item on a line. Save the text file on the same machine that hosts the upgrade tool. Click the . . . button to browse to and select the text file.

Step 2 To specify the way in which autonomous APs are upgraded, set the parameters in the Upgrade Options section:

a. Check the Use WAN Link check box to upgrade over a WAN link. The following are recommendations for upgrading over a WAN link:

If you want to upgrade one AP each at different remote locations, place all APs in the same file that contains the list of AP IP addresses. However, if the APs that you want to upgrade are all at the same remote location, do not upgrade them concurrently to avoid problems with bandwidth constraints.

Use a local TFTP server. Pushing the image over a WAN link increases the amount of time the upgrade takes. Telnet traffic does not compete with TFTP traffic for WAN bandwidth.

b. The upgrade tool creates a file of environmental variables for each AP on the workstation. These environmental variables are the IP address, netmask, default gateway, and hostname of the AP as they are identified in the running configuration. During the upgrade, the tool checks this file for variable mismatches. The tool deletes this file at the end of the upgrade process.

If you check the All APs to DHCP check box, all upgraded APs use a DHCP server to get IP addresses. This parameter is useful if you have a combination of static and DHCP-assigned IP addresses and want all upgraded APs to use DHCP.

If you do not check the All APs to DHCP check box, configuration information that is present in the running configuration is updated in the file of environmental variables for each AP. If the running configuration contains an AP with a DHCP-assigned IP address, that AP will use a DHCP-assigned IP address. If an AP in the running configuration has a static IP address, the environmental variables are updated with that particular static IP address.

If a firewall or an access control list is enabled during the upgrade process, the upgrade tool might be prevented from copying the file that contains environmental variables from a workstation to an AP.

If a firewall or access control list blocks the copy operation and you have selected the Use Upgrade Tool TFTP Server option (see Step 3 below), you cannot proceed with the upgrade because the tool cannot update the environmental variables and the image upload to the AP fails. Click OK and disable the firewall or access control list setting for the upgrade (see Figure 3).

Figure 3 Upgrade Tool Window—Firewall or Access Control List with Internal TFTP Server

If a firewall or an access control list blocks the copy operation and you have selected the Use External TFTP Server option (see Step 3 below), you can proceed with the upgrade, but the tool will not update the environmental variables. Click Yes to proceed or No not to proceed (see Figure 4).

Figure 4 Upgrade Tool Window—Firewall or Access Control List with External TFTP Server


Caution If you select the Use External TFTP Server option, the TFTP server must not be located on the same workstation as the upgrade tool. The message in Figure 4 applies only when the external TFTP server is located on a workstation that is different from the workstation on which the upgrade tool is located.

If you are running the TFTP server on the same workstation as you are running the upgrade tool, the following message appears (see Figure 5). If you want to run the built-in upgrade tool TFTP server, you must stop the currently running TFTP server on the workstation. Then stop the tool by clicking the No button in Figure 5. Restart the tool to run the built-in upgrade tool TFTP server.

If you click the Yes button in Figure 5, you must click the Use External TFTP Server radio button (see Step 3 below). With this option, the upgrade tool does not handle environmental mismatches because the built-in upgrade tool TFTP server is not running.

Figure 5 Upgrade Tool Window—TFTP Server Running on Same Workstation as Upgrade Tool

c. Check the Retain Hostname on APs check box so that the upgrade tool includes the hostname that is present in the running configuration in the environmental variables. LWAPP looks for these environmental variables when an LWAPP private configuration file is not available.

If you are upgrading an AP for the second time, make sure that there is no private configuration file present in the AP before upgrading again. The LWAPP hostname should be updated with the latest hostname that was configured in the environmental variables by the tool during the first upgrade. You can enter the clear lwapp private-config command when the AP is running an LWAPP recovery image or when the AP is running an LWAPP image but not joined to a controller.

Step 3 The LWAPP Recovery Image section refers to the upgrade image file (Cisco IOS Release 12.3(11)JX1) loaded by the upgrade tool that allows the access point to join the controller. Perform the following steps to specify information about the recovery image:

a. Click either the Use Upgrade Tool TFTP Server radio button or the Use External TFTP Server radio button to download the upgrade image into the access point. To use the tool's TFTP server, store the upgrade image file in the images sub-directory for the upgrade tool. For example, if the upgrade tool is installed in C:\Program Files\Cisco Systems\Upgrade Tool, the upgrade image file must be stored in C:\Program Files\Cisco Systems\Upgrade Tool\images. If you use an external TFTP server, enter the TFTP server path, including the upgrade image filename, in the LWAPP Recovery Image field. Enter the external TFTP server IP address in the TFTP Server IP Addr field.


Note For Cisco C3201WMIC, use the Cisco IOS Release 12.3(11)JA1 image file, which is available in the Software Center tables on Cisco.com.


b. Enter the IP address of the workstation on which you are running the upgrade tool in the System IP Addr field. Providing the workstation IP address ensures that the upgrade tool has the correct IP address in the case of a multi-homed workstation. Specifying the IP address ensures the correct transfer of the environmental variable file to APs and the correct transfer of the recovery image if you use an internal TFTP server.

c. Select the number of access points from the drop-down menu in the Max. AP at a run field. The upgrade tool can handle up to 6 access points at one time. After you supply all necessary information in the other fields and start the tool, the tool enters the access point IP addresses that are in the IP file.

Step 4 (Optional) The Controller Details section contains the information that the upgrade tool uses to log into the controller and add the upgraded access point authorization information. In the IP Address field, enter the controller Management interface IP address. In the Username and Password fields, enter the username and password required to log into the controller Management interface.

Step 5 The System Time Details section provides the time setting that the upgrade tool uses to specify the start time and date of the self-signed certificate's validity period. You have two options (Use Controller Time or User Specified Time) for selecting the time that is set on the access point:

If you click the Use Controller Time radio button, the upgrade tool uses the controller time if you have provided information about the controller in the Controller Details fields.

If you click this radio button but have not provided information about the controller, the upgrade tool uses the time in UTC format of the workstation on which you are running the upgrade tool. If the tool cannot find information about the controller, the following window appears. Click Yes to use the workstation time or No to decline it (see Figure 6).

Figure 6 Upgrade Tool Window—Using Workstation Time


Note If the upgrade tool uses the workstation date and time, the workstation date and time must be June 12, 2005, 00 hours, 00 minutes, or after. Specifying a date and time before June 12, 2005, 00 hours, 00 minutes generates invalid certificates.



Note The Use Controller Time option is recommended.


If you click the User Specified Time radio button, you can specify a time in the provided fields.


Note If you specify a date and time in the provided fields, you must enter a date and time that is June 12, 2005, 00 hours, 00 minutes, or after. Specifying a date and time before June 12, 2005, 00 hours, 00 minutes generates invalid certificates.


If the date and time is before June 12, 2005, 00 hours, 00 minutes, this message appears (see Figure 7):

Figure 7 Upgrade Tool Window—Entering Date Before June 12, 2005

Step 6 (Optional) You use the DNS Address field and Domain Name field to specify DNS parameters that the upgraded access point can use to resolve CISCO-LWAPP-CONTROLLER.localdomain when the access point is not on the same IP subnet as the controller Management interface.

Step 7 Use the Detailed Logging Level menu to set the logging level for the upgrade tool run. Cisco recommends that you select All for the logging level.

The buttons at the bottom of the window control the tool operation:

Start starts the upgrade process. When the upgrade process is running, you can click Stop to stop the upgrade tool. The upgrade tool stops after completing the upgrade in progress.

Exit closes the tool window.

Config launches a window that shows the information that is added to the controller access point authorization list. Each entry in the list includes an AP's Ethernet MAC address, certification type, and public key hash value.

This information is stored in a CSV file with this format: Config_<date stamp>_<time stamp>.csv.

At the end of the upgrade, the tool displays a reminder message about the CSV file (see Figure 8).

Figure 8 Upgrade Tool Window—Upgrade Process Complete

If you do not have a Wireless Control System (WCS), you can import an AP authorization list to the controller by following these steps:


Step 1 Click on the Config button to generate a CSV file that contains a list of APs, their Ethernet MAC addresses, their certification type, and public key hash values.

Step 2 Go to the HTTPS interface of the controller. Click on SECURITY. Then click AAA and under that, AP Policies.

Step 3 Enable Accept Self Signed Certificate.

Step 4 Add the MAC address of each AP as it is listed in the CSV file.

Step 5 Select SSC as the Certificate Type.

Step 6 Enter the hash key for each AP from the CSV file.

Step 7 When you are finished, click on Add.


If you prefer, you can add this information from the controller CLI by entering the config auth-list add ssc AP_MAC public_key_hash command for each AP.


Note If you do have a WCS, see the "Importing the Output of the Upgrade Tool into WCS" section.


AP Config launches a window that lists successfully upgraded access points in this format:

mac-address, ip-address, hostname, radio-type, interface, radio-channel, current-radio-power

Summary Log launches a window that shows the final status for each of the upgraded access points.

Detailed Log launches a window that shows a step-by-step status for each of the upgraded access points.
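
As an added example (not part of Cisco's tool or documentation), the Python sketch below checks the exported AP authorization list before its entries are entered on the controller with config auth-list add ssc AP_MAC public_key_hash. The column order (MAC, certificate type, key hash), the 40-hex-digit hash length, and the function names are assumptions; the page states only which fields each entry contains.

```python
import csv
import io
import re

# Assumption: the public key hash is a SHA-1 digest written as 40 hex digits.
HEX40 = re.compile(r"[0-9a-f]{40}")


def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated octets, or None if malformed."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_auth_commands(csv_text):
    """Check rows of (MAC, certificate type, key hash); return (commands, problems)."""
    problems = []
    hashes_by_mac = {}  # MAC -> {key hash: line where it first appeared}
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        fields = [f.strip() for f in row]
        if not any(fields):
            continue  # blank line
        if len(fields) != 3:
            problems.append("line %d: expected 3 fields, found %d" % (lineno, len(fields)))
            continue
        mac, cert_type, key_hash = normalize_mac(fields[0]), fields[1].upper(), fields[2].lower()
        if mac is None:
            problems.append("line %d: malformed MAC address %r" % (lineno, fields[0]))
        elif cert_type != "SSC":
            problems.append("line %d: certificate type %r is not SSC" % (lineno, fields[1]))
        elif not HEX40.fullmatch(key_hash):
            problems.append("line %d: key hash is not 40 hex digits" % lineno)
        else:
            hashes_by_mac.setdefault(mac, {}).setdefault(key_hash, lineno)

    commands = []
    for mac, hashes in hashes_by_mac.items():
        if len(hashes) > 1:
            # Two different keys claimed for one AP: a person must decide which is current.
            lines = ", ".join(str(n) for n in sorted(hashes.values()))
            problems.append("%s: conflicting key hashes on lines %s" % (mac, lines))
            continue
        (key_hash,) = hashes
        commands.append("config auth-list add ssc %s %s" % (mac, key_hash))
    return commands, problems


# Constructed sample data (documentation MAC range, made-up hashes).
HASH_A = "0123456789abcdef0123456789abcdef01234567"
HASH_B = "89abcdef0123456789abcdef0123456789abcdef"
SAMPLE_CSV = "\n".join([
    "00:00:5e:00:53:01,SSC," + HASH_A,
    "0000.5E00.5302,ssc," + HASH_B,
    "00:00:5e:00:53:03,SSC,abc123",       # truncated hash
    "00:00:5e:00:53:01,SSC," + HASH_B,    # same MAC, different hash
    "00:00:5e:00:53:zz,SSC," + HASH_A,    # malformed MAC
])

if __name__ == "__main__":
    cmds, issues = build_auth_commands(SAMPLE_CSV)
    print("\n".join(cmds))
    print("\n".join("SKIPPED " + i for i in issues))
```

Only rows that pass every check produce a command; an AP listed with two different key hashes produces none until the conflict is resolved, because each entry authorizes that key to join the controller.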

Uninstalling the Upgrade Tool

To uninstall the upgrade tool, use the Add/Remove Programs option in the Windows Control Panel.

Post-Upgrade Tasks

After the upgrade is complete, the autonomous access point is now completely under the control of the controller and the WCS. Typically, you need to complete these post-upgrade tasks:

Assign access points to a specific controller

Add the new access points to a WCS map

Push the access point authorization list from WCS to the other controllers in the network

Consult the Cisco Airespace System Product Guide and for instructions on completing these tasks.

Importing the Output of the Upgrade Tool into WCS

To import the configuration file output of the upgrade tool into WCS, open the WCS web interface and navigate to Configure > Templates > Security > AP Authorization.


Step 1 Select Add Template from the drop-down box in the upper right-hand side.

Step 2 Click Go (see Figure 9).

Figure 9 Adding a Template

Step 3 Browse to the location of the CSV file output by the upgrade tool and click Save (see Figure 10).

Figure 10 New Template Page

Step 4 If you want to push the imported entries to other WLCs in the network, choose SSC entries and then select Apply Templates.


Note If you have multiple controllers in your environment, a best practice is to populate each controller with all known SSCs. To aid in populating multiple controllers, use the configuration file that is located here: installed_location/Upgrade Tool/Config_date stamp_time stamp.csv.


Step 5 Click Go (see Figure 11).

Figure 11 Apply Templates

Step 6 Choose a WLC device to add to the SSC entries and click OK (see Figure 12).

Figure 12 Self-signed Certificate


Converting a Lightweight Access Point Back to Autonomous Mode

You can convert an access point from lightweight mode back to autonomous mode by loading a Cisco IOS Release that supports autonomous mode. If the access point is associated to a controller, you can use the controller to load the Cisco IOS release. If the access point is not associated to a controller, you can load the Cisco IOS release using TFTP.


Note In some LWAPP deployments, the LWAPP controller resides between the access points and the rest of the network. In this topology, all traffic must cross over the controller before communication with network resources, such as a TFTP server, can occur. When converting back to non-LWAPP IOS with an access point that is no longer using the LWAPP protocol, traffic does not cross over the controller to reach the TFTP server.



Note The lightweight 1300 series access points can only be converted back to autonomous mode using a wireless LAN controller.


Using a Wireless LAN Controller to Return to a Previous Release

Follow these steps to revert from LWAPP mode to autonomous mode using a wireless LAN controller:


Step 1 Log into the CLI on the controller to which the access point is associated.

Step 2 Enter this command:

config ap tftp-downgrade tftp-server-ip-address filename access-point-name

Using a TFTP Server to Return to a Previous Release


Note This section does not apply to Cisco C3201WMIC and Cisco C3201LAP.


Follow these steps to revert from LWAPP mode to autonomous mode by loading a Cisco IOS release using a TFTP server:


Step 1 The static IP address of the PC on which your TFTP server software runs should be between 10.0.0.2 and 10.0.0.30.

Step 2 Make sure that the PC contains the access point image file (such as c1200-k9w7-tar.122-15.JA.tar for a 1200 series access point) in the TFTP server folder and that the TFTP server is activated.

Step 3 Set the timeout value on the TFTP server to 30 seconds.

Step 4 On the PC where the TFTP server is located, perform these steps:

a. Disable any software firewall products, such as Windows firewall, ZoneAlarm firewall, McAfee firewall, or others.

b. Ensure all Windows files are visible. From Windows Explorer, click Tools > Folder Options > View; then uncheck the Hide extensions for known file types check box.

Step 5 Rename the access point image file in the TFTP server folder to c1200-k9w7-tar.default for a 1200 series access point, c1130-k9w7-tar.default for an 1130 series access point, c1240-k9w7-tar.default for a 1240 series access point, and c1250-k9w7-tar.default for a 1250 series access point.

Step 6 Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable.

Step 7 Disconnect power from the access point.

Step 8 Press and hold MODE while you reconnect power to the access point.

Step 9 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds) and then release.

Step 10 Wait until the access point reboots, as indicated by all LEDs turning green followed by the Status LED blinking green.

Step 11 After the access point reboots, reconfigure it using the GUI or the CLI.


Caveats

This section describes resolved caveats.

Resolved Caveats in Release 3.4

CSCsl82267—Unable to load RCV image using upgrade tool in MIC access points

When conversion of MIC access points (for example, the AP1240 and AP1130) is attempted, the recovery image is not loaded on the access points.

CSCsm34792—Upgrade tool version 3.2 fails on unconfigured SNTP servers on AP

The upgrade process fails for access points on which SNTP is configured.

CSCsm55251—Upgrade tool times out if the initial upgrade attempt fails

If an incorrect version of a recovery image is selected, the upgrade tool fails. If a correct version is then selected, the tool returns the message "Tool timed-out before response from the device."

CSCsm73407—Upgrade tool version 3.2 error message should be corrected

The error message "192.x.x.x, Couldn't getthe result of file Copy success/failure" should be "Couldn't get the result of file copy success/failure."

Resolved Caveats in Release 3.2

CSCsj40023—IOS-to-LWAPP upgrade tool SSC load failure

After access points run through the IOS-to-LWAPP conversion process, the access points report successful installation of the required self-signed certificate (SSC). However, the SSC is not installed. The access points cannot join the controller.

CSCsl32823—AP does not reboot after IOS-to-LWAPP conversion process

Access points do not reboot after conversion with upgrade tool release 2.05. Access points must be rebooted manually.

Resolved Caveats in Release 3.0

CSCsh54459—LWAPP upgrade tool corrupts access points when converted with user-specified time

When the user specifies a date and time before June 10 2005 22:16:01 UTC, access points fail to join the controller.

With Upgrade Tool 3.0, the upgrade tool performs a validation check of the date and time. With Upgrade Tool 3.0, the earliest date for generating valid certificates is June 12, 2005.

CSCsh58663—The # sign in Cisco IOS access point hostname causes the LWAPP upgrade tool to fail

The LWAPP upgrade tool used to stall when an access point hostname contains special characters.

Upgrade Tool 3.0 handles such special characters and proceeds with the upgrade process.

CSCsi59466—LWAPP Upgrade Tool upgrade options do not function

When performing an upgrade with the LWAPP upgrade tool, the All APs on DHCP option and the Retain Hostname on APs option do not function when the Use External TFTP Server option is selected but the TFTP server is located on the same workstation as the upgrade tool.

To avoid these issues, when the Use External TFTP Server option is selected, the user must not use a TFTP server that is located on the same workstation as the upgrade tool.

CSCsj10936—LWAPP upgrade tool rejects access points that have radios configured with the station-role fallback shutdown option

The upgrade tool used to reject the upgrade and indicate that the station-role should be the root.

Upgrade Tool 3.0 accepts this configuration.

Terms and Acronyms

This section lists key terms and acronyms used in this document.

Lightweight access point—An access point running software that makes the access point work with the controllers

LWAPP—Lightweight Access Point Protocol. An IETF draft protocol used in the Cisco Centralized WLAN Architecture implementations. LWAPP defines both control and data encapsulation formats used in the Cisco Centralized WLAN Architecture

MIC—Manufacturing Installed Certificate, required to secure communications between lightweight access points and controllers

SSC—Self-Signed Certificate. Access points that do not contain a MIC (such as autonomous access points upgraded to lightweight mode) automatically create a self-signed certificate.

WCS—Cisco Wireless Control System. Management software that manages the controllers and access points on your wireless LAN. Also provides advanced management features such as location-based services.

Related Documents

These documents provide more information about WCS, controllers, and lightweight access points:

Cisco Wireless LAN Controller Configuration Guide

Cisco Wireless Control System Configuration Guide

Release Notes for Cisco Aironet 1130AG, 1200, 1230AG, and 1240AG Series Access Points for Cisco IOS Release 12.3(11)JX1

Appendix A: Configuring DHCP Option 43 for Lightweight Cisco Aironet Access Points on Windows 2003 Enterprise DHCP Server

This appendix contains an example of configuring DHCP Option 43 for Lightweight Cisco Aironet Access Points on Windows 2003 Enterprise DHCP Servers. Consult the product documentation for configuring DHCP Option 43 with other DHCP Server implementations.


Step 1 Open the DHCP Server Administration Tool.

Step 2 Right-click on DHCP root and choose Define Vendor Classes (see Figure 13).

Figure 13 Define Vendor Class

Step 3 On the DHCP Vendor Class pop-up window, select Add (see Figure 14).

Figure 14 DHCP Vendor Class Window

Step 4 On the New Class pop-up window, enter a value for the Display Name field (such as Cisco Aironet 1130 AP) and an appropriate description.

Step 5 In the ASCII section, enter the appropriate string value for the Vendor Class Identifier (in Table 1). Remove the leading ".'s" inserted by Microsoft Windows in the ASCII field (see Figure 15).

Figure 15 ASCII Section

Step 6 Click OK.

Step 7 To configure the pre-defined options, right-click on the DHCP Server Root and choose Set Predefined Options (see Figure 16).

Figure 16 Set Predefined Options

Step 8 Use the drop-down menu to choose the newly created vendor option class in the Option Class field.

Step 9 Select Add. The Option Type window appears (see Figure 17).

Figure 17 Option Type Window

Step 10 In the Name field, enter a string value (such as Option 43).

Step 11 Use the drop-down menu to choose IP Address as the Data Type.

Step 12 Click to check the Array check box.

Step 13 In the Code field, enter the value 241 (0xf1).

Step 14 Enter a description if desired.

Step 15 Click OK. You will return to the Predefined Options and Values window.

Step 16 In the Predefined Options and Values window, click OK.

Step 17 Option 43 must now be configured as an appropriate DHCP scope option. Choose the appropriate DHCP scope.

Step 18 Right-click on Scope Options and choose Add Option.

Step 19 Choose the Advanced Tab (see Figure 18).

Figure 18 Advanced Tab

Step 20 Choose the vendor class previously defined.

Step 21 Click the check box to choose the 241 Option 43 value in the Available Options column.

Step 22 Enter each WLC management interface IP address.

Step 23 Click OK.

Repeat these steps for each type of lightweight access point (such as Cisco Aironet 1130, Cisco Aironet 1200, Cisco Aironet 1240, etc.).
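
As an added example (not from Cisco's documentation), the Python sketch below shows the bytes that the configuration above places in DHCP Option 43 and decodes a captured value to confirm that it names only approved controllers. It assumes the standard RFC 2132 encapsulated layout (sub-option code, length, data) with the code 241 (0xf1) from Step 13; the function names and the sample addresses are constructed.

```python
import ipaddress

WLC_SUBOPTION = 0xF1  # sub-option code 241 (0xf1) entered in Step 13


def encode_option43(controller_ips):
    """Build the Option 43 value: code 0xf1, length, then 4 bytes per controller."""
    addrs = [ipaddress.IPv4Address(ip) for ip in controller_ips]
    if not 1 <= len(addrs) <= 63:
        # One length byte plus the 255-byte option limit caps the list at 63 addresses.
        raise ValueError("need between 1 and 63 controller addresses")
    value = b"".join(a.packed for a in addrs)
    return bytes([WLC_SUBOPTION, len(value)]) + value


def decode_option43(payload):
    """Return the controller addresses carried in sub-option 0xf1 of an Option 43 value."""
    controllers = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated sub-option header at offset %d" % pos)
        code, length = payload[pos], payload[pos + 1]
        value = payload[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d is shorter than its length byte" % code)
        if code == WLC_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("sub-option 241 length %d is not a multiple of 4" % length)
            controllers += [str(ipaddress.IPv4Address(value[i:i + 4]))
                            for i in range(0, length, 4)]
        pos += 2 + length  # other sub-options are skipped, not interpreted
    return controllers


def unexpected_controllers(payload, approved_ips):
    """List advertised controllers that are not in the approved set."""
    approved = {str(ipaddress.IPv4Address(ip)) for ip in approved_ips}
    return [ip for ip in decode_option43(payload) if ip not in approved]


if __name__ == "__main__":
    # Constructed sample: two controllers from the documentation address ranges.
    wire = encode_option43(["192.0.2.10", "192.0.2.11"])
    print(wire.hex())                      # value as it appears in a DHCP offer
    print(decode_option43(wire))
    # A captured value that names a controller outside the approved list.
    captured = bytes.fromhex("f108c000020ac6336407")
    print(unexpected_controllers(captured, ["192.0.2.10", "192.0.2.11"]))
```

Running the decoder against the Option 43 value seen in a DHCP offer on the access point VLAN shows whether the scope hands out exactly the WLC management interface addresses entered in Step 22.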


Appendix B: Configuring Access Points in Cisco LWAPP Mode for Easy Deployment

Access points in Cisco IOS LWAPP mode are managed by a Cisco wireless LAN controller. When you deploy an access point in a remote place, the access point connects to the controller through a WAN link. You can manually configure the access point so that it can register to a specified controller when a WAN link is slow and a DHCP server is not available.

To register to a specified controller, you enter commands on the access point console to configure the access point static IP address and the netmask; the IP address of the controller; the access point hostname; and the default gateway IP address.

These commands have been provided to make the deployment of access points easier. They can be entered in EXEC mode on the access point console.

These commands are disabled by default in an access point in LWAPP mode. They are enabled by default when the access point is running a recovery IOS image.

Obtaining a Password to Enter into EXEC mode on the AP Console

An IOS LWAPP access point uses "Cisco" as the default enable password, but to enable these commands for easy deployment, you must first provide the access point with a new enable password. This new password enables you to enter into EXEC mode on the access point console.

When you enter the following command from the controller console, the controller sends a username and a password to the access point:

config ap username user-id password pass {AP-name | all}

If you enter an AP-name argument, the username and password are configured only for the specified access point. If you enter the all keyword, the username and password are sent to all access points that are registered to the controller.


Note If you are relocating an access point that is using an LWAPP configuration file, you must clear the LWAPP configuration in the access point NVRAM and restore the access point factory default settings in order to enable the commands that specify the access point static IP address and the netmask; the IP address of the controller; the access point hostname; and the default gateway IP address. See the "Deleting the LWAPP Configuration File to Redeploy the AP" section for information about deleting the LWAPP configuration and enabling these commands.


Configuring Static Parameters to Register the Access Point to a Controller

Using the password that the controller sent to the access point, enter into EXEC mode on the access point console. When the access point is running LWAPP or a recovery IOS image, you can configure the static IP address on the access point, the IP address on the controller, the access point hostname, and the default gateway IP address by entering these commands:

lwapp ap ip address ip-addr subnet-mask

lwapp ap controller ip address ip-addr

lwapp ap hostname ap-hostname

lwapp ap ip default-gateway ip-addr

The access point with a recovery IOS image uses the static controller IP address to register to the specified controller and download the current LWAPP image. After the access point successfully registers to the controller, it receives configurations from the controller. The access point static hostname and the IP address of the controller are deleted from the access point configuration file. However, the access point static IP address and the netmask and the default gateway IP address are not deleted.

When the access point is running a recovery IOS image, the commands to configure the static IP address on the access point, the IP address on the controller, the access point hostname, and the default gateway IP address are always enabled.

These commands are disabled in the following cases:

When the access point is running an LWAPP image.

When the access point has an LWAPP configuration file in NVRAM.

When the access point is in REGISTERED state with the controller.

The access point console displays the following error message if you enter any of these commands when they are disabled:

"ERROR!!! Command is disabled."

Clearing the Static Parameters

To clear the static IP address on the access point, the IP address on the controller, the access point hostname, and the default gateway IP address, enter these commands on the access point console:

clear lwapp ap ip address

clear lwapp ap controller ip address

clear lwapp ap hostname

clear lwapp ap ip default-gateway

The access point console displays the following error message if you enter any of these commands when they are disabled:

"ERROR!!! Command is disabled."

Deleting the LWAPP Configuration File to Redeploy the AP

When you redeploy an access point after moving it from one location to another, you must first delete the LWAPP configuration file and restore the access point to the factory default settings. Deleting the LWAPP configuration enables the commands on the access point console to configure the static IP address on the access point, the IP address on the controller, the access point hostname, and the default gateway IP address.

To delete the LWAPP configuration and restore the factory defaults, enter the following command in EXEC mode on the access point console:

clear lwapp private-config

The clear lwapp private-config command becomes available on the access point console after the controller pushes a new username and password to the access point.


Note If the access point reloads for an unknown reason after you delete the LWAPP configuration, the commands to configure the static IP address on the access point, the IP address on the controller, the access point hostname, and the default gateway IP address will be disabled when the access point comes up after reboot. In this situation, you can recover the access point by making the access point join a controller and configuring the username and password on the access point from that controller.