Instead of Mobility Express, Cisco's latest 9000 series of access points (9115, 9117, 9120, 9130) are capable of running the Embedded Wireless Controller (EWC) image. EWC is based on Cisco 9800 WLC code and allows one of the access points to act as a controller for up to 100 other APs.
EWC or the Catalyst 9800 can be connected to DNA Spaces cloud in 3 different ways:
Direct Connection
Via DNA Spaces Connector
Via Cisco Connected Mobile Xperience (CMX) on-prem appliance or VM
Integration with DNA Spaces is supported on every version of EWC. This article covers setup and troubleshooting of Direct Connection only, for both the EWC on a Catalyst AP and the 9800, as the procedures are identical.
Important: Direct connection is only recommended for deployments of up to 50 clients. For any larger ones, use DNA Spaces Connector.
Embedded Wireless Controller image version 17.1.1s or Catalyst 9800-L using 16.12.1
DNA Spaces cloud
Steps outlined in this article assume that the EWC or 9800 has already been deployed and has a working web interface and SSH.
Configure the controller
DNA Spaces cloud nodes and the controller communicate over HTTPS. In this test setup, the controller has been placed behind a NAT with full internet access.
Install root certificate
Before configuring the controller, a DigiCert root certificate needs to be downloaded. SSH into the controller and run:
WLC# conf t
Enter configuration commands, one per line. End with CNTL/Z.
WLC(config)# ip name-server <DNS ip>
WLC(config)# ip domain-lookup
WLC(config)# crypto pki trustpool import url https://www.cisco.com/security/pki/trs/ios.p7b
Reading file from http://www.cisco.com/security/pki/trs/ios.p7b
Loading http://www.cisco.com/security/pki/trs/ios.p7b !!!
% PEM files import succeeded.
The EWC has DNS configured by default using Cisco DNS servers, but configuring DNS is a required step for a 9800 controller.
To verify that the certificate has been installed, run:
EWC(config)#do show crypto pki trustpool | s DigiCert Global Root CA
cn=DigiCert Global Root CA
cn=DigiCert Global Root CA
Configure via Web Interface
Before the controller can be connected to DNA Spaces, it is required to set up NTP and DNS servers and have at least one AP joined.
Open the web interface of the EWC and navigate to Administration > Time. Make sure that the WLC is synced with an NTP server. By default, EWC is preconfigured to use the ciscome.pool.ntp.org NTP servers. In the case of a 9800, you can use the same NTP servers or your preferred NTP server:
Navigate to Administration > DNS and verify that the DNS server has been added. By default, EWC is preconfigured to use Cisco Open DNS servers:
Under Configuration > Wireless > Access Points, verify that at least one AP has been joined. This AP can be the same one on which the EWC is running:
On DNA Spaces cloud, navigate from home page to Setup > Wireless Networks > Connect WLC/Catalyst 9800 Directly. Click on View Token:
Switch tab to Cisco Catalyst 9800. Copy the token and URL:
In the WLC web interface, navigate to Configuration > Services > Cloud Services > DNA Spaces. Paste URL and Authentication Token. If HTTP proxy is being used, specify its IP address and port.
Verify that the connection has been successfully established under Monitoring > Wireless > NMSP. Service Status should show green arrow:
Skip the next chapter and go to the “Import Controllers into Location Hierarchy”.
New NTP servers can be added using the ntp server <ntp_ip_addr> command.
Verify DNS servers have been configured:
EWC#show ip name-servers
New DNS servers can be added using the ip name-server <dns_ip> command.
To confirm that an AP has joined:
EWC#show ap status
AP Name Status Mode Country
9115 Enabled Local BE
As previously mentioned, access DNA Spaces cloud, navigate to Setup > Wireless Networks > Connect WLC/Catalyst 9800 Directly and click View Token:
Switch tab to Cisco Catalyst 9800. Copy the token and URL:
Run the following commands:
CL-9800-01(config)#no nmsp cloud-services enable
CL-9800-01(config)#nmsp cloud-services server url [URL]
CL-9800-01(config)#nmsp cloud-services server token [TOKEN]
CL-9800-01(config)#nmsp cloud-services enable
To verify that connection with DNA Spaces cloud has been successfully established, run:
CL-9800-01#show nmsp cloud-services summary
CMX Cloud-Services Status
Server : https://vasilijeperovic.dnaspaces.eu
CMX Service : Enabled
Connectivity : https: UP
Service Status : Active
Last IP Address : 188.8.131.52
Last Request Status : HTTP/2.0 200 OK
Heartbeat Status : OK
Import EWC into Location Hierarchy
Step 1. The rest of the configuration will be done in DNA Spaces. Under Setup > Wireless Networks > Connect WLC/Catalyst 9800 Directly, click on Import Controllers.
Step 2. Check the radio button next to your account name and click Next. If you already have some Locations added, they will show up in the list below:
Step 3. Find your controller IP address, check the box next to it and press Next:
Step 4. Since no other Locations have been added, just click Finish:
Step 5. A prompt saying that the WLC has been successfully imported into Location Hierarchy will pop up:
Now that the WLC has been successfully connected to the cloud, you can start using all other DNA Spaces features.
Note: NMSP traffic always uses the Wireless Management interface for communicating with DNA Spaces or CMX. This cannot be changed in the 9800 controller configuration. The interface number is irrelevant; whichever interface is assigned as the Wireless Management Interface on the 9800 controller will be used.
Organize the Location Hierarchy on Cisco DNA Spaces
If a new location hierarchy is desired or if no locations were added in step 4 of the Import the 9800 controller to Cisco DNA Spaces section, you can configure them manually.
Location hierarchy is one of the most important features of DNA Spaces: it is used for analytics information, and the rules of the captive portals are configured based on it. The more granular the location hierarchy is, the more granular the control one has over the rules of the captive portal and over the information that can be retrieved from DNA Spaces.
The location hierarchy feature on DNA Spaces works the same way as the traditional hierarchy from Cisco Prime Infrastructure or Cisco CMX, but the naming is quite different. When the controller is imported into the location hierarchy, it is the equivalent of the campus in the traditional hierarchy. Under the controller, groups can be created that are the equivalent of buildings. Under the groups, networks can be configured that are the equivalent of floors. Finally, under the networks, zones can be created; these remain at the same level as in the traditional location hierarchy. To sum up, this is the equivalence:
Table 1. Equivalence between the traditional hierarchy levels with the levels of DNA spaces.
DNA Spaces Hierarchy
Controller (Wireless Network)
Step 1. Configure a group. Groups organize multiple locations or zones based on geolocation, brand or any other type of grouping depending on the business. Navigate to Location Hierarchy, hover the mouse on the existing wireless controller and click on Create Group.
To change the name of the location level, hover the mouse on the network and click "Rename".
Step 2. Enter the Group name and select the Unconfigured location, as that includes all the APs imported with the controller. Those APs will then be mapped to networks and zones as needed. Click Add.
Step 3. Create a network. A network or location is defined in Cisco DNA Spaces as all access points within a physical building consolidated as a Location. Hover the mouse on the Group and click Add Network.
Note: This is the most important node in the Location Hierarchy as business insights and location analytics calculations are generated from here.
Step 4. Enter the network name and the access point prefix, click Fetch. DNA Spaces fetches all the APs associated to that controller with that prefix and allows one to add the APs to the floor. Only one prefix can be entered.
Step 5. In case more prefixes are needed in the network, click the network name and, in the Location Info tab, click the Edit button next to Access Points Prefix Used.
Enter the prefix name, click +Add Prefix, and Save. Repeat for all the prefixes as needed. This maps the APs to the network and allows the APs to be associated with zones later.
Step 6. Create a Zone. A zone is a collection of access points within a section of a building/location. It can be defined based on the departments in a physical building or an organization. Hover the mouse on the Network and select Add Zone.
Step 7. Configure the Zone Name and select the APs for the zone, and click Add:
Troubleshoot & Common Issues
The web interface page under Monitoring > Wireless > NMSP (or running show nmsp cloud-services summary command) will usually show enough information about the connection failure. Several common mistakes can be found in the screenshots below:
1. When DNS is not configured, the error message “Transfer error (6): Couldn't resolve host name” shows up:
2. A missing certificate or unconfigured NTP both result in the error message “Transfer error (60): SSL peer certificate or SSH remote key was not OK”:
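The two error signatures above, together with the healthy show nmsp cloud-services summary output shown earlier, can be checked mechanically on captured CLI text. The Python below is an added example, not part of the original article or any Cisco tooling; the failure sample, its server URL and its DOWN/Inactive/Failed field values are constructed assumptions.

```python
import re

# Causes as the troubleshooting section states them, keyed by transfer error code.
KNOWN_ERRORS = {6: "DNS is not configured (host name could not be resolved)",
                60: "root certificate not installed or NTP not configured"}
# Field values shown in the article's healthy output; anything else is flagged.
EXPECTED = {"CMX Service": "Enabled", "Connectivity": "https: UP",
            "Service Status": "Active", "Heartbeat Status": "OK"}

# Healthy output as printed in the article.
HEALTHY = """CMX Cloud-Services Status
Server : https://vasilijeperovic.dnaspaces.eu
CMX Service : Enabled
Connectivity : https: UP
Service Status : Active
Last IP Address : 188.8.131.52
Last Request Status : HTTP/2.0 200 OK
Heartbeat Status : OK"""

# Constructed failure sample: URL and DOWN/Inactive/Failed values are assumed.
DNS_FAILURE = """CMX Cloud-Services Status
Server : https://tenant.dnaspaces.example
CMX Service : Enabled
Connectivity : https: DOWN
Service Status : Inactive
Last Request Status : Transfer error (6): Couldn't resolve host name
Heartbeat Status : Failed"""

def parse_summary(text):
    """Split each 'Key : Value' line on its first colon; other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def diagnose(text):
    """Return findings for one captured summary; an empty list means healthy."""
    fields = parse_summary(text)
    findings = []
    match = re.search(r"Transfer error \((\d+)\)", text)
    if match:  # report the documented root cause first
        code = int(match.group(1))
        findings.append(KNOWN_ERRORS.get(code, f"unrecognised transfer error {code}"))
    for name, want in EXPECTED.items():
        if fields.get(name) != want:
            findings.append(f"{name} is {fields.get(name, 'missing')!r}, expected {want!r}")
    return findings
```

Calling diagnose() on text saved from the controller returns the documented root cause first, followed by each status field that differs from the healthy output.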
EWC, like all other 9800 controllers, supports always-on Radioactive Traces. In order to collect them and see why the connection is not being established, it is required to know which DNA Spaces IP address the EWC is reaching out to. This can be found under Monitoring > Wireless > NMSP or through the CLI:
EWC#show nmsp status
CMX IP Address Active Tx Echo Resp Rx Echo Req Tx Data Rx Data Transport
184.108.40.206 Active 0 0 38 2 HTTPS
The EWC in this test setup is connecting to 220.127.116.11. Copy this IP address and navigate to Troubleshooting > Radioactive Trace. Click Add, paste the IP address and click Generate:
Select Generate logs for the last 10 minutes and click Apply. Enabling Internal Logs can generate large amounts of data that might be hard to analyze:
Note: Misconfigured DNS, misconfigured NTP and a missing certificate will not generate any Radioactive Traces.
Example of a Radioactive Trace in a case where a firewall is blocking HTTPS: