Updated: June 20, 2022
This document describes how to convert a lightweight Cisco Catalyst 9000 series Access Point (9115, 9117, 9120, 9130) to Embedded Wireless Controller (EWC) and gain access to its web interface. Other guides cover the smartphone app and the web UI wizard for easily deploying Cisco EWC on Catalyst AP, but this document focuses mainly on the CLI approach, as well as conversion tips and tricks.
About Embedded Wireless Controller on Catalyst AP
The Cisco® Embedded Wireless Controller on Catalyst® Access Points provides an option for your Wi-Fi 6 network that is easy to deploy and manage. The control function is built into the Cisco Catalyst access point, so no added physical appliance is required.
This means you get enterprise-class capabilities, including robust security, Cisco reliability, and Wi-Fi 6 capacity and performance right out of the box. The deployment and management of your new wireless network requires little network knowledge or IT support, making it ideal for single-site or multisite deployments for organizations with minimal IT resources. Just set it and forget it.
The Cisco Embedded Wireless Controller on Catalyst Access Points runs Cisco IOS® XE code similar to that of the Cisco Catalyst 9800 Series Wireless Controllers, making it resilient, secure, and intelligent. With the embedded wireless controller, you get the benefit of enterprise features without having to invest in a controller appliance.
Additionally, your investment in Cisco Catalyst access points is protected as your needs evolve. The embedded wireless controller can be migrated to cloud- or physical controller-based deployments as needed.
EWC on Catalyst AP Limitations
EWC is not capable of having its Gig 0 interface configured as trunk
EWC does not support SVIs
EWC is not capable of performing central switching
Gig 0 is the only interface that can be used as the wireless management interface
All of the EWC traffic has to be sourced from the Gig 0 interface (including RADIUS, CAPWAP control, licensing traffic, and so on)
EWC is not capable of performing embedded packet captures
EWC does not support APs in sniffer mode
EWC image does not boot up if there is another EWC, AireOS or 9800 WLC in the same broadcast domain. The AP will continue to function as a normal lightweight capwap AP until the other WLCs are removed from the network.
When converting or upgrading EWC in a deployment with mixed AP models, it is required to have a functioning TFTP server
The steps outlined in this article assume that the AP is running a lightweight CAPWAP image and that a functional TFTP server is reachable from this AP. A serial connection to the AP is also a requirement.
EWC image version 17.1.1s
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The switch port to which the EWC AP is connected must be a trunk port whose native VLAN is the management VLAN.
Before converting the Access Point, it is best practice to perform a factory reset, even if it is brand new:
Unplug the AP from its power source
Plug the console cable in and open a serial session on your PC
Press and hold the Mode/Reset button on the AP
Plug the AP back to its power source while still holding the Mode/Reset button
Continue holding the button until a prompt shows up in your serial session
The console session will write out how long the button has been pressed for. At least 20 seconds are required for a full restart. The AP will boot up, and the default credentials Cisco/Cisco can be used to log in on the command line (the web interface credentials are webui/Cisco).
Embedded Wireless Controller images are provided in the form of a zip file. The zip file contains:
EWC .bin image (example: C9800-AP-iosxe-wlc.bin)
AP image for all APs that can join EWC (example: ap1g4, ap1g7)
Readme.txt file that specifies which image corresponds to which AP model
Note: Please make sure to extract the contents of the zip archive to your TFTP server. The AP needs direct access to these files and cannot retrieve them if they are still in an archive.
This table lists all the images and corresponding AP models:
Image File Name
AP180x, AP183x, AP185x
AP380x, AP280x, AP156x
Note: Only Cisco Catalyst 9000 series APs are capable of running EWC code. All other APs in the previous table are capable of only joining EWC.
Contents of the extracted zip file must be copied to a TFTP server.
Before upgrading the image, we will rename the AP and assign it a static IP address, netmask and default gateway:
AP2CF8.9B5F.8628#capwap ap hostname AP1
Please note that if AP is already associated to WLC,
the new hostname will only reflect on WLC after AP
dis-associates and rejoins.
AP1#capwap ap ip 192.168.1.14 255.255.255.0 192.168.1.1
The TFTP server is located at IP address 192.168.1.25. Unlike Mobility Express, it is required to specify 2 different images: one for the AP and one for the EWC. Conversion of the image is done using this command:
AP1#ap-type ewc-ap tftp://192.168.1.25/ap1g7 tftp://192.168.1.25/C9800-AP-iosxe-wlc.bin
Starting download eWLC image tftp://192.168.1.25/C9800-AP-iosxe-wlc.bin ...
It may take a few minutes. If longer, please abort command, check network and try again.
It may take a few minutes. If longer, please abort command, check network and try again.
Access Point CLI suggestions (using ?) only mention TFTP and SFTP as supported protocols. However, others like HTTP and HTTPS are also supported (and a lot faster than the most commonly used TFTP). At the time of writing, upgrade over FTP is not possible. Enhancement "CSCvy36161 - 9100 APs ap-type ewc command only shows tftp and sftp as supported protocols" has been filed to change CLI suggestions to include HTTP and HTTPS.
AP-1#ap-type ewc-ap ?
  WORD  URL of AP image <tftp|sftp>://<server_ip>/<file_path>
Once the image is upgraded, the AP reboots. Log in using the default credentials Cisco/Cisco. If the upgrade has been successful, the output of the show version command will contain:
AP Image type : EWC-AP IMAGE
AP Configuration : EWC-AP CAPABLE
The EWC portion of the code will boot up. Booting up for the first time can take up to 15 minutes.
Important: The EWC process of the AP never boots if there is an existing AireOS, 9800 or Mobility Express or EWC controller in the same broadcast domain (VLAN).
Option 1 : Initial CLI Configuration
Once the EWC partition boots up, a prompt will offer to start up an initial configuration wizard. This article will cover manual configuration from scratch, without the use of Catalyst Wireless app or web browser wizard:
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
Would you like to terminate autoinstall? [yes]: no
WLC2CF8.9B5F.8628#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
WLC2CF8.9B5F.8628(config)#hostname EWC
######## Creates local user admin ########
EWC(config)#user-name admin
EWC(config-user-name)#privilege 15
EWC(config-user-name)#password 0 Cisco123
EWC(config-user-name)#exit
######## Specifies credentials used to log into APs joined to this EWC ########
EWC(config)#ap profile default-ap-profile
EWC(config-ap-profile)#mgmtuser username admin password 0 Cisco123 secret 0 Cisco123
EWC(config-ap-profile)#exit
######## Configures management interface IP address and subnet ########
EWC(config)#interface gigabitEthernet 0
EWC(config-if)#ip address 192.168.1.15 255.255.255.0
EWC(config-if)#exit
######## Default gateway IP address ########
EWC(config)#ip default-gateway 192.168.1.1
######## Enables web interface of EWC ########
EWC(config)#ip http server
EWC(config)#ip http secure-server
######## Write to memory ########
EWC(config)#end
EWC#write memory
Note: You must do "write memory" in order to save the configuration and also to clear the preinstalled day-zero configuration. If this is not done, the GUI of the EWC will become inaccessible, as explained later in this guide.
Unlike a 9800 controller, EWC flash memory does not have enough space to store all AP images. All the AP images need to be hosted on an external TFTP or SFTP server. When a second AP tries to join, EWC will point it to the external server. Without these commands, no other AP will be able to join it:
Web interface can now be accessed at https://<EWC management IP address>.
Note: If both HTTP and HTTPS are enabled, the EWC will always serve the user with its HTTPS web interface. Having HTTP enabled is crucial for some features like web authentication and it is recommended to have it enabled.
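The following check is an added example, not part of the original Cisco document: a Python script that reads a typed session in the prompt format used above and flags the credential, web-access and save-state choices this guide touches on. The sample transcript is constructed, the function names and finding texts are this example's own, and the input is a typed session rather than `show running-config` output.

```python
import re

# Constructed transcript, same prompt format as the session above.
SAMPLE = """\
EWC(config)#user-name admin
EWC(config-user-name)#password 0 Cisco123
EWC(config-user-name)#exit
EWC(config)#ap profile default-ap-profile
EWC(config-ap-profile)#exit
EWC(config)#ip http server
"""

PROMPT = re.compile(r"^[\w.\-]+(?:\((?P<mode>[\w\-]+)\))?#\s*(?P<cmd>\S.*)$")
# Default and example passwords quoted on this page (compared case-insensitively).
DOCUMENTED = {"cisco", "cisco123"}


def parse(transcript):
    """Yield (mode, words) per prompt line; comments and device output are skipped."""
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            yield m.group("mode") or "exec", m.group("cmd").split()


def secrets(words):
    """Return (type, value) pairs that follow 'password' or 'secret' keywords."""
    return [(words[i + 1], words[i + 2]) for i in range(len(words) - 2)
            if words[i] in ("password", "secret")]


def audit(transcript):
    """Return sorted findings for a typed EWC day-zero configuration session."""
    found, cmds = set(), list(parse(transcript))
    for mode, words in cmds:
        if mode in ("config-user-name", "config-ap-profile"):
            for kind, value in secrets(words):
                if kind == "0":
                    found.add("credential entered as type 0 (cleartext)")
                if value.lower() in DOCUMENTED:
                    found.add("credential is a documented default or example")
    typed = {" ".join(w) for _, w in cmds}
    if not any(m == "config-ap-profile" and w[0] == "mgmtuser" for m, w in cmds):
        found.add("no mgmtuser in AP profile: APs keep the Cisco/Cisco login")
    if "ip http server" in typed and "ip http secure-server" not in typed:
        found.add("web UI enabled over HTTP only")
    if "write memory" not in typed:
        found.add("no write memory: day-zero configuration not cleared")
    return sorted(found)
```

Running `audit()` on the session exactly as typed in this guide still reports the two credential findings, because Cisco123 is a published example value.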
Option 2 : Web UI Wizard
Once the AP has rebooted in EWC mode, it will broadcast a provisioning SSID ending with the last digits of its MAC address. You can connect to it using the PSK "password".
You can then open your browser and you will be redirected to mywifi.cisco.com which will take you to the AP web UI. Connect with user "webui" and password "cisco".
Note: The web redirection to the EWC configuration portal only works if you are connected to the provisioning SSID. It does not work if your laptop is connected to another Wi-Fi network or to the wired network. You cannot configure the AP from the wired network, even if you enter the EWC IP address, when it is in day0 wizard provisioning mode.
Option 3 : Smartphone app
On the Apple Store as well as Android Play Store, you will be able to find the Cisco Catalyst Wireless application. Install it, and the app will allow you to easily provision your embedded controller either through manual connection or QR code.
Tips & Tricks
Joining Other APs to EWC
Up to 100 Access Points can be joined to EWC. APs joined to EWC can only function if they are in FlexConnect mode. As mentioned in the previous section, EWC is not capable of hosting all AP images in its flash memory, so a TFTP or SFTP server is required and must be specified with the wireless profile image-download default command.
If the site where EWC is located has no infrastructure to host a permanent TFTP server, a regular laptop can be used temporarily. TFTP server with AP images only needs to be present on site during initial deployment and upgrade.
Accessing AP Console From EWC (former apciscoshell)
When a console cable is plugged into the AP running the EWC image, an EWC prompt is shown by default. If, for any reason, access to the underlying AP shell is required, it can be obtained using this command:
EWC#wireless ewc-ap ap shell username admin
admin@192.168.129.1's password: Cisco123
Note: If the AP management username and password were not specified in the AP profile, please use the default username Cisco and password Cisco instead.
This command is equivalent to apciscoshell that was previously available in Mobility Express controllers.
To exit back to EWC shell, use:
Connection to 192.168.129.1 closed.
Converting EWC Back To Lightweight CAPWAP Mode
If an AP running in EWC mode needs to be converted back to lightweight CAPWAP mode, it can be done via:
AP is the Master AP, system will need a reboot when ap type is changed to CAPWAP. Do you want to proceed? (y/N) y
Important: This command will perform a complete factory reset of both AP and EWC partition. Make sure to back up the existing EWC configuration before conversion.
Factory Reset from the EWC CLI
In order to reset the EWC back to factory defaults you can use this command from the EWC CLI prompt:
EWC#wireless ewc-ap factory-reset
Accessing Expert Mode
By default, web interface of EWC will not show all of its advanced functions. They can be enabled by clicking on the gear icon in the top right corner and turning on the expert mode:
Generating Management Interface Certificate and Trustpoint
EWC uses Manufacturer Installed Certificate (MIC) for all of its functions. At no point must a Self Signed Certificate be generated. All the commands specified in this article are enough to have EWC up and running and have APs join to it.
The EWC does not support configuring more than one SVI in the Cisco IOS®-XE code of the EWC. If you are looking to add VLANs for use in your WLANs, you need to create them in the flex profile on the member APs and not on the controller part.