Configure Network Settings

Network Settings Overview

You can create network settings that become the default for your entire network. There are two primary areas from which you can define the settings within your network:

  • Global settings: Settings defined here affect your entire network and include settings for servers such as DHCP, DNS, AAA, NTP, and so on; IP address pools; Device Credential profiles; Telemetry settings such as Syslog, Traps, and NetFlow.

  • Site settings: Settings define here override global settings and can include settings for servers, IP address pools, and device credential profiles.


Note


Changes in network settings that are being used by the active fabric are not supported. These network settings include site hierarchy, renaming IP pools, and several other features.



Note


Certain network settings can be configured on devices automatically using the Device Controllability feature. When Cisco DNA Center configures or updates devices, the transactions are captured in the Cisco DNA Center audit logs. You can use the audit logs to help you track changes and troubleshoot issues.


You can define the following global network settings by choosing Design > Network Settings and clicking the appropriate tab.

Add Cisco ISE or Other AAA Servers

You can define Cisco Identity Services Engine (ISE) servers or other, similar AAA servers for network, client, and endpoint authentication at the site or global level. For network authentication, RADIUS and TACACS protocols are supported. For client and endpoint authentication, only RADIUS is supported. Only one Cisco ISE is supported per Cisco DNA Center.

You can configure the source interface under the RADIUS or TACACS server group to support multi-ISE configuration, wherein each Cisco ISE cluster has its own server group. The source interface used for RADIUS and TACACS servers is determined in the following way:

  • If the device has a Loopback0 interface configured, Loopback0 is configured as the source interface.

  • Otherwise, the interface that Cisco DNA Center uses as the management IP is configured as the source interface.

After you configure a Cisco ISE server for a site, the devices that are assigned to the site are automatically updated on the corresponding Cisco ISE server with a /32 mask. Subsequently, any changes to those devices in Cisco ISE are sent automatically to Cisco DNA Center.

For FIPS mode of deployment, the shared secret consists of shared secret, keywrap, and message authenticator code key.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > Network.

Step 2

Click Add Servers to add a AAA server.

Step 3

In the Add Servers window, check the AAA check box, and click OK.

Step 4

Set the AAA server for network users, client/endpoint users, or both.

Step 5

Check the Network and/or Client/Endpoint check boxes and configure servers and protocols for the AAA server.

Step 6

Choose the Servers for authentication and authorization: ISE or AAA.

  • If you choose ISE, configure the following:

    • From the Network drop-down list, choose the IP address of the Cisco ISE server. The Network drop-down list contains all the IP addresses of the Cisco ISE servers that are registered in System Settings on the Cisco DNA Center home page. Selecting a Cisco ISE IP populates the primary and additional IP address drop-down lists with Policy Service Node (PSN) IP addresses for the selected Cisco ISE. You can either enter an IP address for the AAA server or choose the PSN IP address from the IP Address (Primary) and IP Address (Additional) drop-down lists.

    • Choose the Protocol: RADIUS or TACACS.

      Note

       

      AAA settings for a physical and managed site for a particular wireless controller must match, or provisioning fails.

  • If you choose AAA, configure the following:

    • Enter an IP address for the AAA server or choose the IP addresses from the IP Address (Primary) and IP Address (Additional) drop-down lists. These drop-down lists contain the non-Cisco ISE AAA servers registered in the System Settings.

      Ensure that the AAA server IP address is not part of an existing Cisco ISE cluster.

Note

 

If you switch the server type from ISE (with TACACS) to AAA with TACACS, TACACS will be disabled on the Cisco ISE server because it is no longer used for authentication.

Step 7

Click Save.


Configure Global Network Servers

You can define the global network servers that become the default for your entire network.


Note


You can override the global network settings on a site by the defining site-specific settings.


Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > Network.

Step 2

In the DHCP Server field, enter the IP address of a DHCP server.

Note

 

You can click the plus icon and enter both IPv4 and IPv6 addresses.

You must define at least one DHCP server in order to create IP address pools.

Step 3

In the DNS Server field, enter the domain name of a DNS server.

Note

 

You can click the plus icon and enter both IPv4 and IPv6 addresses.

You must define at least one DNS server in order to create IP address pools.

Step 4

Click Save.


Global Device Credentials Overview

"Global device credentials" refers to the common CLI, SNMP, and HTTPS credentials that Cisco DNA Center uses to discover and collect information about the devices in your network. Cisco DNA Center uses global credentials to authenticate and access the devices in a network that share these configured device credentials. You can add, edit, and delete global device credentials. You can also associate credentials to the Global site or a specific site.

Configure Global CLI Credentials

You can configure and save up to 10 global CLI credentials.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > Device Credentials.

Step 2

From the left hierarchy tree, choose Global.

Step 3

In the CLI Credentials area, click Add.

Step 4

Enter information in the following fields:

Table 1. CLI Credentials
Field Description
Name/Description Name or phrase that describes the CLI credentials.
Username Name that is used to log in to the CLI of the devices in your network.
Password

Password that is used to log in to the CLI of the devices in your network.

For security reasons, re-enter the password as confirmation.

Note

 

Passwords are encrypted for security reasons and are not displayed in the configuration.

Enable Password

Password used to move to a higher privilege level in the CLI. Configure this password only if your network devices require it.

For security reasons, re-enter the enable password.

Note

 

Passwords are encrypted for security reasons and are not displayed in the configuration.

Step 5

Click Save.

To apply the credential to a site, choose the site from the left hierarchy tree, select the button next to the credential, then click Save.

Step 6

If you are changing existing credentials, choose whether you want to update the credentials now or schedule it for later.


Configure Global SNMPv2c Credentials

You can configure global SNMPv2c credentials to monitor and manage your network devices.


Note


Cisco DNA Center does not support SNMPv2c device credentials when FIPS mode is enabled. You must specify SNMPv3 credentials instead.


Before you begin

You must have the SNMP information for your network.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > Device Credentials.

Step 2

From the left hierarchy tree, choose Global.

Step 3

In the SNMP Credentials area, click Add.

Step 4

For the Type, click SNMP v2c and enter the following information:

Table 2. SNMPv2c Credentials
Field Description

Read

  • Name/Description: Name or description of the SNMPv2c settings that you are adding.

  • Read Community: Read-only community string password used only to view SNMP information on the device.

Note

 

Passwords are encrypted for security reasons and are not displayed in the configuration.

Write

  • Name/Description: Name or description of the SNMPv2c settings that you are adding.

  • Write Community: Write community string used to make changes to the SNMP information on the device.

Note

 

Passwords are encrypted for security reasons and are not displayed in the configuration.

Step 5

Click Save.

Step 6

If you are changing existing credentials, choose whether you want to update the credentials Now or schedule it for later.


Configure Global SNMPv3 Credentials

You can configure global SNMPv3 credentials to monitor and manage your network devices.

Before you begin

You must have your network's SNMP information.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > Device Credentials.

Step 2

From the left hierarchy tree, choose Global.

Step 3

In the SNMP Credentials area, click Add.

Step 4

For the Type, click SNMP v3 and enter the following information:

Table 3. SNMPv3 Credentials

Field

Description

Name/Description

Name or description of the SNMPv3 settings that you are adding.

Username

Name associated with the SNMPv3 settings.

Mode

Security level that an SNMP message requires. Choose one of the following modes:

  • noAuthNoPriv: Does not provide authentication or encryption.

  • AuthNoPriv: Provides authentication, but does not provide encryption.

  • AuthPriv: Provides both authentication and encryption.

Auth Type

Authentication type to be used. (Enabled if you select AuthPriv or AuthNoPriv as the authentication mode.) Choose one of the following authentication types:

  • SHA: Authentication based on HMAC-SHA

  • MD5: Authentication based on HMAC-MD5

Auth Password

SNMPv3 password used for gaining access to information from devices that use SNMPv3. These passwords (or passphrases) must be at least eight characters in length.

Note

 
  • Some wireless controllers require that passwords (or passphrases) be at least 12 characters long. Be sure to check the minimum password requirements for your wireless controllers. Failure to ensure these required minimum character lengths for passwords results in devices not being discovered, monitored, or managed by Cisco DNA Center.

  • Passwords are encrypted for security reasons and are not displayed in the configuration.

Privacy Type

Privacy type. (Enabled if you select AuthPriv as the authentication mode.) Choose one of the following privacy types:

  • DES: DES 56-bit (DES-56) encryption in addition to authentication based on the CBC DES-56 standard.

  • AES128: CBC mode AES for encryption.

  • None: No privacy.

Privacy Password

SNMPv3 privacy password that is used to generate the secret key for encrypting messages that are exchanged with devices that support DES or AES128 encryption. Passwords (or passphrases) must be at least eight characters long.

Note

 
  • Some wireless controllers require that passwords (or passphrases) be at least 12 characters long. Be sure to check the minimum password requirements for your wireless controllers. Failure to ensure these required minimum character lengths for passwords results in devices not being discovered, monitored, or managed by Cisco DNA Center.

  • Passwords are encrypted for security reasons and are not displayed in the configuration.

Step 5

Click Save.

Step 6

If you are changing existing credentials, you are prompted to update the new credentials on devices now or schedule the update for a later time.

  • To update the new credentials now, click the Now radio button and click Apply.
  • To schedule the update for a later time, click the Later radio button, define the date and time of the update and click Apply.

    Note

     

    Use the Time Zone check box to indicate whether you want the update to happen according to the site time zone or according to a specified time zone.


Configure Global HTTPS Credentials

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > Device Credentials.

Step 2

From the left hierarchy tree, choose Global.

Step 3

In the HTTPS Credentials area, click Add.

Step 4

Enter the following information:

Table 4. HTTP(S) Credentials
Field Description

Type

Specifies the kind of HTTPS credentials you are configuring. Valid types are Read or Write.

Read

You can configure up to 10 HTTPS read credentials:

  • Name/Description: Name or description of the HTTPS credentials that you are adding.

  • Username: Name used to authenticate the HTTPS connection.

  • Password: Password used to authenticate the HTTPS connection. Passwords are encrypted for security and are not displayed in the configuration.

  • Port: Number of the TCP/UDP port used for HTTPS traffic. The default is port number 443 (the well-known port for HTTPS).

The password must contain between 7 and 128 characters, including at least one of the following:

  • Lowercase letter (a to z)

  • Uppercase letter (A to Z)

  • Number (0 to 9)

  • Special character: # _ * ? –

The password cannot contain spaces or angle brackets (< >). Note that some Cisco IOS XE devices do not allow a question mark (?).

Write

You can configure up to 10 HTTPS write credentials:

  • Name/Description: Name or description of the HTTPS credentials that you are adding.

  • Username: Name used to authenticate the HTTPS connection.

  • Password: Password used to authenticate the HTTPS connection. Passwords are encrypted for security and are not displayed in the configuration.

  • Port: Number of the TCP/UDP port used for HTTPS traffic. The default is port number 443 (the well-known port for HTTPS).

The password must contain between 7 and 128 characters, including at least one of the following:

  • Lowercase letter (a to z)

  • Uppercase letter (A to Z)

  • Number (0 to 9)

  • Special character: # _ * ? –

The password cannot contain spaces or angle brackets (< >). Note that some Cisco IOS XE devices do not allow a question mark (?).

Step 5

Click Save.

Step 6

If you are changing existing credentials, choose whether you want to update the credentials Now or schedule it for later.


Guidelines for Editing Global Device Credentials

The following are guidelines and limitations for editing existing global device credentials:

  • Cisco DNA Center uses the following process when you edit, save, and then apply a global device credential:

    1. Cisco DNA Center pushes the credential to the device that has local authentication. With local authentication, credential changes are applied and Cisco DNA Center manages the devices using these credentials.

      (Cisco DNA Center does not push CLI credential changes to a device that is under a site with an inherited or configured AAA server. With AAA authentication, credential changes are not applied. Cisco DNA Center manages the devices using these credentials only if the same credentials exist on the AAA server.)

    2. After successfully pushing the credential to the device, Cisco DNA Center confirms it can reach the device using the new credential.


      Note


      If this step fails, Inventory uses the old credentials to manage the device even though Cisco DNA Center pushed the new credentials to the device. In this case, the Provision > Inventory window might indicate that the device is Unmanaged if you updated an existing credential.


    3. After successfully reaching the device using the new credential, the Cisco DNA Center Inventory starts managing the device using the new credential.

  • Sites can contain devices that use SNMPv2c and SNMPv3 credentials. When you edit and save global SNMPv2c or SNMPv3 credentials, Cisco DNA Center pushes those changes to devices and enables that credential. For example, if you have a device that uses SNMPv2c, but you edit and save the SNMPv3 global credential, Cisco DNA Center pushes the new SNMPv3 credential to all devices in the associated site and enables it, meaning that all devices will be managed using SNMPv3, even the devices that previously had SNMPv2c enabled.

  • To avoid any possible disruptions, modify the User Name when you edit CLI credentials. This creates a new CLI credential and leaves any existing CLI credentials unchanged.

Edit Global Device Credentials

You can edit and save global device credentials without Cisco DNA Center applying those credential changes until you’re ready. When you decide to apply the changes, Cisco DNA Center searches all sites that reference the device credential you changed and pushes the change to all the devices.

You can update or create new global device credentials, but Cisco DNA Center never removes any credentials from devices.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > Device Credentials.

Step 2

From the left hierarchy tree, choose Global.

Step 3

Click Manage Credentials, check the check box for the device credential that you want to change, and choose Actions > Edit.

Step 4

In the Edit Credentials dialog box, make the required changes, and click Save.

Note

 
The CLI password credentials support only ASCII-printable characters (character code 32-127; see https://en.wikipedia.org/wiki/ASCII#Printable_characters).

Step 5

In the credential tile, click Apply.

Step 6

In the Apply Credentials dialog box, choose whether you want to update the credentials Now or schedule it for later.

Step 7

To view the status of the credential change, choose Provision > Network Devices > Inventory.

The Credential Status column displays one of the following statuses:

  • Success: Cisco DNA Center successfully applied the credential change.

  • Failed: Cisco DNA Center was unable to apply the credential change. Hover over the icon to display additional information about which credential change failed and why.

  • Not Applicable: The credential is not applicable to the device type.

If you edited and saved more than one credential (for example, CLI, SNMP, and HTTPS), the Credential Status column displays Failed if Cisco DNA Center was unable to apply any of the credentials. Hover the cursor over the icon to display additional information about which credential change failed.


Associate Device Credentials to Sites

The sites you create under the Global site can inherit the global device credentials, or you can create different device credentials specific for a site.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > Device Credentials.

Step 2

From the left hierarchy tree, choose the required site.

Step 3

Click Manage Credentials.

Step 4

Select the credentials that you want to associate with the selected site and then click Assign.

A success message is displayed at the bottom of the screen indicating the device credential was successfully associated with the site.


Manage Device Credentials

The Manage Credentials workflow allows you to create, edit, assign, and apply credentials to devices.

Credentials are assigned to the Global site or to the sites, buildings, or floors that you choose. If you assign credentials at the global level, all the sites, buildings, and floors inherit the settings from the global level.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > Device Credentials.

Step 2

From the left hierarchy tree, choose either Global or the required area, building, or floor.

Step 3

Click Manage Credentials.

The Manage Credentials window opens.

Step 4

From the Add drop-down list, choose a type of credential, for example, CLI, HTTP(S) Read, SNMPv3, and so on.

Step 5

In the Add New Credentials window, do the following:

  1. Enter information in the required fields.

  2. Check the Assign credential to site check box.

    Note

     
    If the box is not checked, the credential will get created but not assigned to any site.
  3. Click Save.

The newly created credential is displayed in the Manage Credentials window.

Step 6

Choose the credential that you want to assign and click Assign.

Step 7

To apply the credentials, do any one of the following:

  • To apply a credential across the entire site hierarchy, go to Manage Credentials, hover your cursor over the Actions menu for the required credential, and choose Apply.

  • To apply a credential only to a specific site, choose the desired site in the left hierarchy pane and click Assign on the card corresponding to that credential.

Step 8

In the Apply Credentials dialog box, choose whether you want to update the credentials Now or schedule it for later.

The credentials are applied to all the applicable sites.

You can reschedule any apply credentials task that has not yet started.

Step 9

To view the status of your task, do any one of the following:

  • In the Device Credentials window, click the refresh icon at the top-right corner. Hover your cursor over the icon next to the heading in the credential card.

  • Choose Provision > Inventory. The Credential Status column shows the status.

  • Choose Activities > Audit Log.

Step 10

To edit the credentials, do the following:

  1. Click the edit icon next to the corresponding credential.

    Alternatively, in the Manage Credentials window, hover your cursor over the ellipsis icon next to the credential name and click Edit.

  2. In the Edit Information window, click OK.

  3. In the Edit Credentials window, make the required changes.

  4. Click Save.

Step 11

To reschedule the Start time of a credential application, do one of the following:

  • Task scheduled globally: In the Manage Credentials window, hover your cursor over the horizontal ellipsis icon next to the credential name and choose Apply, and then click Apply.

  • Task scheduled from the main page for sites, buildings, or floors: Return to the sites, buildings, or floors for which the task was originally scheduled and click Apply on the corresponding credential card.

Note

 
You cannot change the time zone.

Configure IP Address Pools

Cisco DNA Center supports IPv4 and IPv6 dual-stack IP pools.

You can manually create IPv4 and IPv6 address pools.

You can also configure Cisco DNA Center to communicate with an external IP address manager. For more information, see the Cisco DNA Center Administrator Guide.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > IP Address Pools.

Step 2

Click Add and complete the required fields in the Add IP Pool window.

If you have configured Cisco DNA Center to communicate with an external IP address manager, you cannot create an IP pool that overlaps an existing IP address pool in the external IP address manager.

Step 3

Click Save.

The newly added pool appears in the IP Address Pools table. You can click the IPv4 or IPv6 option in the SUBNET TYPE area if you prefer to view only the IPv4 or IPv6 address pools.

Note

 
When you edit an IP address pool and make DHCP changes, you do not need to reprovision devices using that IP address pool.

Import IP Address Pools from an IP Address Manager

You can import IP address pools from Bluecat or Infoblox.


Note


The IP address pools cannot have subpools and cannot have any assigned IP addresses from the IP address pool.


You must configure Cisco DNA Center to communicate with an external IP Address Manager (IPAM). For more information, see the Cisco DNA Center Administrator Guide.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > IP Address Pools.

Step 2

From the Actions drop-down list, choose Import from IPAM Server and complete the required fields.

Step 3

Enter a CIDR and then click Retrieve to get the list of IP pools available to import.

Step 4

Click Select All or choose the IP address pools to import, then click Import.


Import IP Address Pools from a CSV File

You can import IP address pools from a CSV file.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > IP Address Pools.

Step 2

From the Actions drop-down list, choose Import from CSV File.

Step 3

Click Download Template to download the latest sample file.

Step 4

Add the IP address pools to the file and save the file.

Step 5

Upload the CSV file by doing one of the following actions:

  1. Drag and drop the file to the drag and drop area.

  2. Click where it says "click to select" and select the file.

Step 6

Click Import.


Reserve an IP Address Pool

Before you begin

Ensure that one or more IP address pools have been created.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > IP Address Pools.

Step 2

From the left hierarchy tree, choose a site.

Step 3

Click Reserve and complete the following fields to reserve all or part of an available global IP address pool for the specific site:

  • IP Address Pool Name: Unique name for the reserved IP address pool.

  • Type: Type of IP address pool. For LAN automation, choose LAN. Options are:

    • LAN: Assigns IP addresses to LAN interfaces for applicable underlays.

    • Management: Assigns IP addresses to management interfaces.

    • Service: Assigns IP addresses to service interfaces.

    • WAN: Assigns IP addresses to WAN interfaces.

    • Generic: Used for all other network types.

  • IP Address Space: IPv4 and IPv6 address pool from which you want to reserve all or part of the IP addresses.

  • CIDR Prefix/Number of IP Addresses: IP subnet and mask address used to reserve all or part of the global IP address pool or the number of IP addresses you want to reserve. If you choose \64 as the CIDR Prefix for an IPv6 IP pool, the SLAAC option is checked. (When SLAAC is selected, the devices automatically acquire IP addresses without the need for DHCP servers.)

  • Gateway: Gateway IP address.

  • DHCP Servers: DHCP server IP address(es).

  • DNS Servers: DNS server address(es).

Step 4

Click Reserve.

If you reserve both IPv4 and IPv6 address pools, which means the fabric is provisioned with a dual-stack IP pool, you cannot switch back to a single-stack IP pool if the IPv6 pool is already attached to a VN.

However, if the IPv6 pool is not attached to a VN, you can downgrade it from a dual-stack IPv6 to a single-stack IPv4 pool. To downgrade to a single stack, in the IP Address Pools window, click Edit for the dual-stack IP pool. In the Edit IP Pool window, uncheck the IPv6 check box and click Save.


Edit IP Address Pools

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > IP Address Pools.

Step 2

From the left hierarchy tree, choose the required site.

Step 3

To edit all the IP address pools in bulk, do the following:

  1. From the Actions drop-down list, choose Edit All.

  2. Click Yes in the Warning message.

  3. In the Edit IP Pool window make the desired changes and click Save.

Step 4

To edit only the desired IP address pools, do the following:

  1. Choose the desired IP address pools and from the Actions drop-down list, click Edit Selected.

    You can also click Edit corresponding to the chosen IP address pools.

  2. In the Edit IP Pool window make the desired changes and click Save.


Delete IP Address Pools

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > IP Address Pools.

Step 2

From the left hierarchy tree, choose the required site.

Step 3

To delete all the IP address pools in bulk, do the following:

  1. From the Actions drop-down list, choose Delete All.

  2. Click Yes in the Warning message.

Step 4

To delete only the desired IP address pools, do the following:

  1. Choose the desired IP address pools and from the Actions drop-down list, click Delete Selected.

    You can also click Delete corresponding to the chosen IP address pools.

  2. Click Yes in the Warning message.


Clone an IP Address Pool

You can clone an existing IP address pool at the site level. When you clone an IP address pool, the DHCP server and DNS server IP addresses are automatically filled.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > IP Address Pools.

Step 2

From the left hierarchy tree, choose the required site.

Step 3

Locate the desired IP address pool and, in the Actions area, click Clone.

Step 4

In the Clone IP Pool window, do the following:

  1. Optionally, edit the pool name. (You cannot edit the Type, IP Address Space, or Global Pool values, which are inherited from the pool from which you are cloning.)

  2. Edit the CIRD prefix values as necessary.

  3. Click Clone.


Release IP Address Pools

You can release single-stack and dual-stack pools that are reserved at the site level.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > IP Address Pools.

Step 2

From the left hierarchy tree, choose the required site.

Step 3

To release all the IP address pools in bulk, do the following:

  1. From the Actions drop-down list, choose Release All.

  2. Click Yes in the Warning message.

  3. At the prompt, click Release.

Step 4

To release only the desired IP address pools, do the following:

  1. Choose the desired IP address pools and from the Actions drop-down list, click Release Selected.

  2. At the prompt, click Release.


View IP Address Pools

This procedure shows how to view 10 or more IP address pools in table view and tree view.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > IP Address Pools.

Step 2

From the left hierarchy tree, choose the required site.

Step 3

Use the toggle button to switch between the table view and tree view.

  • When the view contains 10 or more IP address pools, by default the GUI displays the pools in the table view.

  • When the view contains fewer than 10 IP address pools, by default the GUI displays the pools in the tree view.

Note

 

Toggling between the table and tree map view is based on the pool count not on the user selection on the UI.

Tree view applies to the Global pool and site pool.

Step 4

The IP Address Pools table view displays a list of IP address pools based on Name, Type, IPv4 Subnet, IPv4 Used, IPv6 Subnet, IPv6 Used, and Actions.

Note

 
  • Hover your cursor over the i icon next to the IPv4 Used and IPv6 Used. A tooltip displays more information about IPv4 Used, IPv6 Used, Free, Unassignable, Assigned, and Default Assigned IP address pool.

  • In the IPv4 and IPv6 columns, hover your cursor over the i icon next to the corresponding used percentage of IPv4 and IPv6 for a given IP address pool. A tooltip displays the percentage of Free, Unassignable, Assigned, and Default Assigned IP addresses.

Step 5

In the table view, click the IPv4 only or Dual-Stack option in the Subnet Type area if you prefer to view only the IPv4 or Dual-Stack address pools.

Step 6

In the tree view, hover your cursor over the IP address pool that you are interested in, and click to view the slide-in pane which contains the following information:

  • Subnet type of an IP address pool.

  • Percentage of available IP addresses along with Pool CIDR, Gateway, DHCP Server(s), and DNS Server(s) under the respective pool.

  • Percentage of used IP addresses under the respective pool.

Step 7

In the Used area, click Assigned to view the list of assigned IP addresses to a device filtered based on Device Name, IP Address, and Site.

Step 8

Click Unassignable to view the list of unassigned IP addresses which cannot be assigned to a device filtered based on Device Name, IP Address, and Site.

Step 9

Click Edit to edit an IP address pool.

Step 10

Click Release to release an IP address pool.

Note

 
  • In the side bar for a global pool, you can view the usage of a given pool across all the child pool.

  • Global and site IP address pool can have blocklisted IP addresses.

  • Subpools cannot have blocklisted IP addresses.

    • Cisco DNA Center rejects the IP address pool creation request of a CIDR address pool if it contains blocklisted IP addresses.

    • In the next free IP address pools request, Cisco DNA Center skips the blocklisted IP addresses to find the next IP address free pool.

Step 11

(Optional) In the side bar click Export to export the table data.


Configure Service Provider Profiles

You can create a service provider (SP) profile that defines the class of service for a particular WAN provider. You can define 4-class, 5-class, 6-class, and 8-class service models. After you create an SP profile, you can assign it to an application policy and to the WAN interfaces in the application policy scope, including setting the subline rate on the interface, if needed.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > SP Profiles.

Step 2

In the QoS area, click Add.

Step 3

In the Profile Name field, enter a name for the SP profile.

Step 4

From the WAN Provider drop-down list, enter a new service provider, or choose an existing one.

Step 5

From the Model drop-down list, choose a class model: 4 class, 5 class, 6 class, and 8 class.

For a description of these classes, see Service Provider Profiles.


Configure Global Wireless Settings

Global wireless network settings include settings for Service Set Identifiers (SSIDs), wireless interfaces, RF, and sensors.


Note


You can create a wireless sensor device profile for only Cisco Aironet 1800s Active Sensor devices.


Create SSIDs for an Enterprise Wireless Network

The following procedure describes how to configure SSIDs for an enterprise wireless network.


Note


The SSIDs are created at the global level. Sites, buildings, and floors inherit settings from the global level.


Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the SSID table, hover your cursor over Add, and choose Enterprise.

Step 5

In the Wireless SSID workflow, complete the Basic Settings setup:

  1. If the Sensor toggle button is available, ensure that it’s disabled.

  2. In the Wireless Network Name (SSID) field, enter a unique name for the wireless network.

  3. In the WLAN Profile Name field, enter a name for the WLAN profile.

    Based on the WLAN profile name, Cisco DNA Center automatically generates the policy profile name for Cisco Catalyst 9800 Series Wireless Controller.

  4. In the Wireless Option settings, click one of the following radio buttons:

    • Multi band operation (2.4 GHz, 5 GHz, 6GHz): The WLAN is created for 2.4 GHz, 5 GHz, and 6 GHz, and band select is disabled.

    • Multi band operation with band select: The WLAN is created for 2.4 GHz, 5 GHz, and 6 GHZ, and band select is enabled.

    • 5GHz only: The WLAN is created for 5 GHz, and band select is disabled.

    • 2.4GHz only: The WLAN is created for 2.4 GHz, and band select is disabled.

    • 6GHz Only: The WLAN is created for 6 GHz, and band select is disabled.

  5. From the Primary Traffic Type drop-down list, choose one of the following options:

    • VoIP (Platinum): QoS on the wireless network is optimized for wireless voice and data traffic.

    • Video (Gold): QoS on the wireless network is optimized for video traffic.

    • Best Effort (Silver): QoS on the wireless network is optimized for wireless data traffic only.

    • Non-real Time (Bronze): QoS on the wireless network is optimized for low-bandwidth usage.

  6. In the SSID STATE settings, click the toggle buttons to enable or disable the following settings:

    • Admin Status: Use this toggle button to turn on or turn off the radios on the APs. When the Admin Status is disabled, the APs remain associated with the wireless controller and are accessible, and the APs still require licenses.

    • Broadcast SSID: Use this toggle button to enable or disable the visibility of the SSID to all the wireless clients within range.

Step 6

Complete the Security Settings setup:

  1. For Level of Security, choose the encryption and authentication type for the network. The sites, buildings, and floors inherit settings from the Global hierarchy. You can override the level of security at the site, building, or floor level.

    • Enterprise: You can configure both WPA2 and WPA3 security authentication by checking the respective check boxes.

      Note

       

      Wi-Fi Protected Access (WPA2) uses the stronger Advanced Encryption Standard encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP).

      WPA3 is the latest version of WPA, which is a suite of protocols and technologies that provide authentication and encryption for Wi-Fi networks. WPA3-Enterprise provides higher-grade security protocols for sensitive data networks.

      For multiband operation using only 2.4-GHz and 5-GHz bands, you must enable WPA2 (WPA3 is optional). For multiband operation using 2.4-GHz, 5-GHz, and 6-GHz bands, you must enable WPA3 and disable WPA2 for the 6-GHz band to be operational on the devices running Cisco IOS Release 17.7 and later.

    • Personal: You can configure both WPA2 and WPA3 security authentication by checking the respective check boxes. By default, the WPA2 check box is enabled. If you choose Personal, enter the passphrase key in the Pass Phrase field. This key is used as the pairwise master key (PMK) between the clients and authentication server.

      Note

       

      WPA3-Personal brings better protection to individual users by providing more robust password-based authentication, making the brute-force dictionary attack much more difficult and time-consuming.

      For WPA2-Personal, you can override a preshared key (PSK) at the site, building, or floor level. If you override a PSK at the building level, the subsequent floors inherit the new settings. For information, see Preshared Key Override.

      For multiband operation using only 2.4-GHz and 5-GHz bands, you must enable WPA2 (WPA3 is optional). For multiband operation using 2.4-GHz, 5-GHz, and 6-GHz bands, you must enable WPA3 and disable WPA2 for the 6-GHz band to be operational on the devices running Cisco IOS Release 17.7 and later.

      (Optional) For WPA2-Personal, do the following to configure multi-preshared key (MPSK) support:

      1. Click Configure MPSK.

      2. In the Configure MPSK dialog box, click Add to an MPSK. You can add up to five MPSKs.

      3. From the Priority drop-down list, choose a priority.

        Note

         

        If the priority 0 key is not configured in central web authentication (CWA) Flex mode, client connection to the WLAN may fail.

      4. From the Passphrase Type drop-down list, choose a passphrase type.

      5. In the Passphrase field, enter a passphrase.

      6. Click Save.

      MPSK is not supported on Cisco AireOS Wireless Controllers. MPSK applies to Layer 2 security configuration for WPA2- Personal.

    • Open Secured: From the Assign Open SSID drop-down list, choose an open SSID to redirect the clients to an open-secured SSID. The open-secured policy provides the least security.

      Note

       

      Fast Transition is not applicable for open-secured SSID.

      Since open-secured SSID depends on open SSID, you must have enabled anchor on open SSID before enabling it on open-secured SSID.

    • Open: The open policy provides no security. It allows any device to connect to the wireless network without any authentication.

  2. For Authentication, Authorization, and Accounting Configuration, click Configure AAA to add and configure the AAA servers for the enterprise wireless network SSID.

    For more information, see Configure AAA Server for an Enterprise Wireless Network.

  3. Check the AAA Override check box to enable the AAA override functionality.

    By default, this check box is dimmed. You must configure an AAA server using the Configure AAA option to use this check box.

  4. Check one or more of the following check boxes:

    • Fast Lane: Check this check box to enable fastlane capabilities on the network.

      Note

       

      By enabling fastlane, you can set the iOS devices to receive an optimized level of wireless connectivity and enhanced QoS.

    • Identity PSK (for Personal Layer 2 Security): Check this check box to enable unique preshared keys that can be created for individuals or groups of users in the SSID.

    • MAC Filtering: Check this check box to enable MAC-based access control or security on the wireless network.

      Note

       

      When MAC filtering is enabled, only the MAC addresses that you add to the wireless LAN are allowed to join the network.

    • Deny RCM Clients: Check this check box to deny clients with randomized MAC addresses.

    • Enable Posture: Check this check box to enable posture assessment. The Pre-Auth ACL List Name drop-down list appears when you enable posture. Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate security policies. This allows you to control clients' access to protected areas of a network.

    • Pre-Auth ACL List Name: From the drop-down list, choose the ACL list name that you already created to map with the SSID.

      Note

       

      AAA configuration is mandatory for posturing. Click Configure AAA to add AAA servers for the enterprise wireless network SSID.

  5. Click Next.

Step 7

Complete the Advance Settings setup:

  1. For Fast Transition (802.11r):

    • Choose Adaptive, Enable, or Disable mode.

      Note

       

      802.11r allows wireless clients to quickly roam from one AP to another AP. Fast transition ensures less disrupted connectivity when a wireless client roams from one AP to another AP.

    • Check the Over the DS check box to enable fast transition over a distributed system. By default, fast transition over a distributed system is disabled.

  2. For MFP Client Protection, choose Optional, Required, or Disabled.

    Note

     

    Management Frame Protection (MFP) increases the security of management frames. It provides security for the otherwise unprotected and unencrypted 802.11 management messages that are passed between APs and clients. MFP provides both infrastructure and client support.

    By default, Optional is selected. If you choose Required, the clients are allowed to associate only if the MFP is negotiated (that is, if WPA2 is configured on the wireless controller, and the client is also configured for WPA2 and supports CCXv5 MFP).

  3. For Protected Management Frame (802.11w), choose the required option.

    Note

     

    The options available under Protected Management Frame (802.11w) vary based on the settings that you chose under Level of Security. The following options may be available:

    • Optional

    • Required

    • Disabled

  4. For 11K:

    • Neighbor List: Check this check box to configure all the 11k-capable clients to request a neighbor report about the known neighboring APs that are candidates for roaming.

      Note

       

      To facilitate roaming, a 11k-capable client that is associated with an AP sends a request to a list of neighboring APs. The request is sent in the form of an 802.11 management frame, which is known as an action frame. The AP responds with a list of neighbor APs on the same WLAN with the Wi-Fi channel numbers. The response is also an action frame. The client identifies the AP candidates for the next roam from the response frame.

    • Session Timeout: Check this check box to set the maximum time for a client session to remain active before reauthorization.

      Note

       

      By default, Session Timeout is enabled with a timeout of 1800 seconds.

    • Client Exclusion: Check this check box to set the client exclusion timer.

      Note

       

      When a user fails to authenticate, the wireless controller excludes the client from connecting. The client is not allowed to connect to the network until the exclusion timer expires. By default, Client Exclusion is enabled with a timeout of 180 seconds.

  5. For 11v BSS Transition Support:

    • BSS Max Idle Service: Check this check box to set the idle period timer value. The idle period timer value is transmitted using the association and reassociation response frame from APs to the client.

      Note

       

      The BSS Max idle period is the time frame during which an AP doesn’t disassociate a client because of nonreceipt of frames from the connected client.

    • Client User Idle Timeout: Check this check box to set the user idle timeout for a WLAN.

      Note

       

      If the data sent by the client is more than the threshold quota specified as the user idle timeout, the client is considered to be active and the wireless controller begins another timeout period.

      By default, Client User Idle Timeout is enabled with a user idle timeout of 300 seconds.

    • Directed Multicast Service: Check this check box to enable directed multicast service.

      Note

       

      By default, Directed Multicast Service is enabled. Using the Directed Multicast Service (DMS), the client requests APs to transmit the required multicast packets as unicast frames. This allows clients to sleep for a longer time and saves the battery power.

  6. For Radius Client Profiling, use this toggle button to enable or disable RADIUS profiling on a WLAN.

    Note

     

    At least one AAA or PSN server is required to enable this feature.

  7. (Optional) For NAS-ID:

    1. From the NAS-ID Opt drop-down list, choose the required type of network access server identifier (NAS ID).

      To specify a custom script for the NAS ID, choose Custom Option from the NAS-ID Opt drop-down list and enter the custom script in the corresponding Custom Script for Opt field. You can enter up to 31 alphanumeric characters, special characters, and spaces for the custom script. Cisco DNA Center doesn't support the special characters ? " < and trailing spaces for the custom script.

      Note

       

      Cisco DNA Center supports NAS ID with custom script only for Cisco Catalyst 9800 Series Wireless Controllers that run Cisco IOS XE Release 17.7 or later.

    2. (Optional) Click + to add another NAS ID. You can add up to three NAS IDs.

      Note

       

      Cisco DNA Center applies only one NAS ID for Cisco AireOS Wireless Controllers. You can overwrite the NAS ID at the site-level from the Design > Network Settings > Wireless window.

  8. Configure CCKM: Use this toggle button to enable CCKM as the authentication key management option in Cisco DNA Center.

    • Timestamp Tolerance: This field is visible only if you enable CCKM. Enter the CCKM tolerance level. CCKM tolerance level is not applicable for the Cisco AireOS Wireless Controller platform.

    Note

     

    You can configure CCKM only if SSID has Layer 2 security as Enterprise in WPA2 or WPA2+WPA3.

  9. (Optional) Under Configure Client Rate Limit, enter a value for the client rate limit in bits per second. The valid range is from 8000 through 100000000000. The value must be a multiple of 500.

    Note

     

    This configuration is not applicable for Cisco AireOS Wireless Controllers. To configure client rate limit for Cisco AireOS Wireless Controllers, click the menu icon ( ) and choose Tools > Model Config Editor > Wireless > Advanced SSID Configuration. For more information, see Create a Model Config Design for Advanced SSID.

    Following are the valid ranges for client rate limit on Cisco IOS XE devices:

    • The valid range for Cisco Catalyst 9800-L Wireless Controller, Cisco Catalyst 9800-40 Wireless Controller, and Cisco Catalyst 9800-80 Wireless Controller is from 8000 through 67000000000 bits per second.

    • The valid range for Cisco Catalyst 9800-CL Wireless Controller is from 8000 through 10000000000 bits per second.

    • The valid range for Cisco Embedded Wireless Controller on Catalyst Access Points is from 8000 through 2000000000 bits per second.

    • The valid range for Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches is from 8000 through 100000000000 bits per second.

  10. (Optional) Use the Coverage Hole Detection toggle button to enable or disable the coverage hole detection functionality.

  11. Click Next.

Step 8

Complete the Associate SSID to Profile setup:

  1. From the left pane, select a profile and click Associate Profile.

    If you don’t have a profile, click Add Profile and configure the profile settings. For information, see Create Network Profiles for Wireless.

  2. Click Next.

Step 9

In the Summary window, review the configuration settings. (To make any changes, click Edit.)

Step 10

Click Save.

The SSID is created.


Preshared Key Override

SSIDs are created at the Global hierarchy. The sites, buildings, and floors inherit settings from the Global hierarchy. You can override a preshared key (PSK) at the site, building, or floor level. If you override a PSK at the building level, the subsequent floor inherits the new setting.

Procedure

Step 1

Click the menu icon () and choose Design > Network Settings > Wireless.

Step 2

From the left hierarchy tree, choose the site, building, or floor to edit the PSK.

Step 3

Under Enterprise Wireless, click the Passphrase field, and enter a new passphrase for the PSK SSID.

Step 4

Click Save.

A success message saying Passphrase for the SSID(s) updated successfully is displayed.

Hover your cursor over the inherit icon next to the SSID to view the origin of this setting.

Step 5

To reset the PSK override, check the check box of the PSK SSID on the site, building, or floor and click Delete. The PSK is reset to the global passphrase value.


Create Pre-Auth Access Control Lists

Using the Pre-Authentication ACL feature, you can create a pre-authentication ACL for web authentication to allow certain types of traffic before authentication is complete. This ACL is referenced in the access-accept of Cisco Identity Services Engine (ISE) and defines the traffic that is permitted and the traffic that is denied by the ACL. After ACLs are configured on the Cisco Wireless Controller, they can be applied to the management interface, the AP-manager interface, any of the dynamic interfaces, or a WLAN to control data traffic to and from wireless clients or to the controller central processing unit (CPU) to control all traffic destined for the CPU. You can configure both IPv4 and IPv6 ACLs.

Procedure

Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

Under the Pre-Auth Access Control Lists area, click Add to create a new pre-auth ACL.

Step 5

In the New Pre-Auth ACL slide-in pane, configure the following:

  1. In the Pre-Auth ACL List Name field, enter a name for the ACL list.

  2. In the Pre-Auth ACL Name field, enter a name for the pre-auth ACL.

  3. Click the IP Addresses tab and choose the ACL type you are creating: IPV4 or IPV6.

Step 6

Click the IP Addresses tab and choose the ACL type you are creating: IPV4 or IPV6.

  1. From the Protocol drop-down list, choose the protocol ID of the IP packets to be used for this ACL. These are the protocol options: Any, TCP, or UDP.

  2. In the Source Port field, enter the source port number. The range is from 0 through 65535. The port options are used by applications that send and receive data to and from the networking stack. Some ports are designated for certain applications such as Telnet, SSH, HTTP, and so on.

  3. In the Source IP Address field, enter the IP address and netmask of the source. If you are configuring an IPv6 ACL, enter the IPv6 address and prefix length of the source in the Source IP Address field.

  4. From the Source Subnet drop-down list, choose a value for the source subnet.

  5. In the Destination Port, enter the destination port number.

  6. In the Destination IP Address, enter the IP address and netmask of the destination. If you are configuring IPv6 ACL, enter the IPv6 address and prefix length of the destination.

  7. From the Destination Subnet drop-down list, choose a value for the destination subnet.

  8. To add multiple rules, click the icon. You can add up to 256 rules.

Step 7

Click the Walled Garden URLs tab to add specific URLs to the allowed list for web authentication of captive portal and walled garden. Authentication is not required to access the allowed list of URLs. When you try to access sites that are not in the allowed list, you are redirected to the Login page.

Step 8

In the URL field, enter the URL and click to add the URL to the allowed list for web authentication. You can add up to 32 URL entries.

Step 9

Click Save.

Step 10

Map the ACL with the SSID while creating SSIDs for an enterprise wireless network.


Configure AAA Server for an Enterprise Wireless Network

Before you begin

  • Make sure you have defined the AAA server under System Settings > External Services > Authentication and Policy Servers.

  • You must have either administrator (ROLE_ADMIN) or policy administrator (ROLE_POLICY_ADMIN) permissions, and the appropriate RBAC scope to perform this procedure.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

From the SSID table, in the Action column, click Configure AAA against an SSID for which you want to configure the AAA server.

Step 5

From the Configure Authentication and Authorization Server drop-down list of the Configure AAA Server slide-in pane, you can either search for a server IP address by entering its name in the Search field or choose the AAA IP address.

Note

 
  • The Configure AAA option is not supported for the Mobility Express (ME) devices.

  • Effective with Release 2.3.5.3, you must configure an AAA server for an SSID to push the authentication configuration for the SSID. If an AAA server is not configured for the SSID, Cisco DNA Center pushes the aaa authentication dot1x default local command to the wireless controller and the default method list that points to local authentication is mapped to the SSID.

Step 6

Click + to add an Additional Server.

Note

 

You can configure a maximum of six AAA servers for an SSID of enterprise wireless network.

Step 7

From the Additional Server drop-down list, choose the server IP address.

Step 8

To use the AAA server for accounting, check the Copy Same Servers for Accounting check box.

Note

 

Effective with Release 2.3.5.3, you must configure an accounting server for an SSID to push the accounting configuration for the SSID.

Step 9

To configure a different accounting server for an SSID, do the following:

  1. From the Configure Accounting Server drop-down list, you can either search for a server IP address by entering its name in the Search field or choose the accounting server IP address.

  2. Click + to add an Additional Server.

    Note

     

    You can configure a maximum of six accounting servers for an SSID of enterprise wireless network.

  3. From the Additional Server drop-down list, choose the server IP address.

Step 10

Click Configure.

Note

 

Cisco DNA Center allows you to override the set of AAA server configurations for the SSID at the site level. For each set of overridden AAA settings per SSID, Cisco DNA Center creates a new WLAN profile with the corresponding AAA servers mapped to it. If an SSID is overridden for different floors, and you make changes in the AAA servers, Cisco DNA Center creates the new WLAN profiles equal to the number of floors.

You must reprovision the device to override the AAA servers at the site level. See Wireless Device Provisioning Overview.


Create SSIDs for a Guest Wireless Network

This procedure explains how to create SSIDs for a guest wireless network.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the SSID table, hover your cursor over Add, and choose Guest.

Step 5

In the Wireless SSID workflow, complete the Basic Settings setup:

  1. In the Wireless Network Name (SSID) field, enter a unique name for the wireless network.

  2. In the WLAN Profile Name field, enter a name for the WLAN profile.

    Based on the WLAN profile name, Cisco DNA Center automatically generates the policy profile name for Cisco Catalyst 9800 Series Wireless Controller.

  3. In the Wireless Option setting, click one of the following radio buttons:

    • Multi band operation (2.4 GHz, 5 GHz, 6GHz): The WLAN is created for 2.4 GHz, 5 GHz, and 6 GHz, and band select is disabled.

    • Multi band operation with band select: The WLAN is created for 2.4 GHz, 5 GHz, and 6 GHZ, and band select is enabled.

    • 5GHz only: The WLAN is created for 5 GHz, and band select is disabled.

    • 2.4GHz only: The WLAN is created for 2.4 GHz, and band select is disabled.

    • 6GHz Only: The WLAN is created for 6 GHz, and band select is disabled.

  4. From the Primary Traffic Type drop-down list, choose one of the following options:

    • VoIP (Platinum): QoS on the wireless network is optimized for wireless voice and data traffic.

    • Video (Gold): QoS on the wireless network is optimized for video traffic.

    • Best Effort (Silver): QoS on the wireless network is optimized for wireless data traffic only.

    • Non-real Time (Bronze): QoS on the wireless network is optimized for low-bandwidth usage.

  5. In the SSID STATE settings, click the toggle buttons to enable or disable the following settings:

    • Admin Status: Use this toggle button to turn on or turn off the radios on the APs. When the Admin Status is disabled, the APs remain associated with the wireless controller and are accessible, and the APs still require licenses.

    • Broadcast SSID: Use this toggle button to enable or disable the visibility of the SSID to all the wireless clients within range.

Step 6

Complete the Security Settings setup:

  1. For the L2 Security setting, choose the L2 encryption and authentication type:

    • Enterprise: You can configure either the WPA2 or the WPA3 security authentication type by checking the respective check boxes. By default, the WPA2 check box is enabled.

      Note

       

      Wi-Fi Protected Access (WPA2) uses the stronger Advanced Encryption Standard encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). Fast transition is applicable for enterprise WPA2 SSID.

      WPA3 security authentication is the latest version of WPA, which is a suite of protocols and technologies that provide authentication and encryption for Wi-Fi networks. WPA3-Enterprise provides higher grade security protocols for sensitive data networks.

      For multiband operation using only 2.4-GHz and 5-GHz bands, you must enable WPA2 (WPA3 is optional). For multiband operation using 2.4-GHz, 5-GHz, and 6-GHz bands, you must enable WPA3 and disable WPA2 for the 6-GHz band to be operational on the devices running Cisco IOS Release 17.7 and later.

    • Personal: You can configure both WPA2 and WPA3 or configure WPA2 and WPA3 individually by checking the respective check boxes.

      Note

       

      WPA3-Personal security authentication brings better protection to individual users by providing more robust password-based authentication. This makes the brute-force dictionary attack much more difficult and time-consuming.

      Enter the passphrase key in the Pass Phrase field. This key is used as the pairwise master key (PMK) between the clients and the authentication server.

      For multiband operation using only 2.4-GHz and 5-GHz bands, you must enable WPA2 (WPA3 is optional). For multiband operation using 2.4-GHz, 5-GHz, and 6-GHz bands, you must enable WPA3 and disable WPA2 for the 6-GHz band to be operational on the devices running Cisco IOS Release 17.7 and later.

      (Optional) For WPA2-Personal, do the following to configure multi-preshared key (MPSK) support:

      1. Click Configure MPSK.

      2. In the Configure MPSK dialog box, click Add to an MPSK. You can add up to five MPSKs.

      3. From the Priority drop-down list, choose a priority.

        Note

         

        If the priority 0 key is not configured in central web authentication (CWA) Flex mode, client connection to the WLAN may fail.

      4. From the Passphrase Type drop-down list, choose a passphrase type.

      5. In the Passphrase field, enter a passphrase.

      6. Click Save.

      MPSK is not supported on Cisco AireOS Wireless Controllers. MPSK applies to Layer 2 security configuration for WPA2- Personal.

    • Open Secured: From the Assign Open SSID drop-down list, choose an open SSID to associate with the open SSID. Associating secures the open SSID. You must have an open SSID created before associating it with the open secured SSID.

      Note

       

      Fast Transition is not applicable for open-secured SSID.

      Since open-secured SSID depends on open SSID, you must have enabled anchor on open SSID before enabling it on open-secured SSID.

    • Open: The open policy provides no security. It allows any device to connect to the wireless network without any authentication.

  2. For the L3 Security setting, choose the L3 encryption and authentication type:

    • Web Policy: Provides a higher level of L3 security.

      For Authentication Server, configure these authentication server settings:

      Authentication Server Type Description

      Central Web Authentication

      Use AAA server for central web authentication (CWA).

      (Optional) If you choose Cisco ISE for CWA, from the What kind of portal are you creating today? drop-down list, choose the type of portal you want to create:

      • Self Registered: The guests are redirected to the self-registered guest portal to register by providing information to automatically create an account.

      • HotSpot: The guests can access the network without providing any credentials.

      (Optional) If you choose Cisco ISE for CWA, from the Where will your guests redirect after successful authentication? drop-down list, choose where you want to redirect the guests after successful authentication:

      • Success Page: The guests are redirected to an Authentication Success window.

      • Original URL: The guests are redirected to the URL that they had originally requested.

      • Custom URL: The guests are redirected to the custom URL that is specified here. Enter a redirect URL in the Redirect URL field.

      • Web Authentication Internal

      • Web Authentication External

      Web authentication or Web Auth is a Layer 3 security method that allows a client to pass Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) traffic only until they have passed some form of authentication.

      For web authentication internal, the client is redirected to a page that is constructed by the Cisco Wireless Controller.

      For web authentication external, the client is redirected to the specified URL. Enter a redirect URL in the Web Auth Url field.

      • Web Passthrough Internal

      • Web Passthrough External

      Web passthrough is a solution that is used for guest access and requires no authentication credentials. In web passthrough authentication, wireless users are redirected to the usage-policy page when they use the internet for the first time. After accepting the policy, users are allowed to use the internet.

    • Open: There is no security at the Layer 3 level and any device can connect to the SSID.

  3. If you choose Web Authentication Internal, Web Authentication External, Web Passthrough Internal, or Web Passthrough External, for Timeout Settings for sleeping clients settings, choose the authentication for sleeping clients:

    • Always authenticate: Enables authentication for sleeping clients.

    • Authenticate after: Enter the duration for which sleeping clients are to be remembered before reauthentication becomes necessary. The valid range is from 10 minutes through 43200 minutes, and the default duration is 720 minutes.

    Note

     

    Clients with guest access and web authentication are allowed to sleep and wake up without having to go through another authentication process through the login page. You can configure the duration for which the sleeping clients are to be remembered for before reauthentication becomes necessary. The valid range is from 10 minutes through 43200 minutes; the default is 720 minutes. You can configure the duration on a WLAN and on a user group policy that is mapped to the WLAN. The sleeping timer becomes effective after the idle timeout. If the client timeout is less than the time configured on the sleeping timer of the WLAN, the lifetime of the client is used as the sleeping time.

  4. For Authentication, Authorization, and Accounting Configuration, click Configure AAA to add and configure the AAA servers for the guest wireless network SSID.

    For more information, see Configure AAA Server for a Guest Wireless Network.

  5. Check the AAA Override check box to enable the AAA override functionality.

    By default, this check box is dimmed. You must configure an AAA server using the Configure AAA option to use this check box.

  6. Check one or more of the following check boxes:

    • Fast Lane: Check this check box to enable fastlane capabilities on the network.

      Note

       

      By enabling fastlane, you can configure the iOS devices to receive an optimized level of wireless connectivity and enhanced QoS.

    • Identity PSK (for Personal L2 Security): Check this check box to enable unique preshared keys that can be created for individuals or groups of users in the SSID.

    • MAC Filtering: Check this check box to enable MAC-based access control or security in the wireless network.

      Note

       

      When MAC filtering is enabled, only the MAC addresses that you add to the wireless LAN are allowed to join the network.

    • Deny RCM Clients: Check this check box to deny clients with randomized MAC addresses.

  7. Click Next.

Step 7

Complete the Advance Settings setup:

  1. For Fast Transition (802.11r):

    • Choose Adaptive, Enable, or Disable mode.

      Note

       

      802.11r allows wireless clients to quickly roam from one AP to another AP. Fast transition ensures less disrupted connectivity when a wireless client roams from one AP to another AP.

    • Check the Over the DS check box to enable fast transition over a distributed system. By default, fast transition over a distributed system is disabled.

  2. For MFP Client Protection, choose Optional, Required, or Disabled.

    Note

     

    Management Frame Protection (MFP) increases the security of management frames. It provides security for the otherwise unprotected and unencrypted 802.11 management messages that are passed between APs and clients. MFP provides both infrastructure and client support.

    By default, Optional is selected. If you choose Required, the clients are allowed to associate only if the MFP is negotiated (that is, if WPA2 is configured on the wireless controller, and the client is also configured for WPA2 and supports CCXv5 MFP).

  3. For Protected Management Frame (802.11w), choose the required option.

    Note

     

    The options available under Protected Management Frame (802.11w) vary based on the settings that you chose under Level of Security. The following options may be available:

    • Optional

    • Required

    • Disabled

  4. For 11K:

    • Neighbor List: Check this check box for all the 11k-capable clients to request a neighbor report about the known neighboring APs that are candidates for roaming.

      Note

       

      To facilitate roaming, a 11k-capable client that is associated with an AP sends a request to a list of neighboring APs. The request is sent in the form of an 802.11 management frame, which is known as an action frame. The AP responds with a list of neighbor APs on the same WLAN with the Wi-Fi channel numbers. The response is also an action frame. The client identifies the AP candidates for the next roam from the response frame.

    • Session Timeout: Check this check box to set the maximum time for a client session to remain active before reauthorization.

      Note

       

      By default, Session Timeout is enabled with a timeout of 1800 seconds.

    • Client Exclusion: Check this check box to set the client exclusion timer.

      Note

       

      When a user fails to authenticate, the wireless controller excludes the client from connecting. The client is not allowed to connect to the network until the exclusion timer expires. By default, Client Exclusion is enabled with a timeout of 180 seconds.

  5. For 11v BSS Transition Support:

    • BSS Max Idle Service: Check this check box to set the idle period timer value. The idle period timer value is transmitted using the association and reassociation response frame from the APs to the client.

      Note

       

      The BSS Max idle period is the timeframe during which an AP doesn’t disassociate a client because of nonreceipt of frames from the connected client.

    • Client User Idle Timeout: Check this check box to set the user idle timeout period for a WLAN.

      Note

       

      If the data sent by the client is more than the threshold quota specified as the user idle timeout period, the client is considered to be active and the wireless controller refreshes for another timeout period.

      By default, Client User Idle Timeout is enabled with a user idle timeout of 300 seconds.

    • Directed Multicast Service: Check this check box to enable directed multicast service.

      Note

       

      By default, Directed Multicast Service is enabled. Using the Directed Multicast Service (DMS), the client requests APs to transmit the required multicast packets as unicast frames. This allows clients to sleep for a longer time and saves the battery power.

  6. (Optional) For NAS-ID:

    1. From the NAS-ID Opt drop-down list, choose the required type of network access server identifier (NAS ID).

      (Optional) To specify a custom script for the NAS ID, choose Custom Option from the NAS-ID Opt drop-down list and enter the custom script in the corresponding Custom Script for Opt field. You can enter up to 31 alphanumeric characters, special characters, and spaces for the custom script. Cisco DNA Center doesn't support the special characters ? " < and trailing spaces for the custom script.

      Note

       

      Cisco DNA Center supports NAS ID with custom script only for Cisco Catalyst 9800 Series Wireless Controllers that run Cisco IOS XE Release 17.7 or later.

    2. (Optional) Click + to add another network access server identifier. You can add up to three NAS IDs.

      Note

       

      Cisco DNA Center applies only one NAS ID for Cisco AireOS Controllers. You can overwrite the NAS ID at the site-level from the Design > Network Settings > Wireless window.

  7. (Optional) Under Configure Client Rate Limit, enter a value for the client rate limit in bits per second. The valid range is from 8000 through 100000000000. The value must be a multiple of 500.

    Note

     

    This configuration is not applicable for Cisco AireOS Wireless Controllers. To configure client rate limit for Cisco AireOS Wireless Controllers, click the menu icon ( ) and choose Tools > Model Config Editor > Wireless > Advanced SSID Configuration. For more information, see Create a Model Config Design for Advanced SSID.

    Following are the valid ranges for client rate limit on Cisco IOS XE devices:

    • The valid range for Cisco Catalyst 9800-L Wireless Controller, Cisco Catalyst 9800-40 Wireless Controller, and Cisco Catalyst 9800-80 Wireless Controller is from 8000 through 67000000000 bits per second.

    • The valid range for Cisco Catalyst 9800-CL Wireless Controller is from 8000 through 10000000000 bits per second.

    • The valid range for Cisco Embedded Wireless Controller on Catalyst Access Points is from 8000 through 2000000000 bits per second.

    • The valid range for Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9000 Series Switches is from 8000 through 100000000000 bits per second.

  8. (Optional) Use the Coverage Hole Detection toggle button to enable or disable the coverage hole detection functionality.

  9. Click Next.

Step 8

Complete the Associate SSID to Profile setup:

  1. From the left pane, select a profile and click Associate Profile .

    If you don’t have a profile, click Add Profile and then configure the profile settings. For information, see Create Network Profiles for Wireless.

  2. Click Next.

Step 9

In the Summary window, review the configuration settings. (To make any changes, click Edit.)

Step 10

To save the SSID settings, click Save.

The SSID is created.


Configure AAA Server for a Guest Wireless Network

Before you begin

  • Make sure you have defined the AAA server under the System Settings > External Services > Authentication and Policy Servers window.

  • You must have either administrator (ROLE_ADMIN) or policy administrator (ROLE_POLICY_ADMIN) permissions and the appropriate RBAC scope to perform this procedure.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

From the SSID table, in the Action column, click Configure AAA of SSID for which you want to configure the AAA server.

Step 5

From the Server drop-down list of the Configure AAA Server slide-in pane, you can either search for a AAA IP address by entering its name in the Search field or choose AAA IP address.

Note

 
  • You must configure at least one AAA or Policy Service Node (PSN) server for Central Web Authentication (CWA) SSIDs of guest wireless network.

  • Effective with Release 2.3.5.4, Cisco DNA Center-generated preauthentication ACLs are created only for the configured AAA or PSN servers for CWA SSIDs of guest wireless networks. If you upgrade to Release 2.3.5.4 from Release 2.3.5.3 or earlier, to ensure that there is no compliance mismatch, you must reprovision the wireless controller.

  • Cisco DNA Center allows you to map AAA server in any combination of identity services engine PSNs and third-party AAA IPs.

  • In the Server drop-down list, the AAA IP addresses and the PSN IP addresses are grouped in the corresponding sections.

  • The Configure AAA option is not supported for Mobility Express (ME) devices.

  • Effective with Release 2.3.5.3, you must configure an AAA server for an SSID to push the authentication configuration for the SSID. If an AAA server is not configured for the SSID, Cisco DNA Center pushes the aaa authentication dot1x default local command to the wireless controller and the default method list that points to local authentication is mapped to the SSID.

Step 6

Click + to add an Additional Server.

Note

 

You can configure a maximum of six AAA servers for an SSID of guest wireless network.

Step 7

From the Additional Server drop-down list, choose the server IP address.

Step 8

(Optional) To delete a server or an additional server, click the delete icon next to each server.

Step 9

To use the AAA server for accounting, check the Copy Same Servers for Accounting check box.

Note

 

Effective with Release 2.3.5.3, you must configure an accounting server for an SSID to push the accounting configuration for the SSID.

Step 10

To configure a different accounting server for an SSID, do the following:

  1. From the Configure Accounting Server drop-down list, you can either search for a server IP address by entering its name in the Search field or choose the accounting server IP address.

  2. Click + to add an Additional Server.

    Note

     

    You can configure a maximum of six accounting servers for an SSID of guest wireless network.

  3. From the Additional Server drop-down list, choose the server IP address.

Step 11

Click Configure.

Note

 

Cisco DNA Center allows you to override the set of AAA server configurations for the SSID at the site level. For each set of overridden AAA settings per SSID, Cisco DNA Center creates a new WLAN profile with the corresponding AAA servers mapped to it. If an SSID is overridden for different floors, and you make changes in the AAA servers, Cisco DNA Center creates the new WLAN profiles equal to the number of floors.

You must reprovision the device to override the AAA servers at the site level. See Wireless Device Provisioning Overview.


Create SSID Scheduler

You can create SSID scheduler to enable or disable WLAN based on time zone.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

In the SSID table, click SSID Scheduler.

Step 4

In the SSID Scheduler window, click Add.

Step 5

In the Create Scheduler slide-in pane, do the following:

  1. Enter a unique name for the SSID scheduler that you want to create.

  2. Click Client Deny radio button for denying clients from joining SSID.

  3. Click Enable SSID to schedule SSID broadcasting.

  4. Choose the Scheduler Type Daily, Weekly, or Monthly and complete the required settings.

  5. From the Time Zone drop-down list, choose the time zone.

  6. Click Save.

    The created SSID scheduler appears in the SSID Scheduler table.

Step 6

To edit the SSID scheduler, do the following:

  1. From the SSID Scheduler table, choose the SSID scheduler and click Edit.

  2. In the Edit SSID Scheduler slide-in pane, make the required changes and click Save.

Step 7

To delete the SSID scheduler, choose the SSID scheduler and click Delete.

Step 8

To view the details of SSID scheduler, choose the SSID scheduler and click Scheduler History.

Note

 

To view the Scheduler History, you must install Assurance package.


What to do next

Enable the SSID scheduler for wireless controller. For more details, see Add SSIDs to a Network Profile.

Create a Wireless Interface

You can create wireless interfaces only in nonfabric deployments.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

From the Wireless Interfaces table, click +Add.

Step 5

Configure the wireless interface settings in the Create a Wireless Interface slide-in pane:

  1. In the Interface Name field, enter the dynamic interface name.

  2. In the VLAN ID field, enter the VLAN ID for the interface.

Step 6

Click Save.

The wireless interface is created and displayed in the Wireless Interfaces table.


Design and Provision Interface/VLAN Groups to Nonfabric Deployments

Cisco DNA Center allows you to configure networks with multiple broadcast domains through different VLANs. When the same set of APs broadcast the same WLAN, the broadcast domains are controlled through multiple VLANs on the same WLAN through interface groups.

Cisco DNA Center interface groups are logical groups of interfaces that facilitate user configuration, where the same interface group can be configured on multiple WLANs or while overriding a WLAN interface per AP group. An interface can be part of multiple interface groups. A WLAN can be associated with an interface or interface group.


Note


The interface group name and the interface name cannot be the same.

The Cisco DNA Center VLAN group feature maps a WLAN to a single VLAN or multiple VLANs using VLAN groups. VLAN groups can be associated to policy profiles.

The following procedure explains how to design and provision the interface or VLAN groups for nonfabric deployments.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

For the VLAN Group table, click Add.

The Add VLAN Group slide-in pane is displayed.

Step 4

Enter a valid VLAN Group Name, select single or multiple interfaces from the list, and click Save.

Note

 
If you select more than 15 interfaces, the selected interfaces might not be displayed correctly onscreen.

Step 5

In the Edit Network Profile page, the VLAN group is associated with the SSID.

For information on how to create an SSID, see Create SSIDs for an Enterprise Wireless Network.

Step 6

To add more SSIDs to the VLAN group, click Add SSID.

Step 7

Choose Interface or VLAN group.

Step 8

Click the add icon to create a new interface or VLAN group.

Note

 
Interface or VLAN group is not applicable for FlexConnect local switching.

Step 9

Click Save.

Step 10

In Configure Interface and VLAN, you can view the list of interface names, interface groups names, and other parameters required to configure the interface and VLAN.

Note

 
An interface group cannot contain more than 64 interfaces.

Step 11

Click the menu icon () and choose Provision > Network Devices > Inventory.

Step 12

Select the device.

Step 13

From the Actions drop-down menu, choose Provision > Provision Device.

Step 14

Review the details in the Assign Site, Configuration, Model Configuration, Advanced Configuration, and Summary screens. From each screen, click Next to advance to the next screen.

Step 15

Click Deploy.

The Provision Device dialog box is displayed.

Step 16

Choose Now and click Apply.

The message Task Scheduled view status in Tasks is displayed.


Create a Wireless Radio Frequency Profile

You can either use the default radio frequency profiles (LOW, TYPICAL, HIGH), or create custom radio frequency profiles.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the Wireless Radio Frequency Profile area, hover your cursor over Add, and choose Basic RF Profile.

Step 5

In the Profile Name field of the Create Wireless Radio Frequency Profile window, enter the RF profile name.

Step 6

Configure the following in the 2.4 GHz tab:

  1. Ensure that the 2.4 GHz toggle button is enabled.

    Note

     
    • For Cisco Catalyst 9800 Series Wireless Controller, if you disable the 2.4 GHz toggle button, Cisco DNA Center disables the Admin status of the 2.4 GHz RF profile.

    • In Release 2.3.5.3, for Cisco AireOS Wireless Controller, if you disable the 2.4 GHz toggle button, Cisco DNA Center disables the Admin status of the respective radios on all APs that use this RF profile. We recommend that you disable the Admin status using the Configure Access Points workflow. For more information, see Configure AP Workflow.

    • Effective with Release 2.3.5.4, for Cisco AireOS Wireless Controller, if you disable the 2.4 GHz toggle button and reprovision the wireless controller or AP, Cisco DNA Center creates the RF profile for the corresponding band and maps it to the AP group (instead of configuring it as None) and disables the Admin status of the corresponding radios on the APs.

    • For Cisco AireOS Wireless Controller, when you disable the Admin status for the 2.4-GHz band on the RF profile, Cisco DNA Center changes the XOR radio on the APs using that RF profile to manual 5-GHz mode. If you enable the Admin status later and reprovision the AP, Cisco DNA Center changes the radio to automatic mode enabling the usage of 2.4-GHz and 5-GHz bands, and monitor mode. So, if you want to disable the Admin status for the 2.4-GHz band on XOR-capable APs, we recommend that you disable the Admin status of the XOR radio using the Configure Access Points workflow. The Admin status configured using the Configure Access Points workflow isn't overwritten when the wireless controller or APs are reprovisioned. For more information, see Configure AP Workflow.

  2. Under Parent Profile, select High, Medium (Typical), Low, or Custom. (The Data Rate and Tx Configuration fields change depending on the parent profile selected. For example, if you select High, it populates the profile configurations available in the device for 2.4-GHz. If you change any settings in the populated Data Rate and Tx Configuration, the Parent Profile automatically changes to Custom.) Note that a new RF profile is created only for the selected custom profiles.

    Note

     

    Low, Medium (Typical), and High are the default RF profiles. If you select a default RF profile, the respective RF profile on the device is used, and the new RF profile is not created on wireless controller.

  3. DCA Channel dynamically manages channel assignment for an RF group and evaluates the assignments on a per-AP radio basis.

    • Check the Select All check box to select DCA channels 1, 6, and 11. Alternatively, check the individual check boxes next to the channel numbers.

    • Click Show Advanced to select the channel numbers under the Advanced Options.

    • Check the Select All check box to select DCA channels that are under Advanced Options, or check the check box next to the individual channel numbers. The available channel numbers are 2, 3, 4, 5, 7, 8, 9, 10, 12, 13, and 14.

      Note

       

      For Cisco AireOS Wireless Controller, Cisco DNA Center automatically configures the selected DCA channels in the global RRM DCA channel list.

      Select the DCA channels based on the country code of the device. During provisioning, only the allowed channels for the country configured on the wireless controller are considered and the unsupported channels are ignored. Provisioning may fail if all the channels that you've selected are unsupported as per the country codes configured on the controller.

  4. Under Supported Data Rate, configure the following:

    • Check the Enable 802.11b data rates check box to enable the 802.11b data rates.

    • Use the slider to set the rates at which data can be transmitted between an access point and a client. The available data rates are 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, and 54.

  5. Under Mandatory Data Rates, check the check boxes next to the individual data rates. You can choose up to two data rates. The available data rates are 6, 9, 12, 18, 24, 36, 48, and 54.

    The available data rates change depending on the data rates set under Supported Data Rate.

  6. Under Tx Power Configuration, set the power level and power threshold for an AP.

    • Power Level: To determine whether the power of an AP needs to be reduced. Reducing the power of an AP helps mitigate co-channel interference with another AP on the same channel or in close proximity. Use the Power Level slider to set the minimum and maximum power level. The range is from -10 dBm to 30 dBm and the default is -10 dBm.

    • TPC Power Threshold: Is the cutoff signal level used by Radio Resource Management (RRM) to determine whether to reduce the power of an AP. Use the Power Threshold slider to increase and decrease the power value, which causes the AP to operate at higher or lower transmit power rates. The range is from -50 dBm to 80 dBm and the default threshold is -70 dBm.

    • RX SOP: Receiver Start of Packet Detection Threshold (RX SOP) determines the Wi-Fi signal level, in dBm, at which an AP's radio demodulates and decodes a packet. From the RX SOP drop-down list, choose High, Medium, Low, or Auto threshold values for each 802.11 band.

  7. Under Coverage Hole Detection, configure the following:

    Note

     

    You must enable global coverage hole detection in Tools > Model Config Editor > Wireless > RRM General Configuration for the corresponding radio band and provision it on the managing wireless controller. For more information about the model configuration design for RRM general parameters, see Create a Model Config Design for RRM General Parameters. For more information about provisioning, see Provision Wireless Devices.

    • In the Minimum Client Level (clients) field, enter a value for the minimum number of clients. The valid range is from 1 through 200. The default value is 3.

    • In the Data RSSI Threshold (dBm) field, enter the data Received Signal Strength Indication (RSSI) threshold in dBm. The valid range is from -90 dBm through -60 dBm. The default value is -80 dBm.

    • In the Voice RSSI Threshold (dBm) field, enter the voice RSSI threshold in dBm. The valid range is from -90 dBm through -60 dBm. The default value is -80 dBm.

    • In the Exception Level (%) field, enter an exception level. The valid range is from 0 through 100 percent. The default value is 25 percent.

  8. In the Max Clients field, enter the maximum client limit value. The valid range is from 0 through 500.

    Note

     

    Maximum client limit is not supported on the Cisco AireOS Wireless Controller.

    • If the wireless controller is running a version earlier than Cisco IOS XE Release 17.7, the maximum client limit is 200.

    • If the wireless controller is running Cisco IOS XE Release 17.7 or later and earlier than Cisco IOS XE Release 17.9, the maximum client limit is 400.

    • If the wireless controller is running Cisco IOS XE Release 17.9 or later, the maximum client limit is 500.

  9. Under 802.11ax, configure the following spatial reuse parameters:

    Note

     

    802.11ax is supported only on wireless controllers that run Cisco IOS XE Release 17.6.1 and later.

    • Check the OBSS PD check box to enable the Overlapping BSS Packet Detect (OBSS-PD) functionality.

    • In the Non-SRG OBSS PD Max Threshold (dBm) field, enter a value for the non-Spatial Reuse Group (SRG) OBSS-PD maximum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -62 dBm.

    • Check the SRG OBSS PD check box to enable the SRG OBSS-PD functionality.

      SRG OBSS-PD is supported only on wireless controllers that run Cisco IOS XE Release 17.7.1 and later.

    • In the SRG OBSS PD Min Threshold (dBm) field, enter a value for the SRG OBSS-PD minimum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -82 dBm.

    • In the SRG OBSS PD Max Threshold (dBm) field, enter a value for the SRG OBSS-PD maximum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -62 dBm.

Step 7

Configure the following in the 5 GHz tab:

  1. Ensure that the 5 GHz toggle button is enabled.

    Note

     
    • For Cisco Catalyst 9800 Series Wireless Controller, if you disable the 5 GHz toggle button, Cisco DNA Center disables the Admin status of the 5 GHz RF profile.

    • In Release 2.3.5.3, for Cisco AireOS Wireless Controller, if you disable the 5 GHz toggle button, Cisco DNA Center disables the Admin status of the respective radios on all APs that use this RF profile. We recommend that you disable the Admin status using the Configure Access Points workflow. For more information, see Configure AP Workflow.

      Effective with Release 2.3.5.4, for Cisco AireOS Wireless Controller, if you disable the 5 GHz toggle button and reprovision the wireless controller or AP, Cisco DNA Center creates the RF profile for the corresponding band and maps it to the AP group (instead of configuring it as None) and disables the Admin status of the corresponding radios on the APs.

    • For Cisco AireOS Wireless Controller, when you disable the Admin status for the 5-GHz band on the RF profile, Cisco DNA Center changes the XOR radio on the APs using that RF profile to manual 2.4-GHz mode. If you enable the Admin status later and reprovision the AP, Cisco DNA Center changes the radio to automatic mode enabling the usage of 2.4-GHz and 5-GHz bands, and monitor mode. So, if you want to disable the Admin status for the 5-GHz band on XOR-capable APs, we recommend that you disable the Admin status of the XOR radio using the Configure Access Points workflow. The Admin status configured using the Configure Access Points workflow isn't overwritten when the wireless controller or APs are reprovisioned. For more information, see Configure AP Workflow.

  2. From the Parent Profile drop-down list, choose High, Medium (Typical), Low, or Custom. (The Data Rate and Tx Configuration fields change depending on the parent profile selected. For example, if you select High, it populates the configurations available in the device for 2.4 GHz. If you change any settings in the populated Data Rate and Tx Configuration fields, the Parent Profile automatically changes to Custom.) A new RF profile is created only for select custom profiles.

    Note

     

    Low, Medium (Typical), and High are the default RF profiles. If you select a default RF profile, the respective RF profile that is already present in the device is used and the new RF profile is not created on wireless controller.

  3. From the Channel Width drop-down list, choose one of the channel bandwidth options: Best, 20 MHz, 40 MHz, 80 MHz, or 160 MHz.

  4. Check the Zero Wait DFS check box to allow APs with 5-GHz radio band to switch to a new channel without any waiting time.

    Note

     

    Cisco DNA Center supports Zero wait DFS for Cisco Wireless Controllers running Cisco IOS XE Release 17.9.1 and later.

  5. Under DCA Channel, configure the following to manage channel assignments:

    Note

     

    For Cisco AireOS Wireless Controller, Cisco DNA Center automatically configures the selected DCA channels in the global RRM DCA channel list.

    Select the DCA channels based on the country code of the device. During provisioning, only the allowed channels for the country configured on the wireless controller are considered and the unsupported channels are ignored. Provisioning may fail if all the channels that you've selected are unsupported as per the country codes configured on the controller.

    • Check the Select All check box to select DCA channels UNII-1 36-48, UNII-2 52-144, and UNII-3 149-173. Alternatively, check the individual check boxes next to the channel numbers.

    • Click Show Advanced to select the channel numbers for each band.

    • UNII-1 36-48: The channels available for UNII-1 band are 36, 40, 44, and 48. Check the UNII-1 36-48 check box to include all channels, or check an individual check box.

    • UNII-2 52-144: The channels available for UNII-2 band are 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, and 144. Check the UNII-2 52-144 check box to include all channels, or check an individual check box.

    • UNII-3 149-165: The channels available for UNII-3 band are 149, 153, 157, 161, and 165. Check the UNII-3 149-165 check box to include all channels, or check an individual check box.

  6. Use the Supported Data Rate slider to set the rates at which data can be transmitted between an access point and a client. The available data rates are 6, 9, 12, 18, 24, 36, 48, and 54.

  7. Under Mandatory Data Rates, check the check boxes next to the individual data rates. You can choose up to two data rates. The available data rates are 6, 9, 12, 18, 24, 36, 48, and 54.

    The available data rates change depending on the data rates set under Supported Data Rate.

  8. Under Tx Power Configuration, set the power level and power threshold for an AP.

    • Power Level: Determines whether the power of an AP needs to be reduced. Reducing the power of an AP helps mitigate co-channel interference with another AP on the same channel or in close proximity. Use the Power Level slider to set the minimum and maximum power level. The range is from -10 dBm to 30 dBm and the default is -10 dBm.

    • TPC Power Threshold: Is the cutoff signal level used by Radio Resource Management (RRM) to determine whether to reduce the power of an AP. Use the Power Threshold slider to increase and decrease the power value, which causes the AP to operate at higher or lower transmit power rates. The range is from -50 dBm to 80 dBm and the default threshold is -70 dBm.

    • RX SOP: Receiver Start of Packet Detection Threshold (RX SOP) determines the Wi-Fi signal level in dBm at which an AP's radio demodulates and decodes a packet. From the RX SOP drop-down list, choose High, Medium, Low, or Auto threshold values for each 802.11 band.

  9. Under Coverage Hole Detection, configure the following:

    Note

     

    You must enable global coverage hole detection in Tools > Model Config Editor > Wireless > RRM General Configuration for the corresponding radio band and provision it on the managing wireless controller. For more information about the model configuration design for RRM general parameters, see Create a Model Config Design for RRM General Parameters. For more information about provisioning, see Provision Wireless Devices.

    • In the Minimum Client Level (clients) field, enter a value for the minimum number of clients. The valid range is from 1 through 200. The default value is 3.

    • In the Data RSSI Threshold (dBm) field, enter the data Received Signal Strength Indication (RSSI) threshold in dBm. The valid range is from -90 dBm through -60 dBm. The default value is -80 dBm.

    • In the Voice RSSI Threshold (dBm) field, enter the voice RSSI threshold in dBm. The valid range is from -90 dBm through -60 dBm. The default value is -80 dBm.

    • In the Exception Level (%) field, enter an exception level. The valid range is from 0 through 100 percent. The default value is 25 percent.

  10. In the Max Clients field, enter the maximum client limit value. The valid range is from 0 through 500.

    Note

     

    Maximum client limit is not supported on the Cisco AireOS Wireless Controller.

    • If the wireless controller is running a version earlier than Cisco IOS XE Release 17.7, the maximum client limit is 200.

    • If the wireless controller is running Cisco IOS XE Release 17.7 or later and earlier than Cisco IOS XE Release 17.9, the maximum client limit is 400.

    • If the wireless controller is running Cisco IOS XE Release 17.9 or later, the maximum client limit is 500.

  11. Under Flexible Radio Assignment (FRA), check the Client Aware check box to enable the Client Aware feature.

    This feature monitors the dedicated 5-GHz radio and when the client load passes the threshold, automatically changes the FRA from a monitor role into a 5-GHz role, effectively doubling the capacity of the cell on demand. Once the capacity crisis is over and Wi-Fi load returns to normal, the radios resume their previous roles.

    Note

     

    You must enable FRA in Tools > Model Config Editor > Wireless > RRM FRA Configuration for the corresponding radio band and provision it on the managing wireless controller. For more information about the model configuration design for RRM FRA parameters, see Create a Model Config Design for RRM FRA Parameters. For more information about provisioning, see Provision Wireless Devices.

    If you enable the Client Aware feature, configure the following:

    • In the Client Select (%) field, enter a value for client selection. The valid range is from 0 through 100 percent. The default value is 50 percent.

    • In the Client Reset (%) field, enter a reset value for the client. The valid range is from 0 through 100 percent. The default value is 5 percent.

  12. Under 802.11ax, configure the following spatial reuse parameters:

    Note

     

    802.11ax is supported only on wireless controllers that run Cisco IOS XE Release 17.6.1 and later.

    • Check the OBSS PD check box to enable the Overlapping BSS Packet Detect (OBSS-PD) functionality.

    • In the Non-SRG OBSS PD Max Threshold (dBm) field, enter a value for the non-Spatial Reuse Group (SRG) OBSS-PD maximum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -62 dBm.

    • Check the SRG OBSS PD check box to enable the SRG OBSS-PD functionality.

      SRG OBSS-PD is supported only on wireless controllers that run Cisco IOS XE Release 17.7.1 and later.

    • In the SRG OBSS PD Min Threshold (dBm) field, enter a value for the SRG OBSS-PD minimum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -82 dBm.

    • In the SRG OBSS PD Max Threshold (dBm) field, enter a value for the SRG OBSS-PD maximum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -62 dBm.

Step 8

Configure the following in the 6 GHz tab:

  1. Ensure that the 6 GHz toggle button is enabled.

    Note

     
    • 6-GHz radio is supported only on wireless controllers that run Cisco IOS XE Release 17.7.1 and later.

    • For Cisco Catalyst 9800 Series Wireless Controller, if you disable the 6 GHz toggle button, Cisco DNA Center disables the Admin status of the 6 GHz RF profile.

  2. Enable the Enable PSC Enforcing toggle button to allow Preferred Scanning Channel (PSC) enforcement.

    PSC enforcement improves the connectivity of the 6-GHz devices by prioritizing the PSC-enabled channels.

    Note

     

    If you enable PSC enforcement, the check boxes next to the non-PSC channels are dimmed.

  3. Under DCA Channel, configure the following to manage channel assignments.

    • Check the Select All check box to include all DCA channels, or check an individual check box to select an individual DCA channel.

      • UNII-5 1-93

      • UNII-6 97-113

      • UNII-7 117-185

      • UNII-8 189-233

    • Click Show Advanced to select the channel numbers for each band.

    Note

     

    Select the DCA channels based on the country code of the device. During provisioning, only the allowed channels for the country configured on the wireless controller are considered and the unsupported channels are ignored. Provisioning may fail if all the channels that you've selected are unsupported as per the country codes configured on the controller.

  4. Use the Supported Data Rate slider to set the rates at which data can be transmitted between an access point and a client. The available data rates are 6, 9, 12, 18, 24, 36, 48, and 54.

  5. Under Mandatory Data Rates, check the check boxes next to the individual data rates. You can choose up to two data rates. The available data rates are 6, 9, 12, 18, 24, 36, 48, and 54.

    The available data rates change depending on the data rates set under Supported Data Rate.

  6. Under Tx Power Configuration, set the power level and power threshold for an AP.

    • Power Level: Determines whether the power of an AP needs to be reduced. Reducing the power of an AP helps mitigate co-channel interference with another AP on the same channel or in close proximity. Use the Power Level slider to set the minimum and maximum power level. The range is from -10 dBm to 30 dBm and the default is -10 dBm.

    • TPC Power Threshold: Is the cutoff signal level used by Radio Resource Management (RRM) to determine whether to reduce the power of an AP. Use the Power Threshold slider to increase and decrease the power value, which causes the AP to operate at higher or lower transmit power rates. The range is from -50 dBm to 80 dBm and the default threshold is -70 dBm.

    • RX SOP: Receiver Start of Packet Detection Threshold (RX SOP) determines the Wi-Fi signal level in dBm at which an AP's radio demodulates and decodes a packet. From the RX SOP drop-down list, choose High, Medium, Low, or Auto threshold values for each 802.11 band.

  7. Under Coverage Hole Detection, configure the following:

    Note

     

    You must enable global coverage hole detection in Tools > Model Config Editor > Wireless > RRM General Configuration for the corresponding radio band and provision it on the managing wireless controller. For more information about the model configuration design for RRM general parameters, see Create a Model Config Design for RRM General Parameters. For more information about provisioning, see Provision Wireless Devices.

    • In the Minimum Client Level (clients) field, enter a value for the minimum number of clients. The valid range is from 1 through 200. The default value is 3.

    • In the Data RSSI Threshold (dBm) field, enter the data Received Signal Strength Indication (RSSI) threshold in dBm. The valid range is from -90 dBm through -60 dBm. The default value is -80 dBm.

    • In the Voice RSSI Threshold (dBm) field, enter the voice RSSI threshold in dBm. The valid range is from -90 dBm through -60 dBm. The default value is -80 dBm.

    • In the Exception Level (%) field, enter an exception level. The valid range is from 0 through 100 percent. The default value is 25 percent.

  8. In the Max Clients field, enter the maximum client limit value. The valid range is from 0 through 500.

    Note

     
    • If the wireless controller is running a version earlier than Cisco IOS XE Release 17.7, the maximum client limit is 200.

    • If the wireless controller is running Cisco IOS XE Release 17.7 or later and earlier than Cisco IOS XE Release 17.9, the maximum client limit is 400.

    • If the wireless controller is running Cisco IOS XE Release 17.9 or later, the maximum client limit is 500.

  9. Under Flexible Radio Assignment (FRA), complete the following:

    Note

     
    • You must enable FRA in Tools > Model Config Editor > Wireless > RRM FRA Configuration for the corresponding radio band and provision it on the managing wireless controller. For more information about the model configuration design for RRM FRA parameters, see Create a Model Config Design for RRM FRA Parameters. For more information about provisioning, see Provision Wireless Devices.

    • FRA is supported only on wireless controllers that run Cisco IOS XE Release 17.9.1 and later.

    • In the Client Reset Count field, enter a reset count value for the client. The valid range is from 0 through 10. The default value is 1.

    • In the Client Utilization Threshold (%) field, enter a utilization threshold value for the client. The valid range is from 0 through 100 percent. The default value is 5 percent.

  10. Under 802.11ax, configure the following multiple basic service set identifier (BSSID) and spatial reuse parameters:

    • From the 6 GHz Discovery Frames drop-down list, choose the required option from None, Broadcast Probe Response, and FILS Discovery.

      6-GHz discovery frames are needed if the 6-GHz radio is the only operational radio. For more information about the 6-GHz discovery frames, click Learn More.

    • In the Broadcast Probe Response Interval (msec) field, enter the broadcast probe response interval, in msec. The valid range is from 5 msec through 25 msec. The default value is 20 msec.

    • Under MULTI BSSID, check the check boxes to enable the following parameters:

      • Downlink OFDMA

      • Uplink OFDMA

      • Downlink MU-MIMO

      • Uplink MU-MIMO

      • Target wake time

      • TWT Broadcast Support

      Note

       

      You must enable multiple BSSID in Tools > Model Config Editor > Wireless > Dot11ax Configuration for the corresponding radio band and provision it on the managing wireless controller. For more information about the model configuration design for Dot11ax, see Create a Model Config Design for Dot11ax Configuration. For more information about provisioning, see Provision Wireless Devices.

    • Check the OBSS PD check box to enable the Overlapping BSS Packet Detect (OBSS-PD) functionality.

    • In the Non-SRG OBSS PD Max Threshold (dBm) field, enter a value for the non-Spatial Reuse Group (SRG) OBSS-PD maximum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -62 dBm.

    • Check the SRG OBSS PD check box to enable the SRG OBSS-PD functionality.

      SRG OBSS-PD is supported only on wireless controllers that run Cisco IOS XE Release 17.7.1 and later.

    • In the SRG OBSS PD Min Threshold (dBm) field, enter a value for the SRG OBSS-PD minimum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -82 dBm.

    • In the SRG OBSS PD Max Threshold (dBm) field, enter a value for the SRG OBSS-PD maximum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -62 dBm.

Step 9

Click Save.

Step 10

To mark a profile as the default RF profile, check the Profile Name check box and click Mark Default.

Step 11

In the Warning window, click OK.


What to do next

You must provision the APs to apply the RF profile settings on the device. For more information, see Provision a Cisco AP—Day 1 AP Provisioning.

Edit or Delete a Basic Radio Frequency Profile

The following procedure describes how to edit or delete a basic RF profile.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the Wireless Radio Frequency Profile area, click the Basic RF Profile tab.

Note

 

The Basic RF Profile table lists the number of created basic RF profiles based on Profile Name, Type, 2.4 GHz Data Rates, 5 GHz Data Rates, 6 GHz Data Rates, Channel Width, and Profile Type.

Step 5

Check the check box next to the basic profile name that you want to edit.

Step 6

From the Action drop-down list, choose Edit/View.

Note

 

You can edit one basic RF profile at a time.

Step 7

In the Edit Wireless Radio Frequency Profile window, configure the basic RF profile settings. For more information, see Create a Wireless Radio Frequency Profile.

Step 8

Click Save.

Step 9

To delete a basic RF profile, check the check box next to the basic RF profile name.

Step 10

From the Action drop-down list, choose Delete and then click Yes.

Step 11

To mark a basic RF profile as the default, check the check box next to a basic RF profile name.

Step 12

From the Action drop-down list, choose Mark Default and then click Yes.


What to do next

For Cisco AireOS Wireless Controllers, if you modify the DCA channels or data rates for an RF profile that is already provisioned on a wireless controller, Cisco DNA Center resets the corresponding radio.

If you update an RF profile that is already provisioned on a wireless controller and AP, you must reprovision either the wireless controller or AP. Wireless controller reprovision also pushes the RF profile updates to the devices and reprovisioning the AP is not necessary. For more information about provisioning a wireless controller, see Provision a Cisco AireOS Controller and Provision a Cisco Catalyst 9800 Series Wireless Controller.

Prerequisites for Configuring AI Radio Frequency Profiles

  • You must enable Cisco AI Network Analytics under the system settings. For more information, see Configure Cisco AI Network Analytics Data Collection in Cisco DNA Center Administrator Guide.

  • You must enable AI-Enhanced RRM under Cisco AI Analytics in the system settings. Click the menu icon () and choose System > Settings > External Services > Cisco AI Analytics.

    In the Cisco AI Analytics window, under the AI-ENHANCED RRM area, click the toggle button to enable the AI-Enhanced RRM.

  • Cisco AI RF profiles are supported only on Cisco Catalyst 9800 Series Wireless Controllers running Cisco IOS XE Release 17.7.1 or later.


    Note


    Ensure that the Group Mode option for all the three bands (2.4 GHz, 5 GHz, and 6 GHz) is configured as auto or leader on the wireless controller.


  • Cisco AI RF profiles are supported for 6-GHz radio only on wireless controllers that run Cisco IOS XE Release 17.9.1 and later.

  • You must be a Super Admin or Network Admin.

Create an AI Radio Frequency Profile

The following procedure describes how to create an AI radio frequency profile for your building.

Before you begin

Ensure that the prerequisites are met. For more information, see Prerequisites for Configuring AI Radio Frequency Profiles.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the Wireless Radio Frequency Profile area, hover your cursor over Add and choose AI RF Profile.

Step 5

In the Profile Name field of the Create AI Radio Frequency Profile window, enter the RF profile name.

Step 6

In the Radio Frequency Settings area of Basic Settings, check the 2.4 GHz, 5 GHz, or 6 GHz check box.

The radio frequencies are checked by default. If you uncheck a radio frequency, Cisco DNA Center disables the Admin status of the corresponding RF profile.

Note

 

Cisco Catalyst 9800 Series Wireless Controller running Cisco IOS XE Release 17.9.1 and later support the AI RF profile for the 6 GHz radio band.

Step 7

In the Busy Hours area, define the start and end time of the site time zone.

Note

 

Busy hours are dependent upon the time zone of the building. You must configure a timezone under network settings for the respective building.

Step 8

In the Busy Hour Sensitivity area, click the Low, Medium, or High radio button to define the threshold of Radio Resource Management (RRM) sensitivity for the busy hours interval.

Step 9

In the Enable RF Settings area, click the toggle buttons under the 2.4 GHz, 5 GHz, or 6 GHz columns to enable or disable RF settings for the corresponding radio bands.

The supported RF settings are:
  • Flexible Radio Assignment (FRA): FRA optimizes the radio coverage per band and determines the best role assignment for redundant radios.

  • Dynamic Channel Assignment (DCA): DCA dynamically manages channel assignment for an RF group and evaluates the assignments on a per-AP radio basis.

  • Transmit Power Control (TPC): TPC manages and transmits power for APs. It also maximizes the SNR during the reduction in interference.

  • Dynamic Bandwidth Selection (DBS): DBS monitors and adjusts the channel width to balance the performance and interference.

Note

 
  • When you disable the 2.4 GHz radio band for FRA, it automatically disables the 5 GHz radio band for FRA, and conversely.

  • When you disable the 5 GHz radio band for DCA, it disables the 2.4 GHz radio band for FRA and the 5 GHz radio band for FRA and DBS.

  • You can individually enable the 2.4 GHz radio band for DCA and TPC; and the 5 GHz radio band for DCA, TPC, and DBS. For the 5 GHz radio band, if DCA and DBS are disabled and you enable DBS, DCA is also enabled.

  • You can enable or disable the 6 GHz radio band together for DCA and DBS RF settings. You can individually enable the 6 GHz radio band for TPC.

  • FRA is not supported for the 6 GHz radio band.

Step 10

Expand Advanced and click the 2.4 GHz toggle button.

  1. In the DCA Channel area, check the Select All check box to select DCA channels 1, 6, and 11. Alternatively, check the individual check boxes next to the channel numbers.

  2. In the Advanced Options area, check the Select All check box to select all the DCA channels.

  3. Click Show Advanced to select the remaining channel numbers.

  4. Check the check box next to the individual channel numbers. The channel numbers that are available for the profile are 2, 3, 4, 5, 7, 8, 9, 10, 12, 13, and 14.

    Note

     

    Select the DCA channels based on the country code of the device. During provisioning, only the allowed channels for the country configured on the wireless controller are considered and the unsupported channels are ignored. Provisioning may fail if all the channels that you've selected are unsupported as per the country codes configured on the controller.

  5. In the Supported Data Rate area, configure the following:

    • Check the Enable 802.11b data rates check box to enable the 802.11b data rates. This action also enables the 802.11b supported data rate check boxes in the Mandatory Data Rates area.

    • Use the slider to set the rates at which data can be transmitted between an AP and a client. The available data rates are 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, and 54.

  6. In the Mandatory Data Rates area, check the check box next to the individual data rates. You can choose up to two data rates. The available data rates are 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, and 54.

  7. In the Tx Power Configuration area, set the following:

    • Power Level: Determines whether the power of an AP needs to be reduced. Reducing the power of an AP helps mitigate co-channel interference. Use the Power Level slider to set the minimum and maximum power level. The range is from -10 dBm through 30 dBm. The minimum default is -10 dBm and maximum default is 30 dBm.

    • TPC Power Threshold: Is the cutoff signal level used by RRM to determine whether to reduce the power of an AP. Use the TPC Power Threshold slider to increase and decrease the power value, which causes the AP to operate at higher or lower transmit power rates. The range is from -50 dBm through 80 dBm and the default threshold is -70 dBm.

    • RX SOP: Receiver Start of Packet Detection Threshold (RX SOP) determines the Wi-Fi signal level, in dBm, at which an AP's radio demodulates and decodes a packet. From the RX SOP drop-down list, choose High, Medium, Low, or Auto threshold values for each 802.11 band.

  8. Under Coverage Hole Detection, configure the following:

    Note

     

    You must enable global coverage hole detection in Tools > Model Config Editor > Wireless > RRM General Configuration for the corresponding radio band and provision it on the managing wireless controller. For more information about the model configuration design for RRM general parameters, see Create a Model Config Design for RRM General Parameters. For more information about provisioning, see Provision Wireless Devices.

    • In the Minimum Client Level (clients) field, enter a value for the minimum number of clients. The valid range is from 1 through 200. The default value is 3.

    • In the Data RSSI Threshold (dBm) field, enter the data Received Signal Strength Indication (RSSI) threshold in dBm. The valid range is from -90 dBm through -60 dBm. The default value is -80 dBm.

    • In the Voice RSSI Threshold (dBm) field, enter the voice RSSI threshold in dBm. The valid range is from -90 dBm through -60 dBm. The default value is -80 dBm.

    • In the Exception Level (%) field, enter an exception level. The valid range is from 0 through 100 percent. The default value is 25 percent.

  9. In the Max Clients field, enter the maximum client limit value. The valid range is from 0 through 500.

    Note

     
    • If the wireless controller is running a version earlier than Cisco IOS XE Release 17.7.1, the maximum client limit is 200.

    • If the wireless controller is running Cisco IOS XE Release 17.7.1 or later and earlier than Cisco IOS XE Release 17.9.1, the maximum client limit is 400.

    • If the wireless controller is running Cisco IOS XE Release 17.9.1 or later, the maximum client limit is 500.

  10. Under 802.11ax, configure the following spatial reuse parameters:

    Note

     

    802.11ax is supported only on wireless controllers that run Cisco IOS XE Release 17.6.1 and later.

    • Check the OBSS PD check box to enable the Overlapping BSS Packet Detect (OBSS-PD) functionality.

    • In the Non-SRG OBSS PD Max Threshold (dBm) field, enter a value for the non-Spatial Reuse Group (SRG) OBSS-PD maximum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -62 dBm.

    • Check the SRG OBSS PD check box to enable the SRG OBSS-PD functionality.

      SRG OBSS-PD is supported only on wireless controllers that run Cisco IOS XE Release 17.7.1 and later.

    • In the SRG OBSS PD Min Threshold (dBm) field, enter a value for the SRG OBSS-PD minimum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -82 dBm.

    • In the SRG OBSS PD Max Threshold (dBm) field, enter a value for the SRG OBSS-PD maximum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -62 dBm.

Step 11

In the Advanced area, click the 5 GHz toggle button.

  1. Check the Zero Wait DFS check box to allow APs with 5-GHz radio to switch to a new channel without any waiting time.

    Note

     

    Cisco DNA Center supports Zero wait DFS for Cisco Wireless Controllers running Cisco IOS XE Release 17.9.1 and later.

  2. Use the DBS Max Width slider to set the channel width of the AI RF profile.

    The available channel width options are 20 MHz, 40 MHz, 80 MHz, or 160 MHz.

    The Auto Channels Logic area displays a color-coded representation of channels that are available in the Unlicensed National Information Infrastructure (UNII) radio bands for the available channel widths.

    You can select DBS Max Width only when DBS is enabled.

    When you disable the DBS, Cisco DNA Center allows you to select the static channel width.

  3. Set the DCA Channel to manage the following channel assignments:

    • UNII-1 36-48: The channels available for UNII-1band are 36, 40, 44, and 48.

    • UNII-2 52-144: The channels available for UNII-2band are 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, and 144.

    • UNII-3 149-165: The channels available for UNII-3 band are 149, 153, 157, 161, and 165.

  4. Check the Select All check box to include all DCA channels, or check an individual check box to select an individual DCA channel.

  5. Click Show Advanced to view and select the individual DCA channel numbers.

    • Check the UNII-1 36-48 check box to include all channels, or check an individual check box.

    • Check the UNII-2 52-144 check box to include all channels, or check an individual check box.

    • Check the UNII-3 149-165 check box to include all channels, or check an individual check box.

    Note

     

    Select the DCA channels based on the country code of the device. During provisioning, only the allowed channels for the country configured on the wireless controller are considered and the unsupported channels are ignored. Provisioning may fail if all the channels that you've selected are unsupported as per the country codes configured on the controller.

  6. Use the Supported Data Rate slider to set the rates at which data can be transmitted between an AP and a client. The available data rates are 6, 9, 11, 12, 18, 24, 36, 48, and 54.

  7. In the Mandatory Data Rates area, check the check box next to the individual data rates. You can choose up to two data rates. The available data rates are 6, 9, 11, 12, 18, 24, 36, 48, and 54.

  8. In the Tx Power Configuration area, set the Power Level, Power Threshold, and RX SOP.

    • Use the Power Level slider to set the minimum and maximum power level. The range is from -10 dBm through 30 dBm. The minimum default is -10 dBm and maximum default is 30 dBm.

    • Use the TPC Power Threshold slider to increase and decrease the power value, which causes the AP to operate at higher or lower transmit power rates. The range is from -50 dBm through 80 dBm and the default threshold is -70 dBm.

    • From the RX SOP drop-down list, choose High, Medium, Low, or Auto threshold values.

  9. Under Coverage Hole Detection, configure the following:

    Note

     

    You must enable global coverage hole detection in Tools > Model Config Editor > Wireless > RRM General Configuration for the corresponding radio band and provision it on the managing wireless controller. For more information about the model configuration design for RRM general parameters, see Create a Model Config Design for RRM General Parameters. For more information about provisioning, see Provision Wireless Devices.

    • In the Minimum Client Level (clients) field, enter a value for the minimum number of clients. The valid range is from 1 through 200. The default value is 3.

    • In the Data RSSI Threshold (dBm) field, enter the data Received Signal Strength Indication (RSSI) threshold in dBm. The valid range is from -90 dBm through -60 dBm. The default value is -80 dBm.

    • In the Voice RSSI Threshold (dBm) field, enter the voice RSSI threshold in dBm. The valid range is from -90 dBm through -60 dBm. The default value is -80 dBm.

    • In the Exception Level (%) field, enter an exception level. The valid range is from 0 through 100 percent. The default value is 25 percent.

  10. In the Max Clients field, enter the maximum client limit value. The valid range is from 0 through 500.

    Note

     
    • If the wireless controller is running a version earlier than Cisco IOS XE Release 17.7.1, the maximum client limit is 200.

    • If the wireless controller is running Cisco IOS XE Release 17.7.1 or later and earlier than Cisco IOS XE Release 17.9.1, the maximum client limit is 400.

    • If the wireless controller is running Cisco IOS XE Release 17.9.1 or later, the maximum client limit is 500.

  11. Under 802.11ax, configure the following spatial reuse parameters:

    Note

     

    802.11ax is supported only on wireless controllers that run Cisco IOS XE Release 17.6.1 and later.

    • Check the OBSS PD check box to enable the Overlapping BSS Packet Detect (OBSS-PD) functionality.

    • In the Non-SRG OBSS PD Max Threshold (dBm) field, enter a value for the non-Spatial Reuse Group (SRG) OBSS-PD maximum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -62 dBm.

    • Check the SRG OBSS PD check box to enable the SRG OBSS-PD functionality.

      SRG OBSS-PD is supported only on wireless controllers that run Cisco IOS XE Release 17.7.1 and later.

    • In the SRG OBSS PD Min Threshold (dBm) field, enter a value for the SRG OBSS-PD minimum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -82 dBm.

    • In the SRG OBSS PD Max Threshold (dBm) field, enter a value for the SRG OBSS-PD maximum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -62 dBm.

Step 12

In the Advanced area, click the 6 GHz toggle button.

  1. Use the DBS Width slider to set the minimum and maximum channel width of the AI RF profile.

    The available channel width options are 20 MHz, 40 MHz, 80 MHz, or 160 MHz.

    The Auto Channels Logic area displays a color-coded representation of channels that are available in the UNII radio bands for the available channel widths.

    You can select DBS Width only when DBS is enabled.

  2. Enable the Enable PSC Enforcing toggle button to allow Preferred Scanning Channel (PSC) enforcement.

    PSC enforcement improves the connectivity of the 6-GHz devices by prioritizing the PSC-enabled channels.

    Note

     

    If you enable PSC enforcement, the check boxes next to the non-PSC channels are dimmed and the check boxes next to the PSC channels are checked by default. If necessary, you can uncheck the check box next to the required PSC channel.

  3. Set the DCA Channel to manage the following channel assignments:

    • UNII-5 1-93: The channels available for the UNII-5 band are 1, 5, 9, 13, 17, 21, 25, 29, 33, 37, 41, 45, 49, 53, 57, 61, 65, 69, 73, 77, 81, 85, 89, and 93.

    • UNII-6 97-113: The channels available for the UNII-6 band are 97, 101, 105, 109, and 113.

    • UNII-7 117-185: The channels available for the UNII-7 band are 117, 121, 125, 129, 133, 137, 141, 145, 149, 153, 157, 161, 165, 169, 173, 177, 181, and 185.

    • UNII-8 189-233: The channels available for the UNII-8 band are 189, 193, 197, 201, 205, 209, 213, 217, 221, 225, 229, and 233.

  4. Check the Select All check box to include all DCA channels, or check an individual check box to select an individual DCA channel.

  5. Click Show Advanced to select the remaining DCA channel numbers.

    • Check the UNII-5 1-93 check box to include all channels, or check an individual check box.

    • Check the UNII-7 117-185 check box to include all channels, or check an individual check box.

    • Check the UNII-8 189-233 check box to include all channels, or check an individual check box.

    Note

     

    Select the DCA channels based on the country code of the device. During provisioning, only the allowed channels for the country configured on the wireless controller are considered and the unsupported channels are ignored. Provisioning may fail if all the channels that you've selected are unsupported as per the country codes configured on the controller.

  6. Use the Supported Data Rate slider to set the rates at which data can be transmitted between an AP and a client. The available data rates are 6, 9, 12, 18, 24, 36, 48, and 54.

  7. In the Tx Power Configuration area, set the Power Level, TPC Power Threshold, and RX SOP.

    • Use the Power Level slider to set the minimum and maximum power level. The range is from -10 dBm through 30 dBm and the default is -10 dBm.

    • Use the TPC Power Threshold slider to increase and decrease the power value, which causes the AP to operate at higher or lower transmit power rates. The range is from -50 dBm through 80 dBm and the default threshold is -70 dBm.

    • From the RX SOP drop-down list, choose High, Medium, Low, or Auto threshold values.

  8. Under Coverage Hole Detection, configure the following:

    Note

     

    You must enable global coverage hole detection in Tools > Model Config Editor > Wireless > RRM General Configuration for the corresponding radio band and provision it on the managing wireless controller. For more information about the model configuration design for RRM general parameters, see Create a Model Config Design for RRM General Parameters. For more information about provisioning, see Provision Wireless Devices.

    • In the Minimum Client Level (clients) field, enter a value for the minimum number of clients. The valid range is from 1 through 200. The default value is 3.

    • In the Data RSSI Threshold (dBm) field, enter the data Received Signal Strength Indication (RSSI) threshold in dBm. The valid range is from -90 dBm through -60 dBm. The default value is -80 dBm.

    • In the Voice RSSI Threshold (dBm) field, enter the voice RSSI threshold in dBm. The valid range is from -90 dBm through -60 dBm. The default value is -80 dBm.

    • In the Exception Level (%) field, enter an exception level. The valid range is from 0 through 100 percent. The default value is 25 percent.

  9. In the Max Clients field, enter the maximum client limit value. The valid range is from 0 through 500.

    Note

     
    • If the wireless controller is running a version earlier than Cisco IOS XE Release 17.7.1, the maximum client limit is 200.

    • If the wireless controller is running Cisco IOS XE Release 17.7.1 or later and earlier than Cisco IOS XE Release 17.9.1, the maximum client limit is 400.

    • If the wireless controller is running Cisco IOS XE Release 17.9.1 or later, the maximum client limit is 500.

  10. Under 802.11ax, configure the following multiple basic service set identifier (BSSID) and spatial reuse parameters:

    • From the 6 GHz Discovery Frames drop-down list, choose the required option from None, Broadcast Probe Response, and FILS Discovery.

      6-GHz discovery frames are needed if the 6 GHz radio is the only operational radio. For more information about the 6-GHz discovery frames, click Learn More.

    • In the Broadcast Probe Response Interval (msec) field, enter the broadcast probe response interval, in msec. The valid range is from 5 msec through 25 msec. The default value is 20 msec.

    • Under MULTI BSSID, check the check boxes to enable the following parameters:

      • Downlink OFDMA

      • Uplink OFDMA

      • Downlink MU-MIMO

      • Uplink MU-MIMO

      • Target wake time

      • TWT Broadcast Support

      Note

       

      You must enable multiple BSSID in Tools > Model Config Editor > Wireless > Dot11ax Configuration for the corresponding radio band and provision it on the managing wireless controller. For more information about the model configuration design for Dot11ax, see Create a Model Config Design for Dot11ax Configuration. For more information about provisioning, see Provision Wireless Devices.

    • Check the OBSS PD check box to enable the Overlapping BSS Packet Detect (OBSS-PD) functionality.

    • In the Non-SRG OBSS PD Max Threshold (dBm) field, enter a value for the non-Spatial Reuse Group (SRG) OBSS-PD maximum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -62 dBm.

    • Check the SRG OBSS PD check box to enable the SRG OBSS-PD functionality.

      SRG OBSS-PD is supported only on wireless controllers that run Cisco IOS XE Release 17.7.1 and later.

    • In the SRG OBSS PD Min Threshold (dBm) field, enter a value for the SRG OBSS-PD minimum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -82 dBm.

    • In the SRG OBSS PD Max Threshold (dBm) field, enter a value for the SRG OBSS-PD maximum threshold, in dBm. The valid range is from -82 dBm through -62 dBm. The default value is -62 dBm.

Step 13

Click Save.


What to do next

You must provision the APs to apply the RF profile settings on the device. For more information, see Provision a Cisco AP—Day 1 AP Provisioning.

Edit an AI Radio Frequency Profile

The following procedure describes how to edit an AI RF profile.

Before you begin

Ensure that the prerequisites are met. For more information, see Prerequisites for Configuring AI Radio Frequency Profiles.

Procedure

Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the Wireless Radio Frequency Profile area, click the AI RF Profile tab.

The AI RF Profile table lists the number of created AI RF profiles based on Profile Name, Busy Hours, Busy Hour Sensitivity, FRA, DCA, DBS, TPC, and Mapped Buildings.

Step 5

Check the check box next to the AI RF profile that you want to edit.

You can edit one AI RF profile at a time.

Step 6

Click Edit/View.

Step 7

In the Edit AI RF Profile window, configure the AI RF profile settings. For more information, see Create an AI Radio Frequency Profile.

Step 8

Click Save.


What to do next

If you update an RF profile that is already provisioned on a wireless controller and AP, you must reprovision either the wireless controller or AP. Wireless controller reprovision also pushes the RF profiles updates to the devices and reprovisioning the AP is not necessary. For more information about provisioning a wireless controller, see Provision a Cisco Catalyst 9800 Series Wireless Controller.

Delete an AI Radio Frequency Profile

The following procedure describes how to delete an AI RF profile.

Before you begin

Ensure that the prerequisites are met. For more information, see Prerequisites for Configuring AI Radio Frequency Profiles.

Procedure

Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the Wireless Radio Frequency Profile area, click the AI RF Profile tab.

The AI RF Profile table lists the number of created AI RF profiles based on Profile Name, Busy Hours, Busy Hour Sensitivity, FRA, DCA, DBS, TPC, and Mapped Buildings.

Step 5

To delete an AI RF profile, check the check box next to the AI RF profile that you want to delete.

Step 6

Click Delete and then click Yes.

Note

 

Cisco DNA Center does not allow you to delete an AI RF Profile which is already assigned to a building.


What to do next

If you delete an RF profile that is already provisioned on a wireless controller and AP, you must reprovision the wireless controller. Reprovisioning the AP is not necessary. For more information about provisioning a wireless controller, see Provision a Cisco Catalyst 9800 Series Wireless Controller.

Configure an AI Radio Frequency Profile

The following procedure describes how to assign an AI RF profile to a building.

Before you begin

Ensure that the prerequisites are met. For more information, see Prerequisites for Configuring AI Radio Frequency Profiles.

Procedure


Step 1

Click the menu icon () and choose Workflows > Configure AI RF Profile.

Step 2

In the Assign AI RF Profiles window, click Let’s Do it to go directly to the workflow.

Step 3

In the Task Name field of the Configure AI RF Profile window, enter a task name.

Step 4

In the Select Locations to Assign AI RF Profiles window, select the locations where you want to assign the AI-enabled RF profiles. You can either search for a site by entering its name in the Find Hierarchy field, or expand Global and choose the sites.

The Site selection summary table lists the sites based on the site selection in the site hierarchy and displays the Selected Location and Impacted Location of the selected sites.

  • Selected Locations: A location that is being enabled for AI RF profile.

  • Impacted Locations: A location that is being partially managed by the same wireless controller of the selected location.

    Note

     
    • When you a select a site, Cisco DNA Center selects all the existing sites that are managed by the same wireless controller as impacted locations. However, existing sites where AI-Enhanced RRM is already enabled aren't selected as impacted locations. To modify any settings for the existing AI-Enhanced RRM-enabled sites, you must select the corresponding sites.

    • When a wireless controller manages more than one building and if you enable the AI RF profile only on one building, Cisco DNA Center automatically enables other buildings with the same AI RF profile.

      For example, if two wireless controllers manage three buildings and you enable the AI RF profile on one building, Cisco DNA Center automatically enables the other two buildings with the same AI RF profile.

Step 5

In the Select AI RF Profiles to assign window, the Building table lists AI RF profiles based on Location, Floors, Current RF Profiles, and Replace with AI RF Profiles.

  1. In the Building table, check the check box next to a location to choose an AI RF profile.

  2. Based on the location, choose an AI-enabled RF profile from the drop-down list under Replace with AI RF Profiles to replace with the current AI RF profile.

  3. If the AI RF profile isn’t created, click the three dots under the Action column to create a new AI RF profile, or copy the current RF profile and AI settings.

  4. You can also create an AI RF profile from the Create a new AI RF Profile to apply link in the Select AI RF Profiles to assign window. For more information, see Create an AI Radio Frequency Profile.

Step 6

In the Details of selected AI RF Profile window, review the AI Settings, Common Settings, and Assignment details of the AI-enabled RF profiles.

Note

 

AI-enhanced RRM computation occurs every 30 minutes. RRM decisions are updated and pushed to devices after the computation.

Step 7

In the Summary window, review the Task Details, Select Locations to Assign AI RF Profiles, and Select AI RF Profiles to assign.

Step 8

In the Deploy the AI RF Profiles window, choose whether you want to deploy the profile Now or schedule it for later.

Step 9

Click Continue.

The Done! AI RF Profiles Assigned window opens.

Step 10

Click the menu icon () and choose Activities > Tasks.

Step 11

In the Tasks window, click the task link.

A slide-in pane displays the Assigned Building(s), Selected AI RF Profile, and Provision Details.


Assign a Location to an Existing AI RF Profile

The following procedure describes how to assign a location to an existing AI RF profile.

Before you begin

Ensure that the prerequisites are met. For more information, see Prerequisites for Configuring AI Radio Frequency Profiles.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the Wireless Radio Frequency Profile area, click the AI RF Profile tab.

The AI RF Profile table lists the number of created AI RF profiles.

Step 5

Click the three dots under the Action column for an AI RF profile.

Step 6

From the drop-down list, choose Assign Location.

The Manage Location Assignment window opens.

Step 7

You can either search for a site by entering its name in the Search field, or expand All Sites to choose the sites.

Note

 
  • The site hierarchy shows the AI-enabled locations.

  • Sites or buildings that are not eligible for the AI profile are disabled.

  • You cannot select a floor under a building. When you select a building for an AI-enabled RF profile, the floors underneath are assigned automatically.

If the same wireless controller manages other buildings, the Confirm Impacted Sites window opens.

Step 8

Review the confirmation and click Confirm to assign the chosen sites to the AI-enabled RF profile.

Step 9

Click Assign.

A Download a Backup of Current RF Settings window opens that allows you to download the backup of the RF settings across the selected buildings.

Step 10

(Optional) Click the backup link to download a .csv file to your local machine.

Step 11

Click Confirm.

Step 12

In the subsequent confirmation window, click Confirm.

In the AI RF Profile table, the locations assigned to the AI RF profile are displayed under the Mapped Buildings column.


What to do next

Provision Devices of an AI RF Profile-Enabled Building

The following procedure describes how to provision devices across the locations to deploy the AI RF profile.

  1. Click the menu icon () and choose Provision > Network Devices > Inventory.

    In the Inventory window, the Device table lists the discovered AI RF profile associated devices.

  2. Check the check box next to the AI RF profile associated device name that you want to provision.

  3. From the Actions drop-down list, choose Provision > Provision Device.

  4. Proceed through all the steps and in the Summary step, click Deploy.

  5. In the Summary window, view the remaining network settings that will be pushed to the device. For more information, see Wireless Device Provisioning Overview.

Unassign a Location from an Existing AI RF Profile

The following procedure describes how to unassign a location from an existing AI RF profile.

Before you begin

Ensure that the prerequisites are met. For more information, see Prerequisites for Configuring AI Radio Frequency Profiles.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the Wireless Radio Frequency Profile area, click the AI RF Profile tab.

The AI RF Profile table lists the number of created AI RF profiles.

Step 5

Click the three dots under the Action column for an AI RF profile.

Step 6

From the drop-down list, choose Unassign Location.

The Unassign AI RF Profile window opens.

Step 7

Check the check box next to a site to unassign an AI RF profile.

Step 8

Click the Select from available RF Profiles radio button to select an available RF profile that you want to assign to the chosen location.

Step 9

From the Select RF Profile to Replace drop-down list, choose an RF profile.

The Select RF Profile to Replace drop-down list shows AI RF profiles and basic RF profiles.

If you select a basic RF profile from the drop-down list, a Confirm Impacted Sites window validates whether the same wireless controller manages the other site.

Review the Confirm Impacted Sites window and click Confirm to assign the chosen sites to the selected RF profile.

Step 10

Click Upload a CSV with RF settings back to upload a backup of the RF settings from your local machine.

Step 11

Click Choose a file to import the CSV file, or drag and drop the CSV file to the drag and drop area.

Note

 

The maximum size of the CSV file is 10 MB.

From the uploaded CSV file, if you find an RF setting based on the selected location name, a Confirm RF Settings for Selected Locations window shows the Location and Matched RF Profiles.

Step 12

Review the Confirm RF Settings for Selected Locations window and click Confirm.

Step 13

Click Unassign.

Step 14

In the confirmation window, click Continue.

Step 15

Click the menu icon () and choose Activities > Tasks > to view upcoming, in progress, completed, and failed unassign location to AI RF profile tasks.


What to do next

Provision Devices of an AI RF Profile-Enabled Building

The following procedure describes how to provision the devices across the AI RF profile assigned locations to deploy the AI RF profile.

  1. Click the menu icon () and choose Provision > Network Devices > Inventory.

    In the Inventory window, the Device table lists the discovered AI RF profile associated devices.

  2. Check the check box next to the AI RF profile associated device name that you want to provision.

  3. From the Actions drop-down list, choose Provision > Provision Device.

  4. Proceed through all the steps and in the Summary step, click Deploy.

  5. In the Summary window, review the remaining network settings that will be pushed to the device. For more information, see Wireless Device Provisioning Overview.

Upgrade a Basic Radio Frequency Profile to an AI Radio Frequency Profile

Before you begin

Ensure that the prerequisites are met. For more information, see Prerequisites for Configuring AI Radio Frequency Profiles.

To onboard a site in an AI-enhanced RRM service, at least one of the following services must be enabled:

  • Flexible Radio Assignment (FRA)

  • Dynamic Channel Assignment (DCA)

  • Transmit Power Control (TPC)

  • Dynamic Bandwidth Selection (DBS)

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

Check the check box next to the basic RF profile name that you want to upgrade to an AI RF profile.

Step 5

From the Action drop-down list, choose Upgrade to AI.

Step 6

In the confirmation window, click Yes.

Step 7

In the Edit AI RF Profile window, configure the AI RF profile settings. For more information, see Create an AI Radio Frequency Profile.


Create an AP Authorization List

Cisco DNA Center allows you to configure a list of authorized APs. Cisco DNA Center supports the following types of AP authorization:

  • Local authorization: Uses the AP MAC address, serial number, or both, for authorization against the local database.

  • AAA authorization: Uses a list of AAA servers for authorization.

You can choose the AP authorization list while provisioning the Cisco Wireless Controller. Cisco Wireless Controllers respond only to requests from the APs that are present in the AP authorization list.


Note


  • If both MAC address and serial number are required for an AP authorization, ensure that both are added to the AP authorization list. If one of these AP entries isn’t available in the AP authorization list provisioned for a wireless controller, the corresponding AP can't join the network.

  • For mesh AP (MAP), you must add the MAC address for AP authorization.

  • For Cisco AireOS Wireless Controllers, Cisco DNA Center supports only the MAC address for AP authorization. If you configure both MAC address and serial numbers, only MAC address is used for Cisco AireOS Wireless Controllers.

  • For Cisco Catalyst 9800 Series Wireless Controllers, Cisco DNA Center supports the configuration of AP authorization lists only on the wireless controllers running Cisco IOS Release 17.5 and later.


Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the AP Authorization List table, click Add.

Step 5

In the AP Authorization List slide-in pane, enter a name for the AP authorization list.

Step 6

To configure local authorization, do the following:

  1. In the Local Auth tab, check the Configure Local Authorization check box.

  2. In the Type area, choose an authorization type:

    • To use the AP MAC address for authorization, click Mac Address.

    • To use the AP serial number for authorization, click Serial Number.

  3. To enter the AP MAC address or serial number data, do one of the following:

    • To add the MAC address or serial number individually to the authorization list, click Add. In the AP Entry field, enter the data.

    • To upload the CSV file with the data, click Upload. In the dialog box, do the following:

      1. Drag and drop your CSV file into the drag and drop area. Alternatively, click Choose a file and browse to select your CSV file stored locally.

        Note

         

        If you don't have a CSV file, click Download to download a CSV file that you can edit and upload.

      2. Click Save.

  4. (Optional) To use both the MAC address and serial number for authorization:

    1. Click Mac Address and enter the AP MAC address data (6.c).

    2. Click Serial Number and enter the AP serial number data (6.c).

Step 7

To configure AAA authorization, do the following:

  1. In the AAA Auth tab, check the Configure AAA Authorization check box.

  2. Based on the AP authorization requirement for the AAA server, do one of the following:

    • If the AAA server uses only the MAC address for AP authorization, check the Authorize AP against MAC Address check box.

    • If the AAA server uses only the serial number for AP authorization, check the Authorize AP against Serial Number check box.

    • If the AAA server uses both the MAC address and serial number for AP authentication, check both the Authorize AP against MAC Address and Authorize AP against Serial Number check boxes.

  3. To add AP entries to the AP authorization list, do one of the following:

    • Click the plus icon () next to the required AP entry.

    • Click the AP entry and click Add Selected.

      Note

       

      To choose multiple AP entries, press Shift, click the AP entries, and click Add Selected.

    • To add all the AP entries to the AP authorization list, click Add All. You can use the Search field to filter the AP entries.

Step 8

Click Save.


Edit or Delete an AP Authorization List

Procedure

Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the AP Authorization List table, check the check box next to the authorization list name that you want to edit or delete.

  • To edit the AP authorization list, click Edit. In the AP Authorization List slide-in pane, edit the configuration as necessary, and click Save. For more information, see Create an AP Authorization List.
  • To delete the AP authorization list, click Delete, and then click Yes.

Create an Anchor Group

You can create anchor groups with up to three Cisco Wireless Controllers and set the priority for the anchors. You can add the following devices as anchors:

  • Cisco Wireless Controllers that are managed by Cisco DNA Center.

  • Cisco Wireless Controllers that are not managed by Cisco DNA Center (external wireless controllers).


Note


You must add at least one anchor to an anchor group.


Priority order of the anchors determines the traffic sharing across the anchors:

  • Equal sharing: When the priority order of all the anchors is the same (for example, 1, 1, and 1).

  • Partial sharing: When the priority order of more than one anchor is the same (for example, 1, 1, and 2).

  • Sequential sharing: When the priority order of the anchors is sequential (for example, 1, 2, and 3).

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the Anchor Group table, click Add.

Step 5

In the Anchor Group Name field of the Anchor Group slide-in pane, enter the anchor group name.

Step 6

To add a managed wireless controller as an anchor, click Add Managed WLC and do the following in the Add Managed WLC dialog box:

  1. Check the check box next to the name of the devices that you want to add as anchors.

    To search for a device, in the Search Table search field, enter either the partial name or the full name of the device and press Enter.

  2. Click Add.

Step 7

(Optional) To add an external wireless controller as an anchor, click Add External WLC and do the following in the Add External WLC dialog box:

  1. In the Device Name field, enter the device name.

  2. From the Device Series drop-down list, choose a device series.

  3. In the Peer IP Address field, enter the peer IP address.

  4. (Optional) In the NAT IP Address field, enter the Network Address Translation (NAT) IP address.

  5. In the MAC Address field, enter the MAC address of the device.

  6. In the Mobility Group Name field, enter the mobility group name.

  7. (Optional) In the Hash field, enter the hash for the Cisco Catalyst 9800 Series Wireless Controller.

    Note

     

    This field is available for only the Cisco Catalyst 9800-CL Wireless Controllers.

  8. Click Add.

Step 8

(Optional) To add an existing external wireless controller as an anchor, click Add Existing External WLC and do the following in the Add Existing External WLC dialog box:

  1. Check the check box next to the name of the devices that you want to add as anchors.

    To search for a device, in the Search Table search field, enter either the partial name or the full name of the device and press Enter.

  2. Click Add.

Step 9

(Optional) To set the priority for an anchor, from the Priority Order drop-down list, choose the priority for the anchor wireless controller.

Step 10

Click Save.


Edit or Delete an Anchor Group

Procedure

Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the Anchor Group table, check the check box next to the anchor group that you want to edit or delete.

  • To edit the anchor group, click Edit. In the Anchor Group slide-in pane, configure the anchors and click Save. For more information, see Create an Anchor Group.
  • To delete the anchor group, click Delete and then click Yes.

AP Profiles

AP profiles consolidate the AP authentication settings for Plug and Play (PnP), Cisco Advanced Wireless Intrusion Prevention System (aWIPS), rogue management, and mesh networks. AP profiles allow you to manage and provision APs.

Cisco DNA Center provides a default AP profile for Cisco IOS XE devices and Cisco AireOS devices. You can edit the default AP profiles, but you can't delete them. Site tags and AP groups generated by Cisco DNA Center use the default AP profiles.

If your authentication method is EAP-Transport Level Security (EAP-TLS), which uses certificate-based authentication, you cannot use a subordinate CA certificate. With EAP-TLS authentication for AP profiles, you can only use a root CA certificate.


Note


When you upgrade to Release 2.3.5.5 from an earlier version, by default, Cisco DNA Center doesn't push the default AP profile to the wireless controller. To update the default AP profile on the wireless controller, you must explicitly save it on the AP Profiles window. For more information, see Edit or Delete an AP Profile.

When you save the default AP profile, if there’s a difference between the current wireless controller configuration and the AP profile configuration saved on Cisco DNA Center, Cisco DNA Center pushes the default AP profile to the wireless controller during subsequent reprovisioning.

After saving the default AP profile, there’s no option to prevent Cisco DNA Center from pushing the default AP profile to the wireless controller during reprovisioning.


You can also create custom AP profiles for Cisco IOS XE and Cisco AireOS devices. To assign an AP profile to a site, associate it with a wireless network profile.

Create an AP Profile for Cisco IOS XE Devices

Procedure

Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the AP Profile table, hover your cursor over Add and choose AP Profile for IOS-XE.

Step 5

In the Create Access Point Profile window, enter a name for the AP profile.

Step 6

(Optional) Enter a description for the AP profile.

Step 7

If this AP profile is for remote teleworker APs or Cisco OfficeExtend APs, check the Remote Teleworker check box.

You can enable or disable the Remote Teleworker check box only while creating the AP profile. You can't update this option for existing AP profiles.

Note

 

Remote teleworker-enabled AP profiles don't support the following settings:

  • aWIPS application

  • Rogue detection

  • Mesh

  • Power

Step 8

Configure the required settings in the followings tabs:

  1. Management: For more information, see Configure Management Settings for an AP Profile for Cisco IOS XE Devices.

  2. Security: For more information, see Configure Security Settings for an AP Profile for Cisco IOS XE Devices.

  3. Mesh: For more information, see Configure Mesh Settings for an AP Profile for Cisco IOS XE Devices.

  4. Power: For more information, see Configure Power Settings for an AP Profile for Cisco IOS XE Devices.

  5. Additional: For more information, see Configure Additional Settings for an AP Profile for Cisco IOS XE Devices.

Step 9

Click Save.


Configure Management Settings for an AP Profile for Cisco IOS XE Devices

Use this procedure to configure the following for an AP profile for Cisco IOS XE devices:

  • Authentication settings to onboard APs securely during the PnP claim process. Based on the authentication settings configured at the global-level or site-level hierarchy in Cisco DNA Center, PnP pushes the 802.1x (Dot1x) supplicant and certificates when claiming an AP. The AP uses the 802.1x supplicant for authenticating with Cisco ISE.

  • Authentication settings for day n authentication of APs.

  • Credentials for console access, SSH, and Telnet.

  • Enabling Cisco Discovery Protocol (CDP) to make an AP discoverable to its neighboring devices.

Procedure

Step 1

In the Create Access Point Profile window (Design > Network Settings > Wireless > AP Profile table > Add > AP Profile for IOS-XE), click the Management tab.

Step 2

In the Access Points Authentication area, choose an authentication method.

Note

 

This authentication method is used during the AP PnP claim and day n authentication. Changing the authentication method impacts the service of the APs onboarded through the PnP claim process. If you change the authentication method, perform a factory reset for the APs onboarded through PnP claim process. If an AP joins with a different Extensible Authentication Protocol (EAP) method, the EAP method changes based on the authentication method that you choose.

The following authentication methods are available:

  • NO-AUTH: Default authentication method.

  • EAP-TLS: EAP-Transport Level Security (EAP-TLS) uses certificate-based authentication.

  • EAP-PEAP: EAP-Protected Extensible Authentication Protocol (EAP-PEAP) provides mutual authentication, ensures confidentiality and integrity to vulnerable user credentials, protects itself against passive (eavesdropping) and active (man-in-the-middle) attacks, and securely generates cryptographic keying material. EAP-PEAP is compatible with the IEEE 802.1X standard and RADIUS protocol.

    If you choose EAP-PEAP, enter a username and password. Cisco DNA Center generates a certificate and applies it during the PnP claim process.

  • EAP-FAST: EAP-Flexible Authentication through Secure Tunneling (EAP-FAST) provides mutual authentication and uses a shared secret to establish a tunnel. The tunnel is used to protect weak authentication methods that are based on passwords. The shared secret, referred to as a Protected Access Credentials (PAC) key, is used to mutually authenticate the client and server while securing the tunnel.

    If you choose EAP-FAST, enter a username and password. Cisco DNA Center generates a certificate and applies it during the PnP claim process.

Step 3

In the SSH and Telnet area, configure the following:

  1. (Optional) Click the SSH toggle button to configure the credentials for SSH.

  2. (Optional) Click the Telnet toggle button to configure the credentials for Telnet.

  3. In the Username field, enter the name used to authenticate the device.

    Username can’t contain spaces or angle brackets (< >).

    Note

     

    If you disable SSH and Telnet, the Username field is optional.

  4. In the Password field, enter the password used to authenticate the device.

    Note

     

    If you disable SSH and Telnet, the Password field is optional.

  5. In the Enable Password field, enter the password to enable a higher privilege level in the CLI.

    Note

     

    If you disable SSH and Telnet, the Enable Password field is optional.

Step 4

In the Cisco Discovery Protocol (CDP) State area, click the CDP State toggle button to enable or disable CDP.


What to do next

Configure the other necessary settings for the AP profile. For more information, see Create an AP Profile for Cisco IOS XE Devices.

Configure Security Settings for an AP Profile for Cisco IOS XE Devices

Use this procedure to configure the following for an AP profile for Cisco IOS XE devices:

  • Cisco Advanced Wireless Intrusion Prevention System (aWIPS) and forensic capture to detect intrusion threats and mitigate them. Cisco DNA Center supports aWIPS for devices running Cisco IOS XE Release 17.3.1 or later.

  • Rogue detection to detect the APs that are installed on the network without explicit authorization from a system administrator. Cisco DNA Center supports rogue detection for devices running Cisco IOS XE Release 17.4 or later.

Procedure

Step 1

In the Create Access Point Profile window (Design > Network Settings > Wireless > AP Profile table > Add > AP Profile for IOS-XE), click the Security tab.

Step 2

In the aWIPS and Forensic Capture Enablement area, configure the following:

  1. Click the aWIPS toggle button to enable or disable aWIPS.

  2. Click the Forensic Capture Enablement toggle button to enable or disable forensic capture.

    Note

     

    You must enable the aWIPS toggle button to use the Forensic Capture Enablement toggle button.

Step 3

In the Rogue Detection area, click the Rogue Detection toggle button to enable or disable rogue detection.


What to do next

Configure the other necessary settings for the AP profile. For more information, see Create an AP Profile for Cisco IOS XE Devices.

Configure Mesh Settings for an AP Profile for Cisco IOS XE Devices

Use this procedure to configure the mesh settings for an AP profile for Cisco IOS XE devices.

Before you begin

Ensure that you add the MAC address of the mesh access point (MAP) to the AP authorization list. For more information, see Create an AP Authorization List.

Procedure

Step 1

In the Create Access Point Profile window (Design > Network Settings > Wireless > AP Profile table > Add > AP Profile for IOS-XE), click the Mesh tab.

Step 2

Click the Mesh toggle button.

Note

 

If you disable the Mesh toggle button, the existing custom mesh settings are deleted, and the AP profile is associated with the default mesh profile on the device.

Step 3

(Optional) In the Range - Root AP to Mesh AP (in feet) field, enter the maximum range (in feet) from the root access points (RAP) to the MAPs in the network. The valid range is from 150 feet through 132000 feet.

Step 4

(Optional) To allow wireless client association over the backhaul radio, check the Backhaul Client Access check box.

Generally, the backhaul radio is a 5-GHz radio for most of the MAPs. The backhaul radio can carry both backhaul traffic and client traffic.

If you disable the Backhaul Client Access check box, Cisco DNA Center sends only backhaul traffic over the backhaul radio, and client association is only over the secondary radio or radios.

Step 5

(Optional) In the RAP Downlink Backhaul area, choose the required option.

If your country prohibits the use of 5 GHz, choose 2.4 GHz. Even if your country allows the use of 5 GHz, consider using 2.4 GHz because 2.4-GHz radio can cover larger mesh or bridge distances.

Note

 

When you change the RAP configuration from 5 GHz to 2.4 GHz, Cisco DNA Center propagates the update from the RAP to all the MAPs. At this point, the MAPs disconnect from the 5-GHz network and connect to the 2.4-GHz network.

Step 6

(Optional) In the Backhaul Data Rates area, from the 5GHz Band Radio Type and 2.4GHz Band Radio Type drop-down lists, choose an interface rate.

Valid backhaul interface rates are 802.11abg, 802.11n, 802.11ac (5-GHz band radio only), 802.11ax, and Auto, depending on the AP. Backhaul creates a wireless connection between the APs. The rate selection is important for effective use of the available RF spectrum. The rate can also affect the throughput of client devices.

With the Auto data rate, each link can arrive at the best possible rate for its link quality.

We recommend that you configure the mesh backhaul data rate as Auto.

Step 7

(Optional) In the Bridge Group Name field in the Bridge Group area, enter a name of up to 10 characters for the bridge group.

A bridge group name controls the association of MAPs. By grouping radios, two networks on the same channel, but in different bridge group names can’t communicate with one another. This setting is also useful if you have more than one RAP in your network in the same sector (area).

If you don't enter a bridge group name, Cisco DNA Center uses the Default bridge group name for the mesh profile.


What to do next

Configure the other necessary settings for the AP profile. For more information, see Create an AP Profile for Cisco IOS XE Devices.

Configure Power Settings for an AP Profile for Cisco IOS XE Devices

Use this procedure to configure the following for an AP profile for Cisco IOS XE devices:

  • AP power profile: If an AP doesn't receive the required power, it functions in a derated state based on the settings in the AP power profile. For more information, see Create an AP Power Profile.


    Note


    The power settings are applicable only for the Cisco Wireless Controllers running Cisco IOS XE Release 17.10.1 and later.


  • Calendar power profile: You can create calendar power profiles for APs that are in power save mode. You can map multiple AP power profiles to different calendar schedules as required. Based on the configured schedule, Cisco DNA Center runs all the rules defined in the AP power profiles simultaneously.

Procedure

Step 1

In the Create Access Point Profile window (Design > Network Settings > Wireless > AP Profile table > Add > AP Profile for IOS-XE), click the Power tab.

Step 2

In the AP Power Profile area, from the Select Value drop-down list, choose a power profile.

(To create a power profile, click Create New and configure the parameters. For more information, see Create an AP Power Profile.)

Step 3

In the Calendar Power Profile area, do the following:

  1. To add a calendar power profile, click Add. In the Add Calendar Power Profile slide-in pane, do the following:

    1. From the Select Power Profile drop-down list, choose a power profile.

      To create a power profile, click Create New and configure the parameters. For more information, see Create an AP Power Profile.

    2. Choose the recurrence frequency for applying the power profile rules to the APs:

      • Daily: Applies the power profile rules to APs daily.

      • Weekly: Applies the power profile rules to APs every week on the selected days. Click the required day to select it.

      • Monthly: Applies the power profile rules to APs every month on the selected dates. Click the required date to select it.

    3. Specify the start time and end time for the power profile rules.

    4. Click Save.

  2. (Optional) To edit a power profile rule, check the check box next to the corresponding power profile name and click Edit. In the Edit Power Profile slide-in pane, edit the required parameters and click Save.

  3. (Optional) To delete a power profile, check the check box next to the corresponding power profile name, click Delete, and then click Yes.


What to do next

Configure the other necessary settings for the AP profile. For more information, see Create an AP Profile for Cisco IOS XE Devices.

Configure Additional Settings for an AP Profile for Cisco IOS XE Devices

Use this procedure to configure the following for an AP profile for Cisco IOS XE devices:

  • Country code: Set the country code for the Rest of World (ROW) domain APs that don't have a country code configured already.


    Note


    The country code setting doesn't impact the APs that already have a country code configured.


  • Time zone: Choose the time zone for the APs.

  • Client limit: Specify the maximum number of allowed clients.

Procedure

Step 1

In the Create Access Point Profile window (Design > Network Settings > Wireless > AP Profile table > Add > AP Profile for IOS-XE), click the Additional tab.

Step 2

In the Country Code area, from the Select Value drop-down list, choose a country for ROW APs that don't have a country code configured.

Step 3

In the Time Zone area, choose one of the following options:

  • Not Configured: APs operate in the UTC time zone.
  • Controller: APs operate in the Cisco Wireless Controller time zone.
  • Delta from Controller: APs operate in the offset time from the wireless controller time zone. Configure the following offset values:
    • HH: Enter the hour value. The valid range is from -12 through 14.

    • MM: Enter the minute value. The valid range is from 0 through 59.

Step 4

In the Client Limit area, enter a value for the maximum client limit. The valid range is from 0 through 1200.


What to do next

After configuring all the necessary settings for the AP profile, click Save. For more information, see Create an AP Profile for Cisco IOS XE Devices.

Create an AP Profile for Cisco AireOS Devices

For Cisco AireOS devices, AP profiles group the AP-level parameters and configurations. AP profiles can be mapped to custom AP groups. When APs are provisioned, all the APs under the corresponding AP group are configured with the settings available in the AP profile.

Procedure

Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the AP Profile table, hover your cursor over Add and choose AP Profile for AireOS.

Step 5

In the Create Access Point Profile window, enter a name for the AP profile.

Step 6

(Optional) Enter a description for the AP profile.

Step 7

If this AP profile is for remote teleworker APs or Cisco OfficeExtend APs, check the Remote Teleworker check box.

You can enable or disable the Remote Teleworker check box only while creating the AP profile. You can't update this option for existing AP profiles.

Note

 

Remote teleworker-enabled AP profiles don't support the following settings:

  • Rogue detection

  • Mesh

Step 8

Configure the required settings in the followings tabs:

  1. Management: For more information, see Configure Management Settings for an AP Profile for Cisco AireOS Devices.

  2. Security: For more information, see Configure Security Settings for an AP Profile for Cisco AireOS Devices.

  3. Mesh: For more information, see Configure Mesh Settings for an AP Profile for Cisco AireOS Devices.

Step 9

Click Save.


Configure Management Settings for an AP Profile for Cisco AireOS Devices

Use this procedure to configure the following for an AP profile for Cisco AireOS devices:

  • Credentials for console access, SSH, and Telnet.

  • Enable Cisco Discovery Protocol (CDP) to make the AP discoverable to its neighboring devices.

Procedure

Step 1

In the Create Access Point Profile window (Design > Network Settings > Wireless > AP Profile table > Add > AP Profile for AireOS), click the Management tab.

Step 2

In the SSH and Telnet area, configure the following:

  1. (Optional) Click the SSH toggle button to configure the credentials for SSH.

  2. (Optional) Click the Telnet toggle button to configure the credentials for Telnet.

  3. In the Username field, enter the name used to authenticate the device.

    Username can’t contain spaces or angle brackets (< >).

    Note

     

    If you disable SSH and Telnet, the Username field is optional.

  4. In the Password field, enter the password used to authenticate the device.

    Note

     

    If you disable SSH and Telnet, the Password field is optional.

  5. In the Enable Password field, enter the password to enable a higher privilege level in the CLI.

    Note

     

    If you disable SSH and Telnet, the Enable Password field is optional.

Step 3

In the Cisco Discovery Protocol (CDP) State area, click the CDP State toggle button to enable or disable CDP.


What to do next

Configure the other necessary settings for the AP profile. For more information, see Create an AP Profile for Cisco AireOS Devices.

Configure Security Settings for an AP Profile for Cisco AireOS Devices

Use this procedure to configure rogue detection for an AP profile for Cisco AireOS devices. Rogue detection allows you to detect the APs that are installed on the network without explicit authorization from a system administrator.

Procedure

Step 1

In the Create Access Point Profile window (Design > Network Settings > Wireless > AP Profile table > Add > AP Profile for AireOS), click the Security tab.

Step 2

In the Rogue Detection area, click the Rogue Detection toggle button to enable or disable rogue detection.


What to do next

Configure the other necessary settings for the AP profile. For more information, see Create an AP Profile for Cisco AireOS Devices.

Configure Mesh Settings for an AP Profile for Cisco AireOS Devices

Use this procedure to configure the mesh settings for an AP profile for Cisco AireOS devices.

Before you begin

Ensure that you add the MAC address of the MAP to the AP authorization list. For more information, see Create an AP Authorization List.

Procedure

Step 1

In the Create Access Point Profile window (Design > Network Settings > Wireless > AP Profile table > Add > AP Profile for AireOS), click the Mesh tab.

Step 2

Click the Mesh toggle button.

Step 3

(Optional) In the RAP Downlink Backhaul area, click the radio button next to the required option.

If your country prohibits the use of 5 GHz, choose 2.4 GHz. Even if your country allows the use of 5 GHz, consider using 2.4 GHz because 2.4-GHz radio can cover larger mesh or bridge distances.

Note

 

When you change the RAP configuration from 5 GHz to 2.4 GHz, Cisco DNA Center propagates the update from the RAP to all the MAPs. At this point, the MAPs disconnect from the 5-GHz network and connect to the 2.4-GHz network.

Step 4

(Optional) In the Bridge Group Name field in the Bridge Group area, enter a name of up to 10 characters for the bridge group.

A bridge group name controls the association of MAPs. By grouping radios, two networks on the same channel, but in different bridge group names, can’t communicate with one another. This setting is also useful if you have more than one RAP in your network in the same sector (area).

If you don't enter a bridge group name, Cisco DNA Center uses the Default bridge group name for the mesh profile.


What to do next

After configuring all the necessary settings for the AP profile, click Save. For more information, see Create an AP Profile for Cisco AireOS Devices.

Edit or Delete an AP Profile

Procedure

Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the AP Profile table, check the check box next to the AP profile that you want to edit or delete.


Create an AP Power Profile

You can create AP power profiles for Cisco Wireless Controllers running Cisco IOS XE Release 17.10.1 and later. Assign an AP power profile to APs by associating it to an AP profile. You can define multiple rules for an AP power profile and specify the sequences of rules.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the AP Power Profile table, click Add.

Step 5

In the Create Power Profile slide-in pane, enter a name for the AP power profile.

Step 6

(Optional) Enter a description for the AP power profile.

Step 7

To create a rule for the AP power profile, click Add.

Step 8

In the Rule dialog box, configure the following:

  1. From the Interface drop-down list, choose a type of interface.

  2. From the Interface ID drop-down list, choose an interface ID.

    Note

     

    If only one interface ID is available, Cisco DNA Center automatically selects the available interface ID.

  3. From the Parameter drop-down list, choose a parameter.

    Note

     

    If only one parameter is available, Cisco DNA Center automatically selects the available parameter.

  4. From the Parameter Value drop-down list, choose a parameter value.

    Note

     

    If only one parameter value is available, Cisco DNA Center automatically selects the available parameter value.

  5. Click Add.

Step 9

(Optional) To create another rule for the AP power profile, repeat Step 7 and Step 8.

Step 10

(Optional) To update the sequence of a rule in the Rules table, click the corresponding icon icon, and drag and drop the rule to the required position.

Step 11

Click Save.


What to do next

Associate the AP power profile with an AP profile. For more information, see Create an AP Profile for Cisco IOS XE Devices.

Edit or Delete an AP Power Profile

Procedure

Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose Global.

Step 4

In the AP Power Profile table, check the check box next to the AP power profile that you want to edit or delete.

  • To edit the AP power profile, click Edit. In the Edit Power Profile slide-in pane, edit the description, rules, and sequence as necessary, and click Save. For more information, see Create an AP Power Profile.
  • To delete the AP power profile, click Delete, and then click Yes.

Provision a Cisco Sensor SSID for Nonfabric Deployment

  • The Cisco DNA Center sensor uses the Cisco sensor provisioning Service Set Identifier (SSID) to communicate with the Plug and Play (PnP) server and obtain day-0 configurations for running tests.


    Note


    The Cisco sensor provisioning SSID is not applicable for APs working as sensors.
  • For fabric deployments, the Cisco sensor provisioning SSID is mapped to an Infrastructure Virtual Network Access Point (INFRA VN–AP) pool to communicate with Cisco DNA Center.

  • The following platforms support the Cisco sensor provisioning SSID:

    • Cisco AireOS Controller

    • Cisco Catalyst 9800 Series Wireless Controller (both fabric and nonfabric deployments)

  • The Cisco sensor provisioning SSID supports the following network controllers:

    • Cisco Catalyst 9800 Wireless Controllers for Cloud

    • Cisco Catalyst 9800 Series Wireless Controller

    • Cisco AireOS Controller

The following procedure enables you to configure the Cisco sensor provisioning SSID for nonfabric deployments.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the SSID table, hover over and choose Enterprise.

The Wireless SSID workflow appears.

Step 4

Toggle the Sensor field and click Next.

Note

 

The parameters for the SSID are automatically populated and cannot be edited.

Step 5

Click Next.

Step 6

In the Wireless Profiles screen, check a profile from the Profiles table.

The Edit Wireless Profile dialog box appears.

Step 7

In Fabric, select Yes and click Save.

The Success Profile sensorProfile selected message appears.

Step 8

Click Finish.

Step 9

Click the menu icon () and choose Provision > Network Devices > Inventory.

Step 10

Check a device and from the Actions drop-down menu, choose Provision > Provision Device.

Step 11

Review the details under Assign Site, Configuration, Model Configuration, Advanced Configuration, and Summary. Click Next after each screen.

Step 12

Click Deploy.

The Provision Device dialog box is displayed.

Step 13

Choose Now and click Apply.

Result: The message Task Scheduled view status in Tasks appears at the bottom-right corner.


Manage Backhaul Settings

Use this procedure to view, create, and manage backhaul configurations for wireless sensors. A wireless sensor requires a backhaul SSID to communicate with Cisco DNA Center.

Procedure


Step 1

Click the menu icon () and choose Assurance > Manage > Sensors.

The Sensor List window appears.

Step 2

Hover your cursor over the Settings tab and choose Backhaul Settings.

Step 3

You can add and manage backhaul SSIDs by doing the following:

  1. Click + Add Backhaul.

    The Create Sensor Backhaul SSID Assignment window appears with two areas: Wired Backhaul and Wireless Backhaul.

  2. In the Settings Name field, enter a name for the backhaul SSID.

  3. In the Wired Backhaul area, configure the following:

    • Level of Security: Displays the encryption and authentication type used by the selected SSID. The available security options are:

      • 802.1x EAP: Standard used for passing Extensible Authentication Protocol (EAP) over wired LAN.

      • Open: No security or authentication is used.

    • EAP Method: If you choose 802.1x EAP, you must choose one of the following EAP methods for user authentication from the drop-down list:

      • EAP-FAST: Enter the username and password in the fields provided.

      • PEAP-MSCHAPv2: Enter the username and password in the fields provided.

      • EAP-TLS: Choose Enroll Using Certificate Bundle or Enroll Using SCEP.

        If you choose Enroll Using Certificate Bundle, click the drop-down arrow under Certificate Bundle, click + Add New Certificate Bundle, and enter the username and certificate bundle password.

      • PEAP-TLS: Choose Enroll Using Certificate Bundle or Enroll Using SCEP.

        If you choose Enroll Using Certificate Bundle, click the drop-down arrow under Certificate Bundle, click + Add New Certificate Bundle, and enter the username and certificate bundle password.

  4. In the Wireless Network Name (SSID) area, select the wireless network (SSID) and configure the following.

    • Level of Security: Displays the encryption and authentication type used by the selected SSID. The available security options are:

      • WPA2 Enterprise: Provides a higher level of security using Extensible Authentication Protocol (EAP) (802.1x) to authenticate and authorize network users with a remote RADIUS server.

      • WPA2-Personal: Provides a good security using a passphrase or a preshared key (PSK). This allows anyone with the passkey to access the wireless network.

        If you select WPA2 Personal, enter the passphrase in the Passphrase text box.

      • PSK Format: The available preshared key formats are:

        • ASCII: Supports ASCII PSK passphrase.

        • HEX: Supports 64-character HEX key PSK password.

      • Open: No security or authentication is used.

  5. Click Save.

Step 4

You can edit the existing backhaul configurations by doing the following:

  1. Check the check box of the backhaul configuration.

  2. Hover your cursor over the Actions drop-down list and choose Edit.

Step 5

You can delete a backhaul configuration by doing the following:

  1. Check the check box of the backhaul configuration.

  2. Hover your cursor over the Actions drop-down list and choose Delete.


About Cisco Connected Mobile Experiences Integration

Cisco DNA Center supports the integration of Cisco Connected Mobile Experiences (CMX) for wireless maps. With the CMX integration, you can get the exact location of your wireless clients, rogue access points and interferers on the floor map within the Cisco DNA Center user interface.

Depending on your requirements, you can create CMX settings either at the global level or at the site, building, or floor level. For a small enterprise, you can assign CMX at the global level, which is the parent node. All children inherit their settings from the parent node. For a medium enterprise, you can assign CMX at the building level and for a small enterprise, you can assign CMX at the floor level.


Note


CMX should be anonymized for security purposes.


Create Cisco CMX Settings

Procedure

Step 1

Click the menu icon () and choose System > Settings.

Step 2

From the External Services section, click CMX Servers/Cisco Spaces.

The CMX Servers/Cisco Spaces window opens.

Step 3

From the CMX Servers table, click Add.

Step 4

Complete the fields in the Add CMX Server slide-in pane:

  • IP Address: Enter the valid IP address of the CMX web GUI.

  • User Name: Enter the CMX web GUI username.

  • Password: Enter the password credentials.

  • SSH User Name: Enter the CMX admin username.

  • SSH Password: Enter the CMX admin password credentials.

Note

 
Make sure that CMX is reachable.

Step 5

Click Add.

The CMX server is added successfully.

Step 6

To assign a CMX server to a site, building, or a floor, click the menu icon and choose Design > Network Settings.

Step 7

Click the Wireless tab.

Step 8

From the left hierarchy tree, choose either Global or the required area, building, or floor.

Step 9

In the CMX Servers/Cisco Spaces section, use the drop-down list, choose the CMX server.

Step 10

Click Save.

The Create CMX Settings window opens.

After the CMX is added, if you make any changes to the floor on the Network Hierarchy page, the changes are synchronized automatically with the CMX.

When the CMX is synced, Cisco DNA Center starts querying the CMX for the client location and displays the location on the floor map.

Step 11

From the floor map, you can do the following:

  • View the location of the client, which is shown as a blue dot.

  • Hover your cursor over an AP. A dialog box is displayed with Info, Rx Neighbor, and Clients tabs. Click each tab for more information. Click Device 360 to open the Device 360 window and view issues. Click an issue to see the location of the issue and the location of the client device.

  • Click an AP to open a side bar with details about the AP.

  • Perform real-time client tracking when Intelligent Capture and CMX are integrated.

Step 12

If the CMX was down when you made changes, you must synchronize manually. To do so, on the Network Hierarchy page, hover your cursor over the ellipsis next to the building or floor on which you made the changes in the left hierarchy tree, and then choose Sync: CMX Server/Cisco Spaces to push the changes manually.

Step 13

To edit the CMX server details or delete a CMX server, do the following:

  1. Click the menu icon () and choose System > Settings.

  2. From the External Services section, click CMX Servers/Cisco Spaces.

  3. Select the CMX server that you want to edit, make any changes, and click Update.

  4. Select the CMX server that you want to delete and click Delete.

  5. Click OK to confirm the deletion.


For CMX Authentication Failure

  • Check if you are able to log in to the CMX web GUI with the credentials that you provided at the time of CMX settings creation on Cisco DNA Center.

  • Check if you are able to log in to the CMX console using SSH.

  • Check if you are able to exercise CMX REST APIs using the API Documentation link on the CMX GUI.

If Clients Do Not Appear on the Cisco DNA Center Floor Map

  • Check if the Cisco wireless controller on the particular floor is configured with CMX and is active.

  • Check if the CMX GUI shows clients on the floor map.

  • Use the Cisco DNA Center Maps API to list the clients on the floor: curl -k -u <user>:<password> -X GET /api/v1/dna-maps-service/domains/<floor group id>/clients?associated=true

About Cisco Spaces Integration

Enterprises operating in the physical world have limited to no visibility into the behavior of people and connected assets within their buildings. Cisco Spaces solves this physical blind-spot problem using location-sensing intelligence from all underlying Cisco wireless networks and translating the data into business-ready insights.

Cisco DNA Center integrates with Cisco Spaces to provide you with the exact location of wireless clients, rogue APs, and interferers on Cisco DNA Center floor maps. Depending on your requirements, you can create Cisco Spaces settings either at the global level or at the site, building, or floor level.

When you assign Cisco Spaces at the global level or at the site, building, or floor level, Cisco DNA Center automatically sends the floor map configuration to Cisco Spaces. Similarly, any time you save a change to a floor map, Cisco DNA Center automatically synchronizes the floor map configuration with Cisco Spaces. Synchronization occurs serially; one floor map doesn’t start to synchronize until the previously configured floor map synchronization is completed. So, if multiple floors are configured in close succession, it can take a long time to complete.

You can also trigger a manual synchronization of floor maps to Cisco Spaces. However, we recommend that you use discretion when using this option. When a manual synchronization is triggered, the Cisco DNA Center GUI hangs until the synchronization has completed and Cisco DNA Center returns a response to indicate the synchronization success or failure. Additionally, if an automatic synchronization is already in progress when a manual synchronization is triggered, the manual synchronization won't start until the automatic synchronization is done. While waiting for the automatic synchronization to end and during the manual synchronization itself, the Cisco DNA Center GUI hangs. In these cases, depending on the number of floor maps contained in the site, the Cisco DNA Center GUI could hang for a long period.

Therefore, you should use the manual synchronization option only in the unlikely event that the automatic map synchronization to Cisco Spaces fails due to a network issue or a temporary service outage. The manual synchronization option should not be used on a consistent basis to update floor map changes with to Cisco Spaces.

To integrate Cisco Spaces with Cisco DNA Center, see the "Cisco DNA Center Integration" section in the Cisco Spaces Configuration Guide.

Assign Cisco Spaces to Sites

To monitor sites using Cisco Spaces, you need to assign Cisco Spaces to the site that you want to monitor.

Before you begin

Integrate Cisco Spaces with Cisco DNA Center. For details, see the Cisco Spaces Configuration Guide.

Procedure

Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose either Global or the area, building, or floor to which you want to assign Cisco Spaces.

Step 4

Click DNA Spaces/CMX Servers.

Step 5

In the DNA Spaces/CMX Servers section, from the Location Services drop-down list, select a site.

Step 6

Click Save.

Cisco DNA Center deploys the site information to Cisco Spaces automatically.


Monitor Sites Using Cisco Spaces

You can monitor sites using Cisco Spaces.

Before you begin
  • Integrate Cisco Spaces with Cisco DNA Center. For details, see the Cisco Spaces Configuration Guide.

  • Assign Cisco Spaces to the site that you want to monitor.

Procedure

Step 1

In the Cisco DNA Center GUI, click the menu icon () and choose Design > Network Hierarchy.

Step 2

From the left hierarchy tree, choose either Global or the area, building, or floor that you want Cisco Spaces to monitor.

Step 3

To confirm that Cisco Spaces is operational, verify that the Cisco Spaces/CMX status icon displays on the floor that you want to monitor, as shown in the following figure.


Configure a FlexConnect VLAN

You can configure the following FlexConnect VLAN settings:

  • Native VLAN: Allows a FlexConnect group to carry the management traffic between APs and Cisco Wireless Controllers.

  • AAA Override VLAN: Provides dynamic VLAN assignment of locally switched clients.

You can apply these settings at the global level and override them at the site, building, or floor level.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

From the left hierarchy tree, choose the required site:

  • Global: Configures the VLAN at the global level for all sites.

  • Area, building, or floor: Configures the VLAN at the chosen level only.

Step 4

In the Native VLAN ID field, enter a value for the VLAN ID. The valid range is from 1 through 4094.

Step 5

For the AAA Override VLAN settings, enter a VLAN ID and VLAN name mapping in the corresponding VLAN ID and VLAN Name fields. To add more mappings, click the Add icon.

Note

 

The maximum number of VLAN mappings that you can define for a FlexConnect deployment is 16. However, for Cisco Catalyst 9800 Series Wireless Controllers, this number includes default WLAN VLANs and VLANs pushed by AAA.

Step 6

Click Save.


What to do next

Create a wireless network profile or configure an SSID:

For the saved FlexConnect VLAN settings to get configured on the wireless controller, you must provision the wireless controller. For information, see Provision a Cisco AireOS Controller or Configure and Provision a Cisco Catalyst 9800 Series Wireless Controller.

After provisioning the wireless controller, you must provision the AP that is associated with the controller.

About Wireless Mesh Networks

In a Cisco wireless mesh network, Access Points (APs) operate in one of the following two ways:

  • Root Access Point (RAP): Connected to the wired network at each location.

  • Mesh Access Point (MAP): Communicate wirelessly while providing secure and scalable wireless LAN.


Note


All APs are configured and shipped as MAPs. To use an AP as a RAP, you must reconfigure it as a RAP. In all mesh networks, make sure that there is at least one RAP.


RAPs are connected to the wired network at each location. All the downstream APs operate as MAPs and communicate using wireless links.

The topology displays a wireless mesh network consisting of root AP and mesh AP.

Both MAPs and RAPs can provide WLAN client access. However, typically, the location of RAPs is often not suitable for providing client access.

Some buildings have onsite controllers to terminate CAPWAP sessions from the MAPs, but it’s not a mandatory requirement because CAPWAP sessions can be backhauled to a controller over a wide-area network (WAN).

In a Cisco wireless backhaul network, traffic can be bridged between MAPs and RAPs. This traffic can be from wired devices that are being bridged by the wireless mesh or CAPWAP traffic from the MAPs. This traffic is always AES encrypted when it crosses a wireless mesh link such as a wireless backhaul.

For more information about mesh networks, see the latest Cisco Wireless Mesh Access Points, Design and Deployment Guide.

Cisco Wireless Controller Configuration

For mesh networks, you need to configure a list of authorized APs in the controllers. Controllers respond only to requests from the MAPs that are present in its authorization list.


Note


Cisco DNA Center supports the configuration of authorization lists on Cisco Catalyst 9800 Series Wireless Controller running Cisco IOS Release 17.5 and later.


Both Cisco AireOS Wireless Controller and Cisco Catalyst 9800 Series Wireless Controller can use Cisco DNA Center to configure the Bridge Group Name (BGN) and RAP downlink backhaul mesh settings. In Cisco Catalyst 9800 Series Wireless Controller, you can also configure the maximum range of the MAPs, backhaul client access, and backhaul data rates.

These settings are configured for the global site in the Create AP Profile window. For more information, see Configure Mesh Settings for an AP Profile for Cisco IOS XE Devices and Configure Mesh Settings for an AP Profile for Cisco AireOS Devices.

AP Configuration

If you have existing APs that you want to use in mesh network mode, you must first change the AP Mode to Bridge or Flex+Bridge using the Configure Access Point workflow. For information, see Configure AP Workflow.

After an AP is configured for Bridge or Flex+Bridge mode, the AP 360 window shows the mesh configuration. At this point, you need to provision the APs with the new configuration. Provision a Cisco AP—Day 1 AP Provisioning.

Configure a Certificate Revocation Check

Use the following steps to configure a certificate revocation check for the controller certificate.

Procedure


Step 1

Click the menu icon () and choose Design > Network Settings > Security and Trust.

Step 2

From the left hierarchy tree, choose a site, building, or floor.

Step 3

In the Revocation Check drop-down list, Revocation - Check: CRL None is selected by default.

Step 4

To skip the revocation check, choose Revocation - Check: None and click Save.