Mobile Concierge is a solution that enables 802.1X-capable clients to interwork with external networks. The Mobile Concierge feature provides service availability information to clients and can help them associate with available networks.
The services offered by the network can be broadly classified into two protocols:
Configuring Mobile Concierge (802.11u)
To enable or disable 802.11u on a WLAN, enter this command:
config wlan hotspot dot11u {enable | disable} wlan-id
To add or delete information about a third generation partnership project's cellular network, enter this command:
config wlan hotspot dot11u 3gpp-info {add index mobile-country-code network-code wlan-id | delete index wlan-id}
To configure the domain name for the entity operating in the 802.11u network, enter this command:
config wlan hotspot dot11u domain {{{add | modify} wlan-id domain-index domain-name} | {delete wlan-id domain-index}}
To configure a homogeneous extended service set identifier (HESSID) value for a WLAN, enter this command:
config wlan hotspot dot11u hessid hessid wlan-id
The HESSID is a 6-octet MAC address that identifies the homogeneous ESS.
To configure the IP address availability type for the IPv4 and IPv6 IP addresses on the WLAN, enter this command:
config wlan hotspot dot11u ipaddr-type ipv4-type ipv6-type wlan-id
To configure the network authentication type, enter this command:
config wlan hotspot dot11u auth-type network-auth wlan-id
To configure the Roaming Consortium OI list, enter this command:
config wlan hotspot dot11u roam-oi {{{add | modify} wlan-id oi-index oi is-beacon} | {delete wlan-id oi-index}}
To configure the 802.11u network type and internet access, enter this command:
config wlan hotspot dot11u network-type wlan-id network-type internet-access
To configure the realm for the WLAN, enter this command:
config wlan hotspot dot11u nai-realm {{{add | modify} realm-name wlan-id realm-index realm-name} | {delete realm-name wlan-id realm-index}}
To configure the authentication method for the realm, enter this command:
config wlan hotspot dot11u nai-realm {add | modify} auth-method wlan-id realm-index eap-index auth-index auth-method auth-parameter
To delete the authentication method for the realm, enter this command:
config wlan hotspot dot11u nai-realm delete auth-method wlan-id realm-index eap-index auth-index
To configure the extensible authentication protocol (EAP) method for the realm, enter this command:
config wlan hotspot dot11u nai-realm {add | modify} eap-method wlan-id realm-index eap-index eap-method
To delete the EAP method for the realm, enter this command:
config wlan hotspot dot11u nai-realm delete eap-method wlan-id realm-index eap-index
Online Sign Up (OSU) is a process in which a mobile device is registered with a service provider, enabling users to select a plan to obtain network access. After the sign-up, the device receives the users' credentials to connect to the network. A network architecture for OSU is given below, which consists of a service provider network and a hotspot:
The service provider network consists of an OSU server, an Authentication, Authorization and Accounting (AAA) server, and (access to) a Certification Authority (CA). These devices may be co-located or separate.
The hotspot has its own OSU, which is optional, and a AAA server. The hotspot is configured to allow only HTTPS traffic to OSU servers. An OSU server registers new customers and provides security credentials to their mobile devices. It can also be used to initially provision devices of existing customers. The AAA server of the service provider is used to authenticate subscribers based on the information received from the OSU server.
The OSU process ensures that:
A user is communicating with the intended service provider network and OSU server.
The communication is protected between the mobile device and OSU server.
The effect of one service provider's poor security practices on other service providers is reduced.
The Cisco Wireless LAN Controller (WLC) should support the following requirements:
Hotspot 2.0 Indication Element
OSU Service Provider List
Icon Request and Response Access Network Query Protocol (ANQP) Element
OSU Server-Only Authenticated L2 Encryption Network (OSEN)
Wireless Network Management (WNM) Notification Subscription Remediation Request
WNM Notification Deauth Imminent Request
Basic Service Set (BSS) Transition Management Request Frame - Session URL
QoS Map Set
Extended Capability Bit Support:
This element (using vendor-specific information) enables the Cisco WLCs and mobile devices to indicate that they are HotSpot (HS) 2.0 capable. All the beacon and probe response frames from HS 2.0 Cisco WLCs contain this HS 2.0 indication element. For mobile devices, the association and re-association request frames contain the HS 2.0 indication element.
This element provides information for the entities offering OSU service. The following information is provided for each OSU provider:
A friendly name (in one or more human languages): the name of the OSU provider in human language, which matches the name drawn from the OSU server certificate exactly.
The Network Access Identifier (NAI) used to authenticate to the OSU (if configured for OSEN).
The icons and Uniform Resource Identifier (URI) of the OSU server.
Note | The WLC supports a maximum of 16 service providers per OSU-SP list. |
This element provides a filename for the icon download request from the mobile device, which is one of the filenames included in the OSU providers list element. The maximum file size for the icon is 65535 octets; the file type should be a valid image type, for example, PNG, JPEG, and so on. The Cisco WLC does not apply the file type restriction, and it supports a maximum of 16 icons.
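The limits this page states for the OSU provider list and its icons (16 providers, 16 icons, 65535 octets per icon, HTTPS-only access to OSU servers, a friendly name that matches the certificate exactly, no '?' in command values) can be checked before anything is loaded onto the controller. The following Python lint is an added example, not Cisco code; the provider dictionary schema, the function names and the sample data are assumptions made for illustration.

```python
from urllib.parse import urlsplit

MAX_PROVIDERS = 16         # service providers per OSU-SP list
MAX_ICONS = 16             # icons supported by the WLC
MAX_ICON_OCTETS = 65535    # maximum icon file size
IMAGE_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpeg": b"\xff\xd8\xff"}

def sniff_image_type(data):
    """Return 'png' or 'jpeg' from the file header, or None if unrecognised."""
    for name, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def lint_osu(providers, icons):
    """providers: list of dicts using a hypothetical schema (friendly_name,
    cert_name, uri, icon). icons: filename -> bytes. Returns a list of findings."""
    out = []
    if len(providers) > MAX_PROVIDERS:
        out.append(f"{len(providers)} providers exceeds limit of {MAX_PROVIDERS}")
    if len(icons) > MAX_ICONS:
        out.append(f"{len(icons)} icons exceeds limit of {MAX_ICONS}")
    for name, data in icons.items():
        if len(data) > MAX_ICON_OCTETS:
            out.append(f"{name}: {len(data)} octets exceeds {MAX_ICON_OCTETS}")
        if sniff_image_type(data) is None:  # the WLC itself does not check this
            out.append(f"{name}: not a recognised image type")
    for idx, sp in enumerate(providers, start=1):
        if urlsplit(sp["uri"]).scheme.lower() != "https":
            out.append(f"osu-index {idx}: URI is not HTTPS")
        if sp["friendly_name"] != sp["cert_name"]:  # must match exactly
            out.append(f"osu-index {idx}: friendly name differs from certificate")
        if sp["icon"] not in icons:
            out.append(f"osu-index {idx}: icon {sp['icon']} not in icon set")
        if any("?" in sp[k] for k in ("friendly_name", "uri", "icon")):
            out.append(f"osu-index {idx}: '?' is not supported in command values")
    return out

# Constructed sample input (not from the original page).
SAMPLE_ICONS = {"good.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 100,
                "big.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 70000,
                "note.txt": b"hello"}
SAMPLE_PROVIDERS = [
    {"friendly_name": "Example SP", "cert_name": "Example SP",
     "uri": "https://osu.example.net/signup", "icon": "good.png"},
    {"friendly_name": "Example Sp", "cert_name": "Example SP",
     "uri": "http://osu.example.net/?plan=1", "icon": "missing.png"},
]
print("\n".join(lint_osu(SAMPLE_PROVIDERS, SAMPLE_ICONS)))
```

The second sample provider fails four checks at once, including the case-only difference between the friendly name and the certificate name.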
The OSEN element is used to advertise and select an OSEN-capable network.
The WNM notification request is sent from a WLC to a mobile device to indicate that subscription remediation is required, when the AAA server indicates this requirement to the WLC through the RADIUS Access-Accept message. After the authentication is complete, the WLC sends a WNM notification to the mobile device, using the URL of the Subscription Remediation server as the server URL.
A home SP uses the Deauthentication Imminent Notice to inform the mobile device when it is no longer authorized to use the service due to a temporary condition in the network that requires deauthentication, for example, congestion in the Wi-Fi AN or congestion on a mobile core network element. The notice also provides information on the time that must elapse before the AAA server permits the mobile device to reauthenticate on the same Basic Service Set (BSS) or Extended Service Set (ESS). Following this, the mobile device should not try to reauthenticate to the same BSS or ESS until the expiry of the reauthentication delay.
The controller uses the BSS Transition Management Request frame to inform the mobile device of the impending session expiry. It also provides a URL to the user detailing how to extend the session. The controller gets the information about session warning time and URL from the AAA server through the Access-Accept message.
This element has two sections, WNM Notification and QoS Map Set, which are explained in the previous sections.
Configuring 802.11u Mobility Services Advertisement Protocol
MSAP (Mobility Services Advertisement Protocol) is designed to be used primarily by mobile devices that are configured with a set of policies for establishing network services. These services are available for devices that offer higher-layer services, or network services that are enabled through service providers.
Service advertisements use MSAP to provide services to mobile devices prior to association to a Wi-Fi access network. This information is conveyed in a service advertisement. A single-mode or dual-mode mobile device queries the network for service advertisements before association. The device's network discovery and the selection function may use the service advertisements in its decision to join the network.
To enable or disable MSAP on a WLAN, enter this command:
config wlan hotspot msap {enable | disable} wlan-id
To assign a server ID, enter this command:
config wlan hotspot msap server-id server-id wlan-id
Configuring 802.11u HotSpot
This feature, which enables IEEE 802.11 devices to interwork with external networks, is typically found in hotspots or other public networks irrespective of whether the service is subscription based or free.
The interworking service aids network discovery and selection, enabling information transfer from external networks. It provides information to the stations about the networks prior to association. Interworking not only helps users within the home, enterprise, and public access, but also assists manufacturers and operators to provide common components and services for IEEE 802.11 customers. These services are configured on a per WLAN basis on the controller.
Note | The Downstream Group-Addressed Forwarding (DGAF) bit in the Hotspot 2.0 IE will not be updated automatically until you disable and enable the WLAN. |
Note | The character '?' is not supported in the value part of the commands. |
To enable or disable HotSpot2 on a WLAN, enter this command:
config wlan hotspot hs2 {enable | disable}
To configure the operator name on a WLAN, enter this command:
config wlan hotspot hs2 operator-name {add | modify} wlan-id index operator-name lang-code
wlan-id—The WLAN ID on which you want to configure the operator-name.
index—The operator index of the operator. The range is 1 to 32.
operator-name—The name of the 802.11an operator.
Tip | Press the tab key after entering a keyword or argument to get a list of valid values for the command. |
To delete the operator name, enter this command:
config wlan hotspot hs2 operator-name delete wlan-id index
To configure the port configuration parameters, enter this command:
config wlan hotspot hs2 port-config {add | modify} wlan-id index ip-protocol port-number
To delete a port configuration, enter this command:
config wlan hotspot hs2 port-config delete wlan-id index
To configure the WAN metrics, enter this command:
config wlan hotspot hs2 wan-metrics wlan-id link-status symet-link downlink-speed uplink-speed
link-status—The link status. The valid range is 1 to 3.
symet-link—The symmetric link status. For example, you can configure the uplink and downlink to have different speeds or same speeds.
downlink-speed—The downlink speed. The maximum value is 4,194,304 kbps.
uplink-speed—The uplink speed. The maximum value is 4,194,304 kbps.
To clear all HotSpot configurations, enter this command:
config wlan hotspot clear-all wlan-id
To configure the Access Network Query Protocol (ANQP) 4-way messaging, enter this command:
config advanced hotspot anqp-4way {enable | disable | threshold value}
To configure the ANQP comeback delay value in terms of TUs, enter this command:
config advanced hotspot cmbk-delay value
To configure the gratuitous ARP (GARP) forwarding to wireless networks, enter this command:
config advanced hotspot garp {enable | disable}
To limit the number of GAS request action frames to be sent to the controller by an AP in a given interval, enter this command:
config advanced hotspot gas-limit {enable num-of-GAS-required interval | disable}
When HotSpot2 is configured, the access points that are part of the network must be configured to support HotSpot2.
config ap venue add venue-name venue-group venue-type lang-code ap-name–Adds the venue details to the access point indicating support for HotSpot2.
venue-name—Name of the venue where this access point is located.
venue-type—Type of the venue. Depending on the venue-group chosen, select the venue type. See the following table.
lang-code—The language used. An ISO-14962-1997 encoded string defining the language. This is a three-character language code. Enter the first three letters of the language in English (for example, eng for English).
Tip | Press the tab key after entering a keyword or argument to get a list of valid values for the command. |
config ap venue delete ap-name—Deletes the venue related information from the access point.
You can configure unique icons of the service providers to be displayed on the client devices. You can download these icon files to the Cisco WLC so that they are sent through a GAS message and displayed on the client devices. This feature enhances the user interface on the client devices, where users can differentiate between service providers based on the icons displayed.
Note | The character '?' is not supported in the command values. |
To download an icon from the TFTP server or FTP server into Cisco Wireless Controller (WLC), enter this command:
configure icon parameters
To configure icon parameters, enter this command:
config icons file-info filename file-type lang-code width height
To delete an icon from flash, enter this command:
config icons delete {filename | all}
To display icon parameters, enter this command:
show icons summary
Note | The character '?' is not supported in the command values. |
To configure an (OSU) Service Set Identifier (SSID) name, enter this command:
config wlan hotspot hs2 osu legacy-ssid {wlan-id | ssid-name}
To create an OSU service provider name, enter this command:
config wlan hotspot hs2 osu sp create wlan-id osu-index lang-code ascii/hex friendly-name[description]
To delete an OSU service provider, enter this command:
config wlan hotspot hs2 osu sp delete wlan-id osu-index lang-code
To configure a domain ID, enter this command:
config wlan hotspot hs2 domain-id {wlan-id | domain-id}
To create an OSU URL, enter this command:
config wlan hotspot hs2 osu sp uri add wlan-id osu-index uri
To delete an OSU URL, enter this command:
config wlan hotspot hs2 osu sp uri delete wlan-id osu-index
To configure an OSU method list, enter this command:
config wlan hotspot hs2 osu sp method add wlan-id osu-index method-pri [method-sec]
To delete an OSU method list, enter this command:
config wlan hotspot hs2 osu sp method delete wlan-id osu-index method
To configure an OSU icon file on a given WLAN, enter this command:
config wlan hotspot hs2 osu sp icon-file add wlan-id osu-index icon-filename
Note | You should first configure icon parameters using the config icon icon-filename command. |
To delete an OSU icon file from a given WLAN, enter this command:
config wlan hotspot hs2 osu sp icon-file delete wlan-id osu-index icon-filename
To configure an OSU NAI, enter this command:
config wlan hotspot hs2 osu sp nai add wlan-id osu-index nai
To delete an OSU NAI, enter this command:
config wlan hotspot hs2 osu sp nai delete wlan-id osu-index
To display the OSU details configured on a given WLAN, enter this command:
show wlan wlan-id
Note | The character '?' is not supported in the command values. |
To configure downlink WAN metrics, enter this command:
config wlan hotspot hs2 wan-metrics downlink wlan-id dlink-speed dlink-load
To configure uplink WAN metrics, enter this command:
config wlan hotspot hs2 wan-metrics uplink wlan-id ulink-speed ulink-load
To configure the link status of WAN metrics, enter this command:
config wlan hotspot hs2 wan-metrics link-status wlan-id link-status
To configure the load measurement duration WAN metrics, enter this command:
config wlan hotspot hs2 wan-metrics lmd wlan-id ilmd-val
Assigning a unique range of VLAN IDs to each client can exceed the limit of 4096 VLANs. The 802.1Q-in-Q VLAN tag feature encapsulates the 802.1Q VLAN tagging within another 802.1Q VLAN tag. The outer tag is assigned according to the AP group, and the inner VLAN ID is assigned dynamically by the AAA server.
802.1Q-in-Q VLAN tagging is supported only on Cisco 5500 Series Wireless LAN Controllers, Cisco 8500 Series Wireless LAN Controllers, and Cisco WiSM2.
You cannot enable multicast until you disable IGMP snooping.
802.1Q-in-Q VLAN tagging is supported only on Layer 2 and Layer 3 intra-Controller roaming, and Layer 2 inter-Controller roaming. Layer 3 inter-Controller roaming is not supported.
0x8100 is the only supported value for the EtherType field of the 802.1Q-in-Q Ethernet frame.
You can enable 802.1Q-in-Q VLAN tagging only on centrally switched packets.
You can enable only IPv4 DHCP packets and not IPv6 DHCP packets for 802.1Q-in-Q VLAN tagging.
The IETF tunnel-type attribute is required to override the C-VLAN.
C-VLAN can be set with tunnel-private-group-ID /tunnel-type and tunnel-private-group-id.
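To check on a capture that client traffic carries the expected outer (AP group) and inner (AAA-assigned) VLAN IDs, the two stacked tags can be parsed directly. The following Python is an added example, not Cisco code; it assumes both tags use TPID 0x8100, which is how it reads the EtherType restriction above, and the function names, MAC addresses and VLAN IDs are made up for illustration.

```python
import struct

TPID_8021Q = 0x8100  # the only EtherType value listed as supported above


def build_qinq(dst, src, outer_vid, inner_vid, ethertype, payload, tpid=TPID_8021Q):
    """Build a constructed double-tagged frame: outer tag, inner tag, payload type."""
    tags = struct.pack("!HHHH", tpid, outer_vid & 0x0FFF,
                       TPID_8021Q, inner_vid & 0x0FFF)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_qinq(frame):
    """Return (outer_vid, inner_vid, ethertype) or raise ValueError."""
    if len(frame) < 22:  # 12 octets of MAC addresses + two 4-octet tags + EtherType
        raise ValueError("frame too short for two 802.1Q tags")
    tpid1, tci1, tpid2, tci2, ethertype = struct.unpack("!HHHHH", frame[12:22])
    if tpid1 != TPID_8021Q:
        raise ValueError(f"outer TPID 0x{tpid1:04x} is not 0x8100")
    if tpid2 != TPID_8021Q:  # typical of a single-tagged frame
        raise ValueError(f"inner TPID 0x{tpid2:04x} is not 0x8100")
    return tci1 & 0x0FFF, tci2 & 0x0FFF, ethertype  # low 12 bits of TCI = VLAN ID


def check_client_frame(frame, ap_group_vlan, aaa_vlan):
    """Compare a captured frame with the expected outer and inner VLAN IDs."""
    try:
        outer, inner, _ = parse_qinq(frame)
    except ValueError as exc:
        return f"reject: {exc}"
    if outer != ap_group_vlan:
        return f"mismatch: outer VLAN {outer}, expected {ap_group_vlan}"
    if inner != aaa_vlan:
        return f"mismatch: inner VLAN {inner}, expected {aaa_vlan}"
    return "ok"


# Constructed sample frames (addresses and VLAN IDs are made up).
DST, SRC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
GOOD = build_qinq(DST, SRC, 100, 2001, 0x0800, b"\x45" + b"\0" * 19)
AD_TAGGED = build_qinq(DST, SRC, 100, 2001, 0x0800, b"", tpid=0x88A8)
print(check_client_frame(GOOD, 100, 2001))
```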