AP Audit Configuration

AP audit configuration

An AP audit configuration is a wireless network management feature that

  • detects and reports synchronization issues between the controller and an AP

  • provides both real-time and periodic comparison of configuration and operational states, and

  • supports automated error reporting using syslog for discrepancies.

In Cisco IOS XE Amsterdam, Release 17.3.1, two methods are implemented to support AP audit configuration.

  • Config Checker

  • Config Audit

Config Checker audits the application of wireless policies during the AP join phase. Any discrepancies detected at this stage are reported to the controller. This function is built-in and cannot be disabled. When you configure AP attributes such as name, IP address, controller information, tag, mode, radio mode, and radio admin state, the AP parses the CAPWAP payload configuration from the controller. It then reports any detected errors to the controller using the proper code. If a discrepancy is detected, the controller flags errors using the syslog.

Config Audit periodically compares operational states between an AP and the controller after the AP joins and while it remains connected. When discrepancies are found, Config Audit reports them immediately on the controller. You can view a consolidated report at any time. By default, this functionality is disabled. You can configure the periodic auditing interval.

Use the ap audit-report command to enable and configure audit report parameters. When you trigger the audit, the AP sends its configurations to the controller. The controller compares these configurations with the current settings. If there is a mismatch, the controller reports the error using syslog.

Feature history

Table 1. Feature history for AP audit configuration

Feature Name: AP audit configuration

Release Information: Cisco IOS XE 17.3.1

Feature Description: This feature enables real-time and periodic detection, reporting, and automated syslog alerting of synchronization discrepancies between the wireless controller and APs.

Restrictions for AP audit configuration

  • Config checker alerts are available only through the syslog.

  • IOS AP is not supported.

  • Audit reports do not synchronize from the active controller to the standby controller. After SSO, you cannot access audit reports until the next reporting interval for already connected APs.

  • Audit reports are not available when an AP operates in standalone mode.

  • This feature is supported only on APs in FlexConnect mode.

Configure AP audit parameters (CLI)

Enable and customize AP audit reporting to monitor and compare AP operational states against controller expectations.

The AP sends state view details to the controller, and the controller compares it with what it perceives as the AP state. This feature is disabled by default.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Enable audit reporting.

Example:

Device(config)# ap audit-report enable

Step 3

Configure the AP audit reporting interval.

Example:

Device(config)# ap audit-report interval 1300

The default value for interval is 1440 minutes. The valid range is from 10 to 43200.


Verify AP audit report summary

To verify the AP audit report summary, use the show ap audit-report summary command:

Device# show ap audit-report summary
WTP Mac          Radio          Wlan           IPv4 Acl       IPv6 Acl       Last Report Time
-------------------------------------------------------------------------------------------------------------------------------
1880.90fd.6b40   OUT_OF_SYNC    OUT_OF_SYNC    IN_SYNC        IN_SYNC        01/01/1970 05:30:00 IST
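
As an added example (not Cisco's code), the following Python script parses show ap audit-report summary output and lists each AP that has a column other than IN_SYNC or a last report older than the audit interval. The function name, the now argument and the staleness rule are assumptions of this example; the sample rows are taken from the outputs on this page.

```python
import re
from datetime import datetime, timedelta

# Data rows: WTP MAC, four status columns, then "MM/DD/YYYY HH:MM:SS TZ".
ROW = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<radio>\S+)\s+(?P<wlan>\S+)\s+(?P<acl4>\S+)\s+(?P<acl6>\S+)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})",
    re.IGNORECASE,
)
COLUMNS = ("radio", "wlan", "acl4", "acl6")

def audit_findings(cli_output, now, interval_minutes=1440):
    """Return {mac: [problem, ...]} for APs that need attention."""
    findings = {}
    max_age = timedelta(minutes=interval_minutes)
    for line in cli_output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # prompt, header, separator or blank line
        problems = [f"{c}={m[c]}" for c in COLUMNS if m[c] != "IN_SYNC"]
        # Assumption: 'now' is in the controller's local time zone, so the
        # zone abbreviation printed by the CLI is ignored.
        reported = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
        if now - reported > max_age:
            problems.append(f"stale report ({m['ts']})")
        if problems:
            findings[m["mac"].lower()] = problems
    return findings

# Sample rows taken from the two outputs on this page.
SAMPLE = """\
Device# show ap audit-report summary
WTP Mac          Radio          Wlan           IPv4 Acl       IPv6 Acl       Last Report Time
-----------------------------------------------------------------------------------------------
1880.90fd.6b40   OUT_OF_SYNC    OUT_OF_SYNC    IN_SYNC        IN_SYNC        01/01/1970 05:30:00 IST
4001.7aca.5140   IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC        06/22/2020 13:17:39 IST
a0f8.49dc.9460   IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC        06/22/2020 13:16:43 IST
"""

if __name__ == "__main__":
    # Constructed "current time": a few minutes after the sample reports.
    now = datetime(2020, 6, 22, 13, 30)
    for mac, problems in audit_findings(SAMPLE, now).items():
        print(mac, "->", ", ".join(problems))
```

Pass the interval configured with ap audit-report interval as interval_minutes so that the staleness threshold matches the controller's reporting cycle.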

Verify AP audit report detail

To verify an AP audit report's details, use the show ap name ap-name audit-report detail command:

Device# show ap name Cisco-AP audit-report detail
Cisco AP Name   : Cisco-AP
=================================================
IPV4 ACL Audit Report Status     : IN_SYNC 
IPV6 ACL Audit Report Status     : IN_SYNC
Radio Audit Report Status        : IN_SYNC
WLAN Audit Report Status         : 
Slot-id  Wlan-id  Vlan           State          SSID           Auth-Type      Other-Flag
-------------------------------------------------------------------------------------
0        4        IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC
1        4        IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC

bh-csr1# show ap audit-report summary
WTP-Mac          Radio          Wlan           IPv4-Acl       IPv6-Acl       Last-Report-Time
------------------------------------------------------------------------------------------------------
4001.7aca.5140   IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC        06/22/2020 13:17:39 IST    
4001.7aca.5a60   IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC        06/22/2020 13:18:25 IST    
7070.8b23.a1a0   IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC        06/22/2020 13:18:29 IST    
a0f8.49dc.9460   IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC        06/22/2020 13:16:43 IST    
a0f8.49dc.96e0   IN_SYNC        IN_SYNC        IN_SYNC        IN_SYNC        06/22/2020 13:17:55 IST