Best Practices

Infrastructure

Disable Aironet IE

  • Description—Aironet IE is a Cisco proprietary information element that Cisco devices use for better connectivity. The access point (AP) sends it in the beacons and probe responses of the Cisco Mobility Express controller, and it carries information such as the AP name, load, and number of associated clients. Cisco Client Extensions (CCX) clients use this information to choose the best AP with which to associate.

    The CCX software is licensed to manufacturers and vendors of third-party client devices. The CCX code resident on these clients enables them to communicate wirelessly with Cisco APs and to support Cisco features that other client devices do not. The features are related to increased security, enhanced performance, fast roaming, and power management.

    Aironet IE is optional for CCX-based clients, but it can cause compatibility issues with some types of wireless clients. The recommendation is to enable it for workgroup bridges (WGB) and Cisco voice clients; for a general production network it can be beneficial to disable Aironet IE after testing.

    CCX Aironet IE feature should be disabled.

  • Status:

    • Selected—CCX Aironet IE disabled on all WLANs.

    • Unselected—CCX Aironet IE enabled on all WLANs.

  • CLI Option—Disable support for Aironet IEs for a particular WLAN by entering this command:

    (Cisco Controller) >config wlan ccx aironetIeSupport disable wlan-id

HTTPS for Management

  • Description—HTTPS for management encrypts the management session, so administrator credentials and configuration data are not sent in cleartext over the network.

    Secure Web Access (HTTPS) should be enabled for managing the Cisco Mobility Express controller. Web Access (HTTP) should be disabled.

  • Status:

    • Selected—HTTPS enabled; HTTP disabled

    • Unselected—HTTPS enabled, HTTP enabled or HTTPS disabled, HTTP enabled

  • CLI Options:

    • Disable web mode so that users cannot access the controller GUI using http://ip-address, by entering this command:

      (Cisco Controller) >config network webmode disable

    • Enable Secure Web Access mode to allow users to access the controller GUI using https://ip-address, by entering this command:

      (Cisco Controller) >config network secureweb enable

Configuring HTTPS to Use a Specific Trustpoint

If a device is configured with more than one crypto trustpoint (which could be for a self-signed or identity certificate), enter the following CLI command to use a specific trustpoint for HTTPS communication:


Device# conf t
Device(config)# ip http secure-trustpoint trustpoint-name

If the preceding CLI is not configured, HTTPS can use any configured trustpoint. HTTPS chooses the trustpoint in the following order:

  1. Identity certificate

  2. Self-signed certificate

  3. CA certificate

Load Balancing

  • Description—In dense production networks, controllers have been verified to function optimally with load balancing ON and the window size set to 5 or higher. In practice, this means load balancing behavior is only triggered when, for example, a large group of people congregates in a conference room or open area (meeting or class). Load balancing is very useful for spreading these users across the available APs in such scenarios.

    Load balancing should be enabled. For time-sensitive applications such as voice, it can cause roaming issues, so it is recommended to test before enabling load balancing on the Cisco Mobility Express controller. Clicking Restore Default enables load balancing on the Cisco Mobility Express controller, which may impact service at the time.

  • Status:

    • Selected—Enabled on all WLANs.

    • Unselected—Disabled on all WLANs.

  • CLI Option—Enable load balancing on a WLAN by entering this command:

    (Cisco Controller) >config wlan load-balance allow enable wlan-id

NTP

  • Description—Network Time Protocol (NTP) synchronization is important for several features and is mandatory on the Cisco Mobility Express virtual controller if you use Location, SNMPv3, access point authentication, or Management Frame Protection (MFP). Certificate validity checks and the correlation of log timestamps across devices also depend on correct time.

    The NTP server is used to synchronize the Cisco Mobility Express virtual controller's time.

  • Status—If disabled, click Manual Configuration to manually configure the syncing with the NTP server.
    • Selected—NTP is configured on the Cisco Mobility Express controller.

    • Unselected—NTP is not configured on the Cisco Mobility Express controller.

  • CLI Option:
    • Enable NTP server by entering this command:

      (Cisco Controller) >config time ntp server ntp-server-index ntp-server-ip-address

Local Profiling

  • Description—The virtual controller in Cisco Mobility Express-enabled APs can determine the client type from the information received when a client device associates. The virtual controller collects this information and either displays it directly on the Cisco Mobility Express GUI dashboard or sends the required data to Cisco ISE.

    Local profiling (DHCP/HTTP) should be enabled on the Cisco Mobility Express controller. This may impact service at the time.

  • Status:

    • Selected—Enabled on all WLANs. Shown in green if RADIUS profiling is enabled.

    • Unselected—Disabled.


      Note

      You can turn off Local Profiling by clicking the Disable button.


  • CLI Option—Enable local profiling (DHCP/HTTP) on all WLANs by entering this command:

    (Cisco Controller) >config wlan profiling local all enable

Site Tag

  • We recommend that you use a custom site-tag instead of the default-site-tag for APs.

  • For APs in local mode (or local site-tag), we recommend that you limit the number of APs per site-tag to 500. For example, if you have more than 500 APs in a building, use two site-tags for the building. Seamless and fast roaming is supported across site-tags. You can configure more or fewer APs per site-tag, but the recommendation is not to exceed these numbers:

    Platform                                Maximum Number of APs per Local Site-Tag
    C9800-80, C9800-CL (medium and large)   1600
    C9800-40                                800
    Other C9800 platforms                   Equal to the maximum number of APs supported

  • For FlexConnect APs and related remote site-tags, if seamless roaming is required, the limit is 100 APs per site-tag.

Security

WLAN with WPA3, WPA2 or 802.1X

  • Description—Every WLAN should use 802.1X, WPA2, or WPA3 security. You can enable this from the linked WLAN page. The default day-0 setup does not mandate 802.1X. Where the client base supports it, prefer WPA3 or 802.1X over a WPA2 pre-shared key, which is shared by every client on the WLAN.

  • Status—If disabled, click Manual Configuration to specify the security setting of the WLAN.

    • Selected—802.1X, WPA2, or WPA3 is enabled on at least one WLAN.

    • Unselected—None of these is enabled on any WLAN.

Rogue Policies

  • Description—Rogue wireless devices are an ongoing threat to corporate wireless networks. Network owners need to do more than just scan for unknown devices: they must be able to detect, disable, locate, and manage rogue/intruder threats automatically and in real time.

    Rogue APs can disrupt wireless LAN operations by hijacking legitimate clients, capturing unencrypted traffic, or mounting denial-of-service or man-in-the-middle attacks. For example, an attacker can use a rogue AP to capture sensitive information such as usernames and passwords. The attacker can then transmit a series of clear-to-send (CTS) frames that mimic an AP telling one wireless client to transmit while instructing all others to wait, which leaves legitimate clients unable to access wireless LAN resources. Wireless LAN operators therefore seek to keep rogue APs out of their airspace.

    The best practice is to use rogue detection to minimize security risks, for example in a corporate environment. However, there are scenarios in which rogue detection is not needed, for example OEAP deployments, open venues/stadiums, citywide deployments, and outdoor areas; using outdoor mesh APs to detect rogues provides little value while consuming resources to analyze the results. Finally, it is critical to evaluate (or avoid altogether) rogue auto-containment: automatically containing devices the organization does not own carries potential legal issues and liabilities if it is left to operate unattended.

    Policy should be at least High.

  • Status:
    • Selected—Policy is set to High or above

    • Unselected—Policy is set to Low.

  • CLI Option—Set the rogue detection security level to High by entering this command:

    (Cisco Controller) >config rogue detection security-level high

Minimum Rogue RSSI Threshold

  • Description—Specifies the minimum RSSI value that rogues must have for APs to detect them and for rogue entries to be created on the controller. The recommended value is –80 dBm.

    A rogue heard at this level or stronger normally indicates an unknown AP inside the facility perimeter, which can cause interference to the wireless network.

    This rule is not recommended for retail customers or venues shared by various tenants, where Wi-Fi signals from all parties normally bleed into each other.

  • Status:
    • Selected—Set to –80 dBm.

    • Unselected—Set to a value lower (more negative) than –80 dBm.

  • CLI Option—Set the minimum RSSI value that rogues should have by entering this command:

    (Cisco Controller) >config rogue detection min-rssi rssi-in-dBm

Client Exclusion

  • Description—When a client fails to authenticate, the controller excludes the client. The client cannot connect to the network until the exclusion timer expires or an administrator manually overrides the exclusion.

    Client exclusion counts failed authentication attempts from a single device. When the device exceeds the maximum number of failures, that MAC address is no longer allowed to associate to the controller. Because the exclusion is keyed on the MAC address, it slows down password guessing against a WLAN but does not stop an attacker who changes MAC addresses between attempts.

    Client exclusion is enabled by default on the primary AP, allowing it to exclude clients from joining the controller during the above events.

  • Status:

    • Selected—Client exclusion is enabled for all events

    • Unselected—Client exclusion is disabled for all events

  • CLI Option—Enable client exclusion for all events by entering this command:

    (Cisco Controller) >config wps client-exclusion all enable

To manually add a client to the exclusion list, use the wireless exclusion list client MAC address command; use the no form of the command to remove the client from the list. However, the no form of the command does not remove clients that were added to the exclusion list dynamically.

User Login Policies

  • Description—User login policies limit the number of concurrent login sessions that a single user can hold on the controller. The recommendation is a value greater than the default of 0 (unlimited), so that one set of administrator credentials cannot be used from an unbounded number of sessions at once.

  • Status:

    • Selected—Configured

    • Unselected—No user login policies are present

  • CLI Option:

    • Verify the user login policies by entering this command:

      
      Device# show run | i max-user-login
      
    • Configure user login policies by entering this command:

      
      Device# conf t
      Device(config)# wireless client max-user-login ?
       	 <0-8>  Maximum number of login sessions for a single user, 0-8 (0=Unlimited)
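
The management-plane checks in the HTTPS for Management, NTP, Client Exclusion, Rogue Policies and User Login Policies sections above can be audited mechanically against a saved running-config. The following Python script is an added example for this page, not Cisco's own tooling or output. The `ip http secure-trustpoint` and `wireless client max-user-login` lines come from the page's own CLI examples; `no ip http server`, `ip http secure-server`, `ntp server`, `wireless wps client-exclusion all` and `wireless wps rogue security-level` are standard IOS-XE syntax assumed here rather than shown on the page, and the sample config excerpt is constructed.

```python
"""Audit a Catalyst 9800 (IOS-XE) running-config excerpt against the
management-plane and security best practices described on this page.
Added example for this page, not Cisco's own tooling."""
import re
import sys
from typing import Callable, Dict, List, NamedTuple


class Rule(NamedTuple):
    name: str
    pattern: str           # regex tried against every (stripped) config line
    advice: str            # what to change when the rule fails
    value_ok: Callable[[str], bool] = lambda _v: True  # extra check on regex group 1


# (page): syntax taken from this page's own CLI examples.
# (assumed): standard IOS-XE syntax assumed here; it is not shown on the page.
RULES: List[Rule] = [
    Rule("http-disabled", r"^no ip http server$",
         "disable plaintext HTTP management"),                                   # (assumed)
    Rule("https-enabled", r"^ip http secure-server$",
         "enable HTTPS management"),                                             # (assumed)
    Rule("https-trustpoint", r"^ip http secure-trustpoint (\S+)$",
         "pin HTTPS to one trustpoint instead of letting it pick any"),          # (page)
    Rule("ntp-configured", r"^ntp server (\S+)",
         "configure an NTP server; SNMPv3, MFP and AP authentication need it"),  # (assumed)
    Rule("login-limit", r"^wireless client max-user-login (\d+)$",
         "set max-user-login to 1-8 (0 means unlimited concurrent logins)",
         lambda v: 1 <= int(v) <= 8),                                            # (page)
    Rule("client-exclusion", r"^wireless wps client-exclusion all$",
         "enable client exclusion for all events"),                              # (assumed)
    Rule("rogue-level", r"^wireless wps rogue security-level (\S+)$",
         "set the rogue security level to high or critical",
         lambda v: v in ("high", "critical")),                                   # (assumed)
]


def audit(config_text: str) -> Dict[str, str]:
    """Return {rule_name: "pass" | "FAIL: <advice>"} for every rule.

    A rule passes when at least one config line matches its regex and the
    captured value, if any, satisfies value_ok. A missing line fails closed,
    so a partial export shows up as failures rather than silent passes."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    report: Dict[str, str] = {}
    for rule in RULES:
        rx = re.compile(rule.pattern)
        ok = False
        for ln in lines:
            m = rx.match(ln)
            if m and rule.value_ok(m.group(1) if m.groups() else ""):
                ok = True
                break
        report[rule.name] = "pass" if ok else "FAIL: " + rule.advice
    return report


def failures(config_text: str) -> List[str]:
    """Names of the failing rules, in rule order."""
    return [name for name, status in audit(config_text).items() if status != "pass"]


# Constructed sample excerpt, not captured from a real controller. It
# deliberately leaves plaintext HTTP enabled and keeps the default
# unlimited login count, so two rules should fail.
SAMPLE_CONFIG = """\
hostname WLC-LAB
ip http server
ip http secure-server
ip http secure-trustpoint WLC-LAB-CA
ntp server 192.0.2.10
wireless client max-user-login 0
wireless wps client-exclusion all
wireless wps rogue security-level high
"""

if __name__ == "__main__":
    # Usage: python audit_wlc.py [saved 'show running-config' output]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, status in audit(text).items():
        print(f"{name:18} {status}")
```

Rules are data, so a site can add its own lines (for example the rogue minimum RSSI) without touching the matcher. Because every rule fails closed when its line is absent, run the script only against a complete `show running-config` export; a truncated capture produces spurious failures rather than a misleading clean report.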

RF Management

Auto Coverage Hole Detection

  • Description—Auto CHD should be enabled.

    The controller uses the client signal levels reported by the APs to determine whether the power level of an AP needs to be increased. Coverage Hole Detection (CHD) is controller independent, so the RF group leader is not involved in those calculations. The controller knows how many clients are associated with a particular AP and the signal-to-noise ratio (SNR) value for each client.

    If a client SNR drops below the configured threshold value on the controller, the AP increases its power level to try to compensate for the client. The SNR threshold is based on the transmit power of the AP and the coverage profile settings on the controller.

    For instructions on how to configure auto CHD, see the Cisco Mobility Express User Guide.

  • Status:
    • Selected—CHD enabled on both 2.4 and 5 GHz

    • Unselected—CHD enabled on neither band or on only one band

  • CLI Option—Enable auto CHD by entering this command:

    (Cisco Controller) >config advanced 802.11{a|b} coverage enable

Auto Dynamic Channel Assignment

  • Description—Auto DCA should be enabled to allow RRM to select the best channel for each radio.

    When a wireless network is first initialized, every participating radio needs a channel assignment that lets it operate without interference; optimizing those assignments is DCA's job. DCA does this using the air metrics reported by each radio on every possible channel and produces a solution that maximizes channel bandwidth and minimizes RF interference from all sources: self (own signal), other networks (foreign interference), and noise (everything else).

    DCA is enabled by default and provides a global solution to channel planning for your network.

  • Status:

    • Selected—DCA is enabled for 2.4 / 5 GHz

    • Unselected—DCA is enabled on neither band or on only one band

  • CLI Option—Enable auto DCA by entering this command:

    (Cisco Controller) >config 802.11a channel global auto

    (Cisco Controller) >config 802.11b channel global auto

Auto Transmit Power Control

  • Description—The controller dynamically controls the access point transmit power based on real-time wireless LAN conditions. You can choose between two versions of transmit power control: TPCv1 and TPCv2. With TPCv1, power can be kept low to gain extra capacity and reduce interference. With TPCv2, transmit power is dynamically adjusted with the goal of minimum interference. TPCv2 is suitable for dense networks. In this mode, there could be higher roaming delays and coverage hole incidents.

    Auto TPC is enabled by default to allow RRM to select best transmit power for each radio.

    The Transmit Power Control (TPC) algorithm increases and decreases the power of an access point (AP) in response to changes in the RF environment. In most instances, TPC seeks to lower the power of the AP to reduce interference. But in the case of a sudden change in RF coverage (for example, if an AP fails or becomes disabled), TPC can also increase the power of the surrounding APs. This feature is different from coverage hole detection, which is primarily concerned with clients. TPC provides enough RF power to achieve the desired coverage levels while avoiding channel interference between APs.

    Note

    For optimal performance, use the Automatic setting to allow best transmit power for each radio.


  • Status:

    • Selected—TPC enabled for 2.4 / 5 GHz

    • Unselected—TPC enabled on neither band or on only one band

  • CLI Option—Enable Auto TPC by entering this command:

    (Cisco Controller) >config 802.11a txPower global auto

    (Cisco Controller) >config 802.11b txPower global auto

CleanAir Detection

  • Description—CleanAir should be enabled.

    To effectively detect and mitigate RF interference, enable CleanAir whenever possible. Specific interferer types, such as generic DECT phones and jammers, can additionally be configured to raise security alerts.


    Note

    Not all Cisco access points support CleanAir. Consult the data sheet of your Cisco AP model to see whether it supports CleanAir.


  • Status:

    • Selected—Enabled

    • Unselected—Disabled

  • CLI Option:

    • Verify CleanAir configuration on a network by entering this command:

      (Cisco Controller) >show 802.11{a|b} cleanair config

    • Enable CleanAir functionality on a network by entering this command:

      (Cisco Controller) >config 802.11{a|b} cleanair enable network

    • Enable interference detection specifically for jammers by entering this command:

      (Cisco Controller) >config 802.11{a|b} cleanair device enable jammer

Event Driven RRM

  • Description—Spontaneous interference is interference that appears suddenly on a network, perhaps jamming a channel or a range of channels completely. The Cisco CleanAir spectrum event-driven radio resource management (RRM) feature allows you to set a threshold for air quality (AQ) that, if exceeded, triggers an immediate channel change for the affected access point. Most RF management systems can avoid interference, but this information takes time to propagate through the system. Cisco CleanAir relies on AQ measurements to continuously evaluate the spectrum and can trigger a move within 30 seconds. For example, if an access point detects interference from a video camera, it can recover by changing channels within 30 seconds of the camera becoming active. Cisco CleanAir also identifies and locates the source of interference so that more permanent mitigation of the device can be performed at a later time.


    Note

    Only Cisco CleanAir-enabled access points in local mode can trigger spectrum ED-RRM when they detect a significant level of interference.


    Event driven RRM is enabled by default.

  • Status:

    • Selected—Enabled

    • Unselected—Disabled

  • CLI Option—Enable Cisco CleanAir spectrum event-driven RRM by entering this command:

    (Cisco Controller) >config advanced 802.11{a|b} channel cleanair-event enable

WiFi Interference

  • Description—To improve handling of WiFi Interference, Rogue Severity was added to the ED-RRM metrics. If a rogue access point is generating interference above a given threshold, this feature changes channels immediately instead of waiting until the next DCA cycle.

    This should be used when ED-RRM is enabled. It should be avoided in buildings with a very large number of collocated Wi-Fi networks (multi-tenant buildings) that overlap 100%.

  • Status

    • Selected—WiFi interference is enabled.

    • Unselected—WiFi interference is disabled.

  • CLI Option:

    • Verify the WiFi interference configuration by entering this command:

      Device# show ap dot11 24ghz cleanair config
    • To enable WiFi interference, you need to perform the following:

      • Configure the rogue contribution duty-cycle threshold by entering this command:

        Device# conf t
        Device(config)# ap dot11 24ghz rrm channel cleanair-event rogue-contribution dutycycle 80

      • Enable ED-RRM by entering this command:

        Device# conf t
        Device(config)# ap dot11 24ghz rrm channel cleanair-event

      • Enable rogue contribution by entering this command:

        Device# conf t
        Device(config)# ap dot11 24ghz rrm channel cleanair-event rogue-contribution

DCA Cisco AP Load

  • Description—Leave this option disabled (the default) to avoid frequent DCA channel changes caused by varying load conditions.

  • Status

    • Selected—AP Load is disabled.

    • Unselected—AP Load is enabled.

  • CLI Option:

    • Verify the current status by entering this command:

      Device# show ap dot11 24ghz channel | include Load
    • Enable DCA Cisco AP Load by entering this command:

      
      Device# conf t
      Device(config)# ap dot11 24ghz rrm channel load
    • Disable DCA Cisco AP Load by entering this command:

      
      Device# conf t
      Device(config)# no ap dot11 24ghz rrm channel load

Best Channel Width

  • Description—Dynamic bandwidth selection selects the widest channel width with the highest client data rates and lowest channel utilization per radio. This minimizes data retries and CRC errors on the 5 GHz band while avoiding rogue APs and CleanAir Interferers.

  • Status:

    • Selected—Channel width is selected as Best on both bands.

    • Unselected—Channel width is not selected as Best on both bands.

  • CLI Option—Enable best channel width by entering this command:

    (Cisco Controller) >config advanced 802.11a channel dca chan-width best

FRA Enabled

  • Description—Flexible radio assignment (FRA) enables automatic assignment of the XOR 2.4GHz radios to other roles such as 5 GHz and Monitor.

    We recommend that you enable FRA when you have APs such as the Cisco Aironet 2800 and 3800 Series that support XOR operation.

  • Status:

    • Selected—FRA is enabled.

    • Unselected—FRA is disabled.

  • CLI Option: Enable FRA by entering this command:

    (Cisco Controller) >config advanced fra enable

High SSID Counts

  • Description—The number of WLANs should be 4 or fewer.

    We recommend limiting the number of service set identifiers (SSIDs) configured on the controller. You can configure 16 simultaneous SSIDs (per radio on each AP), but because each WLAN/SSID needs its own probe responses and beacons, RF pollution increases as SSIDs are added. Furthermore, some smaller wireless stations such as PDAs, Wi-Fi phones, and barcode scanners cannot cope with a high number of basic SSIDs (BSSIDs); this results in lockups, reloads, or association failures. The more SSIDs, the more beaconing is needed, so less airtime is available for actual data transmission. Cisco recommends one to three SSIDs for corporate networks and one SSID for high-density designs. AAA override can be leveraged for per-user VLAN and other settings in a single-SSID scenario.

    The AP must beacon at the lowest mandatory speed set for each WLAN, in order to be able to reach the farthest stations irrespective of their location. This reduces available air time for client traffic.

  • Status—Click Manual Configuration to manually configure the number of service set identifiers (SSIDs) configured at the controller.

    • Selected—Active SSID count is 4 or less.

    • Unselected—Active SSID count is more than 4.

  • CLI Option:

    • Verify the number of WLANs by entering this command:

      (Cisco Controller) >show wlan summary

    • Disable unwanted WLANs by entering this command:

      (Cisco Controller) >config wlan disable wlan-id

Client Band Select

  • Description—Band selection should be enabled. However, if there is interactive traffic such as voice or video on the WLAN, do not use band selection. Clicking Enable turns band selection on.

    Band selection enables client radios that are capable of dual-band (2.4 and 5 GHz) operation to move to a less congested 5 GHz AP. The 2.4 GHz band is often congested. Clients on this band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel interference from other APs because of the 802.11b/g limit of three non-overlapping channels. To avoid these sources of interference and improve overall network performance, you can configure band selection on the controller:
    • Band selection is enabled globally by default.

    • Band selection works by regulating probe responses to clients. It makes 5 GHz channels more attractive to clients by delaying probe responses to clients on 2.4 GHz channels.

    • Evaluate band selection for voice, particularly focusing on roaming performance. See below for further explanation.

    • Most newer model clients prefer 5 GHz by default if the 5 GHz signal of the AP is equal to or stronger than the 2.4-GHz signal.

    • Band select should be enabled for high-density designs

    Also, in high-density designs, survey the available UNII-2 channels. Those channels that are unaffected by radar and also usable by the client base should be added to the RRM DCA list as usable channels.

    Dual-band roaming can be slow depending on the client. If the majority of the voice client base exhibits slow roaming behavior, it is more likely that the client sticks to 2.4 GHz; in this case, it has scanning issues on 5 GHz. Generally, when a client decides to roam, it scans its current channel and band first. Clients generally scan for an AP that has a significantly better signal level, perhaps as much as 20 dB, and/or a significantly better SNR. Failing such an available connection, the client may remain with its current AP. In this case, if the channel utilization (CU) on 2.4 GHz is low and the call quality is not poor, then disabling band select is acceptable. However, the preferred design is to enable band selection with all 5 GHz data rates enabled and 6 Mbps as mandatory, and then set the 5 GHz RRM minimum Tx power level 6 dBm higher than the average 2.4 GHz power level set by RRM.

    The goal of this configuration recommendation is to enable the client to obtain a band and channel with better SNR and Tx power initially. As already stated, generally when a client decides to roam, it scans its current channel and band first. So, if the client initially joins the 5 GHz band, then it is more likely to stay on the band if there are good power levels on 5 GHz. SNR levels on 5 GHz are generally better than 2.4 GHz because 2.4 GHz has only three Wi-Fi channels and is more susceptible to interference such as Bluetooth, iBeacons, and microwave signals.

    802.11k is recommended to be enabled with dual-band reporting. This enables all 11k enabled clients to have the benefit of assisted roaming. With dual-band reporting enabled, the client receives a list of the best 2.4-GHz and 5-GHz APs upon a directed request from the client. Here, the client most likely looks at the top of the list for an AP on the same channel, and then on the same band as the client is currently on. This logic reduces scan times and saves battery power. Having 802.11k enabled on the WLC does not have a downside effect for non-802.11k clients.

  • Status:

    • Selected—Enabled on all WLANs

    • Unselected—Disabled

  • CLI Option:

    • Verify Band Select by entering this command:

      (Cisco Controller) >show band-select

    • Enable Band Select on a WLAN by entering this command:

      (Cisco Controller) >config wlan band-select allow enable wlan-id

5GHz Low Data Rates

  • Description—We recommend that low data rates of 6 and 9 Mbps are disabled on 5GHz for better performance.


    Note

    Low data rates should not be disabled for low density deployments where these data rates are expected to be present.


  • Status:

    • Selected—Low data rates of 6 and 9 Mbps are disabled on 5GHz.

    • Unselected—Low data rates of 6 and 9 Mbps are enabled on 5GHz.

  • CLI Option:

    • Disable 6Mbps on 5GHz by entering this command:

      (Cisco Controller) >config 802.11a rate disabled 6

    • Disable 9Mbps on 5GHz by entering this command:

      (Cisco Controller) >config 802.11a rate disabled 9

2.4GHz Low Data Rates

  • Description—Low data rates of 1, 2, and 5.5 Mbps should be disabled on 2.4GHz, and 11 Mbps should be set to not mandatory on 2.4GHz, for better performance.


    Note

    Low data rates should not be disabled for low density deployments where these data rates are expected to be present.
  • Status:

    • Selected—Low data rates of 1, 2 or 5.5 Mbps are disabled on 2.4GHz or 11 Mbps is set to not mandatory.

    • Unselected—Low data rates of 1, 2 or 5.5 Mbps are enabled on 2.4GHz or 11 Mbps is set to mandatory.

  • CLI Option:

    • Disable 1Mbps on 2.4GHz by entering this command:

      (Cisco Controller) >config 802.11b rate disabled 1

    • Disable 2Mbps on 2.4GHz by entering this command:

      (Cisco Controller) >config 802.11b rate disabled 2

    • Disable 5.5Mbps on 2.4GHz by entering this command:

      (Cisco Controller) >config 802.11b rate disabled 5.5

    • Configure or disable 11Mbps on 2.4GHz by entering this command:

      (Cisco Controller) >config 802.11b rate {disabled | supported} 11

Apple Devices

WLAN Configuration

  • Description—Allows you to identify if the WLAN is configured with recommended L2 security, QoS, and Advanced settings for Apple devices. Application Visibility should be enabled.

  • Status—Click Detailed to manually configure the L2 security, QoS, and advanced settings for Apple devices for individual, active WLANs.

    • Selected—At least one WLAN is compliant with all the recommended WLAN configurations for Apple devices.

    • Unselected—None of the active WLANs are compliant with all the recommended WLAN configurations for Apple devices.

Optimized Roaming Disabled

  • Description—Optimized roaming should be disabled because Apple devices use the newer 802.11r, 802.11k, and 802.11v roaming improvements.

  • Status:

    • Selected—Optimized roaming is disabled.

    • Unselected—Optimized roaming is enabled.

5GHz EDCA Fastlane

  • Description—Configuring the EDCA Profile as Fastlane improves Apple device performance on 5GHz networks.

  • Status:

    • Selected—The 5GHz EDCA Profile is configured as Fastlane.

    • Unselected—The 5GHz EDCA Profile is not configured as Fastlane.

5GHz Enabled

  • Description—Enable the 5GHz radio to provide a faster network with less interference for Apple devices.

  • Status:

    • Selected—5GHz radio is enabled on the network.

    • Unselected—5GHz radio is disabled on the network.

5GHz MCS Rates

  • Description—All the MCS Rates (0-31) should be enabled on the 5GHz networks to help improve the performance of Apple client devices.

  • Status:

    • Selected—All the MCS rates are enabled on the 5GHz network.

    • Unselected—Some of the MCS rates are disabled on the 5GHz network.