Configuring Cisco Wireless Controllers and Cisco Catalyst 9800 Series Controllers for Cisco Spaces

This chapter describes the configurations to be done in the CiscoWireless Controller (Cisco AireOS) or Cisco Catalyst 9800 Series Controllers to work with Cisco Spaces. The configurations required differ based on the wireless controller type and connector you use.


Note


  • You cannot connect a Cisco Wireless Controller with hyper location with Cisco Spaces and Cisco CMX simultaneously.

  • If you want to connect a Cisco Wireless Controller with both Cisco CMX and Cisco Spaces simultaneously, you must use a Cisco Spaces: Connector. Check the limitations for the number of NMSP connections your Cisco Wireless Controller can support, and ensure that your Cisco Wireless Controller can support the addition of a new connection to Cisco Spaces: Connector, especially if there are existing connections to multiple Cisco CMX servers.

  • You cannot use a Cisco Wireless Controller simultaneously with Cisco WLC Direct Connect and Cisco Spaces: Connector. Disable the Cisco WLC Direct Connect before using the Cisco Spaces: Connector.

  • It is recommended to use Cisco Spaces: Connector rather than Cisco WLC Direct Connect, especially when you are using a lower version of Cisco Wireless Controller.Also, certain apps such as Operation Insights, Detect and Locate, and so on are supported only by Cisco Spaces: Connector.

  • It is not recommended to compare the data displayed in your wireless network with the data shown in Cisco Spaces reports as it is expected to defer as per the design.



Note


The configurations are done in the external applications that are not a part of Cisco Spaces, and the menu path and names specified for the tabs, windows, options, and so on in this documentation are subject to change.

The features supported by various connector types, and the configurations for various combinations of wireless controllers and connectors are as follows:

Connecting Cisco Spaces to Cisco Wireless Controller through Cisco CMX

To connect Cisco Spaces with Cisco Wireless Controllers through Cisco CMX, you must have Cisco CMX 10.6 or later.

For Cisco Unified Wireless Network with Cisco CMX, the following configurations are required to work with Cisco Spaces:


Note


  • The configuration for internet provisioning and RADIUS authentication is required only if you need RADIUS authentication. This configuration is required only if you need social authentication for your portals.


Configuring Cisco Wireless Controller for Social Authentication

For social authentication with Cisco Unified Wireless Network, you must do some configurations in the Cisco Wireless Controller.

To configure the Cisco Unified Wireless Network for social authentication, perform the following steps:

Procedure


Step 1

Log in to Cisco Wireless Controller using your credentials.

Step 2

Choose Security > Access Control Lists > Access Control Lists.

Step 3

In the Access Control List window that appears, click the Access Control List configured for Cisco Spaces.

Click Add New Rule and add additional two rules with following information. .

No

Action

Source IP Address/Netmask

Destination IP Address/Netmask

Protocol

Source Port Range

Destination Port Range

DSCP

Direction

1

Permit

0.0.0.0/0.0.0.0

0.0.0.0/0.0.0.0

TCP

HTTPS

Any

Any

Any

2

Permit

0.0.0.0/0.0.0.0

0.0.0.0/0.0.0.0

TCP

Any

HTTPS

Any

Any

Note

 
This wall garden ranges configured for social authentication will allow the customers to access all the HTTPS web sites directly after connecting to your SSID, without using the captive portal.

Step 4

Add social platform specific domains as ACLs based on the social networks that you want to use for authentication. To add social domains as ACLs, perform the following steps:

  1. In the Cisco Wireless Controller dashboard, choose Security > Access Control Lists.

  2. Click More Actions for the Access Control List configured for Cisco Spaces.

  3. Click Add Remove URL.

  4. Enter a social URL name, and click Add.

  5. Repeat steps c and d for each domain.

    Note

     

    These domain names are managed by the social networks and can change at any time. Also, these domain names are subjected to change based on country/region. If you are facing any issue, contact the Cisco Spaces support team.

    The commonly used domain names for various social platforms are as follows:

    Facebook
    • facebook.com

    • static.xx.fbcdn.net

    • www.gstatic.com

    • m.facebook.com

    • fbcdn.net

    • fbsbx.com

    LinkedIn
    • www.linkedin.com

    • static-exp1.licdn.com

    Twitter
    • abs.twimg.com

    • syndication.twitter.com

    • twitter.com

    • analytics.twitter.com


Connecting Cisco Catalyst 9800 Series Wireless Controller or Cisco Wireless Controller to Cisco Spaces Using WLC Direct Connect or Cisco Spaces: Connector

To import the locations from Cisco 9800 Series Wireless Controller or Cisco Wireless Controller (without CMX) to Cisco Spaces, you must first connect the Controller to Cisco Spaces through one of the connectors.

The connectors, Cisco WLC Direct Connect and Cisco Spaces Connector can be used for both Cisco Wireless Controller and Cisco Catalyst 9800 Series Wireless Controller.


Note


  • If you want to connect a Cisco Wireless Controller with both Cisco CMX and Cisco Spaces simultaneously, you must use a Cisco Spaces: Connector. However, it is not recommended to connect a single Controller to both Cisco Spaces and Cisco CMX simultaneously.

  • It is recommended not to compare the data displayed in Cisco Spaces reports such as Behavior Metrics with the data displayed in Cisco Wireless Controller or Cisco CMX, as it is expected to differ as per design.

  • For importing a Controller to Cisco Spaces, ensure that at least one AP is connected to that particular Controller.

  • In the Controller, if new APs are added to the Controller, those APs get automatically imported during the next Controller synchronization. If an imported AP is deleted from the Controller, the changes will be reflected in Cisco Spaces only after 48 hours. However, an AP without updates will be deleted after 48 hours only if updates are coming from other APs. For example, if there are 10 APs that are configured, and if 2 APs are removed from Controller, these 2 APs will be removed from Cisco Spaces only when updates are received from other 8 APs.

  • If an AP is disassociated from the Controller, it is not immediately removed from Cisco Spaces to release the AP count. The APs will be removed from Cisco Spaces only after 48 hours.


The configurations required for various combinations of Wireless Controllers and Connectors are as follows:

Connecting Cisco Spaces to Cisco Wireless Controller Using Cisco WLC Direct Connect

To connect the Cisco Wireless Controller Version 8.3 or later (without Cisco CMX installation) to the Cisco Spaces, and to import the Cisco Wireless Controller and its access points to the Cisco Spaces, perform the following steps:

Before you begin

  • You need Cisco Wireless Controller Version 8.3 or later.

  • For importing a Cisco Wireless Controller to Cisco Spaces, ensure that at least one AP is connected to that particular Cisco Wireless Controller.

  • The Cisco Wireless Controller must be able to reach Cisco Spaces cloud over HTTPS.

  • Cisco Wireless Controller must be able to reach out to the internet.

  • To use Cisco Spaces with anchor mode, you must have a network deployment with Cisco Wireless Controllers in both anchor controller mode and foreign controller mode. If the network deployment contains Cisco Wireless Controller in Anchor Controller mode and Foreign Controller mode, Cisco WLC Direct Connect must be enabled in both controllers using the commands described in this section. In addition, the Cisco Wireless Controllers in both modes must be able to reach the Cisco Spaces cloud over HTTPS. However, Cisco Spaces does not support Cisco Wireless Controller Version 8.3.102 in anchor mode.

  • To connect the Cisco AireOS Wireless Controller Version 8.3 or later successfully to the Cisco Spaces using Cisco WLC Direct Connect, you must have a root certificate issued by DigiCert CA. If the network deployment contains Cisco Wireless Controller in Anchor Controller mode and Foreign Controller mode, you must import the certificate to the Cisco Wireless Controllers in both modes”.

Procedure


Step 1

Import the DigiCert CA root certificate.

  1. Download your root certificate from the following link:

    https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem

  2. Copy the root certificate content to a file with .cer extension, and save the file as {your_filename}.cer.

  3. Copy the {your_filename}.cer file to the default directory on your TFTP.

  4. Log in to the Cisco Wireless Controller CLI, and execute the following commands:

     transfer download datatype cmx-serv-ca-cert 
     transfer download mode tftp 
     transfer download filename {your_filename}.cer 
     transfer download serverip {your_tftp_server_ip} 
     transfer download start 
  5. Type Y to start the upload

  6. After the new root certificate has been uploaded successfully, execute the following commands to disable, and then enable your Cisco CMX Cloud Services:

    config cloud-services cmx disable 
    config cloud-services cmx enable 

    Note

     
    After uploading the root certificate, Cisco Wireless Controller will prompt for reboot. Rebooting is recommended, but not mandatory. The certificate will be installed in either case.

If you try to connect the Wireless Controller to Cisco Spaces using a root certificate not issued by DigiCert CA, you will get the following error:

https:SSL certificate problem: unable to get local issuer certificate

Step 2

In the Cisco Wireless Controller CLI mode, execute the following commands:

config cloud-services cmx disable 
 config cloud-services server url https://{Customer Path Key}.{LB Domain} {LB IP Address}
config cloud-services server id-token <Customer JWT Token> 
 config network dns serverip <dns server ip> 
 config cloud-services cmx enable 

Note

 

To view the {Customer Path Key}, {LB Domain}, {LB IP Address}, and {Customer JWT Token}, log in to Cisco Spaces dashboard, and click the three-line menu icon that is displayed at the top-left of the dashboard. Choose Setup > Wireless Networks. Then expand Connect WLC / Catalyst 9800 Directly, and click View Token. Click the WLC tab, and you can view the {Customer Path Key}, {LB Domain}, and {LB IP Address} at Step 1b and {Customer JWT Token} at Step 1c.

Step 3

Check the summary using the following command:

show cloud-services cmx summary

The result appears.

Now in the Cisco Spaces dashboard, when you choose CUWN-WLC in the Add a Wireless Network window, the WLC will be listed. So, you can import the APs of that WLC to the Cisco Spaces.

Example:

Sample Result

(Cisco Controller) >show cloud-services cmx summary

CMX Service

Server ....................................... https://$customerpathkey.dnaspaces.io

IP Address.................................... <Local System IP Address>

Connectivity.................................. https: UP

Service Status ............................... Active

Last Request Status........................... HTTP/1.1 200 OK

Heartbeat Status ............................. OK

Now the Cisco Wireless Controller will be available for import in the Cisco Spaces location hierarchy. You can import the locations using Map services or Access Point Prefix.


Configuring Cisco Wireless Controller (without Cisco CMX) for Notification and Reports

Without Cisco CMX, you can connect Cisco Wireless Controller to Cisco Spaces using the connectors WLC Direct Connect and Cisco Spaces Connector. In these cases, the configurations required for notifications and reports aredone automatically when you import the Cisco Wireless Controller.


Note


If you are using Cisco Spaces with WLC Direct Connect or Cisco Spaces Connector, the controller must be in Foreign controller mode.

Cisco Spaces Scale Benchmark

Table 1. Scale Summary

SNO

Cisco Spaces: Connector

Cisco WLC Direct Connect

CMX Tethering Connector

Platforms

Cisco AireOS

Cisco AireOS

Cisco Catalyst 9800 Series

Cisco AireOS

Max Scale on supported appliance.

12.5K APs, 250K clients

Incoming NMSP should not be more than 10.5K messages/sec.

50 APs and 50 Clients

50 APs and 50 Clients

60K clients, 5K APs, and 50k RFID tags

Maps with 1BLDG-100 Floors and each floor with 50 APs

Scale supported releases

Connector version 2.1.1 with docker v2.0.204

8.8MR2

16.12, 17.1

8.8MR2 with CMX 10.6 (high end)


Note


Currently, scaling is not available for Mobility Express.