Connect Connector to Cisco Catalyst 9800 Series Wireless Controllers

Configure and Test the Connection Between Connector and Catalyst 9800 Controller

Before you begin

  1. Deploy a connector OVA and activate it using a token from Cisco Spaces.

  2. Note down the IP address of a Catalyst 9800 controller that is reachable from the Cisco Spaces: Connector.

  3. On the Catalyst 9800 controller CLI, enter the config mode and enable AAA with local authentication using the aaa authorization exec default local and aaa authentication login default local commands.

    On the Catalyst 9800 controller CLI, run the following command in the enable mode:
    show run | sec aaa

    From the output that is displayed, copy the configuration for aaa authorization exec default. In the config mode, append the configuration for local authentication to the copied configuration and configure the appended configuration.

    For instance, if the output displays aaa authorization exec default group dnac-network-tacacs-group, the appended configuration is aaa authorization exec default group dnac-network-tacacs-group local. This ensures that the existing configuration is not overwritten.


Note


Any certificate imported to the controller for the Wireless Management Interface (WMI) that has been signed with a signature algorithm weaker than SHA-256 is not supported. Verify your certificate before adding the controller using the show wireless management trustpoint command.
Device# show wireless management trustpoint
Trustpoint Name  : manual_certs                   <<<<<<<<<<< Get the name of the trustpoint
Certificate Info : Available
Certificate Type : SSC
Certificate Hash : f7900ae5e35473b5e32343d4ea9556176e71a63a
Private key Info : Available
FIPS suitability : Not Applicable
You can also verify the same using the show crypto pki certificates verbose command. In the output displayed, verify the content of the following fields (also highlighted in bold in the output):
  • Signature Algorithm: Ensure that nothing less than SHA-256 is displayed here.

  • Associated Trustpoints: Ensure that the signature algorithm is for the required trustpoint.

Device# show crypto pki certificates verbose
...
CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 00AE697E4C7EEBE3E4
  Certificate Usage: Signature
  Issuer: 
    e=support@vwlc.com
    cn=CA-vWLC-manual
    ou=Cisco DevX Wireless Simulator
    o=Cisco Virtual Wireless LAN Controller
    l=San Jose
    st=California
    c=US
  Subject: 
    e=support@vwlc.com
    cn=CA-vWLC-manual
    ou=Cisco DevX Wireless Simulator
    o=Cisco Virtual Wireless LAN Controller
    l=San Jose
    st=California
    c=US
  Validity Date: 
    start date: 18:08:16 Pacific Aug 27 2019
    end   date: 18:08:16 Pacific Aug 24 2029
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (4096 bit)
  Signature Algorithm: SHA256 with RSA Encryption                
  Fingerprint MD5: 623E2FA4 7F908675 5422FF3C 257179F9 
  Fingerprint SHA1: 05E3D17C 841AA033 C503D7BA 443CC2C2 1C510538 
  X509v3 extensions:
    X509v3 Key Usage: 6000000
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: 1AE21C76 1B86780A B4E0AE43 205052BE EA0E4B4A 
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: 1AE21C76 1B86780A B4E0AE43 205052BE EA0E4B4A 
    Authority Info Access:
  Cert install time: 23:51:54 Pacific Jun 7 2024 
  Associated Trustpoints: manual_certs 
  Storage: nvram:supportvwlcc#E3E4CA.cer
...
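
The two-command check above can be run over saved CLI output. The following Python example is added here and is not part of the Cisco documentation or product. Its sample outputs are constructed (abridged from the outputs above, plus one made-up SHA-1 certificate on a hypothetical trustpoint old_tp, whose "SHA1 with RSA Encryption" wording is an assumption). It reads the WMI trustpoint name, keeps only the certificates associated with that trustpoint, and accepts a signature algorithm only if its digest is on a SHA-256-or-stronger allowlist.

```python
import re

# Constructed samples: abridged from the outputs on this page, plus one made-up
# SHA-1 certificate on a hypothetical trustpoint "old_tp" (string format assumed).
TRUSTPOINT_OUT = """\
Trustpoint Name  : manual_certs        <<< Get the name of the trustpoint
Certificate Type : SSC
"""
CERTS_OUT = """\
CA Certificate
  Signature Algorithm: SHA256 with RSA Encryption
  Associated Trustpoints: manual_certs

Certificate
  Signature Algorithm: SHA1 with RSA Encryption
  Associated Trustpoints: old_tp
"""
OK_HASHES = {"SHA256", "SHA384", "SHA512"}  # allowlist: anything else fails

def wmi_trustpoint(text):
    """Name printed by 'show wireless management trustpoint', or None."""
    m = re.search(r"^Trustpoint Name\s*:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def parse_certs(text):
    """Split 'show crypto pki certificates verbose' into one dict per certificate."""
    certs, cur = [], None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "...":
            continue
        if not line[0].isspace():            # unindented line opens a new block
            cur = {"kind": line.strip()}
            certs.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")
            cur.setdefault(key.strip(), val.strip())
    return certs

def check_wmi_certs(trustpoint_out, certs_out):
    """Return (trustpoint, [(block title, signature algorithm, acceptable?)])."""
    tp = wmi_trustpoint(trustpoint_out)
    results = []
    for c in parse_certs(certs_out):
        if tp not in c.get("Associated Trustpoints", "").split():
            continue                         # certificate belongs to another trustpoint
        algo = c.get("Signature Algorithm", "")
        m = re.search(r"(MD\d|SHA-?\d+)", algo, re.I)
        digest = m.group(1).upper().replace("-", "") if m else "UNKNOWN"
        results.append((c["kind"], algo, digest in OK_HASHES))
    return tp, results
```

Any tuple whose last element is False identifies a certificate on the WMI trustpoint that should be replaced before the controller is added.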

Procedure


Step 1

Log in to Cisco Spaces.

Step 2

In the Cisco Spaces dashboard, choose Setup > Wireless Networks.

Step 3

Expand the Connect via Spaces Connector area using the respective drop-down arrow to display a list of steps.

Step 4

To test the connectivity from the Connector to an existing Catalyst 9800 controller, click View Controllers in the Step 3 Area.

  1. Click the pencil icon to edit a Catalyst 9800 controller.

  2. Choose an active Connector from the Connector drop-down list to enable the Test Connectivity button.

  3. Go to this step to test the connectivity to an existing AireOS controller.

Step 5

To add a new Catalyst 9800 controller, click Add Controllers from the Step 3 Area.

Figure 1. Add a New Catalyst 9800 controller

Step 6

From the Connector drop-down list, choose a Connector.

Step 7

Enter the Controller IP address and Controller Name, and from the Controller Type drop-down list, choose Catalyst WLC to connect to a Cisco Catalyst 9800 Series Wireless Controller.

Note

 
Ensure that the Controller IP address is not in the same subnet as the docker service network. You can validate this from the Connector CLI, where you can issue the connectorctl dockersubnet show command to verify the subnets used.

Step 8

Do one of the following:

  • Enter Netconf username, Netconf password, and Enable password. This choice allows the Connector to recover gracefully from NMSP drops and push a fresh configuration to the Catalyst 9800 controller whenever required. If you have not configured an enable password on the Catalyst 9800 controller, you can skip configuring the Enable password in this step.
  • Copy the configuration commands in the Catalyst WLC CLI commands section and run them manually on the Catalyst 9800 controller CLI.

Step 9

(Optional) Run the PING and SSH functionalities to test the reachability to the Catalyst 9800 controller and the credentials by clicking Test Connectivity. Note that Test Connectivity is available only for an active Connector.

Figure 2. Add a New Catalyst 9800 controller

Table 1. Error Description

Status of PING | Status of SSH Credential Test | Meaning of status message combination and possible checks

SUCCESSFUL | SUCCESSFUL | Connectivity test is successful.

SUCCESSFUL | FAILED | Ping test to the Catalyst 9800 controller is successful. But SSH test has failed. Check the following:

  1. Is SSH enabled on the controller?

  2. Is the SSH port 22 of the Catalyst 9800 controller reachable from the Connector?

  3. Have you provided accurate SSH read-write credentials?

FAILED | SUCCESSFUL | Connectivity test is successful.

FAILED | FAILED | Both Ping and SSH test to the Catalyst 9800 controller have failed. Check the following:

  1. Is there IP connectivity between Connector and controller?

  2. Is SSH enabled on the Catalyst 9800 controller?

  3. Is the SSH port 22 of the Catalyst 9800 controller reachable from the Connector?

  4. Have you provided accurate SSH credentials?

  5. Is AAA enabled with local authentication?

  6. Are you using an interface that is NOT the wireless management interface for NMSP and SSH connectivity?

Step 10

Click Save, and then click Close.

You can see the new Catalyst 9800 controller in the Controller Channel area of the Connector GUI. The Catalyst 9800 controller that is connected successfully to the Connector appears as Active. It takes approximately five minutes for the wireless controller to change to the Active state. Refresh your window to view the status change. The added Catalyst 9800 controller is also listed in the Controller Channel area of the Connector.
Figure 3. Details of the Catalyst 9800 controller

You can add multiple Catalyst 9800 controllers to a Connector.

What to do next

You can import the added Catalyst 9800 controller to the Cisco Spaces location hierarchy.