01 Feb

How to register lightweight AP in WLC using DNS records

Wireless networks

So you have your brand new shiny lightweight AP from Cisco and wireless controller. The beauty of the managed wireless solution is that it requires almost no effort to add a new access point to existing local network. There are multiple ways how lightweight AP can discover the WLC – I will show you, in my opinion, the easiest one.

Access Point registration

The WLC has two essential ports – management and service. The second one we use mostly for recovery procedure on physical appliances and is not that important when you use vWLC. The Management Port is the one you use to connect to WLC GUI. But by default, it is also used to register access point. You can always change this by selecting the “Enable Dynamic AP Management” option in other port configuration.

There are multiple options how lightweight access point can discover the controller. I think one of the most known is by using DHCP option 43, but that usually requires quite a lot of work and may not be supported by all DHCP server software. In my opinion, the easiest way to let AP discover the controller is via DNS discovery. There are two requirements for this solution to work:

  • The DHCP server must provide DNS servers IP addresses and the domain name in response
  • You need to configure CISCO-LWAPP-CONTROLLER.localdomain or CISCO-CAPWAP-CONTROLLER.localdomain where the ‘localdomain’ is the access point domain provided by DHCP.

So the whole required configuration is limited to setting up DHCP like for any other host you have in a network (no unique attributes), adding DNS entry and configure switch port in proper VLAN.

Before AP can register at WLC, we must configure the WLC itself as the master controller for the wireless network. To do that go to Controller -> Advanced -> Master Controller Mode, click the checkbox and apply the change.

When you boot up the AP, it should obtain its IP address from DHCP server. You should also see logs as below on AP console which means access point is trying to join the controller provided in DNS configuration.

*Dec 16 23:19:42.015: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Dec 16 23:19:42.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.1.205 peer_port: 5246
*Dec 16 23:19:42.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.1.205 peer_port: 5246
*Dec 16 23:19:42.223: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.1.205
*Dec 16 23:19:47.223: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.1.205

It takes 1-2 minute for AP to join the controller, even more, to be operational. Usually new AP first require firmware upgrade which takes time (unless you are needed do to it manually because it is too old compared to WLC firmware which I explained in Manual firmware upgrade of lightweight access point post). When registration process completes, you will see the access point on the list in the Wireless section.