cisco wlc 9800 tx power level assignment

• Cisco ISE (Identity Services Engine)
• ENCOR (350-401)
• ENWLSD (300-425)
• Overview of Wireless Site Surveys
• Performing Walk-through Surveys
• Performing Layer 1 Site Surveys
• Overview of Predictive Site Surveys
• RRM Overview
• Transmit Power Control
• (RX-SOP) Receive Start of Packet
• Neighbour Discovery Protocol
• RF Profiles
• Out of Box RF Profile
• Powering APs
• Cisco Wireless Licensing
• Wireless Roaming Concepts
• Validate Mobility Messaging
• AP Redundancy
• Controller Failure Detection
• AP Fallback
• AP Prioritization

Transmit Power Control (TPC)

One of the functions that makes up the RRM operations is Transmit Power Control (TPC) . In this lesson, we’ll be taking a closer look at the TPC algorithm and how it works.

2.0 Wired and Wireless Infrastructure   2.3 Design radio management

APs can broadcast and operate using a number of different power levels. The higher the power is set on our APs, the bigger our coverage cell. Due to this, the transmit power configured on APs needs to be managed to reduce co-channel interference. Can you imagine having to manage the power on each AP manually? Even then, having to find the right transmit power for your environment? It would be a nightmare… Thankfully, TPC (Transmit Power Control)  can manage this for us automatically. 

TPC is an algorithm that runs on our wireless controller  every 10 minutes by default. The main aim is to set an APs transmit power to its optimal value. This value will provide the best performance to clients whilst avoiding interference with other APs. As the AP will most likely have an antenna on the 2.4GHz and 5Ghz bands, TPC will run independently. There will be one transmit power set for the 2.4GHz radio and another for the 5GHz radio.

As the wireless controller has no idea how our wireless network is setup, NDP (Neighbour Discovery Protocol) is used to build the topology. Using the NDP frames, our WLC will  The WLC looks for APs that can hear each other at -70dBm or greater . In addition for this, in order for the TPC algorithm to operate, the AP must be able to hear an additional 3 APs.

We might have scenarios where we have a number of wireless controllers within our deployment. If this is the case, the controller allocated as RF group leader will run the TPC algorithm.

Now that you understand how TPC operates, let’s take a look at how the algorithm works. Our wireless controller will use the following criteria to determine if a TPC change is required:

1. Can the AP detect three other APs at -70dBm? 2. Use the following formula to determine the transmit power: Tx_Max + (Tx Power Control threshold – RSSI of 3rd highest neighbour)

In order to minimise potential disruption, RRM will only make gradual changes to the transmit power. As such, RRM will only increase or decrease the power by 3dB (half or double the transmit power).

Configuration

In most cases, TPC doesn’t require any configuration to work. There might however be situations where the TPC algorithm needs to be tweaked.

TPC configuration can applied using either of the following options:

• RF Profiles.

It’s worth noting that some TPC parameters can only be configured globally. This includes;

• TPC Version.
• How TPC runs.

Global Configuration:

Remember that the TPC algorithm runs independently on each 802.11 band. As such, we have a global TPC configuration for the 2.4GHz band (802.11b/g/n/ax) and one for the 5GHz band (802.11a/n/ac/ax) . The 2.4GHz global configuration can be configured by navigating to: WIRELESS > 802.11b/g/n/ax > RRM > TPC The 5GHz global configuration on the other hand can be configured by navigating to: WIRELESS > 802.11a/n/ac/ax > RRM > TPC

There are a number of configurable options available to TPC global configuration. This includes:

• TPC run method.
• Maximum power level assignment.
• Minimum power level assignment.
• Power threshold.

TPC Version:

There are two methods of TPC available:

• TPCv1 (Coverage Optimal Mode).
• TPCv2 (Interference Optimal Mode).

Unless you have a specific reason otherwise, it’s recommended to use the default TPCv1 – Coverage Optimal Mode .

TPC Run Method:

TPC can run using one of the following methods:

Minimum / Maximum Power Level Assignment:

These thresholds can be used to set the minimum or maximum amount of power that APs can use within the environment.

Power Threshold:

Finally, this is the cutoff used by RRM to determine whether it should reduce an APs power. An increase of the power threshold will cause the AP to operate at higher transmit power rates. A decrease of the threshold on the other hand will cause the AP to operate at lower transmit power rates.

RF Profile:

Alternately, we can control TPC parameters using RF profiles. Our RF profile can then be applied to AP groups to control TPC on specific APs. In our example, I’ve created an RF profile called MN_RF-Profile-2.4GHz .

The TPC parameters can be configured under the RRM tab of our RF profile. We can then amend the following configuration parameters:

• Maximum Power Level Assignment.
• Minimum Power Level Assignment.
• Power Threshold v1.
• Power Threshold v2.

WLC and AP Power settings

Ap power settings made easy.

To fully understand and sometimes troubleshoot our wireless networks, we need to know exactly what is going on with our AP s, especially what power they are outputting. So in this post we are going to look at AP Power settings made easy.

Cisco CCNA - Cisco Certified Network Associate Certification Training

The Benefits of a Cisco CCNA Certification

The Importance of Setting Goals

Have questions ready to find to get started.

Important Notice: NC-Expert does not accept enrollment applications from independent individuals. We require that employers pay for their employees. We continue to service corporate clients, using B2B transactions, with no change in service. We apologize for any inconvenience.

Our vision is to provide innovative, relevant, and accessible technical consulting and training for executives and engineers which will enable them to directly impact the growth of their companies.

Get In Touch

+1 (855) 941-2121

5113 Johnson Dr 

Pleasanton, CA 94588

[email protected]

Enrollment T&Cs 

NC-Expert - All Rights Reserved 

Privacy Policy | Enrollment T&Cs

Wait, but Wi-Fi?

Transmit Power Control Considerations

Proper configuration of Transmit Power Control (TPC) settings can help to ensure that your Access Point (AP) does not speak too loudly. If your AP is transmitting at 18dBm and an associated client station (STA) is at the cell edge and only capable of transmitting at 15dBm, your client will be able to hear the AP transmission, but the AP won’t be able to hear the client which leads to retransmissions and thus reduced performance.

Wireless network design is ultimately dependent upon the clients it is to support, so we will want to have an idea of what our intended clients are capable of. As an example, one of my customer’s clients is an HP EliteBook 8470p laptop workstation which has a Broadcom BCM943228HM4L Wi-Fi adapter. According to the product specification web page for this particular model, I was able to find that it is capable of transmitting at around 15dBm. If this is my customer’s least capable device, I would not want my AP to transmit louder than 15dBm either.

My customer is using a Cisco 3504 Wireless Controller running AireOS version 8.8. I am able to globally configure the Maximum Power Level Assignment to 15dBm.

If the same controller were managing multiple locations with different requirements, I can also set a Maximum Power Level Assignment for different RF Profiles.

Though the maximum power level is configured in dBm, Cisco uses a series of numbers to represent levels of power. Phil Morgan of NC-Expert wrote an article titled WLC and AP Power settings in which he discusses Cisco power levels in further detail. In his article, he discusses how we can determine what the power levels represent as they vary by AP model, band (2.4 vs 5GHz), and even channel groupings (i.e. U-NII 1, 2, 2e, 3).

I also stumbled upon an excellent post by Maxim Risman in the Cisco Community titled Cisco Access point 2802i Tx Power Chart where he demonstrates the use of another very helpful command which summarizes the power levels of all APs: show advanced 802.11a txpower

Note that the range for the power levels actually does not change, but rather TPC is limiting the highest level that can be used.

The current power level setting can also be found in the web GUI by navigating to Wireless > Access Points > Radios. There, you can see the power level for all of your APs in a column, or you can dive in to the configuration of a radio.

When performing predictive site surveys with Ekahau Pro site survey software, we have the ability to adjust the transmit power with which to generate our expected heat maps.

We can get an idea of how this difference may affect our design in the real world.

If you are interested in getting deeper into Cisco’s TPC implementation, you may want to check out a whitepaper they have published titled Transmit Power Control (TPC) Algorithm .

Published by Stephen

View all posts by Stephen

• Skip to content
• Skip to search
• Skip to footer

Troubleshoot Common Issues with LWA on 9800 WLCs

Available Languages

Download options.

• PDF (885.4 KB) View with Adobe Reader on a variety of devices
• ePub (1.0 MB) View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
• Mobi (Kindle) (840.5 KB) View on Kindle device or Kindle app on multiple devices

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes the common issues with clients connecting to a WLAN with Local Web Authentication (LWA).

Prerequisites

Requirements.

Cisco recommends you have basic knowledge of:

• Cisco Wireless LAN Controller (WLC) 9800 series.
• General understanding of Local Web Authentication (LWA) and its configuration.

Components Used

The information on this document is based on this software and hardware versions:

• 9800-CL WLC
• Cisco Access Point 9120AXI
• 9800 WLC Cisco IOS® XE version 17.9.3

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

LWA is a type of WLAN authentication that can be configured on the WLC where the end client that attempts to connect, after they select the WLAN from the list, presents a portal to the user. In this portal, the user could enter a username and password (depending on the configuration selected) to finish the connection to the WLAN.

Refer to the  Configure Local Web Authentication  configuration guide for more information on how to configure LWA on the 9800 WLC.

Radioactive (RA) Traces on the 9800 WLC

Radioactive traces are a great troubleshooting tool that can be used when troubleshooting various issues with the WLC and client connectivity. In order to collect RA traces do the steps:

From the GUI:

• Go to Troubleshooting > Radioactive Trace.
• Click on Start to enable Conditional Debug Global State.
• Click on + Add . A pop-up window is opened open. Enter the MAC address of the client. Any MAC address format is accepted ( aabb.ccdd.eeff, AABB.CCDD.EEEE , aa:bb:cc:dd:ee:ff , or AA:BB:CC:DD:EE:FF ). Then click on Apply to Device.
• Have the client reproduce the issue 3 or 4 times.
• Once the issue has been reproduced, click on Generate.
• A new pop-up window is opened. Generate logs for the last 10 minutes. (In this case it is not necessary to enable the Internal Logs). Click on  Apply to Device and wait for the file to be processed.
• Once the file has been generated, click on the Download icon.

From the CLI:

A new file in the bootflash is be generated called ra_trace_MAC_<mac-address>_HHMMSS.XXX_timezone_DayWeek_Month_Day_year.log

Copy the file to an external server for analysis

For more information about Radioactive Tracing please refer to this link.

Expected Flow

Refer to the information to understand the working scenario for LWA. 

Stages the Client Undergoes from the Client Perspective

• End client associates to the WLAN.
• Client gets an IP address assigned.
• Portal is presented to the end client.
• End client enters login credentials.
• End client is authenticated.
• End client is able to browse the Internet.

Stages the Client Undergoes from the WLC Perspective

Caution : Many logs from the Radio Active (RA) trace were left out for simplicity purposes.

End client associates to the WLAN

L2 Authentication

Client Gets an IP Address Assigned

L3 Authentication

Client Gets an IP Address

Portal Processing

WLC Processes Information to be Applied to the Connecting End Client

WLC Applies User Profile to the Connected End Client

Web Authentication is Completed

AAA Attributes Applied to End Client

End Client Reaches Run State

Common Troubleshooting Scenarios

Authentication failures.

Considerations

• Portal shown says "Authentication Failed" after entering correct credentials.
• WLC shows Client in "Web Auth Pending" state.
• The initial splash page is shown again to the user.

WLC RA Traces

Recommended Solutions

Ensure that the default AAA Method List for network authorization does exist on the WLC configuration.

• Go to  Configuration > Security > AAA > AAA Method List > Authorization.  Click on  + Add.
• Method List Name: default
• Type: network
• Group Type: local
• Click Apply to Device.

Portal is not Shown to the User but Client Appears Connected

Possible Behavior Experienced fom the End Client

• End client sees their device as "Connected".
• End client does not see the portal.
• End client does not enter any credentials.
• End client has an IP address assigned.
• WLC shows the client in "Run" state.

Cient gets an IP address assigned and it is immediately moved to "Run" state on the WLC. User attributes only show the VLAN assigned to the end client.

Ensure that the Web Policy is enabled on the WLAN.

• Go to  Configuration > Tags & Profiles > WLANs.
• Select the LWA WLANs.
• Go to  Security > Layer 3.
• Ensure the  Web Policy  checkbox is enabled.

Portal is not Shown to the User and Client Does Not Connect

• End client sees their device is continuously trying to connect.
• End client does not have an IP address assigned.
• WLC shows the client in "Webauth Pending" state.

Enable necessary HTTP/HTTPS servers. It is now possible to have more control over which HTTP/HTTPS servers need to be enabled to fully adapt to the needs of the network. Please refer to this link for more Information About Configuring HTTP and HTTPS Requests for Web Authentication as there are several HTTP combinations supported; for example, HTTPs can be used for webadmin only and HTTP used for webauth.

To allow administrative device management and web authentication with both HTTP and HTTPS access, from the CLI:

Caution : If both these servers are disabled, there is no access to the Graphical User Interface (GUI) of the WLC.

End clients are not getting an IP address

• End clients see their device is continuously trying to get an IP address.
• WLC shows the client in "IP Learning" state.

Disovery requests with no offer back.

First: Ensure that the Policy Profile has the correct VLAN assigned.

• Go to  Configuration > Tags & Profiles > Policy.
• Select the used policy profile.
• Go to  Access Policies.
• Select the right VLAN.

Second:  Ensure that there is a DHCP pool available for the user somewhere. Check its configuration, and its reachability. RA traces show under which VLAN DHCP DORA process is going through. Ensure this VLAN is the right VLAN.

Customized Portal is not Shown to the End Client

• The default portal of the WLC is seen.

First: Make sure that the WLAN is using the customized Web Auth Parameter Map.

• Go to Configuration > Tags & Profiles > WLANs.
• Select the WLAN from the list.
• Go to Security > Layer 3.
• Select the customized Web Auth Parameter map.

Second: It is important to note that the customized dowloaded from Cisco.com web portal does not work with a very sturdy and complicated programming interface. It is generally recommended to make changes only at a CSS level and perhaps adding or removing images. Applets, PHP, modify variables, React.js, and so on, are not supported. If a customized portal is not shown to the client, try using the default WLC pages and see if the issue can be replicated. If the portal is successfully seen, then there is something that is not supported on the customized pages that are supposed to be used.

Third: If using an EWC ( Embedded Wireless Controller ) it is suggested to use the CLI to add the customized pages to ensure that they are properly displayed:

Customized Portal is not Correctly Shown to the End Client 

• Customized portal is not rendered correctly (that is images are not displayed).

Make sure that the global parameter map has a virtual IP address assigned.

• Go to Configuration > Security > Web Auth.
• Select the global  parameter map from the list.
• Add an unroutable virtual IP address.

Tip : The virtual IP address serves as the redirect address for the web authentication login page. No other device on the network must have the same IP, it must not be mapped to a physical port, nor exist on any routing table. Therefore, it is recommended to configure the virtual IP as a non-routable IP address, only those that are on the RFC5737 can be used.

Portal Says that "Your connection is not secure/verify signature failed"

• Upon opening the portal the client sees an error saying that the connection is not secure.
• The portal is expected to use a certificate.

Things to Know

If the portal is expected to be displayed under HTTPS, it means that it needs to use an SSL (Secure Socket Layer) certificate. Said certificate must be issued by a 3rd party Certificate Authority (CA) to validate that the domain is fact real; providing trust to end clients when entering their credentials and/or viewing the portal. In order to upload a certificate to the WLC, please refer to this document.

First: Restart desired HTTP/HTTPS services. It is now possible to have more control over which HTTP/HTTPS servers need to be enabled to fully adapt to the needs of the network. Please refer to this link for more Information About Configuring HTTP and HTTPS Requests for Web Authentication.

Second: Make sure that the certificate is correctly uploaded to the WLC and that its validity date is correct.

• Go to Configuration > Security > PKI Management
• Search for the Trustpoint on the list
• Check its details

Third: Make sure that the correct certificate selected for usage on the WebAuth parameter map and that the Virtual IPv4 Hostname matches the Common Name (CN) in the certificate.

• Select the used parameter map from the list.
• Check that the trustpoint and Virtual IPv4 Hostname are correct.

Related Information

• Configure Local Web Authentication
• Web-Based Authentication (EWC)
• Customize the Web Authentication Portal on Catalyst 9800 WLC
• Generate and Download CSR Certificates on Catalyst 9800 WLCs
• Configuring Virtual Interfaces

Revision History

Contributed by Cisco Engineers

• Daniela Vignau Leon

Was this Document Helpful?

Contact Cisco

• (Requires a Cisco Service Contract )

This Document Applies to These Products

• Catalyst 9800 Series Wireless Controllers