How to add Lightweight Access point to Wireless LAN Controller


Thu, 01/29/2015 - 03:34
Jul 2nd, 2009



Lightweight Access Points are part of the Cisco Unified Wireless Network architecture, which centralizes wireless LAN configuration and control on the wireless LAN controller (WLC).


In this Cisco Unified Wireless Network architecture, access points are "lightweight," meaning that they cannot act independently of a controller. The wireless LAN controller manages the access point configurations and firmware.

The access points are zero-touch and no individual configuration of access points is required.

Lightweight access points must be discovered by a controller before they can become an active part of the network. Cisco's lightweight access points use the Lightweight Access Point Protocol (LWAPP) to communicate with the controller.

In an LWAPP environment, a lightweight access point discovers a controller by using the LWAPP discovery mechanisms and then sends it an LWAPP join request. The join is authenticated with X.509 certificates: the controller validates the access point's certificate (visible with debug pm pki) before it sends the LWAPP join response that allows the access point to join. Once the access point has joined, the controller manages its configuration, firmware, control transactions, and data transactions.


Layer 3 LWAPP WLC Discovery Algorithm





Over-the-Air Provisioning (OTAP)






DHCP option 43
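With the DHCP option 43 method, the DHCP server that hands the LAP its address also hands it the controller addresses. Cisco IOS-based LAPs expect option 43 to carry a vendor sub-option of type 0xf1 (241) whose length is 4 times the number of controllers and whose value is the WLC management IPv4 addresses back to back. The Python below is an added example, not code from the original page or from Cisco: it builds that value, renders it in the dotted form the IOS `option 43 hex` command takes, and decodes a value back so a mistyped entry is caught before it reaches a production pool. The function and variable names and the sample addresses are the editor's own.

```python
"""Build and check the DHCP option 43 value that points Cisco LAPs at a WLC.

Added example, not from the original page. Cisco IOS-based lightweight APs read
option 43 as a vendor-specific TLV: sub-option type 0xf1 (241), length =
4 * number of controllers, value = WLC management IPv4 addresses back to back.
Function names and the sample addresses below are the editor's assumptions.
"""
import ipaddress

LAP_SUBOPTION_TYPE = 0xF1  # sub-option 241: list of WLC management addresses


def encode_option43(controllers):
    """Return the option 43 payload as a plain hex string (no dots)."""
    if not controllers:
        raise ValueError("at least one WLC management address is required")
    packed = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(packed) > 255:
        raise ValueError("too many controllers for a one-byte TLV length")
    return (bytes([LAP_SUBOPTION_TYPE, len(packed)]) + packed).hex()


def ios_option43_command(controllers):
    """Render the IOS `option 43 hex` line using IOS's dotted 16-bit grouping."""
    raw = encode_option43(controllers)
    groups = [raw[i:i + 4] for i in range(0, len(raw), 4)]
    return "option 43 hex " + ".".join(groups)


def decode_option43(hex_value):
    """Parse a hex option 43 value and return the WLC addresses it carries.

    Walks every TLV in the option and raises ValueError on a truncated or
    misaligned sub-option, so a bad value is rejected before the LAPs see it.
    Dots and spaces (as IOS prints them) are ignored.
    """
    data = bytes.fromhex(hex_value.replace(".", "").replace(" ", ""))
    controllers = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("dangling sub-option header at offset %d" % i)
        sub_type, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option 0x%02x is truncated" % sub_type)
        if sub_type == LAP_SUBOPTION_TYPE:
            if length == 0 or length % 4:
                raise ValueError("WLC list length %d is not a multiple of 4" % length)
            controllers.extend(
                str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, length, 4)
            )
        i += 2 + length
    return controllers


if __name__ == "__main__":
    wlcs = ["192.168.10.5", "192.168.10.6"]  # constructed sample addresses
    print(ios_option43_command(wlcs))
    print(decode_option43(encode_option43(wlcs)))
```

The same bytes, without the dots, are what a non-IOS DHCP server (for example one that takes option 43 as a binary value) needs; the decoder is worth running over whatever the server finally stores, because an AP that receives a malformed option simply ignores it and falls back to the other discovery methods, which is slow to diagnose.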





Using the DNS server in order to return WLC IP addresses to the LAP





Use IP helper address on the Router

Although this is not a part of the Layer 3 discovery algorithm, this is a simpler method that can be used when the WLC and the LAPs are in different subnets. After the LAP gets an IP address from the DHCP server, it broadcasts a Layer 3 LWAPP discovery message on its local subnet. The IP address of the WLC is configured as an ip helper-address on the router interface facing the LAPs. The router forwards broadcasts heard on that interface, as unicasts (or directed broadcasts) to each configured helper address.

When you use the ip helper-address command, eight UDP ports are forwarded automatically: Trivial File Transfer (TFTP) (port 69), Domain Name System (port 53), Time Service (port 37), NetBIOS Name Server (port 137), NetBIOS Datagram Server (port 138), Boot Protocol (BOOTP) Client and Server (ports 67 and 68), and TACACS service (port 49). LWAPP discovery is not among them. Since the LWAPP discovery broadcast uses UDP port 12223, it must be explicitly forwarded on the router with ip forward-protocol udp 12223. Two caveats: the helper address also relays the eight default ports to the WLC, so disable the ones you do not need with no ip forward-protocol udp <port> rather than letting NetBIOS and TFTP broadcasts from the AP subnet reach the controller; and controllers running CAPWAP (WLC software 5.2 and later) use UDP 5246 for control and 5247 for data, so forward 5246 instead of 12223 in that case.

Here is an example scenario. Assume that you have a WLC in one subnet and the LAPs and the DHCP server in a different subnet, with routing enabled between the two subnets. This example shows the configuration on the router:


Router(config)#interface FastEthernet 0/1
Router(config-if)#ip helper-address <WLC-IP>    !--- IP address of the WLC (placeholder)
Router(config-if)#exit
Router(config)#ip forward-protocol udp 12223

LAP registration process Video

Lightweight Access Point Registration with Wireless LAN Controllers (WLCs)



Troubleshooting - Debug from the Controller

There are a few debug commands on the controller you can use in order to see this entire process on the CLI.

  • debug lwapp events enable—Shows discovery packets and join packets.
  • debug lwapp packet enable— Shows packet level information of the discovery and join packets.
  • debug pm pki enable—Shows certificate validation process.
  • debug disable-all—Turns off debugs.

With a terminal application that can capture output to a log file, connect to the controller over the console, secure shell (SSH), or Telnet (prefer the console or SSH, since Telnet carries the session, including the login, in cleartext), and enter these commands:


    config session timeout 120
    config serial timeout 120
    show run-config     (press the spacebar through the pages to collect all of it)
    debug mac addr <ap-mac-address>
    (in xx:xx:xx:xx:xx:xx format)
    debug client <ap-mac-address>

    debug lwapp events enable
    debug lwapp errors enable
    debug pm pki enable

After capturing the debugs, use the debug disable-all command to turn off all debugs.
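The captured log can run to thousands of lines once debug lwapp events and debug pm pki are on, so it helps to reduce it to a per-AP timeline of the discovery and join steps described above and to flag the APs that never got a Join-Reply. The Python below is an added example, not code from the original page or from Cisco. The sample lines are constructed to resemble WLC debug output; only the LWAPP message names they contain (DISCOVERY REQUEST, Discovery-Response, JOIN REQUEST, Join-Reply) are relied on, the rest of each line is treated as free text, and the AP MAC addresses, timestamps and function names are the editor's own.

```python
"""Reduce a captured `debug lwapp events enable` log to a per-AP join timeline.

Added example, not from the original page or from Cisco. The sample lines are
constructed to resemble WLC debug output; the parser keys only on the LWAPP
message names, so different task prefixes or timestamp formats still parse.
"""
import re

# Constructed sample: one AP that completes the join, one whose join request
# gets no reply, and one that only ever sends a discovery request here.
SAMPLE_DEBUG = """\
*spamReceiveTask: Jul 02 09:30:18.113: 00:0b:85:5b:fb:d0 Received LWAPP DISCOVERY REQUEST from AP 00:0b:85:5b:fb:d0 to 00:0b:85:33:84:a0 on port '1'
*spamReceiveTask: Jul 02 09:30:18.115: 00:0b:85:5b:fb:d0 Successful transmission of LWAPP Discovery-Response to AP 00:0b:85:5b:fb:d0 on Port 1
*spamReceiveTask: Jul 02 09:30:28.201: 00:0b:85:5b:fb:d0 Received LWAPP JOIN REQUEST from AP 00:0b:85:5b:fb:d0 to 00:0b:85:33:84:a0 on port '1'
*spamReceiveTask: Jul 02 09:30:28.250: 00:0b:85:5b:fb:d0 Successfully transmission of LWAPP Join-Reply to AP 00:0b:85:5b:fb:d0
*spamReceiveTask: Jul 02 09:31:02.410: 00:0b:85:1a:2b:3c Received LWAPP DISCOVERY REQUEST from AP 00:0b:85:1a:2b:3c to 00:0b:85:33:84:a0 on port '1'
*spamReceiveTask: Jul 02 09:31:02.412: 00:0b:85:1a:2b:3c Successful transmission of LWAPP Discovery-Response to AP 00:0b:85:1a:2b:3c on Port 1
*spamReceiveTask: Jul 02 09:31:12.500: 00:0b:85:1a:2b:3c Received LWAPP JOIN REQUEST from AP 00:0b:85:1a:2b:3c to 00:0b:85:33:84:a0 on port '1'
*spamReceiveTask: Jul 02 09:31:40.007: 00:0b:85:77:88:99 Received LWAPP DISCOVERY REQUEST from AP 00:0b:85:77:88:99 to 00:0b:85:33:84:a0 on port '1'
"""

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
TIMESTAMP = re.compile(r"([A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
EVENTS = [
    ("discovery_request", re.compile(r"LWAPP DISCOVERY REQUEST from AP " + MAC, re.I)),
    ("discovery_response", re.compile(r"LWAPP Discovery-Response to AP " + MAC, re.I)),
    ("join_request", re.compile(r"LWAPP JOIN REQUEST from AP " + MAC, re.I)),
    ("join_reply", re.compile(r"LWAPP Join-Reply to AP " + MAC, re.I)),
]
ORDER = [name for name, _ in EVENTS]


def parse_events(text):
    """Return a list of (timestamp, ap_mac, event_name) for recognised lines."""
    events = []
    for line in text.splitlines():
        for name, pattern in EVENTS:
            match = pattern.search(line)
            if match:
                stamp = TIMESTAMP.search(line)
                events.append((stamp.group(1) if stamp else "", match.group(1).lower(), name))
                break
    return events


def summarize(events):
    """Per AP, the timestamp of the first occurrence of each event (None if absent)."""
    summary = {}
    for stamp, mac, name in events:
        per_ap = summary.setdefault(mac, {n: None for n in ORDER})
        if per_ap[name] is None:
            per_ap[name] = stamp
    return summary


def stuck_aps(summary):
    """APs that did not complete the join on this controller, with a reason code.

    no_join_reply: a JOIN REQUEST was seen but no Join-Reply followed, so the
    controller rejected the join; the certificate validation trace from
    `debug pm pki` is the first place to look.
    no_join_request: only discovery was seen. This is not necessarily a fault,
    because a LAP sends discovery to every controller it finds and then joins
    only one of them.
    """
    problems = []
    for mac in sorted(summary):
        seen = summary[mac]
        if seen["join_request"] and not seen["join_reply"]:
            problems.append((mac, "no_join_reply"))
        elif seen["discovery_request"] and not seen["join_request"]:
            problems.append((mac, "no_join_request"))
    return problems


if __name__ == "__main__":
    for mac, reason in stuck_aps(summarize(parse_events(SAMPLE_DEBUG))):
        print(mac, reason)
```

Run it over the real capture by reading the log file into the text passed to parse_events; the AP MAC from the AP label or its console is what the first column in each tuple should contain, and an AP that shows up as no_join_reply is the one whose debug pm pki lines deserve attention.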

