A blog with tips, tricks and tutorials to help you prepare your CCIE Wireless lab exam.

Sunday, August 9, 2009

Configure your LWAPP AP from the AP CLI

I had this case a couple of times and thought it might be useful for all of us... you know that the AP, upon booting, will try hard to discover a controller, using broadcast, pre-configuration (AP priming as they say), DHCP option 43, DNS, OTAP, etc.
Now my friend has an AP at home, and wants to use it to connect to his corporate network over his VPN link (my friend's router to the company VPN concentrator).
The AP is new, so there is no controller IP address the AP could remember from a previous life (AP priming).
There is no other AP around, so forget about OTAP.
My friend's network is small, so no option 43 or DNS that you can dream of.
Okay. Time to be creative... but Cisco thought about this case!
You can configure your AP directly from the CLI to provide information to it... boot the AP, get yourself a console connection, and try:
AP0023.0410.4aea#lwapp ap ?
  controller  lwapp primary controller
  hostname    Configure ap hostname
  ip          lwapp ap ip command
  log-server  Configure the syslog server where all LWAPP errors will be logged

As you can see, you can give your AP, in LWAPP mode, information about a controller:

AP0023.0410.4aea#lwapp ap controller ?
  ip  lwapp primary controller ip
AP0023.0410.4aea#lwapp ap controller ip
AP0023.0410.4aea#lwapp ap controller ip ?
  address  Configure primary Controller IP address
AP0023.0410.4aea#lwapp ap controller ip add
AP0023.0410.4aea#lwapp ap controller ip address ?
  A.B.C.D  Controller IP address
AP0023.0410.4aea#lwapp ap controller ip address

Done. Your AP knows how to get to a controller (careful: if your AP is already connected to a controller, this command no longer makes sense, and you get a nice "ERROR!!! Command is disabled" when you issue it).

You can also give some other information to your AP, such as AP hostname, or syslog IP address where to dump all issues that the AP might encounter while trying to get to your controller. A useful one is the AP IP address:

AP0023.0410.4aea#lwapp ap ip ?
  address          Configure ap static IP address
  default-gateway  Configure Default-gateway IP address

Configure both! The AP needs both to get out of the local network.

Once the AP is configured, you can use the show lwapp family of commands to check what is going on, such as the show lwapp ip config to check your AP IP details, or the show lwapp client config to check controller config and friends:

AP0023.0410.4aea#show lwapp client config
configMagicMark         0xF1E2D3C4
chkSumV2                46073
chkSumV1                17487
adminState              ADMIN_ENABLED(1)
name                    AP0023.0410.4aea
location                default location
group name
mwarName                (these are the primary, secondary, tertiary controllers)
ApMode                  Local
Discovery Timer         10 secs
Heart Beat Timer        30 secs
Led State Enabled       1
Configured Switch 1 Addr

With this command, no more AP lost in the dark, far from its controller!


  1. So I have tried this for years and the default password needs to be changed as well, no? But I can never get it to work. When you convert and revert an AP does it still know that it was once connected

  3. Yes Busso (sorry, didn't see your comment before).
    The way to do it is:
    1. Get the AP connected to a controller.
    2. From the controller CLI, define a username and password for the AP, with config ap username "name" password "pass" "Ap name" . Username and password cannot be Cisco (the defaults).
    3. Reboot the AP in a VLAN in which it cannot discover a controller.
    4. Connect to the AP CLI using the new credentials.
    5. Enter the clear lwapp client private-config command.
    Now your AP is cleared, and you can use the lwapp ap commands...

    1. thanks buddy, u r great man, seriously, your commands really helped me a lot, thank u once again

  4. So assuming that an LWAP AP always retains the IP address information of the first controller it was associated to, how do you treat such AP if you need to occasionally associate to a different controller, or how will it find the new controller if it has the old controller's IP address?

  5. Hi Rene,
    the trick here is that this controller IP address that you configure on the AP is just one of the methods that the AP will use to try to find a controller. It will try to get in touch with this controller, but will also try to discover other controllers at the same time, using 5 different methods (check this video for more details http://www.youtube.com/user/cciewireless#p/u/13/cknQa_N962M ).
    Once the AP has gotten in touch with all the controllers it could reach, it will decide on which controller to join based on its configuration (primary controller, etc, again, please check the above video).
    So if the controller you configured on the AP is not reachable, no big deal, you can always provide other controller information to the AP. Configuring the controller AP does not force the AP to only use that IP address. The purpose is more to give controller information to an AP that does not have any other way of discovering a controller...

  6. the password needs to be configured from the controller.

  7. Hi Expert,

    I need ur help.
    I have converted AP to lwapp mode. Now the AP is running on c1130-rcvk9w8-mx/c1130-rcvk9w8-mx this mode. I cannot configure lwapp. What I can do now. Please teach me. Thank you.

  8. Hi Collin,
    Now that your AP is in LWAPP mode, you need to connect it to a controller (for example a Cisco Wireless LAN controller 2106). The AP cannot work in this mode without a controller.
    If you want to revert your AP back to autonomous mode, follow the instructions in the section Reloading the AP image using the mode button in this page:
    Hope it helps

  9. Hi Henry,

    Thanks for advice. Am I able to hardcode the WLC ip address if i convert back to Autonomous mode?

    Thank you.


  10. The AP doesn't need a WLC in autonomous mode. What exactly are you trying to do?

  11. Hi jerome. The primary secondary tertiary controller, we can set this from controller under the ap page. So this means AP learns about these controllers through another controller right? If i want the controller where I am configuring the primary secondary to be the primary i need to include its management ip in the primary field? Is that how it works?

  12. Hey Yogesh,
    That's a very good point you are raising, thanks!
    Up to code 5.2, there is NO relationship between how an AP discovers controllers and how it decides to join one controller or the other.
    The AP uses broadcasts, DNS, DHCP option 43, OTAP, etc, to discover as many controllers as it possibly can. Each controller receiving a discovery request responds with a reply that contains the controller name and current AP load. Once the AP used all the methods above to discover controllers, it looks at the answers it received and compares them to its own configuration.
    If the AP is configured with a primary, secondary or tertiary (which HAVE to be the controller name, as configured in the Controller > General page, never the IP address), the AP compares this name (an ASCII string) to the controller name returned in each discovery response. If there is a match (the ASCII strings are the same), the AP thinks that this is the primary/secondary/tertiary, and sends a unicast join request to it.
    If the AP does not have any primary/secondary/tertiary configured or answering, it looks if one controller identified itself as a Master controller, and joins it.
    If no Master, the AP joins the controller with least load (less relative number of AP).
    So you see, you have to input the controller name, never its IP address (otherwise, the AP has something like " and the controller says "I am WLC5" for example, both ASCII strings are different and the AP does not see this controller as its primary.
    On code 5.2 and later, you can set in the primary/secondary/tertiary fields the controller name AND its IP address, which allows the AP to send a unicast discovery request to that address... makes things simpler...
    Take care
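
The pre-5.2 selection order described in the comment above, as an added sketch (not part of the original thread and not Cisco code). The class and function names, the sample responses, and the use of AP count over capacity as "relative load" are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ROLES = ("primary", "secondary", "tertiary")


@dataclass(frozen=True)
class DiscoveryResponse:
    """One controller's answer to a discovery request (hypothetical model)."""
    name: str        # controller name, as set in Controller > General
    ip: str          # address the response came from
    is_master: bool  # controller identified itself as Master
    ap_count: int    # APs currently joined
    max_aps: int     # capacity (assumed field, used to compute relative load)

    @property
    def load(self) -> float:
        return self.ap_count / self.max_aps if self.max_aps > 0 else float("inf")


def choose_controller(
    configured: Sequence[str],
    responses: Sequence[DiscoveryResponse],
) -> Tuple[Optional[DiscoveryResponse], str]:
    """Return (controller, reason) following the order given in the comment."""
    if not responses:
        return None, "no-response"
    # 1. primary/secondary/tertiary: exact string match on the controller NAME.
    for role, wanted in zip(ROLES, configured):
        if not wanted:
            continue
        for resp in responses:
            if resp.name == wanted:
                return resp, role
    # 2. No configured controller answered: join a Master controller if any.
    for resp in responses:
        if resp.is_master:
            return resp, "master"
    # 3. Otherwise join the controller with the lowest relative load.
    return min(responses, key=lambda r: r.load), "least-load"


def ip_in_name_field(configured: Sequence[str]) -> List[str]:
    """Roles whose configured value is an IP address instead of a name."""
    flagged = []
    for role, value in zip(ROLES, configured):
        try:
            ipaddress.ip_address(value)
        except ValueError:
            continue  # not an IP address, so it can be compared as a name
        flagged.append(role)
    return flagged


# Constructed sample data: three controllers answering one AP.
SAMPLE_RESPONSES = [
    DiscoveryResponse("WLC5", "10.0.0.5", False, 40, 50),
    DiscoveryResponse("WLC6", "10.0.0.6", True, 10, 50),
    DiscoveryResponse("WLC7", "10.0.0.7", False, 5, 50),
]

if __name__ == "__main__":
    for cfg in (("WLC5", "", ""), ("10.0.0.5", "", ""), ("", "", "")):
        chosen, reason = choose_controller(cfg, SAMPLE_RESPONSES)
        print(cfg, "->", chosen.name if chosen else None, reason,
              "IP in name field:", ip_in_name_field(cfg))
```

With the primary field set to `10.0.0.5` instead of `WLC5`, the string comparison never matches and the AP ends up on the Master controller, which is the misconfiguration the comment warns about.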

  13. Hi Jerome,
    I need your help on something..
    I have a 1522 Outdoor Mesh AP and I'm trying to issue the "lwapp ap controller ip address <>" command, but it gets back to me with "ERROR!!! Command is disabled." All lwapp and clear lwapp commands return the same error. Any ideas?

    Thank you.

  14. Hey Khaled,
    Yes, the issue is that the AP learned about a controller before, so it is refusing that command now... there is no way round I know of... the only way is to proceed as detailed in the answer to Russo above. You need to get the AP on a controller by another way... and if you still want to enter this command, then you need to change the AP username and password (to something else than Cisco/Cisco)... only then will you be able to issue the clear lwapp private config command and use the lwapp ap controller ip address...
    I know it is bad news as, if you are in a mesh context, most likely your AP is in the field somewhere with no easy access to a controller...
    If the AP is a MAP going through a RAP, you may be able, on the RAP gateway, to use the ip helper address and ip forward protocol udp 12223 to help the MAP broadcasts get to a controller?

  15. Hi Jerome

    Need to seek for your opinion.
    I have configured one user wifi vlan in WLC /23. however, there is too much of users already and i need to extend the subnet to /22.
    What is the maximum user for one vlan can support in WLC. What is the step i need to be careful when i change the subnet of the wifi vlan in production network.

  16. Hi, i try to configure this setting to my AP 1522 unit. Its that all the setting? others need to setting inside controller?

    Can u tell me how to configure the controller WLC4400 using CLI? Im want to learn it. Hope you can help.


  17. Hi, I tried to upgrade my access point 1100 series from autonomous to lightweight mode but it failed and the access point is not able to send lwapp since it doesn't exist in CLI... The controller is a wireless cisco 5508 and I don't know if there is another configuration to perform on the controller.... Hope you can give me a hand on this issue !

  18. Hi Payne,
    You meant your AP is still in autonomous mode since it failed the upgrade or your firmware is corrupted due to the same failure? If it is still in autonomous mode and still manageable, redo the upgrade process again. Make sure you follow the upgrade process/procedure correctly. If it is a corrupted firmware, look for instructions to recover the AP firmware and re-perform the upgrade. You need to use the hardware button on the AP to perform the recovery. Do not confuse the lightweight recovery firmware with the autonomous IOS firmware. The former is what you will use the upgrade tool to upgrade the autonomous AP firmware to.

  19. Taking all this on board... What if you have NO access to a controller or your AP will not discover your new controller.
    How do you erase the lwapp private-config to enable you to add the new controller IP?

  20. Bexgear,
    from your AP console CLI, you would enter:
    clear lwapp private-config
    lwapp ap controller ip address (your controller IP).
    If you get the error command is disabled message, then there is no official way of erasing the old AP config. You can try erase NVRAM, but this does not work on all versions of the code...

  21. my wlc is burnt in city A. i am in another city B. APs attached to that wlc need to be migrated to another wlc in city B. APs are pinging but telnet is not working. pls suggest how do i ? i can enable HREAP after i am able to login to even one of the APs. i just need help to connect remotely to any one AP in city A.

  22. telnet to port 23 fails, as APs are running without WLC.

  23. Hi, i'm installing a cisco solution with WLC5508, with various SSIDs, the authentication is in freeradius/LDAP in users of AD Server,
    the problem is when a user SSID "guest" connects to an SSID "campus" for example, the freeradius should inform the controller that the user belongs to another group and redirect it, the old solution with the Enterasys driver works well, but I believe that one parameter in the freeradius configuration is needed, would help?

  24. Help! AP 1262 cannot Join Cisco WLC 4402

    We have two cisco 1262 AP and a 4402 WLC, the AP cannot join the WLC.

    The AP gets the address from DHCP

    I cannot ping the AP address from the WLC, but i can ping the default gateway and other VLAN addresses.

    I already read the info on this link :


    Still our AP cannot join the WLC no matter what i have tried.

    Can anyone help with this problem?


    - VLAN setup on a Cisco 3560 48 port poe Switch

    - trunk configured btwn the Gi Interface and the Management physical port

    - WLC mode is configured for Layer 3

    - AP Manager and Management are in the same Subnet

    - Option 43 is configured with the AP Manager's IP address

    - Option 60 is also configured with AP Manager's IP address

    - the port connected to the APs are in the AP Manager VLAN

    Please help.


  25. Hey anonymous,
    One comment and a few questions:
    - Your option 43 and option 60 should point to the WLC Management interface IP address, not the AP Manager interface IP address.
    - From the AP, can you ping the gateway?
    - Can you confirm that the AP port on the switch is an access port (not a trunk)
    - From the AP CLI, do you see the AP getting the WLC IP address from the DHCP server? Does it send discovery messages to the WLC? Do you see these messages on the WLC CLI (debug lwapp event enable, or debug capwap event enable)?
    - Do you tag (VLAN tag) your WLC Management interface? (you can check that with the WLC CLI command show interface summary, you would see a VLAN value for the Management interface if you tag, and "0" if you do not tag)? If you tag the WLC Management interface, make sure that your switch trunk native VLAN is NOT the WLC Management VLAN (e.g. if your WLC Management tags VLAN 10, your switch trunk native VLAN should be for example VLAN 1, but NOT VLAN 10). If you do not tag the Management interface (tag is 0), then your switch trunk native VLAN should match the WLC VLAN (so if your WLC is in VLAN 10, but you tag "0" on the WLC side, then the switch native VLAN on the trunk link to the WLC should have VLAN 10 as the native VLAN).

  26. hello all thanks for such valuable information.. My situation is that our company brought some 1131AG AP
    we are getting LWAPP client error: Could not resolve Cisco-LWAPP-Controller.domain name.
    when I try to go into debug and try and configure bvi it gives an error cannot access bvi1

    when connected to router it receives ip address from DHCP, look at the fa0 and it shows interface up up

    But my question is do we have to purchase a wlc or can we configure it through DNS server..

  27. You need a WLC. The DNS server is used to help the AP discover the WLC (you enter an entry for CISCO-LWAPP-CONTROLLER.domain in your DNS server, pointing to the IP address of the WLC, and the AP can use this information to find the WLC), but you cannot configure the AP from the DNS server... if the APs are new, you can maybe RMA them (return them to Cisco), you can get the APs in LWAPP/CAPWAP mode (they need a controller, and the AP serial usually shows AIR-LAP), or in autonomous mode (you can configure each AP individually, no need for a controller, and the AP serial usually shows AIR-AP -without the L-).
    You can also convert the APs between LWAPP and autonomous mode, you may want to google this process or ask TAC for help...

  28. we have AIR-AP1131AG.. we connect to dhcp it see an ip address.
    Try to configure AP using BVI but when entering interface bvi 1 receive invalid input marker
    I am using ? after every entry. Also receiving CAPWAP could not resolve cisco-capwap-controller and Cisco-lwapp-controller. I try to put the controller via DNS and have a pointed IP but still get error. Is there a step by step tutorial on these AP to start from the beginning from taking out of box to seeing what appears on screen and configure them.
    Cisco doc is not the best!

  29. I have a cisco 1131ag connecting to 2960 switch which connects to linksys router. I ap to switch connected via a switchport mode trunk, encap dot1q, native vlan,nonnegotiate... My question is how do i get the ap to be in that native vlan.
    When I try to configure via cli it wont take the command vlan #
    Also do i have to set the default gateway of the ap as the same of the linksys router, DHCP from the Linksys router?

  30. Thanks Hosting Chile!
    Anonymous, is your AP in CAPWAP mode or autonomous mode? If it is in autonomous mode, I suggest you use the web interface, it will be easier. You cannot really configure it like a router or a switch, you need to create bridge groups for each of your VLANs. This is a bit difficult from the CLI, so the web interface might be the way to go (http://). If the AP gets an IP address with DHCP, it should also get the gateway from the server. If you use static IP addressing for your BVI, you need to set the gateway with the command (config)#ip default-gateway .
    If your AP is in CAPWAP mode, you need to use an access port, or set your AP to HREAP/flexconnect mode from a controller. You can then configure, through the controller interface, the AP native VLAN. You cannot do it from the AP CLI for an AP in CAPWAP mode.

  31. Hi Jerome,

    can we enable interface radio AP3500 in CAPWAP mode using CLI?
    could you share the command?
    the AP already connect to controller, but any warning that say "interface radio down"
    show ip interface brief
    Interface IP-Address OK? Method Status Protocol
    BVI1 unassigned NO unset down down
    Dot11Radio0 unassigned NO unset up up
    Dot11Radio1 unassigned NO unset up up
    GigabitEthernet0 unassigned NO unset up up
    GigabitEthernet0.1 unassigned YES unset up up


  32. Hi Santo,
    Your radio interfaces are up... the normal way to turn them on or off are from the WLC CLI. Your network has to be up (config 802.11b|802.11a enable network). Then you can turn the AP radio on with config ap enable . You can also enable the AP individual radio with config 802.11b|802.11a enable
    For all this, the AP should be registered to the controller. Before this happens, the AP keeps its radios off (as it cannot provide any radio service until it gets its config from the WLC).


  33. Hello,

    How to setup 4400 WLCs so that APs provide multiple SSIDs (e.g. one for employee WLAN and one for guest WLAN)? In this configuration would a trunk need to be configured from a switch to the APs?


  34. Hello Anonymous,
    You just need to create 2 WLANs on your 4400. You can create 2 different dynamic interfaces (2 different VLANs/subnet, using the same outgoing physical port or different port, it's all your choice), or use a single dynamic interface to which you will map your WLANs.
    Please see here for more detailed step by step WLAN creation:
    Your AP, once it has joined the controller, will automatically support these 2 WLANs. The port to your AP does not need to be a trunk, it should in fact be an access port. The reason is that the AP will join the controller using IP, so it is in a VLAN just like a PC would be in a VLAN. Then, traffic between the AP and the controller is encapsulated, so the VLANs you carry within the frames are not seen outside: all you see is an AP IP address communicating with a controller IP address, so your AP should be in an individual VLAN, and does not need any trunking (there is an exception when the AP is in a special mode called FlexConnect, but this is a special case).
    Your controller port would be a trunk, not because it communicates with APs, but because, once it receives wireless client traffic from the AP (again, encapsulated, so no VLAN needed yet), the 4400 will send the traffic to the wired network. Pretty much like a router on a stick, it needs to be on a trunk so as to be able to send client traffic in different VLANs.

    hope this helps

    1. Thank you Jerome, this is very helpful! Seemed like a somewhat basic question, but I could not find those details in any configuration guide, design guide, white paper, or article anywhere :-).

  35. Hi Jerome. I have a new 3502i fresh from the box and as I try to configure it manually to associate to a controller it is just cycling to the boot loader process (blinking green). I tried to reboot the AP couple of times already but to no avail I still can't get to the CLI prompt of the AP. The current setup of the AP is it's connected to our network via POE switch since I don't have a power injector and a console connection to my laptop. I also tried to configure POE switch to default interface to make the AP not associate to any Vlans. Is the AP sequence really that long or I'm having a faulty 3502 AP? Thanks,

  36. Hi Ryan,
    Do you see the Ap from the WLC (debug capwap event enable/debug capwap error enable, do you get messages from the AP MAC address?).
    Also, can you console to the AP? If so, the AP would tell you what is going wrong.
    Did you configure the AP manually to get to that WLC? Otherwise, how is the AP getting the WLC information?

  37. This article is very interesting and informative... i like this post and i feel very happy to read this article...
    thanks for sharing...
    more info:- Cisco Router Support

  38. Dear I have an AP C1142N-C-K9 currently running as autonomous AP, I tried several methods to change it to LWAP, I could not. the last message saying permission denied even tho there isn't any required. More over I can no to ping test to G0 IP or my Laptop running tftp. Please need help and steps to convert it. All effort appreciated.

  39. Hi anonymous,

    "permission denied" while doing what? Entering a command (what command)?
    The easiest method is IMHO the archive download command (http://mrncciew.com/2012/10/20/lightweight-to-autonomous-conversion/), is it what you tried? Can you describe the steps you used?

    1. Hi Jerome,
      I know this is been going on a long time ago, so I am sorry. I have a quick question: how to change the default location of a lightweight AP from the command line?

  40. Hi all,

    I have a 2 location where site A has a 5508 controller and few 1131 and 3702 AP, similarly site B has a 5508 WLC and 3702 AP. But when the AP of site A has rebooted for some reason it was not joined to the site A wlc it is going to site B WLC. Ideally it should connected to the site A WLC. Can you please let me know why this is happening

  41. Is there a way to prevent a client from connecting to a certain ap, but allowing it to connect to all other access points broadcasting the same SSID?

  42. Hi Everybody ,

    We are Migrating our WLC - AP from Layer 2 communication to Layer 3 Communication,

    I mean,

    Layer 2 Communication between WLC and AP

    Right now we have WLC 4402 Configure with Int Ap-manager (Vlan 81: 192.168.22.x) , Int Management (Vlan 80: 192.168.49.x) & AP (Vlan 81: 192.168.22.x) Interface .

    So we have AP-Manager Interface and AP both are in same Vlan and all works well.

    Layer 3 Communication between WLC and AP With option 43 hex MGMT ip & option 60 ascii "Cisco AP c1130" (We have CISCO 1131 model)

    In this scenario we change AP Vlan and Network (Now Vlan 70: 172.26.73.x)

    So the scenario is,

    WLC 4402 Configure with Int Ap-manager (Vlan 81: 192.168.22.x) , Int Management (Vlan 80: 192.168.49.x) & AP (Vlan 70: 172.26.73.x) Interface .

    It does not work. AP do register with WLC but it continue restarting without stopping.

    --- Its been check it gets correct IP of VLAN 70.

    --- In debug it says :

    Fri Sep 11 14:54:46 2015: xx:xx:xx:xx:xx:xx Max retransmissions reached on AP xx:xx:xx:xx:xx:xx for (CONFIGURE_COMMAND, 12)
    Fri Sep 11 14:54:46 2015: xx:xx:xx:xx:xx:xx apfSpamProcessStateChangeInSpamContext: Down LWAPP event for AP xx:xx:xx:xx:xx:xx slot 0
    Fri Sep 11 14:54:46 2015: xx:xx:xx:xx:xx:xx apfSpamProcessStateChangeInSpamContext: Deregister LWAPP event for AP xx:xx:xx:xx:xx:xx slot 0
    Fri Sep 11 14:54:46 2015: xx:xx:xx:xx:xx:xx apfSpamProcessStateChangeInSpamContext: Down LWAPP event for AP xx:xx:xx:xx:xx:xx slot 1
    Fri Sep 11 14:54:46 2015: xx:xx:xx:xx:xx:xx apfSpamProcessStateChangeInSpamContext: Deregister LWAPP event for AP xx:xx:xx:xx:xx:xx slot 1
    Fri Sep 11 14:54:46 2015: DTL Deleting AP 14 -

    Can any body plz Help.

  43. Hi Buddies,

    can any one help share the troubleshooting steps for autonomous access points when a client is not getting associated to AP. i mean what all config/settings need to be checked

  45. Error Says : Did not get logserver setting from Dhcp. Could not connect to the controller 4402. My ap is 1552H Wth lwapp image on it

  46. I need to change the APs from one AP group to another (new_AP). Old AP group name is OLD_AP. I don't have any access to controller. Can someone please paste the tested scrip including the Yes no (until the process is completed)

  47. I had the bad certificate error rejected by peer. WLC 4402 using AIR-LAP1242AG-A-K9 V01 and I set my controller time back 8 years and they all AP's connected with no issue. Not the best fix but will get you out of a crunch.

  48. Response discovered but not from primed controllers even though i have other aps connected to the same switch and registered to the controller

  50. Hi Jerome,
    I know this is been going on a long time ago, so I am sorry. I have a quick question: how to change the default location of a lightweight AP from the AP command line?

  55. I have AP 3502E and AP 2602I not joined with WLC 4402 having 25 AP support WLC ios K9-7-0-252-0
    Kindly let me know the issue

  57. Hello, I wish for to subscribe for this website to get most recent updates, thus where can i do it please assist.

  58. Hi my friend! I want to say that this post is amazing, nice written and come with approximately all significant infos. I would like to look more posts like this .
