Cisco Lightweight AP Registration

unclesamThis post is about the lightweight AP (LAP) registration process to the Cisco wireless LAN controller (WLC).

To troubleshoot an AP that will not join, we should first understand the process in which a Cisco LAP will try to register to a Cisco WLC.

Like many network devices, the LAP will request an IP address when you apply power and a network connection, unless you have configured a BVI1 IP address statically. The LAP must have an IP address in order to begin the discovery and join process.

The LAP will determine which WLC it will send discovery requests to via the following:

  1. DHCP Option 43
    • Set up a DHCP pool with option 43
    • Option 43 configuration requires a hex string that is obtained by combining Type + Length + Value (TLV)
  3. Previously joined management IP addresses retained by LAP
  4. Layer 3 broadcast on same subnet
  5. OTA Provisioning
  6. Statically configured WLC IP address on the LAP
    • To configure – Power up the LAP locally or via POE and enter the primary WLC IP address manually via CLI command prompt
      • OCEAN-OF-RF-AP1#capwap ap controller ip address x.x.x.x

NOTE: Option 43 and DNS methods require additional configuration and access to systems or devices that you may not control. You will need to ensure that you have access to the additional systems or engage other teams to complete tasks for these methods.

If we hit bumps during the discovery and join phases, we have tools to help review and remedy the situation.

Start with the groundwork – Ensure that layer 1 is solid. I also like to check the configuration for the switch-port that my LAP is patched into. Be sure that enough power is reaching the device.

Validate that the time is correct and that there is not a certificate issue. Review the Cisco compatibility matrix for the model LAP with the WLC code revision that is being used. Check for regulatory domain issues.

Attempt to ping between the LAP and WLC – vice versa. If there is a firewall, confirm that all of the necessary listed Cisco ports are open for LAP/WLC communication.

PRO TIP: From a physical perspective, I always try to have 2 cables installed per AP for a new install – a) For cable redundancy, and b) The second cable gets patched to the console port of the AP, allowing me console access from the switch closet. If you installed AP’s in some of the places that I have you would appreciate how awesome that second cable and console access from an IDF is! If you are at a site without a second cable… Get the ladder out. :0)

Console access is one of your best friends. If the AP is not joining, reboot or power-cycle the AP and watch the console as the boot process begins. You will find a lot of information in the CLI output during the initial boot.

For an example, I purposely changed the LAP’s access port to a null VLAN in order pooch DHCP  – Some output omitted:

%CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
%CAPWAP-3-EVENTLOG: AP does not have an Ip address !! %Unknown DHCP problem.. No allocation possible

Obviously the issue is because the LAP does not have an IP address. When I flipped the LAP’s switch-port back to the correct VLAN, notice that my LAP receives an IP address (via option 43) and continues on to discover and join the WLC.

%DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address, mask, hostname OCEAN-OF-RF-AP1
%CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: peer_port: 5246
%CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: peer_port: 5246
%CAPWAP-5-SENDJOIN: sending Join Request to
%CAPWAP-5-JOINEDCONTROLLER: AP has joined controller 2504-LAB
%CAPWAP-3-EVENTLOG: Discovery Request sent to with discovery
%CAPWAP-3-EVENTLOG: Discovery Response from
%CAPWAP-3-EVENTLOG: Dtls Session Established with the AC,port= 5246
%CAPWAP-3-EVENTLOG: Join request: version=134309376
%CAPWAP-5-SENDJOIN: sending Join Request to
%CAPWAP-3-EVENTLOG: Join Response from

As you  probably noticed, the debug output adds a deeper layer and provides very useful data. Familiarize yourself with the output messages whenever you are able to and you will have a better understanding of successful registrations – That alone will help you troubleshoot and resolve issues.

Debug and show commands are powerful tools in our arsenal. Become a strong Jedi and use the CLI force… As a Jedi, we must show intelligence and practice restraint – Always debug with caution! Here are a few to get you started…

On the Access Switch:

  • LAB-Switch#show power inline fastEthernet 0/47
    Interface Admin Oper Power Device Class Max
    ——— —— ———- ——- ——————- —– —-
    Fa0/47 auto on 15.4 AIR-CAP2602E-A-K9 3 15.4
  • Check the access port config and local DHCP pool (if applicable)
  • Review Layer 2 communication from LAP to switch
    • mac address
    • cdp
  • Make sure that the time is correct

On the Access Point:

  • Make sure that the time is correct
    • OCEAN-OF-RF-AP1#show clock
  • Review DHCP activity
    • OCEAN-OF-RF-AP1#debug dhcp detail
  • Review CAPWAP events
    • OCEAN-OF-RF-AP1#debug capwap client event
      • Shown in output of the example above
  • Review packets for DHCP and discovery/join process
    • OCEAN-OF-RF-AP1#debug ip udp (port # optional)


  • Make sure that the time is correct
    • (Cisco Controller) >show time
  • Review CAPWAP events
    • (Cisco Controller) >debug capwap events enable
  • Debug CAPWAP messages
    • (Cisco Controller) >debug capwap (?)
  • Check for certificate (pki) issues

After a LAP joins a WLC it will begin to download the correct code from the WLC, if it has not already joined for that rev.

Let me know if you have any tips or experiences in regards to discovery/join issues in the field.

I am saving the packet capture portion for another post as I am now studying for the CWAP. Thanks for reading!


Let me have it!

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s