
Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode

April 24, 2008


This application note describes how to upgrade autonomous Cisco Aironet access points to lightweight
mode so that they can communicate with wireless LAN controllers on your network. It contains these
sections:
• Upgrade Process Overview
• Solution Requirements
• Important Notes
• Preparing for the Upgrade
• Upgrade Procedure
• Post-Upgrade Tasks
• Importing the Output of the Upgrade Tool into WCS
• Caveats
• Terms and Acronyms
• Related Documents
• Appendix A: Configuring DHCP Option 43 for Lightweight Cisco Aironet Access Points on Windows 2003 Enterprise DHCP Server
• Appendix B: Configuring Access Points in Cisco LWAPP Mode for Easy Deployment

Upgrade Process Overview


In the Cisco Centralized Wireless LAN Architecture, access points operate in lightweight mode. The
access points associate to a Cisco wireless LAN controller. The controller manages the configuration,
firmware, and control transactions such as 802.1x authentications. In addition, all wireless data traffic is
tunneled through the controller.

Americas Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

The Lightweight Access Point Protocol (LWAPP) is an IETF draft protocol that defines the control
messaging for setup and path authentication and run-time operations. LWAPP also defines the tunneling
mechanism for data traffic.
A lightweight access point discovers a controller using LWAPP discovery mechanisms and then sends it
an LWAPP join request. The controller sends the access point an LWAPP join response allowing the
access point to join the controller. When the access point is joined to the controller, it downloads its
software if the revisions on the access point and controller do not match. Subsequently, the access point
is completely under the control of the controller.
LWAPP secures the control communication between the access point and controller by means of a secure
key distribution, requiring already provisioned X.509 certificates on both the access point and controller.
Factory installed certificates are referenced by the term MIC, which is an acronym for Manufacturing
Installed Certificate. Cisco Aironet access points shipped before July 18, 2005, do not have MIC, so
these access points create a self-signed certificate when upgraded to operate in lightweight mode.
Controllers are programmed to accept self-signed certificates for authentication of specific access
points.
The upgrade process is as follows. The user runs an upgrade utility that accepts an input file with a list
of access points and their credentials. The utility telnets to each access point in the input file and sends a
series of IOS commands to prepare the access point for the upgrade, including the commands to create the
self-signed certificates. Also, the utility telnets to the controller to program the device to allow
authorization of specific self-signed certificate access points. It then loads Cisco IOS Release
12.3(11)JX1 onto the access point so that it can join the controller. After the access point joins the
controller, it downloads a complete IOS version from it. The upgrade utility generates an output file that
includes the list of access points and corresponding self-signed certificate key-hash values that can be
imported into the WCS management software. The WCS can then send this information to other
controllers on the network.
After an access point joins a controller, you can reassign the access point to any controller on your
network.

Solution Requirements
Migration from autonomous access point mode to lightweight mode is possible on these Cisco Aironet
access point platforms:
• All 1121 access points
• All 1130AG access points
• All 1240AG access points
• All 1250 series access points
• For all IOS-based 1200 series modular access point (1200/1220 Cisco IOS Software Upgrade, 1210
and 1230 AP) platforms, it depends on the radio:
– if 802.11G, MP21G and MP31G are supported
– if 802.11A, RM21A and RM22A are supported
The 1200 series access points can be upgraded with any combination of supported radios: G only,
A only, or both G and A.

2 OL-8092-06

Note For an access point that contains dual radios, if one of the two radios is an LWAPP-supported
radio, the upgrade tool still performs the upgrade. The tool adds a warning message to the
detailed log that indicates which radio is unsupported.

• All 1310 AG access points


• Cisco C3201 Wireless Mobile Interface Card (WMIC)

Note The second-generation 802.11a radios contain two part numbers.

Access points must be running Cisco IOS Release 12.3(7)JA or later before you can perform the upgrade.

Note For Cisco C3201WMIC, access points must be running Cisco IOS Release 12.3(8)JK or later before you
can perform the upgrade.

These Cisco wireless LAN controllers support autonomous access points upgraded to lightweight mode:
• 2000 series controllers
• 4400 series controllers
• Cisco Wireless Services Modules (WiSMs) for Cisco Catalyst 6500 Series Switches
• Controller Network Modules within the Cisco 28/37/38xx Series Integrated Services Routers
• Catalyst 3750G Integrated Wireless LAN Controller Switches
Cisco controllers must run a minimum of software version 3.1.
Cisco Wireless Control System (WCS) must run a minimum of version 3.1.
The upgrade utility is supported on the Windows 2000 and Windows XP platforms.

Important Notes
Before using this utility, consider the following important notes:
• Access points converted with this tool will not connect to 40xx, 41xx, or 3500 controllers.
• You cannot upgrade access points with 802.11b-only or first-generation 802.11a radios.
• If you want to retain the static IP address, netmask, hostname, and default gateway of access points
after conversion and reboot, you must load one of the following autonomous images on the access
points before you convert the access points to LWAPP: 12.3(7)JA, 12.3(7)JA1, 12.3(7)JA2,
12.3(7)JA3, 12.3(7)JA4, 12.3(8)JA, 12.3(8)JA1, 12.3(8)JA2, 12.3(8)JEA, 12.3(8)JEA1,
12.3(8)JEA2, 12.3(8)JEB, 12.3(8)JEB1, 12.4(3g) JA, 12.4(3g) JA1.
• If you upgrade access points to LWAPP from one of the following autonomous images, the converted
access points do not retain their static IP address, netmask, hostname, and default gateway:
12.3(11)JA, 12.3(11)JA1, 12.3(11)JA2, 12.3(11)JA3.
• The LWAPP upgrade tool does not release Windows operating system memory resources when the
upgrade process is complete. Memory resources are released only after you exit the upgrade tool.
If you upgrade several batches of access points, you must exit the tool in between batches to release
memory resources. If you do not exit the tool in between batches, performance of the upgrade station
quickly degrades because of excessive memory consumption.

Preparing for the Upgrade


You must complete these tasks before beginning the upgrade from autonomous to lightweight mode:
1. Prepare the infrastructure so that the upgraded lightweight access point discovers a controller.
2. The autonomous access points must be running Cisco IOS Release 12.3(7)JA or later to perform the
lightweight mode conversion. If necessary, upgrade the access point to Cisco IOS Release 12.3(7)JA
or later. For C3201WMIC, upgrade to 12.3(8)JK or later.
3. Prepare the controller for the upgrade process.
4. Download the Autonomous to Lightweight Mode Upgrade Tool and the upgrade image file from
Cisco.com (see the “Obtaining the Upgrade Tool and Upgrade Image” section).

Preparing the Infrastructure


No lightweight access point can operate independently from a WLC. Each lightweight access point must
discover a WLC, issue an LWAPP join request, and if successful, receive a join response to become
joined to a controller.
The LWAPP discovery algorithm follows these steps:

Step 1 Initiates an IP subnet broadcast of an LWAPP controller discovery message. If the controller
management interface is on the same IP subnet as the lightweight access point, this discovery mechanism
is successful.
Step 2 Lists the previously joined controllers. This discovery mechanism requires prior success joining an
access point and controller.
Step 3 Establishes over-the-air provisioning (OTAP). If OTAP is turned on, access points advertise their
controller(s) over the air. New access points discover the controller based on the OTAP messages. OTAP
is turned off by default on the controllers. OTAP is not supported for controller discovery during the
upgrade process from autonomous to lightweight access point. After an access point is fully migrated to
the lightweight mode, OTAP is used to discover controllers.
Step 4 Uses DHCP option 43. This vendor-specific option can return one or more controller IP addresses to an
access point in the DHCP offer message. The access point sends an LWAPP join message to the
controller.
Step 5 Establishes DNS resolution of CISCO-LWAPP-CONTROLLER.localdomain. If the access point can
resolve the name, it issues an LWAPP join message to the resolved IP address.
Step 6 Reboots and repeats starting with Step 1.
After an access point joins a controller, you can reassign the access point to any controller on your
network.
The upgrade tool loads the upgrade image (Cisco IOS Release 12.3(11)JX1) onto the access point for
two purposes. First, it allows the upgraded access points to discover and join a controller. After joining
a controller, the access point downloads a complete LWAPP IOS image from the controller. Secondly,
the Cisco IOS Release 12.3(11)JX1 is stored in the access point flash memory to serve as an LWAPP
recovery image in case the complete LWAPP IOS image becomes corrupted.

An upgraded access point must find a controller it can join to complete the upgrade process. There are
several potential issues to be aware of:
• Cisco IOS Release 12.3(11)JX1 does not support OTAP.
• An upgraded access point preserves its DNS name server parameter, so
CISCO-LWAPP-CONTROLLER.localdomain can be used for controller discovery when the access
point is not on the same subnet as the management IP address of the controller.
The appropriate controller discovery mechanism should be in place before upgrading the autonomous
access points to lightweight mode. You should follow these rules carefully:
• If the access point is on the same IP subnet as the controller, the discovery should use the IP subnet
broadcast controller discovery.
• If the access point to be upgraded has a static IP address and is not on the same Layer-2 IP subnet
as the controller, then DNS resolution of CISCO-LWAPP-CONTROLLER.localdomain is the only
guaranteed controller discovery mechanism. The upgrade utility can configure a name server before
loading Cisco IOS Release 12.3(11)JX1. Verify the name server can properly resolve
CISCO-LWAPP-CONTROLLER.localdomain before beginning the upgrade procedures.
• If the access point to be upgraded gets an IP address via DHCP, then either option 43 or DNS
resolution of CISCO-LWAPP-CONTROLLER.localdomain can be used to discover the controller.
Verify IP connectivity for the following before beginning the upgrade process:
• between the access points to be upgraded and the controller Management Interface IP address
• between the PC that is hosting the upgrade tool and the access point
• between the PC that is hosting the upgrade tool and the controller
Check for the presence of firewalls that block telnet access between the access point and the upgrade
tool’s TFTP server (whether an internal or an external server).

Using DHCP Option 43


The IP address that should be configured as DHCP option 43 or be resolved from
CISCO-LWAPP-CONTROLLER is the IP address of the controller Management IP address. Consult the
specific documentation for the DHCP or DNS platform for details on configuring these parameters
correctly.
Cisco 1000 series access points use a string format for DHCP option 43, whereas Cisco Aironet access
points use the type-length-value (TLV) format for DHCP option 43. DHCP servers must be programmed
to return the option based on the access point’s DHCP Vendor Class Identifier (VCI) string (DHCP
option 60). The VCI strings for Cisco access points capable of operating in lightweight mode are:

Table 1 VCI String

Access Point                                 VCI String
Cisco Aironet 1000 series                    Airespace.AP1200
Cisco Aironet 1100 series                    Cisco AP c1100
Cisco Aironet 1130 series                    Cisco AP c1130
Cisco Aironet 1200 series                    Cisco AP c1200
Cisco Aironet 1240 series                    Cisco AP c1240
Cisco Aironet 1250 series                    Cisco AP c1250
Cisco Aironet 1300 series                    Cisco AP c1300
Cisco Aironet 1500 series                    Cisco AP c1500 (1)
                                             Cisco AP.OAP1500 (2)
                                             Cisco AP.LAP1505 (3)
                                             Cisco AP.LAP1510 (4)
                                             Cisco AP c1520
                                             Airespace.AP1200 (5)
Cisco 3201 Lightweight Access Point (LAP)    Cisco AP C3201WMIC

(1) Any 1500 Series AP that runs 4.1 software
(2) 1500 OAP AP that runs 4.0 software
(3) 1505 Model AP that runs 4.0 software
(4) 1510 Model AP that runs 4.0 software
(5) Any 1500 Series AP that runs 3.2 software

The format of the TLV block is:


Type: 0xf1 (decimal 241)
Length: Number of controller IP addresses * 4
Value: List of WLC management interfaces
See “Appendix A: Configuring DHCP Option 43 for Lightweight Cisco Aironet Access
Points on Windows 2003 Enterprise DHCP Server” for details on configuring these options in
combination with the appropriate VCI string. The appendix applies to Windows 2000 and 2003 DHCP
servers. After the infrastructure is prepared for the upgrade process, IP connectivity between the access
points to be upgraded and the WLC Management Interface IP address should be verified.
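
The TLV block described above, worked through as an added example that is not part of the original application note. It builds the option 43 payload for a list of controller management addresses and validates a payload before it is entered on a DHCP server; the addresses are constructed sample values, and the single-byte type and length fields are an assumption based on the Type/Length/Value layout shown above.

```python
import ipaddress

LWAPP_TLV_TYPE = 0xF1  # type byte from the application note (decimal 241)


def encode_option43(controller_ips):
    """Return the option 43 payload for a list of WLC management IPs."""
    addrs = [ipaddress.IPv4Address(ip) for ip in controller_ips]
    if not addrs:
        raise ValueError("at least one controller address is required")
    length = 4 * len(addrs)  # Length = number of controller IP addresses * 4
    if length > 0xFF:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([LWAPP_TLV_TYPE, length]) + b"".join(a.packed for a in addrs)


def decode_option43(payload):
    """Validate a payload and return the controller IPs it carries."""
    if len(payload) < 2:
        raise ValueError("payload is shorter than the type and length bytes")
    tlv_type, length = payload[0], payload[1]
    value = payload[2:]
    if tlv_type != LWAPP_TLV_TYPE:
        # Also catches a string-format value configured for a TLV-format AP.
        raise ValueError(f"unexpected type 0x{tlv_type:02x}, expected 0xf1")
    if length != len(value):
        raise ValueError(f"length byte says {length}, value has {len(value)} bytes")
    if length == 0 or length % 4:
        raise ValueError("value must hold one or more 4-byte IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    # Constructed sample addresses (documentation range), not from the note.
    payload = encode_option43(["192.0.2.10", "192.0.2.11"])
    print(payload.hex())
    print(decode_option43(payload))
```

Decoding the hex string actually configured on the DHCP server catches a length byte that no longer matches the address list after a controller is added or removed.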

Obtaining the Upgrade Tool and Upgrade Image


The autonomous mode to lightweight mode access point upgrade process is only supported for access
points running Cisco IOS Releases 12.3(7)JA and later. The access points must be upgraded to this
version or a later version before they can be converted to lightweight mode. Consult the Cisco Aironet
documentation on upgrade procedures for autonomous access points.
You can find the upgrade tool and the upgrade image at the Download Software page on Cisco.com.

Note You must register or be a registered user of Cisco.com to download software.

To find the tool and the software image, follow these steps:

Step 1 Browse to the wireless downloads page:


http://www.cisco.com/public/sw-center/index.shtml
Step 2 Click Wireless Software.
Step 3 Log into Cisco.com.
Step 4 Click Access Points.

Step 5 Click the type of access point that you want to upgrade (for example, Cisco Aironet 1240 AG Series).
When you click the access point type, the access point folder expands.
Step 6 Click the access point that you want to upgrade in the expanded list. The Downloads page appears.
Step 7 For the upgrade tool, click the Autonomous to Lightweight Mode Upgrade Tool link.
Step 8 Click the latest tool release and follow the prompts to download the tool to your PC.
Step 9 For the recovery software upgrade image, click the Autonomous to Lightweight Mode Upgrade Image
link.
Step 10 Click the latest upgrade image name and follow the prompts to download the upgrade image to your PC.

Note The recovery software image for the upgrade has “rcv” in the image name—for example,
c1200-rcvk9w8-tar.123-11JX1.tar.

Note For Cisco C3201WMIC, use Cisco IOS Release 12.3(11)JA1, which is available in the Software Center
tables on Cisco.com.

Preparing the Controller for the Upgrade Process


There are several key tasks that must be completed to prepare the controller for the upgrade process:
1. Upgrading the controller to version 3.1 or later
2. Configuring the controller to accept telnet connections
3. Synchronizing the controller time with the machine that hosts the upgrade tool
Consult the Cisco Wireless LAN Controller Configuration Guide for upgrade procedures for the
controller.
The controller can be configured to accept telnet connections through the controller console or the
controller web-interface. To configure telnet on the controller through the controller console, attach a
console to the controller, log into the CLI, and enter this command:
config network telnet enable

To configure telnet through the controller web-interface, log into the controller web-interface and
navigate to Management > Telnet-SSH, select Yes for the Allow New Telnet Sessions setting, and click
Apply (see Figure 1).

Figure 1 Telnet-SSH Configuration Page

The WLC time should be synchronized with the machine that hosts the upgrade utility. The upgrade
utility configures the access point to generate a self-signed certificate with a validity interval, beginning
with the machine time of the utility host or a time specified at run-time. If the WLC time is outside the
validity interval of the SSC, the access point cannot join the controller. To configure the WLC time, use
the WLC web-interface found by choosing Commands > Set Time (see Figure 2).

Figure 2 Set Time Page

The time can also be configured through the WLC CLI using the config time command. The WLC time
should be set to account for any offset from GMT.

Upgrade Procedure
The upgrade from autonomous to lightweight mode is accomplished with the upgrade tool. The upgrade
tool performs the basic tasks necessary to upgrade from autonomous to lightweight mode:
• Basic condition checking—verifies whether the access point is a supported one, whether it is
running a minimum software revision, and whether the radio types are supported.
• Preparation of the autonomous access point for conversion—adds the PKI configuration and
certificate hierarchy so access point authentication to the Cisco controllers can occur and self-signed
certificates can be generated for the access point.
• Loads the upgrade image (Cisco IOS Release 12.3(11)JX1), which allows the access point to join a
controller.
• On successful download, reboots the access point.
• Generates an output file consisting of access point MAC addresses, certificate type, and secure
key-hash and automatically updates the controller. The output file can be imported into WCS and
exported to other controllers.

Note During the upgrade process, the dot11radio is shut down.

To install and run the upgrade tool, you must satisfy these conditions:
• You must be logged in as the administrator of the PC.
• You must run the upgrade tool on a PC that is running Windows 2000 or Windows XP.
• You must use the upgrade tool with Cisco Aironet 1100, 1130, 1200, 1240, and 1310 series access
points that are running Cisco IOS release 12.3(7)JA or later. All access points must be in AP mode.
• If you use the upgrade tool over a WAN link, the link speed must be greater than or equal to 128
Kbps.
• Check for the presence and configuration of firewalls on your network. Firewalls might prevent the
downloading of images.
• You must enable Telnet service on all access points and on the controller.
• You must ensure that the system time is configured properly on your controller and access points.
• You must provide the upgrade tool with a valid IP file that contains the following information for
each access point that you want to upgrade:
– IP address
– Username
– Password
– Enable password (optional)

Note For each access point, the IP address, username, password, and optional enable password should
all be separated by commas. Ensure that the IP file does not contain multiple entries for the same
access point.
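
One way to check an IP file against the rules above before handing it to the upgrade tool, as an added example that is not part of the original application note or of the upgrade tool. It assumes one access point per line with comma-separated fields and an optional fourth field for the enable password; the sample entries are constructed.

```python
import ipaddress


def check_ip_file(text):
    """Parse IP file text; return (entries, errors).

    entries: dicts with line, ip, username, password, enable (None if absent)
    errors:  (line_number, message) tuples; messages never echo credentials
    """
    entries, errors, first_seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue  # ignore blank lines
        fields = raw.split(",")
        if len(fields) not in (3, 4):
            # A comma inside a password also lands here: the format has no quoting.
            errors.append((lineno, f"expected 3 or 4 fields, found {len(fields)}"))
            continue
        try:
            ip = ipaddress.IPv4Address(fields[0].strip())
        except ValueError:
            errors.append((lineno, "first field is not a valid IPv4 address"))
            continue
        username, password = fields[1], fields[2]
        if not username or not password:
            errors.append((lineno, "username and password must not be empty"))
            continue
        if ip in first_seen:
            errors.append(
                (lineno, f"duplicate entry for {ip}, first seen on line {first_seen[ip]}")
            )
            continue
        first_seen[ip] = lineno
        enable = fields[3] if len(fields) == 4 and fields[3] else None
        entries.append(
            {"line": lineno, "ip": str(ip), "username": username,
             "password": password, "enable": enable}
        )
    return entries, errors


# Constructed sample IP file: two valid entries, a duplicate, a bad address,
# and a line with a missing password field.
SAMPLE_IP_FILE = """\
192.0.2.21,admin,Example-Pw1,Example-En1
192.0.2.22,admin,Example-Pw1
192.0.2.21,admin,Example-Pw2,Example-En1
192.0.2.300,admin,Example-Pw1
192.0.2.23,admin
"""

if __name__ == "__main__":
    ok, problems = check_ip_file(SAMPLE_IP_FILE)
    for entry in ok:
        has_enable = "yes" if entry["enable"] else "no"
        print(f"line {entry['line']}: {entry['ip']} (enable password: {has_enable})")
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
```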

Installing the Upgrade Tool


To install and run the upgrade tool, your system must meet these minimum requirements:
• Operating system—Windows 2000 or Windows XP workstation only.
• Processor—Pentium III or an equivalent
• Speed—1 GHz
• RAM—512 MB
• Free space on hard drive—20 MB
To install the upgrade tool, follow these steps:

Step 1 Run the executable file UpgradeToolv30.exe. The install shield guides you through the rest of the install
procedure.

Note If the upgrade tool is already installed on your system, a dialog box alerts you that the upgrade
tool is already installed. Ensure that no upgrade tool window or readme file of an older version
of the tool is open. Cisco recommends that you uninstall the previous version before installing
the newer version. Click Yes if you want to replace the older version with the new version of
the upgrade tool.

The minimum system requirements are displayed in the next dialog box. Then in the “Welcome” dialog
box, basic information about the setup program is displayed.
Step 2 Click Next in the “Welcome” dialog box. The “Choose Destination Location” dialog box then appears.
Step 3 The default installation location appears in the “Destination Folder” field. If you do not want to change
the default installation location, go to Step 4. If you want to change the installation location, follow these
steps:
a. Click Browse. The “Choose Folder” dialog box appears. The “Path” box contains the installation
location.
b. Change the installation location. You can either type the new location path in the “Path” box or use
the “Drives and Directories” lists to select a new drive and directory. The installation location must
be on a drive that is on the computer.
c. After the correct path is in the “Path” box, click OK.
The new installation location now appears under “Destination Folder” in the “Choose Destination
Location.”
Step 4 Click Next. The “Folder Selection” window prompts you to select the program folder where icons are
to be added by the setup process. You can choose the default folder, select from existing folders, or create
a new folder.
Step 5 Click Next. A dialog asks if you want to view the Readme file. Click Yes to read the file. Click No to
read the file later.
If the installation was successful, a dialog box tells you that the installation was successful.

Running the Upgrade Tool


Figure 3 shows the upgrade tool window.

Figure 3 Upgrade Tool Window

Enter information in these entry fields and click Start to begin the upgrade:

Step 1 The IP File field is the input file of access points to upgrade. Whether you have one or several access
points to upgrade, create a flat text file in the following format:
ap-ip-address,telnet-username,telnet-user-password,enable-password
ap-ip-address,telnet-username,telnet-user-password,enable-password
Each line in the text file lists the unit IP address, Telnet username and password, and a password that
permits access to the access point CLI privileged EXEC mode. Use a comma to separate each item on a
line. Save the text file on the same machine that hosts the upgrade tool. Click the . . . button to browse
to and select the text file.

Step 2 To specify the way in which autonomous APs are upgraded, set the parameters in the Upgrade Options
section:
a. Check the Use WAN Link check box to upgrade over a WAN link. The following are
recommendations for upgrading over a WAN link:
– If you want to upgrade one AP each at different remote locations, place all APs in the same file
that contains the list of AP IP addresses. However, if the APs that you want to upgrade are all
at the same remote location, do not upgrade them concurrently to avoid problems with
bandwidth constraints.
– Use a local TFTP server. Pushing the image over a WAN link increases the amount of time the
upgrade takes. Telnet traffic does not compete with TFTP traffic for WAN bandwidth.
b. The upgrade tool creates a file of environmental variables for each AP on the workstation. These
environmental variables are the IP address, netmask, default gateway, and hostname of the AP as
they are identified in the running configuration. During the upgrade, the tool checks this file for
variable mismatches. The tool deletes this file at the end of the upgrade process.
If you check the All APs to DHCP check box, all upgraded APs use a DHCP server to get IP
addresses. This parameter is useful if you have a combination of static and DHCP-assigned IP
addresses and want all upgraded APs to use DHCP.
If you do not check the All APs to DHCP check box, configuration information that is present in
the running configuration is updated in the file of environmental variables for each AP. If the running
configuration contains an AP with a DHCP-assigned IP address, that AP will use a DHCP-assigned
IP address. If an AP in the running configuration had a static IP address, the environmental variables
are updated with that particular static IP address.
If a firewall or an access control list is enabled during the upgrade process, the upgrade tool might
be prevented from copying the file that contains environmental variables from a workstation to an
AP.
If a firewall or access control list blocks the copy operation and you have selected the Use Upgrade
Tool TFTP Server option (see Step 3 below), you cannot proceed with the upgrade because the tool
cannot update the environmental variables and the image upload to the AP fails. Click OK and
disable the firewall or access control list setting for the upgrade (see Figure 4).

Figure 4 Upgrade Tool Window—Firewall or Access Control List with Internal TFTP Server

If a firewall or an access control list blocks the copy operation and you have selected the Use
External TFTP Server option (see Step 3 below), you can proceed with the upgrade, but the tool
will not update the environmental variables. Click Yes to proceed or No not to proceed (see
Figure 5).

Figure 5 Upgrade Tool Window—Firewall or Access Control List with External TFTP Server

Caution If you select the Use External TFTP Server option, the TFTP server must not be located on the same
workstation as the upgrade tool. The message in Figure 5 applies only when the external TFTP server is
located on a workstation that is different from the workstation on which the upgrade tool is located.

If you are running the TFTP server on the same workstation as you are running the upgrade tool, the
following message appears (see Figure 6). If you want to run the built-in upgrade tool TFTP server, you
must stop the currently running TFTP server on the workstation. Then stop the tool by clicking the No
button in Figure 6. Restart the tool to run the built-in upgrade tool TFTP server.
If you click the Yes button in Figure 6, you must click the Use External TFTP Server radio button (see
Step 3 below). With this option, the upgrade tool does not handle environmental mismatches because the
built-in upgrade tool TFTP server is not running.

Figure 6 Upgrade Tool Window—TFTP Server Running on Same Workstation as Upgrade Tool

c. Check the Retain Hostname on APs check box so that the upgrade tool includes the hostname that is
present in the running configuration in the environmental variables. LWAPP looks for these
environmental variables when an LWAPP private configuration file is not available.
If you are upgrading an AP for the second time, make sure that there is no private configuration file
present in the AP before upgrading again. The LWAPP hostname should be updated with the latest
hostname that was configured in the environmental variables by the tool during the first upgrade.
You can enter the clear lwapp private-config command when the AP is running an LWAPP
recovery image or when the AP is running an LWAPP image but not joined to a controller.
Step 3 The LWAPP Recovery Image section refers to the upgrade image file (Cisco IOS Release 12.3(11)JX1)
loaded by the upgrade tool that allows the access point to join the controller. Perform the following steps
to specify information about the recovery image:
a. Click either the Use Upgrade Tool TFTP Server radio button or the Use External TFTP Server
radio button to download the upgrade image into the access point. To use the tool’s TFTP server,
store the upgrade image file in the images sub-directory for the upgrade tool. For example, if the
upgrade tool is installed in C:\Program Files\Cisco Systems\Upgrade Tool, the upgrade image file
must be stored in C:\Program Files\Cisco Systems\Upgrade Tool\images. If you use an external
TFTP server, enter the TFTP server path, including the upgrade image filename, in the LWAPP
Recovery Image field. Enter the external TFTP server IP address in the TFTP Server IP Addr field.

Note For Cisco C3201WMIC, use the Cisco IOS Release 12.3(11)JA1 image file, which is available
in the Software Center tables on Cisco.com.

b. Enter the IP address of the workstation on which you are running the upgrade tool in the System IP
Addr field. Providing the workstation IP address ensures that the upgrade tool has the correct IP
address in the case of a multi-homed workstation. Specifying the IP address ensures the correct
transfer of the environmental variable file to APs and the correct transfer of the recovery image if
you use an internal TFTP server.
c. Select the number of access points from the drop-down menu in the Max. AP at a run field. The
upgrade tool can handle up to 6 access points at one time. After you supply all necessary information
in the other fields and start the tool, the tool enters the access point IP addresses that are in the IP file.
Step 4 (Optional) The Controller Details section contains the information that the upgrade tool uses to log into
the controller and add the upgraded access point authorization information. In the IP Address field, enter
the controller Management interface IP address. In the Username and Password fields, enter the
username and password required to log into the controller Management interface.
Step 5 The System Time Details section provides the time setting that the upgrade tool uses to specify the start
time and date of the self-signed certificate's validity period. You have two options (Use Controller Time
or User Specified Time) for selecting the time that is set on the access point:
• If you click the Use Controller Time radio button, the upgrade tool uses the controller time if you
have provided information about the controller in the Controller Details fields.
If you click this radio button but have not provided information about the controller, the upgrade
tool uses the time in UTC format of the workstation on which you are running the upgrade tool. If
the tool cannot find information about the controller, the following window appears. Click Yes to
use the workstation time or No not to use the workstation time (see Figure 7).

Figure 7 Upgrade Tool Window—Using Workstation Time

Note If the upgrade tool uses the workstation date and time, the workstation date and time must be
June 12, 2005, 00 hours, 00 minutes, or after. Specifying a date and time before June 12, 2005,
00 hours, 00 minutes generates invalid certificates.

Note The Use Controller Time option is recommended.

• If you click the User Specified Time radio button, you can specify a time in the provided fields.

Note If you specify a date and time in the provided fields, you must enter a date and time that is June
12, 2005, 00 hours, 00 minutes, or after. Specifying a date and time before June 12, 2005, 00
hours, 00 minutes generates invalid certificates.

If the date and time is before June 12, 2005, 00 hours, 00 minutes, this message appears (see Figure 8):

Figure 8 Upgrade Tool Window—Entering Date Before June 12, 2005

Step 6 (Optional) You use the DNS Address field and Domain Name field to specify DNS parameters that the
upgraded access point can use to resolve CISCO-LWAPP-CONTROLLER.localdomain when the access
point is not on the same IP subnet as the controller Management interface.
Step 7 Use the Detailed Logging Level menu to set the logging level for the upgrade tool run. Cisco
recommends that you select All for the logging level.
The buttons at the bottom of the window control the tool operation:
• Start starts the upgrade process. When the upgrade process is running, you can click Stop to stop
the upgrade tool. The upgrade tool stops after completing the upgrade in progress.
• Exit closes the tool window.
• Config launches a window that shows the information that is added to the controller access point
authorization list. Each entry in the list includes an AP’s Ethernet MAC address, certification type,
and public key hash value.
This information is stored in a CSV file with this format: Config_<date stamp>_<time stamp>.csv.
At the end of the upgrade, the tool displays a reminder message about the CSV file (see Figure 9).

Figure 9 Upgrade Tool Window—Upgrade Process Complete

If you do not have a Wireless Control System (WCS), you can import an AP authorization list to the
controller by following these steps:

Step 1 Click on the Config button to generate a CSV file that contains a list of APs, their Ethernet MAC
addresses, their certification type, and public key hash values.
Step 2 Go to the https interface of the controller. Click on SECURITY. Then click AAA and under that,
AP Policies.
Step 3 Enable Accept Self Signed Certificate.
Step 4 Add the MAC address of each AP as it is listed in the CSV file.
Step 5 Select SSC as the Certificate Type.
Step 6 Enter the hash key for each AP from the CSV file.
Step 7 When you are finished, click on Add.

If you prefer, you can add this information from the controller CLI by entering the config auth-list
add ssc AP_MAC public_key_hash for each AP.

Note If you do have a WCS, see the “Importing the Output of the Upgrade Tool into WCS” section on page 17.

• AP Config launches a window that lists successfully upgraded access points in this format:
mac-address, ip-address, hostname, radio-type, interface, radio-channel, current-radio-power
• Summary Log launches a window that shows the final status for each of the upgraded access points.
• Detailed Log launches a window that shows a step-by-step status for each of the upgraded access
points.
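
The controller CLI alternative described above (config auth-list add ssc AP_MAC public_key_hash for each AP in the Config CSV file) lends itself to scripting. The Python below is an added example, not part of the upgrade tool or this application note; it assumes the CSV has no header row, that the columns are MAC address, certificate type, key hash, that the key hash is 40 hex digits (SHA-1), and that the controller accepts colon-separated MAC addresses. Rows that are malformed, or that give a second, different hash for an AP already listed, are reported instead of being turned into commands.

```python
import csv
import io
import re

# Assumption: the key hash is a SHA-1 digest written as 40 hex digits.
HASH_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample standing in for Config_<date stamp>_<time stamp>.csv.
# Assumptions: no header row; columns are MAC, certificate type, key hash.
SAMPLE_CSV = "\n".join([
    "00:11:22:aa:bb:01,SSC," + "0123456789abcdef" * 2 + "01234567",
    "0011.22aa.bb02,SSC," + "89ABCDEF" * 5,
    "00:11:22:aa:bb:03,SSC,deadbeef",        # hash too short
    "00:11:22:aa:bb:01,SSC," + "f" * 40,     # same AP, different hash
])


def normalize_mac(text):
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_row(row):
    """Validate one CSV row and return (mac, key_hash)."""
    if len(row) != 3:
        raise ValueError(f"expected 3 fields, got {len(row)}")
    mac = normalize_mac(row[0])
    if row[1].strip().upper() != "SSC":
        raise ValueError(f"certificate type {row[1]!r} is not SSC")
    key_hash = row[2].strip().lower()
    if not HASH_RE.fullmatch(key_hash):
        raise ValueError("key hash is not 40 hex digits")
    return mac, key_hash


def build_auth_list_commands(csv_text):
    """Return (commands, rejected) where rejected is [(line_number, reason)]."""
    commands, rejected, seen = [], [], {}
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        try:
            mac, key_hash = parse_row(row)
            if seen.get(mac, key_hash) != key_hash:
                raise ValueError(f"{mac} already listed with a different hash")
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        if mac not in seen:  # an exact duplicate adds nothing
            seen[mac] = key_hash
            commands.append(f"config auth-list add ssc {mac} {key_hash}")
    return commands, rejected


if __name__ == "__main__":
    cmds, bad = build_auth_list_commands(SAMPLE_CSV)
    print("\n".join(cmds))
    for lineno, reason in bad:
        print(f"# line {lineno} skipped: {reason}")
```

Review the rejected rows before pasting the generated commands into the controller CLI; an entry with a wrong hash authorizes nothing, and a conflicting hash for a known MAC address deserves investigation.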

Uninstalling the Upgrade Tool


To uninstall the upgrade tool, use the Add/Remove Programs option in the Windows Control Panel.

Post-Upgrade Tasks
After the upgrade is complete, the autonomous access point is now completely under the control of the
controller and the WCS. Typically, you need to complete these post-upgrade tasks:
• Assign access points to a specific controller
• Add the new access points to a WCS map
• Push the access point authorization list from WCS to the other controllers in the network
Consult the Cisco Airespace System Product Guide and for instructions on completing these tasks.

Importing the Output of the Upgrade Tool into WCS


To import the configuration file output of the upgrade tool into WCS, open the WCS web interface and
navigate to Configure > Templates > Security > AP Authorization.

Step 1 Select Add Template from the drop-down box in the upper right-hand side.
Step 2 Click Go (see Figure 10).

Figure 10 Adding a Template

Step 3 Browse to the location of the CSV file output by the upgrade tool and click Save (see Figure 11).

Figure 11 New Template Page

Step 4 If you want to push the imported entries to other WLCs in the network, choose SSC entries and then
select Apply Templates.

Note If you have multiple controllers in your environment, a best practice is to populate each
controller with all known SSCs. To aid in populating multiple controllers, use the configuration
file that is located here: installed_location/Upgrade Tool/Config_date stamp_time stamp.csv.

Step 5 Click Go (see Figure 12).

Figure 12 Apply Templates

Step 6 Choose a WLC device to add to the SSC entries and click OK (see Figure 13).

Figure 13 Self-signed Certificate

Converting a Lightweight Access Point Back to Autonomous Mode
You can convert an access point from lightweight mode back to autonomous mode by loading a Cisco
IOS Release that supports autonomous mode (Cisco IOS release 12.3(7)JA or earlier). If the access point
is associated to a controller, you can use the controller to load the Cisco IOS release. If the access point
is not associated to a controller, you can load the Cisco IOS release using TFTP.

Note In some LWAPP deployments, the LWAPP controller resides between the access points and the rest of
the network. In this topology, all traffic must cross over the controller before communication with
network resources, such as a TFTP server, can occur. When converting back to non-LWAPP IOS with an
access point that is no longer using the LWAPP protocol, traffic does not cross over the controller to
reach the TFTP server.

Note The lightweight 1300 series access points can only be converted back to autonomous mode using a
wireless LAN controller.

Using a Wireless LAN Controller to Return to a Previous Release


Follow these steps to revert from LWAPP mode to autonomous mode using a wireless LAN controller:

Step 1 Log into the CLI on the controller to which the access point is associated.
Step 2 Enter this command:
config ap tftp-downgrade tftp-server-ip-address filename access-point-name

Using a TFTP Server to Return to a Previous Release

Note This section does not apply to Cisco C3201WMIC and Cisco C3201LAP.

Follow these steps to revert from LWAPP mode to autonomous mode by loading a Cisco IOS release
using a TFTP server:

Step 1 The static IP address of the PC on which your TFTP server software runs should be between 10.0.0.2
and 10.0.0.30.
Step 2 Make sure that the PC contains the access point image file (such as c1200-k9w7-tar.122-15.JA.tar for a
1200 series access point) in the TFTP server folder and that the TFTP server is activated.
Step 3 Set the timeout value on the TFTP server to 30 seconds.
Step 4 On the PC where the TFTP server is located, perform these steps:
a. Disable any software firewall products, such as Windows firewall, ZoneAlarm firewall, McAfee
firewall, or others.
b. Ensure all Windows files are visible. From Windows Explorer, click Tools > Folder Options >
View; then uncheck the Hide extensions for known file types check box.
Step 5 Rename the access point image file in the TFTP server folder to c1200-k9w7-tar.default for a 1200
series access point, c1130-k9w7-tar.default for an 1130 series access point, c1240-k9w7-tar.default
for a 1240 series access point, and c1250-k9w7-tar.default for a 1250 series access point.
Step 6 Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable.
Step 7 Disconnect power from the access point.
Step 8 Press and hold MODE while you reconnect power to the access point.
Step 9 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds) and then release.
Step 10 Wait until the access point reboots, as indicated by all LEDs turning green followed by the Status LED
blinking green.
Step 11 After the access point reboots, reconfigure it using the GUI or the CLI.

Caveats
This section describes resolved caveats.

Resolved Caveats in Release 3.4


• CSCsl82267—Unable to load RCV image using upgrade tool in MIC access points
When conversion of MIC access points (for example, the AP1240 and AP1130) is attempted, the
recovery image is not loaded on the access points.
• CSCsm34792—Upgrade tool version 3.2 fails on unconfigured SNTP servers on AP
The upgrade process fails for access points on which SNTP is configured.
• CSCsm55251—Upgrade tool times out if the initial upgrade attempt fails
If an incorrect version of a recovery image is selected, the upgrade tool fails. If a correct version is
then selected, the tool returns the message “Tool timed-out before response from the device.”
• CSCsm73407—Upgrade tool version 3.2 error message should be corrected
The error message “192.x.x.x, Couldn't getthe result of file Copy success/failure” should be
“Couldn't get the result of file copy success/failure.”

Resolved Caveats in Release 3.2


• CSCsj40023—IOS-to-LWAPP upgrade tool SSC load failure
After access points run through the IOS-to-LWAPP conversion process, the access points report
successful installation of the required self-signed certificate (SSC). However, the SSC is not
installed. The access points cannot join the controller.
• CSCsl32823—AP does not reboot after IOS-to-LWAPP conversion process
Access points do not reboot after conversion with upgrade tool release 2.05. Access points must be
rebooted manually.

Resolved Caveats in Release 3.0


• CSCsh54459—LWAPP upgrade tool corrupts access points when converted with user-specified time
When the user specifies a date and time before June 10 2005 22:16:01 UTC, access points fail to
join the controller.
With Upgrade Tool 3.0, the upgrade tool performs a validation check of the date and time. With
Upgrade Tool 3.0, the earliest date for generating valid certificates is June 12, 2005.
• CSCsh58663—The # sign in Cisco IOS access point hostname causes the LWAPP upgrade tool to
fail
The LWAPP upgrade tool used to stall when an access point hostname contains special characters.
Upgrade Tool 3.0 handles such special characters and proceeds with the upgrade process.
• CSCsi59466—LWAPP Upgrade Tool upgrade options do not function
When performing an upgrade with the LWAPP upgrade tool, the All APs on DHCP option and the
Retain Hostname on APs option do not function when the Use External TFTP Server option is
selected but the TFTP server is located on the same workstation as the upgrade tool.
To avoid these issues, when the Use External TFTP Server option is selected, the user must not use
a TFTP server that is located on the same workstation as the upgrade tool.
• CSCsj10936—LWAPP upgrade tool rejects access points that have radios configured with the
station-role fallback shutdown option
The upgrade tool used to reject the upgrade and indicate that the station-role should be the root.
Upgrade Tool 3.0 accepts this configuration.

Terms and Acronyms


This section lists key terms and acronyms used in this document.
• Lightweight access point—An access point running software that makes the access point work with
the controllers
• LWAPP—Lightweight Access Point Protocol. An IETF draft protocol used in the Cisco Centralized
WLAN Architecture implementations. LWAPP defines both control and data encapsulation formats
used in the Cisco Centralized WLAN Architecture
• MIC—Manufacturing Installed Certificate, required to secure communications between lightweight
access points and controllers
• SSC—Self-Signed Certificate. Access points that do not contain a MIC (such as autonomous access
points upgraded to lightweight mode) automatically create a self-signed certificate.
• WCS—Cisco Wireless Control System. Management software that manages the controllers and
access points on your wireless LAN. Also provides advanced management features such as
location-based services.

Related Documents
These documents provide more information about WCS, controllers, and lightweight access points:
• Cisco Wireless LAN Controller Configuration Guide
• Cisco Wireless Control System Configuration Guide
• Release Notes for Cisco Aironet 1130AG, 1200, 1230AG, and 1240AG Series Access Points for
Cisco IOS Release 12.3(11)JX1

Appendix A: Configuring DHCP Option 43 for Lightweight Cisco Aironet Access Points on Windows 2003 Enterprise DHCP Server
This appendix contains an example of configuring DHCP Option 43 for Lightweight Cisco Aironet
Access Points on Windows 2003 Enterprise DHCP Servers. Consult the product documentation for
configuring DHCP Option 43 with other DHCP Server implementations.

Step 1 Open the DHCP Server Administration Tool.


Step 2 Right-click on DHCP root and choose Define Vendor Classes (see Figure 14).

Figure 14 Define Vendor Class

Step 3 On the DHCP Vendor Class pop-up window, select Add (see Figure 15).

Figure 15 DHCP Vendor Class Window

Step 4 On the New Class pop-up window, enter a value for the Display Name field (such as Cisco Aironet 1130
AP) and an appropriate description.
Step 5 In the ASCII section, enter the appropriate string value for the Vendor Class Identifier (in Table 1 on
page 5). Remove the leading “.’s” inserted by Microsoft Windows in the ASCII field (see Figure 16).

Figure 16 ASCII Section

Step 6 Click OK.


Step 7 To configure the pre-defined options, right-click on the DHCP Server Root and choose Set Predefined
Options (see Figure 17).

Figure 17 Set Predefined Options

Step 8 Use the drop-down menu to choose the newly created vendor option class in the Option Class field.
Step 9 Select Add. The Option Type window appears (see Figure 18).

Figure 18 Option Type Window

Step 10 In the Name field, enter a string value (such as Option 43).
Step 11 Use the drop-down menu to choose IP Address as the Data Type.
Step 12 Click to check the Array check box.
Step 13 In the Code field, enter the value 241 (0xf1).
Step 14 Enter a description if desired.
Step 15 Click OK. You will return to the Predefined Options and Values window.
Step 16 In the Predefined Options and Values window, click OK.
Step 17 Option 43 must now be configured as an appropriate DHCP scope option. Choose the appropriate DHCP
scope.
Step 18 Right-click on Scope Options and choose Add Option.
Step 19 Choose the Advanced Tab (see Figure 19).

Figure 19 Advanced Tab

Step 20 Choose the vendor class previously defined.


Step 21 Click the check box to choose the 241 Option 43 value in the Available Options column.
Step 22 Enter each WLC management interface IP address.
Step 23 Click OK.
Repeat these steps for each type of lightweight access point (such as Cisco Aironet 1130, Cisco Aironet
1200, Cisco Aironet 1240, etc.).
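
Steps 13 and 22 define option code 241 (0xf1) as an array of WLC management interface IP addresses. The Python below is an added example, not taken from this application note; it builds and parses the resulting Option 43 bytes, assuming the standard encapsulated vendor-option layout of RFC 2132 (one code byte, one length byte, then 4 bytes per address), and reports any controller address in a captured payload that is not on an approved list. The IP addresses and function names are constructed for illustration.

```python
import ipaddress

WLC_SUBOPTION = 0xF1  # code 241 entered in Step 13


def encode_option43(controller_ips):
    """Build the Option 43 payload: 0xf1, length, then 4 bytes per controller."""
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if not packed or len(packed) > 255:
        raise ValueError("need between 1 and 63 controller addresses")
    return bytes([WLC_SUBOPTION, len(packed)]) + packed


def decode_option43(payload):
    """Walk the sub-option TLVs and return the controller IPs found under 0xf1."""
    controllers, i = [], 0
    while i < len(payload):
        code = payload[i]
        if code == 0:        # pad byte, no length field
            i += 1
            continue
        if code == 255:      # end marker
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated sub-option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length runs past end of payload")
        if code == WLC_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("0xf1 length must be a non-zero multiple of 4")
            controllers += [str(ipaddress.IPv4Address(value[j:j + 4]))
                            for j in range(0, length, 4)]
        i += 2 + length
    return controllers


def unapproved_controllers(payload, approved_ips):
    """Return controller IPs in the payload that are not on the approved list."""
    approved = {str(ipaddress.IPv4Address(ip)) for ip in approved_ips}
    return [ip for ip in decode_option43(payload) if ip not in approved]


if __name__ == "__main__":
    approved = ["192.168.10.5", "192.168.10.20"]      # constructed addresses
    print(encode_option43(approved).hex())
    observed = bytes.fromhex("f108c0a80a05c0a80a63")  # constructed capture
    print(unapproved_controllers(observed, approved))
```

Running the check against the Option 43 bytes seen in a DHCP offer on each AP subnet confirms that the scope hands out only the controllers you intended.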

Appendix B: Configuring Access Points in Cisco LWAPP Mode for Easy Deployment
Access points in Cisco IOS LWAPP mode are managed by a Cisco wireless LAN controller. When you
deploy an access point in a remote place, the access point connects to the controller through a WAN link.
You can manually configure the access point so that it can register to a specified controller when a WAN
link is slow and a DHCP server is not available.
To register to a specified controller, you enter commands on the access point console to configure the
access point static IP address and the netmask; the IP address of the controller; the access point
hostname; and the default gateway IP address.
These commands have been provided to make the deployment of access points easier. They can be
entered in EXEC mode on the access point console.
These commands are disabled by default in an access point in LWAPP mode. They are enabled by default
when the access point is running a recovery IOS image.

Obtaining a Password to Enter into EXEC mode on the AP Console


An IOS LWAPP access point uses “Cisco” as the default enable password, but to enable these commands
for easy deployment, you must first provide the access point with a new enable password. This new
password enables you to enter into EXEC mode on the access point console.
When you enter the following command from the controller console, the controller sends a username and
a password to the access point:
config ap username user-id password pass {AP-name | all}
If you enter an AP-name argument, the username and password are configured only for the specified access
point. If you enter the all keyword, the username and password are sent to all access points that are
registered to the controller.

Note If you are relocating an access point that is using an LWAPP configuration file, you must clear the
LWAPP configuration in the access point NVRAM and restore the access point factory default settings
in order to enable the commands that specify the access point static IP address and the netmask; the IP
address of the controller; the access point hostname; and the default gateway IP address. See the
“Deleting the LWAPP Configuration File to Redeploy the AP” section on page 27 for information about
deleting the LWAPP configuration and enabling these commands.

Configuring Static Parameters to Register the Access Point to a Controller


Using the password that the controller sent to the access point, enter into EXEC mode on the access point
console. When the access point is running LWAPP or a recovery IOS image, you can configure the static
IP address on the access point, the IP address on the controller, the access point hostname, and the default
gateway IP address by entering these commands:
• lwapp ap ip address ip-addr subnet-mask
• lwapp ap controller ip address ip-addr
• lwapp ap hostname ap-hostname
• lwapp ap ip default-gateway ip-addr
The access point with a recovery IOS image uses the static controller IP address to register to the
specified controller and download the current LWAPP image. After the access point successfully
registers to the controller, it receives configurations from the controller. The access point static hostname
and the IP address of the controller are deleted from the access point configuration file. However, the
access point static IP address and the netmask and the default gateway IP address are not deleted.
When the access point is running a recovery IOS image, the commands to configure the static IP address
on the access point, the IP address on the controller, the access point hostname, and the default gateway
IP address are always enabled.
These commands are disabled in the following cases:
• When the access point is running an LWAPP image.
• When the access point has an LWAPP configuration file in NVRAM.
• When the access point is in REGISTERED state with the controller.
The access point console displays the following error message if you enter any of these commands when
they are disabled:
“ERROR!!! Command is disabled.”

Clearing the Static Parameters


To clear the static IP address on the access point, the IP address on the controller, the access point
hostname, and the default gateway IP address, enter these commands on the access point console:
• clear lwapp ap ip address
• clear lwapp ap controller ip address
• clear lwapp ap hostname
• clear lwapp ap ip default-gateway
The access point console displays the following error message if you enter any of these commands when
they are disabled:
“ERROR!!! Command is disabled.”

Deleting the LWAPP Configuration File to Redeploy the AP


When you redeploy an access point after moving it from one location to another, you must first delete
the LWAPP configuration file and restore the access point to the factory default settings. Deleting the
LWAPP configuration enables the commands on the access point console to configure the static IP
address on the access point, the IP address on the controller, the access point hostname, and the default
gateway IP address.
To delete the LWAPP configuration and restore the factory defaults, enter the following command in
EXEC mode on the access point console:
clear lwapp private-config
The clear lwapp private-config command becomes available on the access point console after the
controller pushes a new username and password to the access point.

Note If the access point reloads for an unknown reason after you delete the LWAPP configuration, the
commands to configure the static IP address on the access point, the IP address on the controller, the
access point hostname, and the default gateway IP address will be disabled when the access point comes
up after reboot. In this situation, you can recover the access point by making the access point join a
controller and configuring the username and password on the access point from that controller.

This document is to be used in conjunction with the documents listed in the Related Documents section.

Copyright © 2005-2008 Cisco Systems, Inc. All rights reserved.
