Adding Catalyst 9800 Wireless Controller and Access Points to Dashboard
Wireless Controller Prerequisites
Before you can onboard your wireless controller in the dashboard, you must first enable Meraki Tunnel Service.
Connecting Catalyst 9800 Wireless Controller to Dashboard
After the Meraki Tunnel has been established, the dashboard will check the wireless controller configuration to ensure the controller can be provisioned with the necessary dashboard configurations.
- The username and password provided to the dashboard when adding the wireless controller to a Network must have privilege 15 access OR the wireless controller enable password must also be provided.
- The wireless controller must use AAA New-model for device access control. This mode allows the dashboard to securely access the wireless controller.
aaa new-model
The aaa new-model command immediately applies local authentication to all lines and interfaces (except the console line, line con 0). If a Telnet/SSH session is opened to the wireless controller after this command is enabled (or if a connection times out and has to reconnect), the user has to be authenticated against the local database of the wireless controller. It is recommended to define a username and password on the wireless controller before you start the AAA configuration, so you are not locked out of the wireless controller.
- The wireless controller must have four unused consecutive VTY slots. These VTY lines will be provisioned and secured so that only the dashboard can access the controller on these lines.
- The following SSH encryption algorithms are supported by dashboard: aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes128-ctr, aes192-ctr, and aes256-ctr.
IPv6 is used inside the Meraki Tunnel for the dashboard to access the wireless controller.
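The controller-side prerequisites above can be checked offline against a saved running-config before onboarding. The following is an added example, not Cisco or Meraki code: the function name and sample configurations are constructed for illustration, and it does not evaluate the four-VTY requirement.

```python
import re

# Ciphers this page lists as supported by the dashboard.
DASHBOARD_CIPHERS = {
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
}

def check_prereqs(running_config):
    """Audit a saved running-config (plain text) against the list above."""
    lines = [l.strip() for l in running_config.splitlines()]
    result = {"aaa_new_model": "aaa new-model" in lines, "problems": []}
    # Local privilege 15 accounts: usable for onboarding, and a guard
    # against lockout once aaa new-model is active.
    result["priv15_users"] = [
        m.group(1) for l in lines
        if (m := re.match(r"username (\S+) privilege 15\b", l))]
    # None = no explicit cipher list in the config; platform defaults
    # apply and cannot be judged from the text alone.
    result["shared_ciphers"] = None
    for l in lines:
        m = re.match(r"ip ssh server algorithm encryption (.+)", l)
        if m:
            result["shared_ciphers"] = [
                c for c in m.group(1).split() if c in DASHBOARD_CIPHERS]
    if not result["aaa_new_model"]:
        result["problems"].append("aaa new-model is not configured")
    if not result["priv15_users"]:
        result["problems"].append(
            "no local privilege 15 user: enable password must be supplied")
    if result["shared_ciphers"] == []:
        result["problems"].append(
            "SSH cipher list has nothing in common with the dashboard")
    return result

# Constructed samples. The first restricts SSH to CBC ciphers only.
SAMPLE_CBC_ONLY = """\
aaa new-model
username admin privilege 15 secret 9 <redacted>
ip ssh server algorithm encryption aes128-cbc aes256-cbc
"""
SAMPLE_OK = """\
aaa new-model
username admin privilege 15 secret 9 <redacted>
ip ssh server algorithm encryption aes256-gcm@openssh.com aes256-ctr
"""

if __name__ == "__main__":
    for name, cfg in (("cbc-only", SAMPLE_CBC_ONLY), ("ok", SAMPLE_OK)):
        print(name, check_prereqs(cfg)["problems"])
```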
Dashboard Prerequisites
- If you do not have a dashboard Account and Organization, follow the instructions in the guide Creating a Dashboard Account and Organization.
- Cloud Monitoring for Catalyst Wireless is a Meraki Dashboard Early Access feature. Before you can add your wireless controller to dashboard, you must opt in to Cloud Monitoring for Catalyst Wireless. Go to Organization > Early access to enable it.
- In order to claim 9800 wireless controllers to your organization, you must use the New Version of Organization > Inventory. To use the new version of inventory, navigate to Organization > Inventory and select Try New Version in the upper right corner.
- If you are using the Per-device licensing organization inventory page, you cannot claim 9800 wireless controllers on this Inventory page. You can claim and add 9800 wireless controllers by:
  - Creating a new Network for your wireless controller via Organization > Create network. Click +Claim devices.
  - Adding the 9800 wireless controller to an existing network: navigate to the network and go to Network-wide > Add devices. Click +Claim devices.
In order to use the Create network or Add devices pages, you must use the new version of these pages. To use the new version, select Try New Version in the top right corner of these pages.
Restrictions
For detailed recommendations on how to organize your wireless controllers and access points in dashboard networks, see Cloud Monitoring for Catalyst Wireless Design Guide.
- Dashboard managed MR or CW (Meraki mode) access points CANNOT be added to the same network as monitored access points and must be claimed to separate networks.
- Dashboard managed MR or CW (Meraki mode) access points CANNOT be in the same network as Catalyst wireless controllers.
- A network can be reserved to hold access points of a single wireless controller. For example, you cannot add access points joined to wireless controller-A to a network that was already reserved to hold access points on wireless controller-B.
Claiming Wireless Controllers to an Organization
To begin monitoring a C9800 wireless controller in the dashboard, you must first claim it. If the C9800 wireless controller is an HA-SSO unit, you'll need the Cloud IDs (Meraki Serial Numbers) for both C9800 controllers in the pair.
If your dashboard Organization uses Per-device licensing you cannot claim your 9800 wireless controller from the organization inventory. Go to Network-wide > Configure > Add devices and click +Claim Devices.
- To claim the wireless controller into the dashboard you'll need to get the Cloud ID (Meraki Serial Number) of the controller from either the Web UI or CLI.
Web UI
Navigate to Configuration > Services > Cloud Services > Meraki:
Standalone C9800
HA-SSO C9800
CLI
Standalone C9800
CMON-9800-L#show meraki
Chassis Num  PID           Serial Number  Cloud ID        Mac Address     Status      Mode
--------------------------------------------------------------------------------------------------
1            C9800-L-C-K9  FCL262201G3    Q2ZZ-LU6P-3RFF  0845.d11b.8340  Registered  C9K-C
HA-SSO C9800
C9800-HA#show meraki
Chassis Num  PID           Serial Number  Cloud ID        Mac Address     Status      Mode
------------------------------------------------------------------------------------------------------------
1            C9800-L-F-K9  FCL270501CM    Q2ZZ-2TQ8-CKHF  8c1e.806f.8bc0  Registered  C9K-C
2            C9800-L-F-K9  FCL270501Q0    Q2ZZ-J9N6-8BNK  8c1e.806f.87a0  Registered  C9K-C
- Log in to the dashboard and navigate to Organization > Configure > Inventory.
Click + Claim devices.
- Enter the C9800 wireless controller’s Meraki Serial Number (Cloud ID). For HA-SSO C9800, enter the serial number for each C9800 in the pair.
Click Claim Device.
The C9800 wireless controller will now be listed in your Organization inventory.
Add Wireless Controllers to Networks
Devices can be added to dashboard Networks from the Organization inventory page where you can add to an existing Network or create a new network, as well as the Organization Create Network page to create and add devices to a new Network.
Organization Inventory
Now that the wireless controller has been claimed to an organization, it must now be added to a dashboard network from the Organization > Configure > Inventory page.
- From the Organization > Configure > Inventory page, check the box next to the C9800 wireless controller to add to a network. For HA-SSO C9800, check the box for each C9800 in the pair.
- Click Add to network.
a) If you have an existing dashboard network to add the wireless controller to, select Existing network and choose the name of the network from the drop-down.
b) To add the wireless controller to a new dashboard network, select New network. Name the network and choose the network configuration. Click Next.
Network configuration is not applicable to wireless controllers, however if this dashboard network may also include Meraki Managed devices, please choose the appropriate configuration option from the drop-down menu.
- Choose an access point dashboard network assignment policy for the wireless controller.
The access point assignment selection is required even if the wireless controller you are adding does not currently have any access points associated. The selection made will be preserved and applied to any access points that join this wireless controller.
Select Single network if ALL access points are in the same physical LAN topology. Choose an Existing network or New network and name the new network.
Select Different networks (by site tag) if the dashboard should create and assign access points to dashboard networks using the site tag they are configured for in the wireless controller.
Click Next.
- Enter the wireless controller username and password for dashboard to use to perform the required dashboard configuration provisioning.
Select the check box to acknowledge that the dashboard will access the wireless controller to do the configuration provisioning.
Click Next.
- Confirm the wireless controller network assignment and the access point dashboard network assignment policy as well as the credentials required.
Click Confirm.
- The Inventory page will update to show the wireless controller has been assigned to a network.
Access points are not immediately displayed in the inventory list.
Click the network name to navigate to the wireless controller's dashboard network.
Organization Create Network
Now that the wireless controller has been claimed to an organization, you must add it to a dashboard network from the Organization > Configure > Inventory page.
- From the Organization > Configure > Create network page, name the new network and choose Combined hardware network type.
Network configuration is not applicable to wireless controllers, however, if this dashboard network may also include Meraki-managed devices please choose the appropriate configuration option from the drop-down menu.
- Check the box next to the C9800 wireless controller to add to a network. For HA-SSO C9800 enter the serial number for each C9800 in the pair.
Click Create network.
- Choose an access point dashboard network assignment policy for the wireless controller.
The access point assignment selection is required even if the wireless controller you are adding does not currently have any access points associated. The selection made will be preserved and applied to any access points that join this wireless controller.
Select Single network if ALL access points are in the same physical LAN topology. Choose an Existing network or New network and name the new network.
Select Different networks (by site tag) if the dashboard should create and assign access points to dashboard networks using the site tag they are configured for in the wireless controller.
Click Next.
- Enter the wireless controller username and password for dashboard to use to perform the required dashboard configuration provisioning.
Select the check box to acknowledge that the dashboard will access the wireless controller to do the configuration provisioning.
Click Next.
- Confirm the wireless controller network assignment and the access point dashboard network assignment policy as well as the credentials required.
Click Confirm.
You will be redirected to the new network to navigate to the wireless controller's dashboard network.
Removing Wireless Controllers and Access Points from the Dashboard
We suggest you follow these steps when removing WLCs from your dashboard in order to avoid problems in the future.
- Navigate to Wireless > Wireless LAN Controller > List.
- Make sure that the wireless controller that you want to remove is online (green).
If the wireless controller that you want to remove from the network is offline and you don’t have a way to bring it online, you can still follow the same steps. Keep in mind that the wireless controller could have some configuration lines that you’ll need to manually remove.
The Cloud Monitoring Catalyst 9800 Dashboard Provisioned Configurations documentation details all the configuration lines that are added to a wireless controller whenever it’s added to a network.
- Select the wireless controller that you want to remove from the network and click Remove.
- Wait for a couple of minutes.
- In order to confirm that the dashboard removed the configuration used to monitor the WLC from the device, please log in to your WLC and run the command #show run | inc meraki and ensure you don’t see the configuration lines related to the monitoring of the WLC from the Meraki dashboard. Ensure you don’t see these lines in particular:
# username meraki-user privilege 15 secret…
# username meraki-tdluser secret 9…
- Stop communication between the device and the Meraki cloud.
As long as the Meraki service is still running in the device and the device has network access to the Meraki cloud, the node will continue to exchange keep-alive packets with the Meraki cloud. Disable the Meraki service to stop it.
Log in to your WLC and run these commands:
# config t
# no service meraki connect
To make sure the WLC is no longer trying to communicate with the Meraki cloud, please run # show meraki connect and make sure the service "meraki connect service" is disabled.
Meraki Offboard EEM Script
When you remove the wireless controller from the dashboard Network, dashboard will provision and run the following EEM (Embedded Event Manager) script to remove all dashboard-provisioned configurations from the wireless controller.
event manager applet MERAKI_OFFBOARD_CLEANUP authorization bypass
event timer watchdog time 5 maxrun 600
action 0001 cli command "enable"
action 0002 cli command "config terminal"
action 0003 syslog msg "start MERAKI_OFFBOARD_CLEANUP"
action 0060 cli command "no ip http authentication local"
action 0061 cli command "no ip http secure-server"
action 0062 cli command "no ip http access-class ipv6 MERAKI_MGMT_IPV6_IN"
action 0063 cli command "no ipv6 unicast-routing"
action 0064 cli command "no ipv6 access-list MERAKI_MGMT_IPV6_OUT"
action 0065 cli command "no ipv6 access-list MERAKI_MGMT_IPV6_IN"
action 0066 cli command "no ip access-list extended MERAKI_MGMT_IP_OUT"
action 0067 cli command "no ip access-list standard MERAKI_MGMT_IP_IN"
action 012E cli command "no yang-interfaces aaa authorization method-list MERAKI"
action 012F cli command "no netconf-yang"
action 0130 cli command "ip ssh pubkey-chain"
action 0131 cli command "no username meraki-user"
action 0132 cli command "exit"
action 0143 cli command "no ip ssh version 2"
action 0144 cli command "no ip ssh port 2222 rotary 55"
action 01F9 cli command "do-exec clear line vty 16" pattern ".*"
action 01FA cli command "y"
action 01FB cli command "do-exec clear line vty 17" pattern ".*"
action 01FC cli command "y"
action 01FD cli command "do-exec clear line vty 18" pattern ".*"
action 01FE cli command "y"
action 01FF cli command "do-exec clear line vty 19" pattern ".*"
action 0200 cli command "y"
action 0201 cli command "no line vty 16 19"
action 04C6 cli command "no aaa authentication login MERAKI local"
action 04C7 cli command "no aaa authorization exec MERAKI local"
action 04C8 cli command "no aaa authorization commands 1 MERAKI local"
action 04C9 cli command "no aaa authorization commands 15 MERAKI local"
action 04FB cli command "no username meraki-user" pattern ".*[confirm].*"
action 04FC cli command "y"
action 04FD cli command "no username meraki-tdluser" pattern ".*[confirm].*"
action 04FE cli command "y"
action 04E8 cli command "no event manager applet MERAKI_OFFBOARD_CLEANUP"
action 04E9 cli command "do-exec write memory"
action 04EA syslog msg "stop MERAKI_OFFBOARD_CLEANUP"
end
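The verification step in the removal procedure can be extended to everything the cleanup script is meant to delete. A case-sensitive `| inc meraki` filter does not match the upper-case `MERAKI` method lists and ACL names, or lines such as the SSH rotary port that carry no "meraki" string at all. The following is an added example, not Cisco or Meraki code: the patterns are derived from the script shown above, and the function names and sample configuration are constructed.

```python
import re

# Patterns derived from the "no ..." commands in the EEM script above, plus
# the applet itself and the tunnel service named in the removal steps.
# The VTY range and rotary values are the ones shown on this page.
RESIDUE = [
    ("account / SSH key entry", r"^username meraki-(user|tdluser)\b"),
    ("AAA method list", r"^aaa (authentication|authorization) .*\bMERAKI\b"),
    ("management ACL", r"^(ip|ipv6) access-list .*MERAKI_MGMT_"),
    ("HTTP access-class", r"^ip http access-class .*MERAKI_MGMT_"),
    ("YANG method list", r"^yang-interfaces aaa .*\bMERAKI\b"),
    ("SSH rotary port", r"^ip ssh port 2222 rotary 55\b"),
    ("dashboard VTY lines", r"^line vty 16 19\b"),
    ("cleanup applet", r"^event manager applet MERAKI_OFFBOARD_CLEANUP\b"),
    ("tunnel service", r"^service meraki connect\b"),
]

def find_residue(running_config):
    """Return (line_no, label, text) for every leftover config line."""
    hits = []
    for no, raw in enumerate(running_config.splitlines(), 1):
        line = raw.strip()
        for label, pattern in RESIDUE:
            if re.search(pattern, line, re.IGNORECASE):
                hits.append((no, label, line))
                break
    return hits

def include_filter(running_config, needle="meraki"):
    """Lines a case-sensitive filter on the same text would show."""
    return [l.strip() for l in running_config.splitlines() if needle in l]

# Constructed sample: a controller where cleanup only partly completed.
SAMPLE = """\
aaa new-model
aaa authentication login MERAKI local
username admin privilege 15 secret 9 <redacted>
username meraki-user privilege 15 secret 9 <redacted>
ip ssh port 2222 rotary 55
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for no, label, text in find_residue(SAMPLE):
        print(f"line {no}: {label}: {text}")
    print("case-sensitive filter sees:", include_filter(SAMPLE))
```

Run it against the output of `show running-config` saved to a file; any hit labelled "account / SSH key entry" is a credential that should not outlive the dashboard integration.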
Removing Monitored Access Points from Dashboard
When a wireless controller is removed from a network, all the access points (online or offline) associated with that wireless controller are also removed from their networks automatically.
Online Access Points
If you remove an AP that is online and associated with a monitored wireless controller from a dashboard network, the access point is automatically re-added to the dashboard in its original network.
Offline Access Points
Every access point that joins a monitored wireless controller is automatically added to a network as specified in the Organize APs section, when the wireless controller was originally added to a network. If the access points eventually lose communication with the wireless controller they’ll appear as offline on the dashboard.
In scenarios when you know the AP will never reconnect with the wireless controller, such as when access points are physically removed from the network, you can manually remove them from the dashboard. To do so, follow these steps:
- Navigate to Wireless > Monitor > Access Points.
- Select the offline access points that you no longer want to monitor.
- Click Remove.