This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.

Cisco WLC C9800 - generally about Wi-Fi 6 and 6E, WPA3 and other standards

Petr Bouška - Samuraj

About 4 years ago, Cisco completely redesigned its wireless infrastructure solution. Earlier wireless LAN controllers (WLCs) were based on Cisco AireOS. The new ones, the Cisco Catalyst 9800 Series Wireless Controllers, run Cisco IOS XE. Alongside them came the new Catalyst 9100 Access Points, which are already in their second generation. In this first installment, we'll take a brief look at the modern standards and protocols that the new controllers and APs support.

Note: The description in the article is based on the Cisco Catalyst 9800-L Wireless Controller with Cisco IOS XE Cupertino version 17.9.3 (currently the recommended version), to which Cisco Catalyst 9164I access points are connected.

Catalyst 9800 Series Wireless Controllers

The new generation of Cisco wireless controllers (WLC) is completely rewritten and built on the Cisco IOS XE operating system, which is common for Catalyst 9000 switches, WLC 9800, and Catalyst 9100 AP. Compared to the previous AireOS, it is a big step forward. When configuring in CLI, we can use standard IOS commands, for example, for network configuration, authentication, or backup (using the archive command). New commands have been added for wireless network configuration. The GUI, referred to as WebUI, is more modern and user-friendly.

Cisco Catalyst 9800 Series Wireless Controller WebUI (GUI)

WLAN configuration is based on a new configuration model that uses profiles and tags. In principle, it is not much different from the original configuration, and those who worked with the GUI of the previous WLC version will probably not have a problem managing this one. C9800 controllers support the latest wireless standards and protocols.

WLC - Wireless Controller

The smallest WLC model is the Catalyst 9800-L. It supports up to 250 Access Points, 5000 clients, and a throughput of 5 Gbps. When using the Performance license, the values are doubled. It allows for cluster creation.

Cisco Catalyst 9800-L Wireless Controller

A special variant is the Embedded Wireless Controller on Catalyst Access Points. We can also run the WLC virtually (locally or in the cloud), designated as Catalyst 9800-CL.

Access Points

The Catalyst 9100 Access Points series supports Wi-Fi 6. The latest models also support Wi-Fi 6E, an extension of the IEEE 802.11ax standard that uses the 6 GHz band.

This includes the Cisco Catalyst 9164I AP, equipped with five radios - 2.4 GHz (2x2), 5 GHz (4x4), 6 GHz (4x4), IoT radio, and scanning radio. It supports CleanAir Pro. Power can be supplied via PoE+ 25W (IEEE 802.3at), via UPOE 30W (IEEE 802.3bt), which also powers the USB port, or via a power adapter. If the power supply is weaker, for example Enhanced PoE 20W, the AP will start, but the radios cannot be activated (there seems to be no way around this to turn on even one radio).

Cisco Catalyst 9164I Access Point

Wireless Security, Standards, and Protocols

Basic Terms

  • AP - Wireless Access Point - a device that connects wireless devices to an IP network by transmitting and receiving radio signals; older models were labeled Cisco Aironet AP, newer ones Cisco Catalyst AP. When deploying APs, it is good to come up with a reasonable naming convention and addressing scheme (e.g., DHCP with reservation)
  • WLC - Wireless LAN Controller or Wireless Controller - a network device that centrally manages the configuration, security policies, and operation of multiple APs
  • CAPWAP - Control and Provisioning of Wireless Access Points Protocol - a standardized protocol (RFC 5415) for communication between AP and WLC
  • WLAN - Wireless Local Area Network - a wireless local area network (Wi-Fi)
  • SSID - Service Set Identifier - each wireless network (WLAN) is identified by its name, the SSID (it can be hidden, i.e., not broadcast), which is used to connect to the network

Standards for Wireless Networks

The IEEE 802.11 family of standards defines wireless communication in local networks. It is referred to as Wi-Fi (WiFi), Wireless LAN, or WLAN. In 2018, the Wi-Fi Alliance began using generation numbers to denote the 802.11 protocols.

  • IEEE 802.11b - 2.4 GHz band, max speed 1 to 11 Mbps, range 35 m
  • IEEE 802.11a - 5 GHz band, max speed 6 to 54 Mbps, range 35 m
  • IEEE 802.11g - 2.4 GHz band, max speed 6 to 54 Mbps, range 38 m
  • IEEE 802.11n - 2.4 and 5 GHz bands, max speed 72 to 600 Mbps, range 70 m
  • IEEE 802.11ac (Wi-Fi 5) - 5 GHz band, max speed 433 to 6,933 Mbps, range 35 m
  • IEEE 802.11ax (Wi-Fi 6) - 2.4 and 5 GHz bands, max speed 600 to 9,608 Mbps, range 30 m
  • IEEE 802.11ax (Wi-Fi 6E) - 6 GHz band, max speed 600 to 9,608 Mbps, range 15 m, not backward compatible

Note: The maximum speed is a theoretical value achieved under optimal conditions. In practice, it is rarely reached, and the actual speed is significantly lower for the latest standards. However, new standards bring many new technologies that improve network connection and data transmission.

Note: The range is a very approximate value indoors, mainly for comparison.

IEEE 802.11ax - Wi-Fi 6 and 6E

The latest version is the IEEE 802.11ax standard. It operates in the 2.4 and 5 GHz bands under the name Wi-Fi 6 (Wi-Fi 7 is approaching). Later, the standard was extended to the 6 GHz band under the name Wi-Fi 6E. Compared to its predecessor IEEE 802.11ac, it increases throughput per area in high-density client environments (offices, shopping centers, etc.).

New features include Orthogonal frequency-division multiple access (OFDMA), Trigger-based Random Access, Spatial frequency reuse, and Target Wake Time (TWT). Multi-user MIMO is improved.

Wi-Fi 6 certification requires support for WPA3, which also mandates the use of Protected Management Frame (PMF). Wi-Fi 6E requires support for OWE and WPA3 with SAE or 802.1x-SHA256. It is not backward compatible with WPA2 or Open, and mixed mode (combining multiple security methods) is not possible.

WLAN Security Standards - L2 Security Methods

Various general terms are used for the category of wireless network security that includes Open, WEP, WPA, WPA2, and WPA3: simply security, security standards, or security methods, sometimes with the prefix Wireless, WLAN, or Wi-Fi. Cisco uses the term L2.

It is an informal grouping of authentication and encryption, used to prevent unauthorized users from accessing the wireless network and to protect the transmission. The main type is Wi-Fi Protected Access (WPA), today in versions WPA2 and WPA3; Wired Equivalent Privacy (WEP) and the first version of WPA are no longer used. Open Security is a special case used for certain purposes: no encryption or authentication takes place at L2 (authentication can be done at L3 using Web Auth).

The encryption protocol used today is mainly the Advanced Encryption Standard (AES); the old Temporal Key Integrity Protocol (TKIP) is no longer used. Authentication is generally via the IEEE 802.1X standard or Pre-Shared Key (PSK).

WPA3 - Wi-Fi Protected Access 3

Wi-Fi Protected Access (WPA) is a designation for wireless network security that determines the security standard. It is a security certification program by the Wi-Fi Alliance.

Generally, WPA is divided (by authentication) into

  • WPA-Personal - where a key (64 hexadecimal digits or a phrase of 8 to 63 characters) is used, also referred to as WPA-PSK mode
  • WPA-Enterprise - requires an authentication (RADIUS) server, uses various types of IEEE 802.1X Extensible Authentication Protocol (EAP) for authentication, also referred to as WPA-802.1X mode

The latest version is WPA3 from 2018. In WPA3 Personal, PSK (Pre-Shared Key) is replaced by SAE (Simultaneous Authentication of Equals). From a user perspective, it is still the use of a key (password), but it is more secure. WPA3 Enterprise still uses IEEE 802.1X/EAP.

The use of Protected Management Frame (PMF) according to IEEE 802.11w is required; it is sometimes referred to as Management Frame Protection (MFP). It protects management messages between AP and client (such as authentication, association, beacon, probes).

The minimum encryption algorithm mandated is CCMP-128 (AES-128 in CCM mode), which was already in WPA2. WPA3 adds the option to use 192-bit encryption with GCMP-256 (AES-256 in GCM mode). CCMP stands for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, GCMP for Galois/Counter Mode Protocol.

WPA3 supports Transition mode (Mixed Mode), which allows clients that do not support WPA3 to connect using WPA2.

WPA3 modes

  • WPA3-Personal Only - uses WPA3 SAE + PMF
  • WPA3-Personal Transition - uses WPA3 SAE + PMF and WPA2 PSK (optional PMF), clients without WPA3 support connect using WPA2
  • WPA3-Enterprise Only - uses WPA3 802.1X/EAP + PMF
  • WPA3-Enterprise Transition - uses WPA3 802.1X/EAP + PMF and WPA2 802.1X/EAP (optional PMF), clients without WPA3 support connect using WPA2
  • WPA3-Enterprise 192-Bit - uses WPA3 EAP-TLS (requires certificates) + PMF, encryption GCMP & ECCP, SHA384

Devices supporting Wi-Fi 6 (IEEE 802.11ax) must support WPA3. However, many older devices with Wi-Fi 5 (IEEE 802.11ac) also support WPA3.

Enhanced Open and Opportunistic Wireless Encryption (OWE)

Enhanced Open Security was created as a replacement for unsecured Open wireless networks. It uses the Opportunistic Wireless Encryption (OWE) protocol defined in RFC 8110.

Using the Diffie-Hellman algorithm, unique encryption keys are established (using a 4-Way Handshake). For users, it behaves the same as Open, no password (key) is required to connect to the network. Communication is encrypted, but no verification (authentication) occurs. OWE support among clients is currently limited, but it is required for Wi-Fi 6E certification.

OWE can operate in two modes:

  • Enhanced Open Only - uses the OWE protocol to provide 128-bit CCMP/AES encryption, requires PMF
  • Enhanced Open Transition - for backward compatibility with devices that do not support OWE, requires 2 SSIDs (one OWE, the other Open)
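The mode lists above and the Wi-Fi 6E requirement (no WPA2, no Open, no mixed mode on 6 GHz) can be turned into a simple check of a WLAN inventory before 6 GHz radios are enabled. The following is an added example, not code from the article or from Cisco; the dictionary fields and AKM labels are assumptions chosen for illustration, and the two-SSID pairing of Enhanced Open Transition is not modelled.

```python
# Added example, not from the article. Field names and AKM labels are
# assumptions for this sketch, not Cisco IOS XE configuration keywords.
LEGACY = {"PSK", "802.1X"}  # WPA2 key management
MODES = {
    frozenset(): "Open",
    frozenset({"OWE"}): "Enhanced Open Only",
    frozenset({"PSK"}): "WPA2-Personal",
    frozenset({"802.1X"}): "WPA2-Enterprise",
    frozenset({"SAE"}): "WPA3-Personal Only",
    frozenset({"SAE", "PSK"}): "WPA3-Personal Transition",
    frozenset({"802.1X-SHA256"}): "WPA3-Enterprise Only",
    frozenset({"802.1X-SHA256", "802.1X"}): "WPA3-Enterprise Transition",
    frozenset({"SUITE-B-192"}): "WPA3-Enterprise 192-Bit",
}

def audit(wlan):
    """Return (mode, findings) for one WLAN given as a dict."""
    akm, pmf, bands = set(wlan["akm"]), wlan["pmf"], set(wlan["bands"])
    mode = MODES.get(frozenset(akm), "Unrecognised")
    findings = []
    if mode == "Unrecognised":
        findings.append("AKM combination matches none of the listed modes")
    # "Only" modes and 192-Bit require PMF.
    if mode.endswith(("Only", "192-Bit")) and pmf != "required":
        findings.append("PMF must be required for " + mode)
    # Transition modes: PMF stays optional so WPA2 clients can still join,
    # but it must not be disabled, because the WPA3 side requires it.
    if mode.endswith("Transition") and pmf == "disabled":
        findings.append("PMF must be at least optional for " + mode)
    # 6 GHz: no WPA2, no Open, no mixed mode.
    if "6" in bands and (not akm or akm & LEGACY):
        findings.append(mode + " is not allowed on the 6 GHz band")
    return mode, findings

def audit_all(wlans):
    """Audit every WLAN and key the results by SSID."""
    return {w["ssid"]: audit(w) for w in wlans}

# Constructed sample inventory (not taken from a real controller).
SAMPLE_WLANS = [
    {"ssid": "corp", "akm": ["802.1X-SHA256", "802.1X"], "pmf": "optional", "bands": ["2.4", "5", "6"]},
    {"ssid": "guest", "akm": ["OWE"], "pmf": "required", "bands": ["5", "6"]},
    {"ssid": "lab", "akm": ["SAE"], "pmf": "optional", "bands": ["5"]},
    {"ssid": "iot", "akm": ["PSK"], "pmf": "disabled", "bands": ["2.4"]},
    {"ssid": "lobby", "akm": [], "pmf": "disabled", "bands": ["5", "6"]},
]

if __name__ == "__main__":
    for ssid, (mode, findings) in audit_all(SAMPLE_WLANS).items():
        print(f"{ssid:6} {mode:28} {'; '.join(findings) or 'ok'}")
```

In the sample inventory, the transition-mode SSID and the Open SSID are the ones that would have to be split or changed before being offered on 6 GHz.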

IEEE 802.11r Fast Transition and IEEE 802.11k

Fast Transition (IEEE 802.11r) is a standard for fast roaming. It ensures continuous connectivity of a wireless device while moving, with a quick and secure transition from one AP to another. The initial authentication handshake with the target AP (i.e., the next access point the client intends to connect to) is performed before the client associates with the target AP.

IEEE 802.11k is a standard for Radio Resource Measurement. It provides information to find the best available access point. Typically, the client connects to the AP with the strongest signal. If it is heavily loaded, a more optimal AP with a weaker signal may be available. Clients can request a neighbor list containing information about known neighboring APs suitable for roaming (within the same SSID).

FlexConnect

A Lightweight Access Point, i.e., an AP managed by a WLC (cannot operate independently), can operate in either local or FlexConnect mode. It is configured using a Site Tag.

  • Local Mode - the standard operating mode, which uses Central Switching, tunnels both wireless user traffic and all control traffic through CAPWAP to the WLC, where user traffic is mapped to a dynamic interface/VLAN (enters the network)
  • FlexConnect Mode - designed for branch offices and remote offices, APs can be connected to the WLC at the headquarters via WAN, user traffic can enter the network locally from the AP using Local Switching or centrally through the WLC using Central Switching, can also use Local Authentication, AP operates even when the connection to the WLC is lost

Note: Other possible modes are Sniffer, Sensor, Monitor, or Bridge. They are configured directly on the AP.

Windows 10 and Wi-Fi 6E

Probably the most widespread wireless adapters supporting Wi-Fi 6E are Intel AX210 and AX211 (Intel Wi-Fi 6E AX211 160MHz). For new features, the latest drivers are needed (even for branded computers, the original Intel driver can be used); see Windows 10 and Windows 11 Wi-Fi Drivers for Intel Wireless Adapters. I even encountered an issue where laptops with older drivers ended up on a blue screen when using WPA3.

Information about Wi-Fi 6 support in Windows is given in the article Faster and more secure Wi-Fi in Windows. It states that for Wi-Fi 6 and WPA3 support, Windows 10 20H1 (version 2004) is required. I did not find official information about Wi-Fi 6E and the 6 GHz band. The article Wi-Fi problems and your home layout mentions 6 GHz only for Windows 11. Intel also states that Windows 11 is required, in How to Enable Wi-Fi 6E/ 6GHz Band Using Intel Wi-Fi 6E (Gig+) products.

Practical tests (and various discussions) confirm that Wi-Fi 6E does not work in Windows 10. The given WLAN (SSID) does not appear in the list at all. I am surprised that support in the network adapter and driver is not enough. Several discussions state that it can be enabled using Intel driver version 22.45.1.1. I was not able to get it working in any test.
