I am trying to set up evaluation licenses on a Catalyst 9800-CL appliance. I was told all you have to do was register it under your Cisco smart account, and it will automatically activate the evaluation licenses for the appliance under your account. I registered the appliance with my smart account and I was able to register it, but I do not see any evaluation licenses under my account that were activated for the appliance. Could someone please provide me with directions on how to set up evaluation licenses on the Catalyst 9800-CL?
"No licenses are required to boot up a Cisco Catalyst 9800 Series Wireless Controller. However, in order to connect any access points to the controller, Cisco DNA licenses are required."
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
This article does not cover all the Smart Licensing scenarios on the Catalyst 9800; refer to the Smart Licensing Using Policy Configuration Guide for additional information. It does, however, give a series of useful commands to troubleshoot direct connect, CSLU and On-prem SSM Smart Licensing Using Policy issues on the Catalyst 9800.
The Smart Licensing Using Policy (SLUP) feature was introduced on the Catalyst 9800 with code version 17.3.2. The initial 17.3.2 release lacks the SLUP configuration menu in the WLC web UI, which was introduced with the 17.3.3 release. SLUP differs from traditional smart licensing in a couple of ways:
Warning: If you are using a Cisco Catalyst 9800-CL Wireless Controller, ensure that you are familiar with the mandatory ACK requirement that starts with Cisco IOS XE Cupertino 17.7.1. See RUM Reporting and Acknowledgment Requirement for Cisco Catalyst 9800-CL Wireless Controller.
Cisco Smart License Utility Manager (CSLU) is a Windows-based application (also available on Linux) that enables customers to administer licenses and their associated Product Instances from their premises instead of having to directly connect their Smart Licensing-enabled Product Instances to Cisco Smart Software Manager (CSSM).
This section only covers the 9800 wireless configuration. There are other steps to perform to configure licensing with CSLU (such as installing CSLU, configuring the CSLU software and so on), which are covered in the Configuration Guides. Whether you want to implement a product instance-initiated or a CSLU-initiated method of communication, complete the corresponding sequence of tasks.
Note: If you are getting the message %PKI-3-CRL_FETCH_FAIL: CRL fetch for trustpoint SLA-TrustPoint failed, it is because you have not configured revocation-check none under the SLA-TrustPoint. This is the trustpoint used for Smart Licensing. In the case of On-prem SSM, the certificate on the licensing server is most often a self-signed certificate for which CRL verification is not possible, hence the requirement to configure no revocation checks.
Note: Authenticated proxies are not yet supported as of code release 17.9.2. If you are using authenticated proxies in your infrastructure, consider using the Cisco Smart License Utility Manager (CSLU), which supports this type of proxy server.
The 9800 WLC communicates with CSSM or On-prem Smart Software Manager every 8 hours, no matter what reporting interval is configured via web interface or CLI. This means that newly joined access points can appear on the CSSM up to 8 hours after they initially joined.
You can figure out the next time licenses are calculated and reported with the show license air entities summary command. This command is not part of the typical show tech or show license all output:
If the 9800 WLC needs to be replaced, the new device has to register with CSSM/On-prem Smart Software Manager and it is perceived as a new device. Releasing the license count of the previous device requires manual deletion under Product Instances:
Older WLC releases, earlier than 17.3.2, used a special offline licensing method called Specific License Registration (SLR). This licensing method has been deprecated in the releases using SLUP (17.3.2 and later).
If you upgrade a 9800 controller that was using SLR to a release post 17.3.2 or 17.4.1, it is recommended that you move to offline SLUP reporting rather than relying on the SLR commands. Save the license usage RUM file and register that with the Smart Licensing Portal. Since SLR does not exist anymore in newer releases, this reports the correct license count and releases any unused license. Licenses are not blocked anymore but the exact usage count is reported.
Instead of the tools.cisco.com domain that traditional smart licensing used, SLUP uses the smartreceiver.cisco.com domain to establish trust. At the time of writing of this article, this domain resolves to multiple different IP addresses. Not all of these addresses are pingable. Pings must not be used as an internet reachability test from the WLC; not being able to ping these servers does not mean that they are not working properly.
Instead of pings, telnet over port 443 must be used as a reachability test. Telnet can be checked either against the smartreceiver.cisco.com domain or directly against the server IP addresses. If traffic is not being blocked, the port shows up as open in the output:
If the terminal monitor command is enabled while the token is being configured, the WLC prints the relevant logs in the CLI. These messages can also be obtained if you run the show logging command. Logs of a successfully established trust look like this:
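The same TCP-connect check, written as an added Python example that is not part of the Cisco article. It resolves the licensing domain to every address it maps to (the article notes there are several) and tries a TCP handshake on port 443 against each one, instead of relying on ICMP. The function names and the self_test helper are my own; self_test uses a listener on 127.0.0.1 so the logic can be exercised offline, while check_license_server is what you would run from a host on the same network path as the WLC.

```python
import socket
from typing import Dict, List, Tuple

# Port the 9800 uses to reach CSSM / On-prem SSM (HTTPS); ICMP is irrelevant here.
LICENSE_PORT = 443


def resolve_all(host: str) -> List[str]:
    """Return every distinct address a name resolves to, in resolver order.

    A literal IP address is returned as-is. A name that does not resolve
    yields an empty list rather than raising, so callers can report it.
    """
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    addresses: List[str] = []
    for _family, _socktype, _proto, _canonname, sockaddr in infos:
        addr = sockaddr[0]
        if addr not in addresses:
            addresses.append(addr)
    return addresses


def tcp_port_open(address: str, port: int = LICENSE_PORT, timeout: float = 3.0) -> bool:
    """True only if a full TCP three-way handshake completes within the timeout.

    A refused connection (RST) or a timeout (silently dropped by a filter)
    both count as closed; the caller does not need to tell them apart for
    a reachability test.
    """
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:  # includes socket.timeout and ConnectionRefusedError
        return False


def check_license_server(host: str, port: int = LICENSE_PORT, timeout: float = 3.0) -> Dict[str, bool]:
    """Test every resolved address of the licensing host on the given port."""
    return {addr: tcp_port_open(addr, port, timeout) for addr in resolve_all(host)}


def reachable(results: Dict[str, bool]) -> bool:
    """A host counts as reachable if at least one of its addresses accepts TCP."""
    return any(results.values())


def self_test() -> Tuple[bool, bool]:
    """Offline demonstration with a constructed local listener.

    Returns (result while the port is listening, result after it is closed);
    the expected value is (True, False).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_port_open("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = tcp_port_open("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    # Real check against the SLUP trust domain named in the article.
    results = check_license_server("smartreceiver.cisco.com")
    for addr, is_open in results.items():
        print(f"{addr:>40}  port {LICENSE_PORT}: {'open' if is_open else 'closed'}")
    print("reachable:", reachable(results))
```

Run it from a host that shares the WLC's egress path (the WLC's own source interface matters, see the ip http client source-interface note later in the article); a mix of open and closed addresses is normal, and the domain is usable as long as reachable() is True.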
Even though communication between WLC and CSSM/On-prem SSM is encrypted and going over HTTPS, performing packet captures can reveal what causes the trust not to be established. The easiest way to collect packet captures is through the WLC Web interface.
Ensure that the Monitor Control Plane checkbox is enabled. Increase the buffer size to the maximum of 100 MB. Add the interface which must be captured. Smart licensing traffic is sourced from the wireless management interface by default, or from the interface defined with the ip http client source-interface command:
Run this command a few minutes after a trust establishment has been attempted with the license smart trust idtoken all force command. IOS RP logs are extremely verbose; append | include smart-agent to the command to get only the smart licensing logs.
The show license history message command prints an empty response 1 second after the request is sent out if no response was received from the CSSM Cloud or On-prem SSM.
Communication with CSSM or On-prem SSM requires a valid certificate on the 9800 side. It can be self-signed, but it cannot be invalid or expired. When the 9800 HTTP client certificate has expired, a packet capture shows a TLS alert for unknown CA sent by CSSM.
Smart licensing uses the ip http client configuration, which is different from the ip http server that WLC Web interface uses. This means that these commands need to be configured properly:
It is important to note that devices that do TLS interception, such as a firewall with the SSL decrypt feature, can prevent the C9800 from establishing a successful handshake with the Cisco Licensing server as the HTTPS certificate presented is the firewall certificate instead of the Cisco Licensing server certificate.
Second, I have the customer licenses loaded to the portal and associated with their on-prem SSM. I tried to configure the WLC to register to the on-prem server but it seems not to be working. I followed the info from the following document:
SWRN22WLC01(config)#license smart transport ?
automatic Use default transport type.
callhome Use the Callhome as transport.
cslu All future communication will use cslu url.
off Disable all communication from Smart Agent.
smart Use the Smart Transport.
But my understanding is that the 9800 should not use the call-home method if the transport call-home is not configured. Am I wrong? Also, I have used the call-home method with other devices, and in that case I have had to configure a profile different from the default to use the on-prem server, because the default profile would try to connect to CSSM through the Internet, and this device does not have access to the Internet, so it cannot communicate directly with CSSM.
I had some problems with callhome and the on-prem server with switches, and this WLC is basically a switch. But most of the problems I had were on the server side, because on the device side there's not much we can set up.