802.11ac and a bit of 802.11ax #CWAP11

June 1997: 
802.11-1997 
September 1 999: 
802.11m 802.11b 
March 2007: 
802.11-2007 
March 2012: 
802.11-2012 
February 2014? 
802.1 
June 2003: 
802.1 lg 
September 2005: 
802.11e 
June 2004: 
802.1 li 
September 2009: 
802.11 n 
September 2009: 
802.11w 
2006 
May 2008: 
802.11k, 802.1 Ir 
2007 2008 2009 
September 2011: 
802.11 v,802.11u 
2010 2011 2012 2013 2014 
802.11ax 
Ratified Late 2020 
1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 
Figure 1-1. 802.11 timeline

This blog post will be focusing on 802.11ac in particular. We visited the aspects of 802.11n in the last blog post.

802.11ac introduced the VHT (Very High Throughput) along with some core technological advancement like MU-MIMO, 256 QAM addition & support for 80MHz/160MHz channels. One of the key differences also lie in the support of only 5GHz band. So there is still a dependency on 802.11n for 2.4Ghz support, however the upcoming 802.11ax will support both 2.4GHz and 5GHz.

Table 1. 
PHY 
Calculating the speed of 802.1 lac and 802.1 lax 
802.1 lac 
802.1 lax 
Bandwidth 
(as number of 
data subcarriers) 
234 (80 MHz) 
2 234 (160 MHz) 
980 (80 MHz) 
2 x 980 (1 60 MHz) 
Data bits per 
subcarrier 
5/6 log2(256) 
= 6.67 
x 
5/6 x log2(1 024) 
= 8.33 
Time per 
OFDM symbol 
(800ns G') 
4 ps 
13.6 vs 
390 
Mbps 
780 
Mbps 
600 
Mbps 
1.2 
Gbps 
1.17 
Gbps 
1.8 
Gbps 
3.6 
Gbps 
1 .56 
G bps 
3.12 
G bps 
2.4 
G bps 
4.8 
G bps 
4.8 
Gbps
Table 1. 
PHY 
Calculating the speed of 802.1 lac and 802.1 lax 
802.1 lac 
802.1 lax 
Bandwidth 
(as number of 
data subcarriers) 
234 (80 MHz) 
2 234 (160 MHz) 
980 (80 MHz) 
2 x 980 (1 60 MHz) 
Data bits per 
subcarrier 
5/6 log2(256) 
= 6.67 
x 
5/6 x log2(1 024) 
= 8.33 
Time per 
OFDM symbol 
(800ns G') 
4 ps 
13.6 vs 
390 
Mbps 
780 
Mbps 
600 
Mbps 
1.2 
Gbps 
1.17 
Gbps 
1.8 
Gbps 
3.6 
Gbps 
1 .56 
G bps 
3.12 
G bps 
2.4 
G bps 
4.8 
G bps 
4.8 
Gbps

Multi-user MIMO

  • One of the greatest potential of 802.11ac
  • Prior to this all the 802.11 standards used single user.
  • If there are two receivers located in sufficiently different directions, a beamformed transmission may be sent to each of them at the same time.
  • Enables better spatial reuse. As per the below example, the MU-MIMO builds on small-cell approach by enabling even more tightly packed networks. As a result AP can send independent transmissions within its own coverage area. Just as 802.3(Ethernet) reduces collision domains, MU-MIMO intends to reduce spatial contention of transmissions.
Downlink Multi-User MIMO

802.11ac Wave 1 and 2 – The first wave of 802.11ac products will be driven by the enthusiasm for higher speeds. APs will typically have three stream capabilities, but with 802.11ac providing 80 MHz channels and 256-QAM modulation, the speed will go from 450 Mbps to 1.3 Gbps. The second wave of 802.11ac products will add even wider channels and possibly even multi-user MIMO support, as outlined in the figure below.

Attribute 
Maximum number of spatial streams 
Channel width 
Maximum modulation 
Typical maximum speed 
Beamforming support 
MU-MIMO support 
First wave 
3 
80 MHz 
256-QAM 
1.3 Gbps 
Varies (depending on vendor) 
Second wave 
3 or 4 
160 MHz 
256-QAM 
26 Gbps 
Yes 
Yes

The PHY

#Channels

  • OFDM based transmission, 802.11ac divides the channel into OFDM sub carriers each 312.5kHz
  • To increase throughput, 802.11ac introduces two new channel widths. Supports 80MHz and further added 160MHz channel option for even higher speeds.
  • 802.11ac channels have exactly the same shape as previous OFDM channels (802.11a,g,n)

MCS & GI

  • MCS Index tends to be much simpler than 802.11n. First 7 are mandatory and others are supported.
MCS index value 
2 
3 
4 
5 
6 
7 
8 
9 
Modulation 
BPSK 
QPSK 
QPSK 
16-QAM 
16-QAM 
64-QAM 
64-QAM 
64-QAM 
256-QAM 
256-QAM 
Code rate (R) 
1/2 
3/4 
1/2 
3/4 
3/4 
3/4
  • 802.11ac retains the ability to select a shortened OFDM guard interval if both Tx and Rx are capable of processing it. The GI shrinks from 800ns to 400ns, providing a 10% boost in the throughput.

VHT Signal Fields

The purpose of the Signal Field is to help the receiver decode the data payload, which is done by describing the parameters used for transmission. 802.11ac separates into Signal A and Signal B fields. For CWAP purposes this has not been dealt in depth. There are 2 parts in VHT Signal A field are referred as VHT-SIG-A1 & VHT-SIG-A2.

SIGNAL A

  • Bandwidth
    • 0 – 20MHz, 1 – 40MHz, 2- 80MHz & 3 – 160MHz
  • STBC
    • If the payload is encoded with STBC (Space-time block coding may be used when the number of radio chains exceed the number of spatial streams, it tx a single data stream across 2 spatial streams.) for extra robust-ness, this field is set to 1, otherwise will be 0.
  • Group ID
    • Frames to AP > group ID =0
    • Frames sent to STA Client > group ID = 63
  • Number of space-time streams
    • Starts from 0, e.g. if field is set to 3, then there are 4 space time streams.
  • Partial AID
    • Last 9 bits of the BSSID.
  • Transmit power save forbidden
    • Field will be 0, if AP in network allows client to power off radios when they have opportunity to transmit frames. Otherwise will be 1.
  • Short GI – Field set to 1 for 400ns, 0 for otherwise.
  • Short GI disambiguation – Extra symbol may be required denoting 1 or 0 for not required.
  • Coding – Field is 0 when convolutional coding is used to protect the data field, 1 when LDPC is used.
  • LDPC Extra Symbol – Field is set to 1 if extra symbol is required.
  • MCS – MCS Index value of the payload.
  • Beamformed – If matrix is applied to the transmission, the bit is set to 1 otherwise set to 0.
  • CRC – Error correction
  • Tail – 6 zeros are included to terminate the convolutional coder that protects the Signal A field.

SIGNAL B

  • Used to setup the data rate, as well as tune in the MIMO reception.
  • VHT Signal B Length (17, 19 or 21 Bits)
  • Reserved bits – Set to 1.
  • Tail bits
< IEEE 802.11ac Figure 22-19—VHT-SIG-A2 structure > 
32 
83 
84-87 
SU VHT-MCS/MU[1-3] coding 
SU VHT-MCS 
eam 
Formed 
Formed 
Rese rved 
Variable 
818-823 
BIO-B17 
u 
Composite Name 
SU Name 
MU Name 
Bits 
8 us 
L-STF 
BO-BI 
Composite Name 
SU Name 
MU Name 
Bits 
Coding 
OFDM PHY Modulation 
MU[2] 
Coding 
MUC3] 
Rese rved 
Coding 
VHT Modulation 
Bus 
L-LTF 
83 
4us 
VHT 
L-SIG 
84 ag 
8 us 
VHT-SIG-A 
NSTS 
MUCO] 
NSTS 
Bus 
BIO-B2 
NSTS/Partial AID 
Partial AID 
822 
823 
MU[I] 
NSTS 
MU[2] 
N STS 
MUC3] 
N STS 
< IEEE 802.1 lac Figure 22-18— 
VHT-SIG 
-Al structure >

Air Magnet Pro can help you scan through the PHY frames

The MAC

Frame aggregation was introduced in 802.11n, 802.11ac however adds an interesting new take on the aggregation. All frames transmitted use the aggregated MPDU (A-MPDU) format. Even the single frame transmitted in one shot is transmitted as aggregate frame.

Table 3-1. Size comparisons of transmissions for different 802.11 PHYs 
Attribute 
MSDU (MAC payload) size 
MPDU (MAC frame) size 
A-MSDU (aggregate MAC payload) 
sue 
PSDU (PLO payload) size 
PPDU frame) size 
802.11a 
2,304 
Implied by maximum MSDU 
Size 
Not used with 802.1 la 
4,095 bytes 
Implied by maximum PSDU 
size 
802.11n 
2,304 
Implied by A-MSDU size 
7,935 
65,535 bytes 
5.484 ms (mixed mode) or 10 
ms (greenfield mode) 
802.1 lac 
2,304 
11,454 
Implied by maximum 
MPDU size 
bytes 
5.484 ms

Management Frames

  • VHT Capabilities Information element.
v VHT Capabilities Info: 
ØxØ39179b1 
. . .01 
= Maximum MPDU Length: 7 991 
00.. = Supported Channel Width Set: Neither 160MHz nor 80+80 supported (OXO) 
. 1 = Rx LDPC: Supported 
1. = Short Gl for Supported 
.0.. 
= Short GI for 160MHz and 80+80MHz: Not supported 
1... = Tx STBC: Supported 
. = Rx ST BC: 1 Spatial Stream Supported (Oxl) 
. . .01 
. 1... = SU Beamformer Capable: Supported 
...1 
. = SU Beamformee Capable: Supported 
. = Beamformee STS Capability: 4 (Ox3) 
. 011. . 
= Number of Sounding Dimensions: 2 (Oxl) 
.01 
= MU Beamformer Capable: Not supported 
. = MU Beamformee Capable: Supported 
. ..Ø. = TXOP PS: Not supported 
.0.. 
. = +HTC—VHT Capable: Not supported 
.. 11 1... . .. 
. . = Max A-MPDU Length Exponent: 1 048 575 
. = VHT Link Adaptation: No Feedback (OXO) 
...o 
= Rx Antenna Pattern Consistency: Not supported 
= Tx Antenna Pattern Consistency: Not supported 
00.. = Extended NSS BW Support:
  • VHT Operations Information element
v Tag: VHT Operation 
Tag Number: VHT Operation (192) 
00 = Basic 
ll.. = Basic 
11 = Basic 
= Basic 
= Basic 
= Basic 
= Basic 
= Basic 
Tag length: 5 
v VHT Operation Info 
Channel Width: 20 MHz or 40 
Channel Center Segment 0: 
Channel Center Segment 1: 
Basic MCS Map: Oxfffc 
. ll.. 
.. 11 
. ll.. 
.. 11 
ll.. 
MHz 
1 
2 
3 
4 
5 
6 
7 
8 
SS: 
SS: 
SS: 
SS: 
SS: 
SS: 
SS: 
MCS 
Not 
Not 
Not 
Not 
Not 
Not 
Not 
0-7 (OXO) 
Suppo r ted 
Suppo r ted 
Suppo r ted 
Suppo r ted 
Suppo r ted 
Suppo r ted 
Suppo r ted

NOTE: Greenfield mode was offered with 802.11n. The efficiency gains from greenfield mode were often lost because airtime-devouring CTS-to self

messages were required before transmitting in the greenfield mode. As a result, greenfield mode was removed from 802.11ac.

Beamforming Basics

  • As 802.11ac beamforming is based on explicit channel measurements, both the transmitter and receiver must support it.
  • Any device that shapes its transmitted frames is called beamformer, receiver of such frames is called beamformee.
  • The AP initiates frame exchange with the STA, which helps it to measure the channel. The result of the channel measurement is a derivation of the steering matrix.
  • Steering Matrix describes how to setup each element of transmitter’s antenna system to precisely overlap transmissions to reach farther.
  • To steer transmissions in a particular direction, a beamformer will subtly alter what is transmitted by each array. A simple phase shift can alter/steer the transmission.

Null Data Packet (NDP) – Standardizes beamforming methods. 802.11ac method of beamforming is termed as null data packet sounding. Sounding is the term used to denote the process  performed by the transmitter to acquire channel state information (CSI) from each of the different users by sending training symbols and waiting for the receivers to provide explicit feedback containing a measure of the channel.

VHT beamformer shall initiate a sounding feedback sequence by transmitting VHT NDP announcement frame followed by a VHT NDP after a SIFS.

Beam 
rormer 
formec 
for mec 
NDP 
-=ment 
Frame 
F 
Frame 
Beamfcgm— I 
•ing Relx»rt r 
Fr ame S 
Beunfu•u• 
—ing 
IS Frmne 
. 1. AVHT

SU Beamforming

  • Begins with the beamformer sending a NDP announcement packet followed by NDP. The NDP has fixed known format. The beamformee receives the NDP, analyzes it and computes back in form of feedback matrix. The feedback matrix is sent in reply to the NDP in the form of compressed beamforming frame (CBF).
SIFS 
NDP 
Announcement 
Beamformer 
Compressed 
Beamtorming 
Beamfor mee 
SIFS

MU Beamforming

  • As opposed to Tx to one device, MU-MIMO Aps are capable of simultaneously transmitting data to multiple device groups.
  • The key distinction between them is that with MU-MIMO beamforming and beamformer requires a response from all beamformees in order to conclude channel sounding.
  • The CBF packet is 802.11 action frame which contains a channel matrix that specifies the CSI for each client. The CBF is the largest contributor to the overhead caused by MU-MIMO transmission and is size is determined by
    • Channel Width
    • Number of radio chain pairs
    • Bit count of each CSI unit
SIFS 
Beamformer 
Beamformee 1 
Be amforming 
Bea 
SIFS 
mforming 
Report poll 
ieai\ 
SIFS 
Beamformee 2 
Beamformee 3 
SIFS 
Compressed 
Beam f 
SIFS

Recommended Reading

Cisco 802.11ax White Paper
Wifi Certified 6 Highlights
802.11 Framing in Detail
802.11ac Channel Planning
802.11ac VHT PHY
Research Paper on VHT MU-MIMO
802.11ac – A Survival Guide

802.11n | HT Operations #CWAP10

The blog post will cover the topics related to High Throughput Throughput technologies in conjunction with the exam objectives laid down for CWAP-403 exam. 802.11 Frame Exchanges cover 25% of the knowledge domain required for the exam. Analysing HT & VHT transmission methods are one of the sub topics under this section. I will be focusing on the HT/802.11n type in this blog, apparently it has gone a little longer than i thought. There are certain section which might take further reading from 802.11n Survival Guide if you are keen.

802.11n ~ High Throughput

  •  Ratified Sep 2009
  • Clause 20 technology, backward compatible with HR-DSSS (Clause 18), OFDM (Clause 17).
  • Can be used for both 2.4GHz & 5GHz bands.

MIMO Enhancements

  • Transmit Beamforming (TxBF) – Tx(Transmitter) Radios multiple antenna can transmit in the best direction of the Rx (Receiver).
  • Spatial Multiplexing (SM) – Tx multiple radios at the same time with each unique stream containing different data.
  • Space-Time Block Coding(STBC) – Transmitting redundant copies of data stream from different antenna thereby increasing the signal quality.
  • Antenna Selection (ASEL) – Increase signal diversity by dynamic selection of antennas.

Spatial Multiplexing

  • Takes advantage of multipath (when signal tends to reflect, scatter, diffract or refract).
  • Multiple streams follow different paths to the receiver because of the space between the transmitting antenna is known as spatial diversity and is also called as spatial multiplexing.
  • When using SM, both Tx and Rx should participate and be MIMO systems.
FIGURE 10.2 
-123456789“ 
MuItiple spatial streams 
мно 
-123456789“ 
ммо 
c]ient

HT Channels

  • Use 20 MHz OFDM channels.(NON-HT)
    • Each 20MHz OFDM channel contains 64 subcarriers which are each 312.5 KHz wide and can be separately modulated.
    • First 6 & Last 5 sub carriers are null as they act like guard band for the channel + center subcarrier is also null. This leaves 52 subcarriers.
    • Out of 52, 48 transmit data while 4 used in dynamic calibration between Tx and Rx.
  • 20MHz OFDM channels (HT)
    • Each 20MHz OFDM channel has 56 subcarriers, 52 transmit data, 4 are used for calibration between Tx and Rx.
  • 40 MHz Channels
    • Use 114 OFDM subcarriers, 108 transmit data, 6  are used for calibration.
    • A 40MHz channel doubles the frequency bandwidth available for transmission of the data.
    • A 40MHz channel used by HT radios essentially 2x 20MHz OFDM channels bonded together.
Table 3-1. Channel description attributes 
+25, +53 
PHY standard 
80111a/g 
80111n,20MHz 
80111n,40MHz 
Subcarrier range Pilot subcarriers 
-26t0+26 
-28t0+28 
-57 to +57 
+7, +21 
+7, +21 
Subcarriers (total/data) 
52 total, 48 usable 
56 total, 52 usable 
114 total, 108 usable

Modulation and Coding Scheme (MCS Index)

  • Value that describes the number of spatial streams, modulations (BPSK, QPSK, 16-QAM or 64-QAM and further) and error correction code used in Tx.
  • 802.11n supports equal modulation, in which all SS are transmitted in same manner, and unequal modulation, in which the spatial streams may be modulated differently.
  • 802.11n defines 77 different combinations of modulation and coding.
  • There are 8 mandatory MCS for 20 MHz HT channels.
TABLE 10.1 
MCS index 
Mandatory modulation and coding schemes—20 MHz channel 
Data rates 
Spatial 
streams 
Modulation 
BPSK 
OPSK 
OPSK 
16-QAM 
16-QAM 
64-OAM 
64-OAM 
64-OAM 
800 ns Gl 
6.5 Mbps 
13.0 Mbps 
19.5 Mbps 
26.0 Mbps 
39.0 Mbps 
52.0 Mbps 
58.5 Mbps 
65.0 Mbps 
400 ns Gl 
7.2 Mbps 
14.4 Mbps 
21.7 Mbps 
28.9 Mbps 
43.3 Mbps 
57.8 Mbps 
65.0 Mbps 
72.2 Mbps

Guard Interval (GI)

  • The GI is the space between the symbols being transmitted.
  • May be confused with IFS, the GI is there to eliminated inter-symbol interference where is referred to as ISI.
  • ISI happens when echoes from one symbol interfere with another.
  • A good rule of thumb specifies that GI should be 4x the highest multipath delay spread. When 802.11a was designed, designers used conservative value of 200ns for the delay speed, and choose to make the GI 800ns.

HT PHY

I’ve discussed this topic in details under this blog post.

Wi-Fi Alliance

  • Before the 802.11n amendment was ratified, the HT technology was already being certified and sold. The Wi-Fi alliance had developed a vendor certification program called Wi-Fi CERTIFIED 802.11n draft 2.0. The Cert Program as name suggested, certified products against the amendment. Draft 2.0 supports a max data rate of 300Mbps which is half max data rate specified in ratified document.
  • Details about the Wi-Fi certified “n” features can be found here

HT Control Field

  • The 802.11n amendment adds a new field in 802.11 MAC header, called the HT Control Field. It is 4 octets long and follows QoS control field in 802.11 MAC header.
  • Any MPDU that contains an HT control field is referred to as +HTC MPDU.

The Order Bit – The 802.11n amendment uses the existing but relatively unused order bit in the Frame Control field of the MAC header to indicate the presence of an HT Control Field in QoS data & management frames. Original purpose of this bit was to indicate that data muse be sent using a strict ordered class of service.

Control Wrapper Frame – is/are described using the carried frame name + HTC, for example RTS+HTC or CTS+HTC

HT Control Field Format – figure below shows the format of HT Control field. (Honestly some of the stuff went way over my head but might have to figure this out by looking at a few pcaps & studying them :|)

Link Adaptation Control (16 bits)

  • TRQ – Training Request > Set to 1 to request the responder to transmit a sounding PPDU. Set to 0 to indicate that the responder is not requested to transmit a sounding PPDU.
  • MAI (MCS Request (MRQ) or ASEL Indicator) – When set to “14”, it is an ASEL indicater which indicates that you would interpret the MFB/ASELC subfield as an ASEL command.
  • MFSI – MCS Feedback Sequence Identifier- A MCS Feedback (MFB) frame is sent in response to a MCS Request.
  • MFB/ASELC – MCS feedback and Antenna Selection Command -When ASEL indicator is present, the MFB/ASELC subfield interpreted as ASELC subfield. Otherwise it is interpreted as MFB subfield. A value of 127 indicates that no feedback is present

Calibration Position (2 bits)

  • Set to 0 indicates this is not a calibration frame.
  • Set to 1 indicates calibration start.
  • Set to 2 indicates sounding response.
  • Set to 3 indicates sounding complete.

Calibration Sequence – Each of the four packets within the calibration exchange will have the same sequence number.

CSI/Steering – When using sounding frames to transmit feedback about the channel, the Channel State
Information (CSI)/Steering subfield identifies the type of feedback being used.

NDP Announcement – indicates that an NDP will be transmitted after the frame. It is set to 1 to indicate that an NDP will follow; otherwise, it is set to 0. NDP are used to send sounding PPDU when no other data needs to be transmitted. If a frame transmitted that require an immediate response and also has the TRQ=1 (request for sounding PPDU) then receiver can either transmit the MPDU response withing a sounding PPDU or send the response MPDU with the NDP Announcement bit set to 1, indicating that NDP will be transmitted following the current PPDU.

Reverse Direction Protocol – 802.11n amendment which improves the efficiency of data transfer between STAs.

HT Action Frames & Information Elements

Information Elements

HT Capabilities, HT Operations, 20/40 BSS Coexistence & Overlapping BSS Scan Parameters,

HT Capabilities Element

  • Can be seen in Beacon, Probe Req/Response, Association Req/Response & Reassoc Req/Response.
  • You can figure out the MCS values supported by the 802.11n AP from this section in the pcap.
  • Determine A-MPDU parameters

HT Operation Element

  • STA operation within an HT BSS environment.
  • Found in Beacon, Reassociation Response, and Probe Response frames transmitted by an AP.

HT information elements

  • Primary Channel, Secondary Channel Offset and STA channel width.
    – When the Supported Channel Width Set subfield is equal to 1(as in above), indicating a 20/40 MHz BSS, then the Primary Channel field indicates the primary channel number.
    – Secondary Channel – Directly above or below the primary channel.
  • Protection Mechanisms – To ensure backward compatibility with older 802.11 a/b/g radios, an HT access point will operate in one of four protection modes. 00 in above pcap example.
  • RIFS mode – The 802.11e QoS amendment introduced the capability for a transmitting radio to send a burst of frames during a transmit opportunity (TXOP). (prohibited in above pcap case).
  • Basic MCS Set – Last in Operations element, similar to MCS set field in HT Capabilities Element.

For Further Reading

How to capture WLAN Frames? #CWAP8

This blog post will focus on tools I’ve used for performing Wireless Frame Captures. I’ve been largely dependent on Macbook for capturing the wireless frames. I would highly suggest you for sourcing a Macbook for frame capture as Windows PC option involves getting a third party WLAN pcap which is not cheap. Thank you Apple for making it possible to capture frames natively on Mac.

The Hardware

  • Macbook Pro

Other Utilities Required/Recommended.

  • Wireshark is available as free tool to download. It is highly recommended to optimize it using the wireless configuration profiles available at Metageek. This is our primary tool for capturing and analyzing the frames.

It is recommended to add (Absolute Time, Relative Time & Delta Time) values on the Wireshark as it is important when analyzing the wireless frame analysis. In roaming scenarios, one may need to acquire the time it took for a client to move between one AP to another.

  • Airtool is also available for free. This tool is not mandatory but good to have. Since it is free, then why not? It helps capture frames on few mouse clicks and helping you easily move them analyze them on wireshark or via online (Packets)
  • Packets (Arista) – Phenomenal tool for analyzing the frames. Birds eye view of various frame types in the wireless environment, management retries, problem clients etc. Free account available up to 100MB of pcap (more than sufficient for your CWAP studies).
  • WiFi Explorer – Highly Recommended if you can purchase, the professional version costs around $20 USD. Can really help with identifying the WLAN discovery and metrics of the environment.
  • If you own an iPhone or iPad, one can configure Wi-FI Diagnostics on the phone. Thanks for George Stefanick for explaining it so nicely.

Cisco – Mobility Express Experience

A couple of days ago I bumped into an opportunity to setup Cisco Mobility Express for one of the clients. Cisco has enabled to accomplish a mobility solution which can hep you deploy wireless LAN networks and be able to manage WLAN with APs on the network acting as the controller. Here’s how Cisco describes it in layman’s terms –

“Mobility Express integrates wireless LAN (WLAN) controller functions into the Cisco Aironet  3800, 2800, 1850, 1830, 1815, 1560 and 1540 Series Access Points. As such, Mobility Express is the latest in a series of Cisco efforts to turn WLAN controllers into a software function that any network component can host. Cisco controller capabilities also can be housed in standalone appliances (Cisco Wireless LAN Controllers, or WLCs), Cisco switches, Cisco routers, a private cloud, and a public cloud.”

I started with first AP to be converted to mobility express. In my case I’ve used a Cisco 3800 indoor AP. You will either need a POE+ capable switch or a POE+ injector. In case you only have POE injector the configuration is still possible but radios will receive insufficient POE to power up and cannot test the solution. You can convert the AP to mobility express but radios won’t receive enough power to start up.

Also remember that – When trying to convert to Mobility Express Image the Access point must not join and existing WLC in your network

Download Mobility Express image from www.cisco.com. You will need a Cisco account and valid entitlement to download this image. Connect Console and Ethernet cables into their correct interface ports, Ethernet will also be used to power through the use of a Power injector. Plug Ethernet cable from network switch into data port of POE power injector unit and apply power to POE injector. Login to AP via console with username and password : Cisco

Check that the AP has been assigned a IP address from the DHCP server on your network. Identify that an IP address has been assigned to the AP. In my case I configured a DHCP on the switch and let the AP receive a newly assigned lease. Setup your TFTP server, (for this I will using Tftpd64) and browse to the folder that contains the Mobility Express image

In the Command line of the LAP enter the following to download and change the configuration to Mobility Express.

AP#ap-type mobility-express tftp://<TFTP Server IP>/<path to tar>/file

The transfer will now start and wait for it to complete. Once completed issue the command “reboot” on the AP to make sure that it starts extracting the file it has downloaded and apply the new mobility express software. Once the software is applied it will go through the CLI setup wizard.

enter “yes” to terminate the auto install

Enter your required configuration items in the config wizard.

Enter all the details with regards to the management interface IP, netmask, default gateway etc. Setup the SSID and provisioning. These settings can also be done at the later stage when you access the GUI. The AP will reboot with the settings.

I managed to add 3 APs in the network and complete the setup.