Prime Infrastructure 3.1.6 has been posted to Cisco.com!

Direct link is https://software.cisco.com/download/release.html?mdfid=286304360&flowid=&softwareid=284272933&release=3.1.6&relind=AVAILABLE&rellifecycle=&reltype=latest

The Software Update checker inside Prime Infrastructure sees it, as expected.

Please take a few minutes to review the Release Notes.

http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-1-6/release/notes/cpi_rn.html

Please know that this upgrade is nearly 1 GB, and that it will take more than 15 minutes to install. Please be patient.

#WirelessFriday February 2017 – Questions and Responses

February 24, 2017 was #WirelessFriday and the topic was Wi-Fi Optimization. Clients are using more real-time and higher bandwidth applications. Your Wi-Fi network needs to adapt to a constantly changing environment. The webinar included mini-demos on health dashboards, flexible radio assignment, and application prioritization.

Today, we heard from Patrick Croak, Wireless CCIE, who walked us through areas where we could achieve WiFi optimization.  If you would like to review the event, you can catch the recording.

 There were a number of resources mentioned.  Here they are:

 As a next step I’d like to recommend contacting your partner or Cisco account team to schedule a deep-dive or even a WLAN Tuning session. 

I would like to thank the following panelists:

  • Ben Edwards, Enterprise Networking CSE, Cisco
  • Bill Fulton, Enterprise Networking PSS, Cisco
  • Brad Kincaid, Enterprise Networking PSS, Cisco
  • Christopher Medrano, Enterprise Networking CSE, Cisco
  • Derrick Williams, Enterprise Networking CSE, Cisco
  • John DiGiovanni, Enterprise Networking RM, Commercial West and Central, Cisco
  • Ron Amenta, Enterprise Networking PSS, Cisco
  • Sangita Mahishi, Enterprise Networking PSS, Cisco

Questions and Responses:

Q1.  Does the packet capture only work for CAPWAP clients? What about Flexconnect?
A1.  Packet capture should work for Flexconnect clients. In a Flexconnect deployment, the AP’s still maintain a CAPWAP tunnel to the WLC, just over a WAN link.

Q2.  When you are specifying packet captures, are you referring to the actual wireless frames or ethernet frames?
A2.  Wireless. The packets are captured and dumped in the order of arrival or transmit of packets except for beacons and probe responses. The packet capture contains information such as channel, RSSI, data rate, SNR, and timestamp.

Q3.  Should we broadcast or not broadcast our guest wireless SSID in a multitenant environment? Is there any security gained from not broadcasting as the clients will still call out for it. Or does hiding it help reduce potential DoS attacks on the server?
A3.  Many would suggest there is essentially no security benefit to not broadcasting. Any sniffer can discover that. Most now understand we need to play nice in the same sandbox.

Q4.  Do you know when the 8.3 code will be a “star” release?
A4.  If you are referring to 8.3 MR1, it was posted February 27, 2017.  Check out the release notes here.

Q5.  Can you talk about TPC versions or is the name the whole story?
A5.  You can review the differences in the following white paper. TPCv1 is most commonly used. http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_RRM_White_Paper/b_RRM_White_Paper_chapter_0101.html#id_15224 

Q6.  Is the workstation profiling coming from ISE?
A6.  The workstation profiling is coming directly from the controller.

Q7.  Are the adjustments to the 2800 and 3800 series APs available in Cisco Prime Infrastructure?
A7.  Yes

Q8.  What version is being demonstrated?
A8.  Any version of code after 8.1 will look like this. The code running here is 8.3.

Q9.  When enabling fast transition does the FT 802.1x option need to be enabled in authentication key management?
A9.  Either FT 802.1x or FT PSK. http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/80211r-ft/b-80211r-dg.html#task_2C619E3A576D474F80D6CB4BA8B4DBA6

#WirelessFriday January 2017 – Questions and Responses

We had a great #WirelessFriday on January 20, 2017!  The topic was all about GUEST ACCESS. We answered questions such as: Is there a technical reason why guest access should be super easy? What kind of self-service guest authorization mechanisms are there? What would the guest experience be and how is that managed on the back-end?  If you weren’t able to join us live, you can watch the recording.  Here are the questions that came up during the call and the responses from our panelists.

We heard from Robert Roulhac, Cisco Virtual Systems Engineer, Security Focus.

I would like to thank the following panelists:

  • Allan Ross, Enterprise Networking CSE, Cisco
  • Ben Edwards, Enterprise Networking CSE, Cisco
  • AJ Shah, Enterprise Networking CSE, Cisco

Q1.  How does SMS integration work?
A1.  ISE uses an SMS gateway to forward SMS messages to the user.

Q2.  Is there any way Guest can select or put in email address for sponsor?
A2.  You can utilize a sponsor portal to create guest accounts for users. http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/sponsor_guide/b_spons_SponsorPortalUserGuide_21/Support_Guests.html

Q3.  We have set up guest access in such a way that sponsor has to create account for Guest… Is there any way Guest can enter email address of employee and employee gets email to approve guest request?
A3.  Yes, Sponsors can also receive email notifications requiring their approval for self-registering guests. http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01110.html#task_1EAD5E171B7849EDA41 

Q4.  What if you don’t use ISE but currently have a guest anchor. Does this merge easily?
A4.  The deployment of ISE would be identical on a primary or a guest anchor controller.

Q5.  To clarify which is easier. Today I have an anchor what’s the advantage of ISE?
A5.  ISE provides the same functionality on a guest anchor as it would on an internal controller.

Q6.  Does ISE integrate with Meraki?
A6.  Yes it does. Please see https://communities.cisco.com/docs/DOC-68192

Q7.  The guest service could then be provided on both the Meraki network and Corp HQ WLC?
A7.  Yes, Meraki is just another Network Access Device (NAD) in ISE.

Q8.  Is best practice to keep SSID’s down to a minimum to 3-4 range?
A8.  Yes, the fewer the better.  Each SSID requires management overhead of airtime. Management frames are sent at the lowest set data rate and eat valuable airtime for data to clients. https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Multi-SSID_Deployment_Considerations

Q9.  In a non-anchor deployment, the ACLs would have to allow guest traffic reach the corporate authentication server (ISE), correct?
A9.  That is correct for redirect.  To clarify, data traffic does not traverse the corporate network, only the webauth redirect for authentication 

Q10.  Does the auto-WLC-configuration script also configure url redirection for https?
A10.  The redirect URL is passed from ISE to the WLC via RADIUS when the user associates.

Q11.  Can the guest provisioning be utilized against an existing SSID?
A11.  Yes once the WLC is integrated with ISE

Q12.  What impact do WLC settings on timeout have?
A12.  Authorization timeouts should be set in ISE and not in the WLC. If you are using ISE, it is advised to remove the session timeout values from the WLC.

Q13.  Isn’t there a security concern allowing 80 or 443 to ISE from guest endpoints?
A13.  ISE is a hardened appliance. Access is controlled via the pre-auth ACL to only the ports the ACL allows 

Q14.  Does the ISE guest SSID provisioning create the ACL on the WLC also?
A14.  Using the guest wizard in ISE 2.2, it will be provisioned on the WLC via the wizard. Before ISE 2.2 the ACL will have to be manually configured.

 

Cisco WLAN Controller AP Modes – An Incomplete Guide

An Access Point, as defined by 802.11, can take a packet out of thin air and convert it to ethernet and has the ability to do all the stuff it needs to do to make it all happen. That’s called an “Autonomous” or “Standalone” AP.

The standalone AP is great but it doesn’t scale very well.  Then along came a way to better scale: the controller architecture (split-MAC, they called it) and the “lightweight” AP.

Important: It’s not dumb or thin, it’s lightweight, in the same way other protocols were written to a portion of the spec and called the “lightweight” variant of that protocol.
A lightweight AP only does the real-time stuff an “AP” is supposed to do and the controller does all the non-real-time stuff.

The glue that holds the AP to the controller is an IETF standard protocol called CAPWAP.

For this lightweight architecture, an AP grabs a packet out of thin air and then only does real-time stuff to it. Encryption/decryption is a good example of real-time stuff an AP does. It then takes that 802.11 packet, puts it into a CAPWAP envelope, and sends it to the controller.

The controller then converts the 802.11 packet to 802.3 (Ethernet), applies the correct policy, and puts it in the right VLAN.

This is the default operational mode of a lightweight AP and it’s called “Local Mode” which also can be called “Connected Mode”.

But what if you have a bunch of small branch offices with just a few AP’s each. You:

  1. don’t want the expense of controllers in each location (or the management burden) and you
  2. don’t want your print-job to go from your mobile device, all the way across your WAN, just to make a U-turn and come back across your WAN and print to a printer you’re physically 5 feet away from.

Flexconnect

Flexconnect changes how packets are processed by allowing the AP to convert the 802.11 packet directly into Ethernet and place it on the VLAN that is trunked to the AP. This takes the controller out of the data path, even though the controller is still responsible for firmware updates, configurations, RRM, and IPS. This default behavior of Flexconnect is called FlexConnect Local Switching.

Please keep in mind there are constraints you need to consider before using Flexconnect.  See the Restrictions on Flexconnect section of the configuration guide.

Now for the “flex” in FlexConnect.

For some SSID’s you may want to change the data path.  For example maybe you want all your employee traffic to stay at a branch but you want your guest traffic to go back to the controller for inspection.

So for that SSID you can use FlexConnect Central Switching. For this SSID (WLAN), it will act like a Local Mode AP, but for other SSID’s (WLANs) it’s in Local Switching.

Data Path vs. Authenticators

The other thing to consider is where 802.1x RADIUS authentication will take place.  FlexConnect gives you two options for how 802.1x authentication is done: central authentication, which is the default, and local authentication. Whether you select local or central switching, all 802.1x authentication is, by default, done by the controller.

So what if the controller goes away? Well then your 802.1x authenticator goes away. Unless you have local authentication configured.  If you select local authentication for your FlexConnect AP, then you need to configure your AP as a RADIUS authenticator, which includes telling your RADIUS server about that AP and setting up a RADIUS key.

For more information refer to the FlexConnect section of the Configuration Guide.  Here is the link if you’re using version 8.3 code.  To find the configuration guide for the code version you’re running, click here.

Is My WLAN Controller Healthy (or, how do I program my stereo’s equalizer)?


When I was young, maybe early teens, I remember having a friend whose dad was super proud of his stereo system.  I remember it had a stereophonic hifi turntable, 2 cassette decks (for dubbing), and it was even hooked to his reel-to-reel. I remember thinking of how powerful it was… I mean, LOOK at all those buttons, knobs, and sliders!  We got in trouble once because we messed with the equalizer.  He had just recently got it sounding like he wanted it and we… well… undid his work.

Now later in life I learned that just about no one knew how to properly set an equalizer, and this included my friend’s dad (nor did he know it should be tuned for each type of music).  He just did the best he could, trying to decipher the instructions, and taking best guesses.  Take this equalizer in the picture… it has 10 sliders from 31 Hz (sub bass) on the left to 16 kHz (high tones) on the right.  Now this picture will do nothing but make a muddy mix, the highs and mids louder and pulling down the low-mid sounds… so yeah… but that’s not the point. (But if you want a good reference for setting your EQ check this out.)

My point is there are a lot of buttons, knobs, and sliders, and they all work together.  For some of them, if they’re just a little off, it could change the sound in a major way.  Just like on an enterprise class wireless system.  Am I right?

So now then, how do I configure my equalizer, er, Cisco Wireless LAN Controller?  Great question.  Glad you asked.

When I log on to a controller I want to first see if it’s healthy.  Go through each row of the table below to see what I tend to look for in determining health.  This is not an exhaustive list, but it’s a solid start.  If your WLAN is “healthy” based on this list and you’re still having trouble, then we’d start troubleshooting.

(Please note that as I begin to use this as a reference I may find ways to make it better.  Be sure to check back later for updates.  Use the comment section below if you have ideas, too.)

What I’m Looking For Resources
Monitor Top Tab
What version of code is the controller running? I like to see the controller running the latest MD release for whatever code train it’s running. This is often referred to as a Maintenance Release or MR.

Be sure to check release notes before upgrading code, noting support for the equipment that is deployed.

There are (typically) no reasons to use any code earlier than 7.6 in a production environment.

What is the uptime? Is there a reasonable explanation for when it last rebooted?  It should never reboot on its own.
Are any 2.4 or 5 GHz radios listed as Down and you’re not sure why? Since there are only 3 usable channels in 2.4 GHz and 12-20+ in 5 GHz it’s not uncommon to see some 2.4 GHz radios turned off so AP’s can be packed in tighter to accommodate a lot of clients.
Do you have any Excluded or Disabled Clients? It is recommended to keep the client exclusion policies turned on. Clients can be excluded for:

Excessive 802.11 Association or Authentication failures

Excessive 802.1x Authentication failures

Duplicate IP (referenced as Identity Theft or IP Reuse)

Excessive Web Authentication failures

Any disabled clients were done manually.

Is there an excessive amount of Active Rogue AP’s? While there is not a firm line that indicates there are “too many” rogue AP’s, if the number of active rogue AP’s is more than 50% of the total number of AP’s, it’d be a good idea to understand why and possibly take mitigating actions.
Are there any Active Rogue Clients? A “Rogue AP” is one that your AP’s can hear that is not part of your own network. In fact a rogue AP may not be rogue at all, it may simply be an AP used by a neighbor for their own use.  A “Rogue Client” is a client device that is connected to a Rogue AP.
Anything “interesting” in the Most Recent Traps? Look for major events like AP Disassociated, Failed to…, Signature attack, Potential denial of service, temperature too high, etc.
MONITOR -> Access Points -> Radios -> 802.11a/n/ac Look for failures in:

Load Profile (failed means more than 20 clients)

Noise Profile (failed means over -70 dBm)

Interference Profile (failed means more than 25%)

Coverage Profile (failed means a detected coverage hole)

A failure does not necessarily indicate a systemic problem, only an indicator a configured threshold has been crossed.
If you notice a lot of failures in the same area you may want to investigate.

MONITOR -> Access Points -> Radios -> 802.11b/g/n Look for failures in:

Load Profile (failed means more than 20 clients)

Noise Profile (failed means over -70 dBm)

Interference Profile (failed means more than 25%)

Coverage Profile (failed means a detected coverage hole)

A failure does not necessarily indicate a systemic problem, only an indicator a configured threshold has been crossed.

If you notice a lot of failures in the same area you may want to investigate.

WLANS Top Tab
Are there more than 5 active WLAN’s? The number of SSIDs should be kept to a minimum to avoid a negative performance impact because of excessive management traffic. Each SSID requires a separate beacon message that will be broadcast at the lowest mandatory data rate and can significantly impact the performance in a high-density design.

If you have 20 SSIDs and your 802.11b/g radios are left with the default settings, then the wireless cell is going to slow down to 1Mbps for a significant time window to send beacons and listen for responses.  This happens regardless of how many clients are communicating.  Issues will be very difficult to troubleshoot.

Within Each WLAN
General Tab
Is Broadcast SSID turned on? This is sometimes mistaken for a security feature.  It is recommended to leave Broadcast SSID as some client devices will not roam (or roam efficiently) with it turned off.
Security -> Layer 2 Tab
Is “Fast Transition” set to “Adaptive” (only on 8.3 or newer code) 802.11r Fast Transition is a feature introduced in 8.3 code.  At the time of this writing only Apple iOS10 devices support it.
Fast Transition can be Enabled, Disabled, or Adaptive.  If you want devices that support and do not support 802.11r then be sure to make Fast Transition “Adaptive”.
If WPA is enabled, is TKIP checked and AES unchecked? For those SSID’s that require data encryption and for those SSID’s that need to support legacy clients that do not support WPA2, only use WPA with TKIP and not with AES.
It is desirable to not have WPA enabled at all.
When WPA first came out the preferred encryption type was TKIP (104 bit key + 24 bit initialization vector = 128 bits total).  Later when WPA2 came along AES (256 bits) was added.  Most devices that NEED to use WPA will not be able to use AES.  If AES is enabled it could cause newer devices to use WPA with AES which will not allow 11n or faster data rates.

Read more at this Cisco Support Forums article.

If WPA2 is enabled (and it always should be except for guests or special cases), is AES enabled and TKIP disabled? For those SSID’s that require data encryption, make sure WPA2 with AES is selected and not TKIP.  AES (or no encryption at all) is required to get 11n or faster data rates.
There may be other options. Only select AES unless you are addressing a specific need and understand the implications.
If 802.1x is enabled, is CCKM enabled? Comment thanks to Javier Contreras Albesa: CCKM should not be recommended as a general feature to be turned on, unless you have client supporting it (792x phones, WGB, etc). 802.1x allows for a client authentication of several types (certificate, user ID and password, etc.).  Each time a client roams the authentication need to take place again.  CCKM is a mechanism Cisco has created to expedite that procedure, for devices that support it.

Read more about CCKM on the article 802.11 WLAN Roaming and Fast-Secure Roaming on CUWN

WIRELESS Top Tab
Any AP’s showing administratively down? Are there radios that are showing down?  Is there a known reason for them showing down? It is not uncommon to have some AP’s with radios that are administratively disabled.  It’s good to at least know why.
Are there any AP’s showing something other than PoE/Full Power or Power Injector / Normal Mode? Make sure there is a good reason if there are any AP’s showing something other than full or normal power mode. Most AP’s have a minimum power requirement of 802.3af (15.4W). Some AP’s, including 802.11n AP’s,  need higher power levels in order to enable the fastest data rates.  If a newer AP has reduced power it’s likely the fastest data rates will not be enabled.
What mode(s) is(are) the AP’s in? Make note and understand the implications of AP’s in Flexconnect or Connected (sometimes listed as Local) mode.  If there is a mix of Flexconnect and Connected/Local mode AP’s, make sure you understand why and the implications. AP’s in Connected/Local mode will tunnel all client data traffic to the controller and then be placed on the appropriate VLAN.  AP’s in Flexconnect mode will (typically) place client data traffic on an appropriate VLAN that is trunked to the AP.  Be sure to understand the implications of the desired design.
WIRELESS -> Access Points -> Radios -> 802.11a/n/ac
What channel sets are in use?

UNII-1: 36-48 (4 channels)

UNII-2: 52-64 (4 channels)

UNII-2b Extended: 100-144 (12 channels)

UNII-3: 149-161 (4 channels)

Generally (in the US) it is recommended to use UNII-1, UNII-2, and UNII-3.  Unless you are needing to support legacy devices (pre 802.11n), you should also enable UNII-2b Extended channels, allowing DFS to ensure they are allowed to be used.
How many channels do AP’s use (1 for 20 MHz, 2 for 40 MHz, 4 for 80 MHz) Do AP’s show multiple channels in the Channel column?  If yes, does the number of channels appear to be (at least generally) consistent?
If there are AP’s showing 4 channels in use (80 MHz wide) it will be important to understand why and the implications relating to channel availability.
Are any AP’s showing a channel number without an *asterisk? It is desired to have Radio Resource Management (RRM) manage channel assignments.  If your deployment has specific needs it is best to tune RRM so it makes the best decisions.  Note any channel that does not have an asterisk (*) following it and understand why this radio has a static (manual) setting.
Are any Power Levels showing a number without an *asterisk? It is desired to have Radio Resource Management (RRM) manage transmit power level assignments.  If your deployment has specific needs it is best to tune RRM so it makes the best decisions.  Note any Transmit Power that does not have an asterisk (*) following it and understand why this radio has a static (manual) setting.
Are there any power level 8’s? Power levels range between 1 (100%) and 8 (effectively off).  A power level of 7 is as low as it can go before it is turned off.
Do the power levels tend to be 3’s, 4’s, and 5’s? RRM should have the ability to increase or decrease transmit power levels to account for the always changing RF environment. If AP’s are mostly on power level 1 or 2, they may be placed too far apart from each other. If AP’s are mostly on 6, 7, or 8, AP’s may be too close to each other. In some cases you can account for AP’s being further apart or closer together by modifying the Power Threshold under WIRELESS -> Access Points -> 802.11a/n/ac -> RRM -> TPC.  Start with increments of 3.  Add 3 to get radios to generally be louder.  Subtract 3 to get radios to generally be quieter. The default is -70.
WIRELESS -> Access Points -> Radios -> 802.11b/g/n
Are there any channels in use besides 1, 6, and 11 and is there a reasonable mix of them? Make sure only channels 1, 6, and 11 are in use and there is a reasonable mix of them.  Never use other channels outside of the US.
Are any AP’s showing a channel number without an *asterisk? It is desired to have Radio Resource Management (RRM) manage channel assignments.  If your deployment has specific needs it is best to tune RRM so it makes the best decisions.  Note any channel that does not have an asterisk (*) following it and understand why this radio has a static (manual) setting.
Are any Power Levels showing a number without an *asterisk? Power levels range between 1 (100%) and 8 (effectively off).  A power level of 7 is as low as it can go before it is turned off.
Do the power levels tend to be 3’s, 4’s, and 5’s? RRM should have the ability to increase or decrease transmit power levels to account for the always changing RF environment.
If AP’s are mostly on power level 1 or 2, they may be placed too far apart from each other.
If AP’s are mostly on 6, 7, or 8, AP’s may be too close to each other.
In some cases you can account for AP’s being further apart or closer together by modifying the Power Threshold under WIRELESS -> Access Points -> 802.11a/n/ac -> RRM -> TPC.  Start with increments of 3.  Add 3 to get radios to generally be louder.  Subtract 3 to get radios to generally be quieter.
The default is -70.
WIRELESS -> 802.11a/n/ac -> Network
Are the supported, mandatory, and disabled data rates following best practices? Generally, if the lowest data rates are MANDATORY then clients will tend to experience roaming issues, stickiness, or unexplained dropped connections.

  1. Highly consider disabling all 802.11b data rates of 1, 2, 5.5, and 11.
  2. It is a best practice to AT LEAST make 12 Mbps Mandatory.
Comments thanks to Paul Chapman: Additionally, with 802.11b/g, by not having any mandatory rates above 11Mbps (default setting), you are allowing 802.11b clients on the cell. Unless you have to support them, b-clients are highly undesirable.

I would recommend setting the lowest mandatory rate to the speed you expect to support when clients start to roam, probably 24 Mbps. At a minimum set at least 1 mandatory rate above 11Mbps to prevent b-clients from coming onto the network.

Cisco White Paper: Cisco Wireless LAN Controller Configuration Best Practices

WIRELESS -> 802.11a/n/ac -> RRM -> TPC
Is Coverage Optimal Mode (TPCv1) selected? This is a default and is a best practice for most WiFi deployments.  Typically, TPCv2 is used in very specific circumstances.
Is Power Level Assignment Method set to Automatic? Since the RF environment is constantly changing, it is a best practice to use RRM. If the default settings of RRM are not appropriate for your environment, consider tuning it before changing the assignment method to fixed.
What is the Power Threshold set to? The default is typically -70 dBm.  If it is something other than that, it is important to know why.
WIRELESS -> 802.11a/n/ac -> RRM -> DCA
Is Channel Assignment Method set to Automatic? Since the RF environment is constantly changing, it is a best practice to use RRM. If the default settings of RRM are not appropriate for your environment, consider tuning it before changing the assignment method to fixed.
Is Channel Width following best practices? For high density client environments, it is a best practice to use 20 MHz.  It is typically not a best practice to use 80 MHz at all.  If the version of code you’re using has BEST as an option, this is typically recommended.
Are Extended UNII-2 Channels Enabled? Without UNII-2 Extended there are 12 channels available, or 6 with 40 MHz channels.  By using UNII-2 Extended, an additional 9 channels are available (or 12 channels if you have an AP that follows the new FCC rules (FCC Order 14-30)). Unless you need to support older client devices that do not support UNII-2 Extended channels, be sure to use them.  It is rare that devices do not support them.
Is ED-RRM Enabled? Event Driven RRM allows the RRM process to make immediate changes should a catastrophic interferer cause issues between RRM decision cycles.
WIRELESS -> 802.11b/g/n -> Network
Are the supported, mandatory, and disabled data rates following best practices? Generally, if the lowest data rates are MANDATORY then clients will tend to experience roaming issues, stickiness, or unexplained dropped connections.
WIRELESS -> 802.11b/g/n -> RRM -> TPC
Is Coverage Optimal Mode (TPCv1) selected? This is a default and is a best practice for most WiFi deployments.  Typically, TPCv2 is used in very specific circumstances.
Is Power Level Assignment Method set to Automatic? Since the RF environment is constantly changing, it is a best practice to use RRM. If the default settings of RRM are not appropriate for your environment, consider tuning it before changing the assignment method to fixed.
What is the Power Threshold set to? The default is typically -70 dBm.  If it is something other than that, it is important to know why.
WIRELESS -> 802.11b/g/n -> RRM -> DCA
Is Channel Assignment Method set to Automatic? Since the RF environment is constantly changing, it is a best practice to use RRM. If the default settings of RRM are not appropriate for your environment, consider tuning it before changing the assignment method to fixed.
Are channels other than 1, 6, and 11 in use? It’s important to use channels 1, 6, and 11 for RRM.  Any other channel set should be avoided.
Is ED-RRM Enabled? Event Driven RRM allows the RRM process to make immediate changes should a catastrophic interferer cause issues between RRM decision cycles.

Of course there may be other areas of your controller configuration that may provide health indicators and what works for you (and is healthy for you) may not be what is listed above.  This is simply a way to objectively gauge the health of your controller configuration.
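Several rows of the table above can be turned into a repeatable check; the following is an added example, not part of the original article and not Cisco tooling. The snapshot layout and finding names are assumptions made for illustration, the sample values are constructed, and “mostly” is read as more than half of a band’s radios.

```python
from collections import Counter

NON_OVERLAPPING_24GHZ = {1, 6, 11}

def parse_rrm_value(text):
    """'36*' -> (36, True). An asterisk after the value means RRM assigned it;
    no asterisk means a static (manual) setting."""
    text = text.strip()
    return int(text.rstrip("*")), text.endswith("*")

def check_wlans(wlans):
    findings = []
    active = [w for w in wlans if w["enabled"]]
    if len(active) > 5:
        findings.append(("WLAN_COUNT", f"{len(active)} active WLANs (more than 5)"))
    for w in active:
        wpa, wpa2 = set(w["wpa_ciphers"]), set(w["wpa2_ciphers"])  # empty = off
        if not w["broadcast_ssid"]:
            findings.append(("HIDDEN_SSID", f'{w["ssid"]}: Broadcast SSID is off'))
        if "AES" in wpa:
            findings.append(("WPA_AES", f'{w["ssid"]}: WPA has AES checked'))
        if wpa2 and wpa2 != {"AES"}:
            findings.append(("WPA2_CIPHER", f'{w["ssid"]}: WPA2 uses {sorted(wpa2)}'))
    return findings

def check_radios(radios):
    findings, levels = [], {}
    for r in radios:
        channel, channel_rrm = parse_rrm_value(r["channel"])
        power, power_rrm = parse_rrm_value(r["power_level"])
        label = f'{r["ap"]} {r["band"]} GHz'
        if not channel_rrm:
            findings.append(("STATIC_CHANNEL", f"{label}: channel {channel} is manual"))
        if not power_rrm:
            findings.append(("STATIC_POWER", f"{label}: power level {power} is manual"))
        if power == 8:
            findings.append(("POWER_8", f"{label}: power level 8 (effectively off)"))
        if r["band"] == "2.4" and channel not in NON_OVERLAPPING_24GHZ:
            findings.append(("CHANNEL_24GHZ", f"{label}: channel {channel} in use"))
        levels.setdefault(r["band"], Counter())[power] += 1
    # "Mostly" is read here as more than half of a band's radios (assumption).
    for band, counts in levels.items():
        total = sum(counts.values())
        loud, quiet = counts[1] + counts[2], counts[6] + counts[7] + counts[8]
        if loud * 2 > total:
            findings.append(("POWER_HIGH", f"{band} GHz: {loud}/{total} radios at "
                             "level 1-2, APs may be too far apart"))
        elif quiet * 2 > total:
            findings.append(("POWER_LOW", f"{band} GHz: {quiet}/{total} radios at "
                             "level 6-8, APs may be too close"))
    return findings

def audit(snapshot):
    findings = check_wlans(snapshot["wlans"]) + check_radios(snapshot["radios"])
    if snapshot["active_rogue_aps"] > 0.5 * snapshot["total_aps"]:
        findings.append(("ROGUE_RATIO", "active rogue APs exceed 50% of total APs"))
    for band, rates in snapshot["mandatory_rates_mbps"].items():
        if rates and min(rates) < 12:
            findings.append(("LOW_MANDATORY_RATE",
                             f"{band} GHz: lowest mandatory rate is {min(rates)} Mbps"))
    return findings

# Constructed sample data, not taken from a real controller.
SNAPSHOT = {
    "total_aps": 3,
    "active_rogue_aps": 2,
    "mandatory_rates_mbps": {"2.4": [1, 2, 5.5, 11], "5": [12, 24]},
    "wlans": [
        {"ssid": "corp", "enabled": True, "broadcast_ssid": True,
         "wpa_ciphers": [], "wpa2_ciphers": ["AES"]},
        {"ssid": "legacy", "enabled": True, "broadcast_ssid": False,
         "wpa_ciphers": ["TKIP", "AES"], "wpa2_ciphers": ["AES", "TKIP"]},
        {"ssid": "guest", "enabled": True, "broadcast_ssid": True,
         "wpa_ciphers": [], "wpa2_ciphers": []},
    ],
    "radios": [
        {"ap": "AP1", "band": "2.4", "channel": "1*", "power_level": "4*"},
        {"ap": "AP1", "band": "5", "channel": "36*", "power_level": "3*"},
        {"ap": "AP2", "band": "2.4", "channel": "3", "power_level": "1"},
        {"ap": "AP2", "band": "5", "channel": "149*", "power_level": "8*"},
        {"ap": "AP3", "band": "2.4", "channel": "11*", "power_level": "1*"},
    ],
}

if __name__ == "__main__":
    for code, message in audit(SNAPSHOT):
        print(f"{code:20} {message}")
```

A finding here means the same thing as a failed row in the table: a threshold was crossed and the reason should be understood, not that the setting is necessarily wrong for your deployment.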

For more insight in to how to tune your configuration, I recommend 3 Steps to Tuning a Cisco WLAN Controller From Default Settings.

Please let me know what you think in the comments section below.

I would like to acknowledge and thank contributors to this article: