Configuring Wireless Active Testing with ThousandEyes

This document explains how to set up Wireless Active Testing on the ThousandEyes platform.

Introduction to Wireless Active Testing

Wireless Active Testing (WAT) helps you proactively detect Wi-Fi issues and adds the ability of pre-connection testing that tests the Wi-Fi onboarding process. It integrates the Cisco Catalyst 9800 Wireless LAN Controller with the ThousandEyes platform to deliver end-to-end network and application testing. Wireless Active Testing (WAT) helps you troubleshoot Wi-Fi network inconsistencies by using the Catalyst Access Point CW9172H with the ThousandEyes Endpoint Agent as an Active Testing Access Point. This enables early detection and resolution of wireless performance issues.

Prerequisites

  • Cisco Wireless CW9172H Access Point

  • IOS-XE 17.18.2 software version of higher

  • Connectivity to ThousandEyes platform (cloud). For details refer System Requirements.

Relevant Acronyms and Terminology

  • WAT: Wireless Active Testing​

  • SSID: Service Set Identifier (name)​

  • BSSID: Basic Service Set Identifier (MAC)​

  • AP: Access Point

  • Active Testing Access Point: A Catalyst access point running Endpoint Agent and performing Wireless Active Testing.

Getting Started

The configuration of Wireless Active Testing with ThousandEyes consists of two stages:

  • Stage 1 - Active Testing Access Point Onboarding : This involves performing the necessary configuration on the Wireless LAN Controller (WLC) to onboard the Access Point and deploy the ThousandEyes Endpoint Agent.

  • Stage 2 - SSID and Test Configuration : This involves configuring the SSID and setting up the test parameters on the ThousandEyes platform to enable Wireless Active Testing.

Stage 1 - Active Testing Access Point Onboarding

To set up this stage of Wireless Active Testing (WAT), see the detailed instructions here.

Stage 2 - SSID and Test Configuration

Validating Agent Registration

  1. After you finish configuring the WLC, the Endpoint Agents running on the Catalyst Access Points appear in the ThousandEyes portal. It may take about 5 to 10 minutes for the Endpoint Agent to register on the ThousandEyes platform after you install it on the WLC.

  2. On the ThousandEyes platform, go to Endpoint Experience > Agent Settings. In Agent Settings, select Add Filter. In the Platform filter, choose Cisco Wireless. This displays only the Endpoint Agents installed on wireless access points.

SSID Configuration

  1. After you confirm that the Endpoint Agents are installed on the access points and registered with the ThousandEyes platform, configure the SSIDs. The Endpoint Agent uses these SSIDs to connect to and cycle between access points broadcasting the selected SSID. To set up an SSID, go to SSID Configurations tab in Agent Settings and select Create SSID Configuration.

  1. The SSID Configuration section contains the following fields:

  • Configuration Name – A name for the configuration.

  • SSID - A list of available SSIDs that will be imported into ThousandEyes when the Active Testing Access Point is onboarded. In this dropdown menu, you can select the preferred SSID for this configuration. Alternatively, you are not limited to these suggestions and may manually configure any arbitrary SSID.

  • Band – Specifies the wireless band.

  • Max Number of APs – Specifies the maximum number of BSSIDs that the Active Testing Access Point will test during one round.

  • Credential Type – Specifies the authentication configuration. Active Testing Access Points must authenticate to connect with SSIDs. In the SSID Configuration section, use the Credential Type field to select the authentication method. The available options are:

    • Password - If you select Password, you must provide the PSK (Pre-Shared Key) used for this SSID.

    • Username/Password - If you select Username/Password, you must choose one of the supported EAP methods: PEAP, LEAP, or EAP-FAST, and provide the corresponding username and password.

    • Certificate - If you select Certificate, you must choose either the LSC (Locally Significant Certificate) option or the Manual option.

      • If you chose the LSC (Locally Significant Certificate) option, further three options are available:

        • EAP Outer Identity - Optional field. Defaults to “anonymous” if not specified.

        • Verify Server Certificate - Enabled by default. When enabled, the agent validates the RADIUS server certificate. If disabled, the agent will not validate the RADIUS certificate.

        • Trusted Server CA Certificate: Optional field. In environments where different Certificate Authorities (CAs) issue infrastructure certificates (such as AP or WLC certificates) and RADIUS server certificates, the client must trust the CA that issued the RADIUS certificate to authenticate securely. Therefore, this setting must be populated with the CA that signs the RADIUS server certificate when multiple CAs are in use. If the same CA signs both the AP/WLC certificate and the RADIUS server certificate and is already trusted by the client device, this field does not need to be provided.

      • If you chose the Manual option, further five options are available:

        • Client Bundle (PKCS #12) - The Client Bundle is a single PKCS#12 file (.p12 or .pfx) file that include the client certificate chain and private key.

        • Private Key Password - Optional field. Password used to unlock the private key in the Client Bundle. Leave empty if the PKCS#12 file has no password.

        • EAP Outer Identity - Optional field. Defaults to “anonymous” if not specified.

        • Verify Server Certificate - Enabled by default. When enabled, the agent validates the RADIUS server certificate. If disabled, the agent will not validate the RADIUS certificate.

        • Trusted Server CA Certificate - Optional field. In environments where different Certificate Authorities (CAs) issue infrastructure certificates (such as AP or WLC certificates) and RADIUS server certificates, the client must trust the CA that issued the RADIUS certificate to authenticate securely. Therefore, this setting must be populated with the CA that signs the RADIUS server certificate when multiple CAs are in use. If the same CA signs both the AP/WLC certificate and the RADIUS server certificate and is already trusted by the client device, this field does not need to be provided.

    • Open (no authentication) - No authentication is required when this option is selected.

Wireless Active Testing Configuration

Once the SSIDs imported from the WLC have been configured on the ThousandEyes platform you can set up Wireless Active Testing. In this section, you’ll create a Wireless Active Testing configuration and associate the configured SSIDs with the Active Testing Access Point.

  1. Go to Endpoint Experience > Test Settings, choose Wireless Active Testing, and then select Add Configuration.

  1. The Wireless Active Testing section consists of three sub-sections:

    • Select SSIDs - provide a name for your Wireless Sensor Configuration and select up to three SSIDs for Wireless Active Testing.

    • Select Agents - select the Endpoint Agents you want to associate with these SSIDs for testing. There are three options for selecting which Endpoint Agents will use the previously selected SSIDs for testing:

      • All Agents – All Endpoint Agents

      • Specific Agents – Only selected Endpoint Agents

      • Agent Labels - Only Endpoint Agents associated with a specific label. Please note that SSID based labels cannot be used within Wireless Sensor Configuration.

    • Review and Create

  1. Enter the relevant information in each of the above sub-sections and proceed by clicking Next. In the final sub-section, review the configuration, and if everything looks correct, click Create. After you complete the configuration, the Active Testing Access Point connects to the configured SSIDs and begins collecting wireless metrics.

It may take up to 20 minutes for the data to appear on the ThousandEyes platform.

Synthetic Tests Configuration

In addition to wireless monitoring, Wireless Active Testing with the ThousandEyes Endpoint Agent lets you set up synthetic tests for critical business applications. The configuration process is the same as for other Endpoint Agents. For detailed instructions and best practices, see Monitoring an Application using Synthetic Tests.

Leveraging Wireless Active Test Data in ThousandEyes

This section covers Wireless Active Testing (WAT) data in the ThousandEyes platform. It explains how to interpret and use the test data generated by WAT.

For more information about viewing Endpoint Agent data, see Viewing Data.

Dashboards

Dashboards make it easy to monitor and visualize large volumes of test data, and help you quickly identify and resolve issues.

To help you track test results efficiently and reduce the need for external assistance, we offer Dashboard Templates. These templates promote consistency and support best practices for managing multiple account organizations.

For more information about dashboards, see the following articles:

Endpoint Agent Views

The view provides the ability to search for an agent and view its performance, associated application performance, and infrastructure performance in a single page.

To utilize the Agent View:

  1. Navigate to Endpoint Experience > Agent Views in the ThousandEyes platform.

  2. Use the Search section to enter and select the specific Endpoint Agent you want to examine.

  1. In the Metrics section, select Connection, and select RSSI from the dropdown correpsonding to Connection.

  2. You can now see the visual representation of the SSIDs tested during the selected time frame along with their corresponding RSSI values.

  3. In the Segment Visualization section, on the Connection tab, you can view wireless data such as SSID, BSSID, channel, PHY mode, connection score, Wi-Fi signal quality, RSSI, and link speed.

  1. For viewing the detailed entries for events, you can refer to the Logs tab in the Logs and Metrics section.

You can refer the Agent Views documentation to learn more about analyzing and troubleshooting.

Local Network Views

The Local Networks view shows wireless data aggregated from multiple endpoint agents, unlike the Single Agent view, which displays data for individual agents. To access this view, go to Endpoint Experience > Views, and then select Local Networks and Wireless.

In this view, the Endpoint table lists all endpoint agents active during the selected time frame, along with relevant wireless metrics.

The BSSID Table provides the same view from the BSSID perspective.

Features Not Supported

Currently, the following Endpoint Agent features are not supported or do not apply to WAT:

  • Real User and Dynamic tests

  • Browser extension

  • Throughput rate

  • Retransmission rate

  • Channel Swap Events

PreviousCisco Secure Client ThousandEyes Endpoint Agent ModuleNextEndpoint Agent Licensing

Last updated