In this post, we will look at how a 6GHz client device can discover an AP. Clients have a couple of methods for discovering APs, and we’ll explore both of them in a series of posts:
1. Out of Band Discovery (6GHz BSSID Discovery via Legacy bands – 2.4GHz/5.0GHz): This method (also known as RNR – Reduced Neighbor Report) involves clients seeking out 6GHz APs by initially scanning the more familiar 2.4GHz and 5.0GHz bands. Since many 6GHz APs are also configured to support these legacy bands, this is a preferred method for most AP vendors and client devices.
2. In-Band Discovery (6GHz BSSID Discovery via 6GHz band): Here, clients directly search for 6GHz APs within the 6GHz band. However, it’s important to note that not all client devices support this method. For example, Apple devices currently rely on “Out of Band Discovery”, so if your AP only enables the 6GHz band, these devices won’t be able to discover it.
Now, let’s shift our focus to the various “In-Band Discovery” methods available:
a. Preferred Scan Channel (PSC): This method involves clients scanning specific preferred channels (15 out of 59) within the 6GHz band to find APs efficiently.
b. Fast Initial Link Setup (FILS): FILS is all about speeding up the initial connection process by allowing clients to communicate with APs more rapidly.
c. Unsolicited Probe Responses (UPR): In this method, APs actively send out probe responses to help clients discover them without the clients initiating the probe request.
In my testing setup shown below, I used a Cisco CW9166I AP (A special thanks to Nicholas Swiatecki for providing me these APs) with a Cisco 9800 running on IOS-XE 17.12.1. It’s worth noting that this release marked the first 9800 IOS-XE version to support 6GHz in AU regulatory domains. However, in this lab setup, I had to use US regulatory settings (due to the AP’s previously provisioned with Meraki and was in US regulatory).
To configure these discovery options in Cisco 9800, you’ll typically find the settings under “RF Profile.” Here, I’ve provided my 6GHz RF profile, where I’ve left the discovery settings at their default values. Pay special attention to “PSC enforcement,” which is disabled by default under RRM > DCA (Radio Resource Management) in the 6GHz RF profile.
Within the 802.11ax section of the RF Profile, you’ll find the option to enable FILS and UPR discovery mechanisms. This information is particularly relevant when you’re exclusively utilizing the 6GHz band without enabling 2.4GHz or 5GHz on the AP.
Here is the CLI of my “MRNL-6GHz” RF profile configuration. Other than disabling low data rates (anything below 24Mbps) & modifying TPC min and max everything else is left to default settings.
C9800-3#sh run| be ap dot11 6ghz rf-profile MRNL-6GHz ap dot11 6ghz rf-profile MRNL-6GHz rate RATE_12M disable rate RATE_18M disable rate RATE_24M mandatory rate RATE_6M disable rate RATE_9M disable tx-power max 20 tx-power min 8 no shutdown
You can use “show run all” to see all parameters configured
C9800-3#sh run all | be ap dot11 6ghz rf-profile MRNL-6GHz ap dot11 6ghz rf-profile MRNL-6GHz channel chan-width maximum WIDTH_MAX channel chan-width minimum WIDTH_20MHz channel foreign client-aware-fra client-count-reset 1 client-aware-fra client-reset-util 5 client-network-preference default coverage data rssi threshold -80 coverage exception 25 coverage level 3 coverage voice rssi threshold -80 dot11ax bcast-probe-response time-interval 20 dot11ax multi-bssid-profile default-multi-bssid-profile no dot11ax spatial-reuse obss-pd dot11ax spatial-reuse obss-pd non-srg-max -62 no dot11ax spatial-reuse obss-pd srg dot11ax spatial-reuse obss-pd srg srg-max -62 dot11ax spatial-reuse obss-pd srg srg-min -82 high-density clients count 200 high-density rx-sop threshold auto load-balancing denial 3 load-balancing window 5 ndp-mode auto rate RATE_12M disable rate RATE_18M disable rate RATE_24M mandatory rate RATE_36M supported rate RATE_48M supported rate RATE_54M supported rate RATE_6M disable rate RATE_9M disable no rssi-check rssi-threshold -127 trap threshold clients 12 trap threshold interference 10 trap threshold noise -70 trap threshold utilization 80 tx-power max 20 tx-power min 8 tx-power v1 threshold -70 no shutdown
I’ve linked the RF Profile mentioned above to the RF tag named ‘rft1-MRNL.’ If you’ve been following my previous post on “9800 FlexConnect Basics“, you’ll recall that I used “MRN-Flex” Flex profile which assign VLAN 129 for local switched clients. I have associated it with the ‘st2-mrn-us’ site tag. In this setup, I’ve configured the ‘mrn-psk’ SSID to broadcast exclusively on the 6GHz band. It’s important to note that when using the 6GHz band, security is restricted to WPA3 only. Mixed mode also known as transition mode, which combines WPA2 and WPA3, is not supported.
Here is the CLI equivalent of the above configuration for my WLAN profile.
wlan wp1-psk 101 mrn-psk radio policy dot11 6ghz security ft no security wpa wpa2 security wpa psk set-key ascii 0 Cisco123 no security wpa akm dot1x security wpa akm ft sae security wpa akm sae security wpa akm sae pwe h2e security wpa wpa3 security pmf mandatory no shutdown
I have set my AP 6GHz radio to 160MHz channel width (if no one using the spectrum it is all yours at the moment 
) while channel 37 is the Primary channel.
Next, I captured CH37 with 160MHz width using Airtool with my Macbook Pro (M2). Here is the PCAP and screenshot below showing FILS discovery frames (did not expect to see them as we selected “none” under 6GHz Discovery frames in RF profile) sent in addition to the Beacon Frames with the default RF profile configuration settings that we used.
I’ve got a Pixel 6, a Win 11 Dell Laptop with Intel AX211, a Windows 11 PC with Netgear USB adapter AXE3000, and a Macbook Pro M2, all of which are 6GHz-capable clients. However, due to Apple’s lack of support for ‘In-band Discovery,’ my MacBook can’t detect this SSID for connection. Here’s filtered traffic for my Pixel 6’s MAC address as it connects to the SSID, without any control frames.
If you examine the details closely, you’ll notice a significant difference in how APs handle probe requests from clients. In legacy bands like 2.4GHz and 5.0GHz, APs individually respond to each probe request from clients by sending unicast Probe Response frames. However, in the 6GHz band, APs always transmit a Probe Response to the broadcast MAC address, allowing every client to process it. This approach effectively reduces the load on the AP, particularly in densely populated environments where numerous clients may simultaneously send probe requests.
Here is another capture taken including all three clients(Pix6, Intel AX211, Netgear USB) association to the given SSID
In upcoming posts, we will look at FILS, PSC, UPR and RNR (‘Out of band Discovery’) in detail.
Refereces
1. AP Discovery Methods for 6GHz Wi-Fi (Cisco Blog)
2. The Road to Discover AP in 6GHz (Extreme Blog)
2. iPadpro Wi-Fi6E Scanning & SSID Discovery (Jiri’s blog)