Cisco IOS Software Configuration Guide for Cisco Aironet Access Points Cisco IOS Releases 12.4(3g)JA and 12.3(8)JEB April 2007 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS Preface xix Audience Purpose xix xix Organization xx Conventions xxi Related Publications xxiii Obtaining Documentation, Obtaining Support, and Security Guidelines CHAPTER 1 Overview xxiv 1-1 Features 1-2 Features Introduced in This Release 1-2 Japan Upgrade Utility 1-2 Multiple VLAN and Rate Limiting Support for Point-to-Multipoint Bridging Client MFP Support 1-3 Regulatory Changes for Taiwan 1-3 Universal Workgroup Bridge 1-4 Management Options Roaming Client Devices 1-4 1-4 Net
Contents Using Online Help 2-14 Changing the Location of Help Files Disabling the Web-Browser Interface CHAPTER 3 Using the Command-Line Interface Cisco IOS Command Modes Getting Help 2-14 2-15 3-1 3-2 3-3 Abbreviating Commands 3-3 Using no and default Forms of Commands Understanding CLI Messages 3-4 3-4 Using Command History 3-4 Changing the Command History Buffer Size 3-5 Recalling Commands 3-5 Disabling the Command History Feature 3-5 Using Editing Features 3-6 Enabling and Disabling Editin
Contents Default Settings on the Express Setup Page 4-14 Configuring Basic Security Settings 4-15 Understanding Express Security Settings 4-18 Using VLANs 4-18 Express Security Types 4-19 Express Security Limitations 4-21 Using the Express Security Page 4-21 CLI Configuration Examples 4-22 Configuring System Power Settings for 1130 and 1240 Series Access Points Using the IP Setup Utility 4-28 Obtaining IPSU 4-28 Using IPSU to Find the Access Point’s IP Address Assigning an IP Address Using the CLI Using
Contents Controlling Access Point Access with TACACS+ 5-15 Default TACACS+ Configuration 5-15 Configuring TACACS+ Login Authentication 5-15 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Displaying the TACACS+ Configuration 5-17 Configuring Ethernet Speed and Duplex Settings 5-18 Configuring the Access Point for Wireless Network Management 5-18 Configuring the Access Point for Local Authentication and Authorization Configuring the Authentication Cache and Profile Con
Contents Creating a Banner 5-35 Default Banner Configuration 5-35 Configuring a Message-of-the-Day Login Banner Configuring a Login Banner 5-37 5-35 Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode 5-37 Migrating to Japan W52 Domain 5-37 Verifying the Migration 5-39 Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging CLI Command 5-40 CHAPTER 6 Configuring Radio Settings 5-39 6-1 Enabling the Radio Interface 6-2 Configuring the Role in Radio Network 6
Contents Enabling and Disabling Public Secure Packet Forwarding Configuring Protected Ports 6-29 Configuring the Beacon Period and the DTIM Configure RTS Threshold and Retries 6-30 6-30 Configuring the Maximum Data Retries 6-31 Configuring the Fragmentation Threshold 6-31 Enabling Short Slot Time for 802.
Contents CHAPTER 8 Configuring Spanning Tree Protocol 8-1 Understanding Spanning Tree Protocol 8-2 STP Overview 8-2 350 Series Bridge Interoperability 8-3 Access Point/Bridge Protocol Data Units 8-3 Election of the Spanning-Tree Root 8-4 Spanning-Tree Timers 8-5 Creating the Spanning-Tree Topology 8-5 Spanning-Tree Interface States 8-5 Blocking State 8-7 Listening State 8-7 Learning State 8-7 Forwarding State 8-8 Disabled State 8-8 Configuring STP Features 8-8 Default STP Configuration 8-8 Configuring
Contents Using Debug Messages CHAPTER 10 9-11 Configuring Cipher Suites and WEP 10-1 Understanding Cipher Suites and WEP 10-2 Configuring Cipher Suites and WEP 10-3 Creating WEP Keys 10-3 WEP Key Restrictions 10-5 Example WEP Key Setup 10-5 Enabling Cipher Suites and WEP 10-6 Matching Cipher Suites with WPA and CCKM 10-7 Enabling and Disabling Broadcast Key Rotation 10-7 CHAPTER 11 Configuring Authentication Types 11-1 Understanding Authentication Types 11-2 Open Authentication to the Access P
Contents Understanding Fast Secure Roaming Understanding Radio Management Understanding Layer 3 Mobility 12-3 12-5 12-5 Understanding Wireless Intrusion Detection Services 12-6 Configuring WDS 12-7 Guidelines for WDS 12-8 Requirements for WDS 12-8 Configuration Overview 12-8 Configuring Access Points as Potential WDS Devices 12-9 CLI Configuration Example 12-13 Configuring Access Points to use the WDS Device 12-14 CLI Configuration Example 12-15 Configuring the Authentication Server to Support WDS 12-
Contents CHAPTER 13 Configuring RADIUS and TACACS+ Servers 13-1 Configuring and Enabling RADIUS 13-2 Understanding RADIUS 13-2 RADIUS Operation 13-3 Configuring RADIUS 13-4 Default RADIUS Configuration 13-4 Identifying the RADIUS Server Host 13-5 Configuring RADIUS Login Authentication 13-7 Defining AAA Server Groups 13-9 Configuring RADIUS Authorization for User Privileged Access and Network Services Configuring Packet of Disconnect 13-12 Starting RADIUS Accounting m 13-13 Selecting the CSID Format 13
Contents Using a RADIUS Server to Assign Users to VLANs 14-8 Using a RADIUS Server for Dynamic Mobility Group Assignment Viewing VLANs Configured on the Access Point 14-9 VLAN Configuration Example CHAPTER 15 Configuring QoS 14-9 14-10 15-1 Understanding QoS for Wireless LANs 15-2 QoS for Wireless LANs Versus QoS on Wired LANs Impact of QoS on a Wireless LAN 15-2 Precedence of QoS Settings 15-3 Using Wi-Fi Multimedia Mode 15-4 Configuring QoS 15-5 Configuration Guidelines 15-5 Configuring QoS Using
Contents CHAPTER 17 Configuring CDP 17-1 Understanding CDP 17-2 Configuring CDP 17-2 Default CDP Configuration 17-2 Configuring the CDP Characteristics 17-2 Disabling and Enabling CDP 17-3 Disabling and Enabling CDP on an Interface Monitoring and Maintaining CDP CHAPTER 18 Configuring SNMP 17-4 17-4 18-1 Understanding SNMP 18-2 SNMP Versions 18-2 SNMP Manager Functions 18-3 SNMP Agent Functions 18-4 SNMP Community Strings 18-4 Using SNMP to Access MIB Variables 18-4 Configuring SNMP 18-5 Def
Contents Setting Up a Repeater As a WPA Client Understanding Hot Standby 19-8 19-8 Configuring a Hot Standby Access Point 19-9 Verifying Standby Operation 19-12 Understanding Workgroup Bridge Mode 19-13 Treating Workgroup Bridges as Infrastructure Devices or as Client Devices Configuring a Workgroup Bridge for Roaming 19-15 Configuring a Workgroup Bridge for Limited Channel Scanning 19-15 Configuring the Limited Channel Set 19-15 Ignoring the CCX Neighbor List 19-16 Configuring a Client VLAN 19-16 Confi
Contents Preparing to Download or Upload a Configuration File by Using FTP 20-13 Downloading a Configuration File by Using FTP 20-13 Uploading a Configuration File by Using FTP 20-14 Copying Configuration Files by Using RCP 20-15 Preparing to Download or Upload a Configuration File by Using RCP 20-16 Downloading a Configuration File by Using RCP 20-16 Uploading a Configuration File by Using RCP 20-17 Clearing Configuration Information 20-18 Deleting a Stored Configuration File 20-18 Working with Software I
Contents Setting a Logging Rate Limit 21-9 Configuring UNIX Syslog Servers 21-10 Logging Messages to a UNIX Syslog Daemon Configuring the UNIX System Logging Facility Displaying the Logging Configuration CHAPTER 22 Wireless Device Troubleshooting 21-10 21-12 22-1 Checking the Top Panel Indicators 22-2 Indicators on 1130 Series Access Points 22-6 Indicators on 1240 Series Access Points 22-9 Indicators on 1300 Outdoor Access Point/Bridges Normal Mode LED Indications 22-11 Power Injector 22-13 Checking
Contents APPENDIX C Error and Event Messages Conventions C-1 C-2 Software Auto Upgrade Messages C-3 Association Management Messages Unzip Messages C-4 C-5 802.
Preface Audience This guide is for the networking professional who installs and manages Cisco Aironet Access Points. To use this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of wireless local area networks. The guide covers two Cisco IOS releases: 12.4(3g)JA and 12.3(8)JEB. Cisco IOS Release 12.
Preface This guide also includes an overview of the access point web-based interface (APWI), which contains all the functionality of the command-line interface (CLI). This guide does not provide field-level descriptions of the APWI windows nor does it provide the procedures for configuring the access point from the APWI. For all APWI window descriptions and procedures, refer to the access point online help, which is available from the Help buttons on the APWI pages.
Preface Chapter 15, “Configuring QoS,” describes how to configure and manage MAC address, IP, and Ethertype filters on the access point using the web-browser interface. Chapter 17, “Configuring CDP,” describes how to configure Cisco Discovery Protocol (CDP) on your access point. CDP is a device-discovery protocol that runs on all Cisco network equipment. Chapter 18, “Configuring SNMP,” describes how to configure the Simple Network Management Protocol (SNMP) on your access point.
Preface Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual. Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data. Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Waarschuwing
Preface Advarsel This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. (To see translations of the warnings that appear in this publication, refer to the appendix "Translated Safety Warnings".) Aviso This warning symbol indicates danger.
Preface Obtaining Documentation, Obtaining Support, and Security Guidelines For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.
C H A P T E R 1 Overview Cisco Aironet Access Points Cisco wireless devices (hereafter called access points or wireless devices) provide a secure, affordable, and easy-to-use wireless LAN solution that combines mobility and flexibility with the enterprise-class features required by networking professionals. With a management system based on Cisco IOS software, Cisco Aironet wireless devices are Wi-Fi certified, 802.11a-compliant, 802.11b-compliant, and 802.
Chapter 1 Overview Features Features This section lists features supported on wireless devices running Cisco IOS software. Note The proxy Mobile-IP feature is not supported in Cisco IOS Releases 12.3(2)JA and later. Note Cisco IOS Release 12.3(8)JEB is a maintenance release only. No new features are included in this release. Features Introduced in This Release Table 1-1 lists the new features in Cisco IOS Release 12.4(3g)JA and the supported platforms.
Chapter 1 Overview Features • U regulatory domain = W52 The upgrade utility allows users to migrate their 802.11a radios from J52 to W52. The utility operates on the following devices: • 1130 series access points • 1200 series access points with RM21 and RM22A radios • 1240 series access points Users must migrate all 802.11a radios in their wireless network from J52 to W52. There cannot be a mix of radios in the network operating in the J52 and W52 bands because of overlap.
Chapter 1 Overview Management Options Universal Workgroup Bridge This feature provides the means for Cisco access points configured as workgroup bridges (WGBs) to associate with non-Cisco access points. In addition, the feature provides the WGB with the ability to be continuously in World Mode. See the “Configuring the Role in Radio Network” section on page 6-2 for more information on universal workgroup bridge configuration.
Chapter 1 Overview Network Configuration Examples Root Access Point An access point connected directly to a wired LAN provides a connection point for wireless users. If more than one access point is connected to the LAN, users can roam from one area of a facility to another without losing their connection to the network. As users move out of range of one access point, they automatically connect to the network (associate) through another access point.
Chapter 1 Overview Network Configuration Examples Figure 1-2 Access Point as Repeater (figure labels: Repeater, Access point) Bridges The 1200 and 1240 access points and the 1300 access point/bridge can be configured as root or non-root bridges. In this role, an access point establishes a wireless link with a non-root bridge. Traffic is passed over the link to the wired LAN. Access points in root and non-root bridge roles can be configured to accept associations from clients.
Chapter 1 Overview Network Configuration Examples Figure 1-4 Access Points as Root and Non-root Bridges with Clients (figure labels: Root bridge, Non-root bridge) When wireless bridges are used in a point-to-multipoint configuration, the throughput is reduced depending on the number of non-root bridges that associate with the root bridge. The maximum throughput is about 25 Mbps in a point-to-point link. The addition of three bridges to form a point-to-multipoint network reduces the throughput to about 12.5 Mbps.
Chapter 1 Overview Network Configuration Examples Central Unit in an All-Wireless Network In an all-wireless network, an access point acts as a stand-alone root unit. The access point is not attached to a wired LAN; it functions as a hub linking all stations together. The access point serves as the focal point for communications, increasing the communication range of wireless users. Figure 1-6 shows an access point in an all-wireless network.
CH A P T E R 2 Using the Web-Browser Interface This chapter describes the web-browser interface that you can use to configure the wireless device. The details regarding the configuration parameters are contained in the help system.
Chapter 2 Using the Web-Browser Interface Note Avoid using both the CLI and the web-browser interfaces to configure the wireless device. If you configure the wireless device using the CLI, the web-browser interface might display an inaccurate interpretation of the configuration. However, the inaccuracy does not necessarily mean that the wireless device is misconfigured.
Chapter 2 Using the Web-Browser Interface Using the Web-Browser Interface for the First Time Using the Web-Browser Interface for the First Time Use the wireless device’s IP address to browse to the management system. See the “Obtaining and Assigning an IP Address” section on page 4-4 for instructions on assigning an IP address to the wireless device. Follow these steps to begin using the web-browser interface: Step 1 Start the browser.
Chapter 2 Using the Web-Browser Interface Using the Management Pages in the Web-Browser Interface Using Action Buttons Table 2-1 lists the page links and buttons that appear on most management pages.
Chapter 2 Using the Web-Browser Interface Enabling HTTPS for Secure Browsing Table 2-1 Common Buttons on Management Pages (continued) Button/Link Description System Software Displays the version number of the firmware that the wireless device is running and provides links to configuration pages for upgrading and managing firmware.
Chapter 2 Using the Web-Browser Interface Enabling HTTPS for Secure Browsing Follow these steps to create an FQDN and enable HTTPS: Step 1 If your browser uses popup-blocking software, disable the popup-blocking feature. Step 2 Browse to the Express Setup page. Figure 2-2 shows the Express Setup page. Figure 2-2 Express Setup Page Step 3 Enter a name for the access point in the System Name field and click Apply. Step 4 Browse to the Services – DNS page. Figure 2-3 shows the Services – DNS page.
Chapter 2 Using the Web-Browser Interface Enabling HTTPS for Secure Browsing Figure 2-3 Services – DNS Page Step 5 Select Enable for Domain Name System. Step 6 In the Domain Name field, enter your company’s domain name. At Cisco Systems, for example, the domain name is cisco.com. Step 7 Enter at least one IP address for your DNS server in the Name Server IP Addresses entry fields. Step 8 Click Apply. The access point’s FQDN is a combination of the system name and the domain name.
Chapter 2 Using the Web-Browser Interface Enabling HTTPS for Secure Browsing Step 10 Browse to the Services: HTTP Web Server page. Figure 2-4 shows the HTTP Web Server page: Figure 2-4 Services: HTTP Web Server Page Step 11 Select the Enable Secure (HTTPS) Browsing check box and click Apply. Step 12 Enter a domain name and click Apply. Note Although you can enable both standard HTTP and HTTPS, Cisco recommends that you enable one or the other.
Chapter 2 Using the Web-Browser Interface Enabling HTTPS for Secure Browsing Step 14 Another warning window appears stating that the access point’s security certificate is valid but is not from a known source. However, you can accept the certificate with confidence because the site in question is your own access point. Figure 2-6 shows the certificate warning window: Figure 2-6 Certificate Warning Window Step 15 Click View Certificate to accept the certificate before proceeding.
Chapter 2 Using the Web-Browser Interface Enabling HTTPS for Secure Browsing Figure 2-7 Certificate Window Step 16 On the Certificate window, click Install Certificate. The Microsoft Windows Certificate Import Wizard appears. Figure 2-8 shows the Certificate Import Wizard window.
Chapter 2 Using the Web-Browser Interface Enabling HTTPS for Secure Browsing Figure 2-8 Certificate Import Wizard Window Step 17 Click Next. The next window asks where you want to store the certificate. Cisco recommends that you use the default storage area on your system. Figure 2-9 shows the window that asks about the certificate storage area. Figure 2-9 Certificate Storage Area Window Step 18 Click Next to accept the default storage area.
Chapter 2 Using the Web-Browser Interface Enabling HTTPS for Secure Browsing Figure 2-10 Certificate Completion Window Step 19 Click Finish. Windows displays a final security warning. Figure 2-11 shows the security warning. Figure 2-11 Certificate Security Warning Step 20 Click Yes. Windows displays another window stating that the installation is successful. Figure 2-12 shows the completion window.
Chapter 2 Using the Web-Browser Interface Enabling HTTPS for Secure Browsing Figure 2-12 Import Successful Window Step 21 Click OK. Step 22 On the Certificate window shown in Figure 2-7, which is still displayed, click OK. Step 23 On the Security Alert window shown in Figure 2-6, click Yes. Step 24 The access point login window appears and you must log into the access point again. The default user name is Cisco (case-sensitive) and the default password is Cisco (case-sensitive).
Chapter 2 Using the Web-Browser Interface Using Online Help Using Online Help Click the help icon at the top of any page in the web-browser interface to display online help. Figure 2-13 shows the help and print icons. Figure 2-13 Help and Print Icons When a help page appears in a new browser window, use the Select a topic drop-down menu to display the help index or instructions for common configuration tasks, such as configuring VLANs.
Chapter 2 Using the Web-Browser Interface Disabling the Web-Browser Interface Table 2-2 shows an example help location and Help Root URL for an 1100 series access point. Table 2-2 Example Help Root URL and Help Location
Files Unzipped at This Location: //myserver/myhelp
Default Help Root URL: http://myserver/myhelp
Actual Location of Help Files: //myserver/myhelp/123-02.JA/1100
Step 5 Click Apply.
Chapter 2 Using the Web-Browser Interface Disabling the Web-Browser Interface Cisco IOS Software Configuration Guide for Cisco Aironet Access Points 2-16 OL-11350-01
CH A P T E R 3 Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) that you can use to configure the wireless device.
Chapter 3 Using the Command-Line Interface Cisco IOS Command Modes Cisco IOS Command Modes The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode. When you start a session on the wireless device, you begin in user mode, often called user EXEC mode. A subset of the Cisco IOS commands are available in user EXEC mode.
Chapter 3 Using the Command-Line Interface Getting Help Getting Help You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 3-2. Table 3-2 Help Summary
Command: help. Purpose: Obtains a brief description of the help system in any command mode.
Command: abbreviated-command-entry? Purpose: Obtains a list of commands that begin with a particular character string.
Chapter 3 Using the Command-Line Interface Using no and default Forms of Commands Using no and default Forms of Commands Most configuration commands also have a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface. Use the command without the keyword no to re-enable a disabled feature or to enable a feature that is disabled by default.
Chapter 3 Using the Command-Line Interface Using Command History Changing the Command History Buffer Size By default, the wireless device records ten command lines in its history buffer. Beginning in privileged EXEC mode, enter this command to change the number of command lines that the wireless device records during the current terminal session: ap# terminal history [size number-of-lines] The range is from 0 to 256.
Chapter 3 Using the Command-Line Interface Using Editing Features Using Editing Features This section describes the editing features that can help you manipulate the command line. It contains these sections: • Enabling and Disabling Editing Features, page 3-6 • Editing Commands Through Keystrokes, page 3-6 • Editing Command Lines that Wrap, page 3-7 Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled, you can disable it.
Chapter 3 Using the Command-Line Interface Using Editing Features Table 3-5 Editing Commands Through Keystrokes (continued)
Capability: Delete entries if you make a mistake or change your mind. Keystroke1: Delete or Backspace. Purpose: Erase the character to the left of the cursor. Keystroke1: Ctrl-D. Purpose: Delete the character at the cursor. Keystroke1: Ctrl-K. Purpose: Delete all characters from the cursor to the end of the command line.
Capability: Capitalize or lowercase words or capitalize a set of letters.
Chapter 3 Using the Command-Line Interface Searching and Filtering Output of show and more Commands In this example, the access-list global configuration command entry extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left.
Chapter 3 Using the Command-Line Interface Accessing the CLI Accessing the CLI You can open the wireless device’s CLI using Telnet or Secure Shell (SSH). Opening the CLI with Telnet Follow these steps to open the CLI with Telnet. These steps are for a PC running Microsoft Windows with a Telnet terminal application. Check your PC operating instructions for detailed instructions for your operating system. Step 1 Select Start > Programs > Accessories > Telnet.
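The note in the Services: HTTP Web Server steps (enable either standard HTTP or HTTPS, not both) and this section's choice between Telnet and SSH both come down to what the running configuration still permits. The following Python script is an added example, not code from the Cisco guide or from Cisco: it scans a `show running-config` excerpt for `ip http server`, `ip http secure-server` and the `transport input` lines under each `line vty` range, and reports where plaintext management access remains enabled. Both configuration excerpts are constructed samples, not output from a real device.

```python
"""Check the management-plane settings of a Cisco IOS access point config.

Added example, not from the Cisco guide: reports plain HTTP or Telnet
management access that is still enabled after HTTPS and SSH are in place.
"""
import re

# Constructed sample excerpts of 'show running-config' output (not from a
# real device). The first still allows HTTP and Telnet; the second does not.
MIXED_CONFIG = """\
hostname ap
!
ip http server
ip http secure-server
!
line con 0
 transport input none
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
!
end
"""

HARDENED_CONFIG = """\
hostname ap
!
no ip http server
ip http secure-server
!
line con 0
line vty 0 4
 login local
 transport input ssh
!
end
"""


def audit_management_plane(config_text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    lines = [ln.rstrip() for ln in config_text.splitlines()]
    stripped = {ln.strip() for ln in lines}
    http_on = "ip http server" in stripped            # 'no ip http server' does not match
    https_on = "ip http secure-server" in stripped
    if http_on and https_on:
        findings.append(("medium", "HTTP and HTTPS both enabled; keep only "
                                   "'ip http secure-server' (add 'no ip http server')"))
    elif http_on:
        findings.append(("high", "Only plain HTTP management is enabled; enable "
                                 "'ip http secure-server' and disable 'ip http server'"))
    elif not https_on:
        findings.append(("info", "No web server enabled at all (CLI-only management)"))

    vty = None  # label of the 'line vty' range whose settings are being read
    for ln in lines:
        if ln.startswith("line "):                     # any 'line ...' starts a new block
            m = re.match(r"^line vty (\d+) (\d+)$", ln)
            vty = f"line vty {m.group(1)} {m.group(2)}" if m else None
            continue
        m = re.match(r"^\s+transport input (.+)$", ln)
        if m and vty:
            protocols = m.group(1).split()
            if "telnet" in protocols or "all" in protocols:
                findings.append(("high", f"{vty}: Telnet accepted ('transport input "
                                         f"{m.group(1)}'); restrict to 'transport input ssh'"))
    return findings


def is_hardened(config_text):
    """True when no high- or medium-severity finding remains."""
    return not any(sev in ("high", "medium")
                   for sev, _ in audit_management_plane(config_text))


if __name__ == "__main__":
    for name, cfg in (("mixed", MIXED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_management_plane(cfg) or "no findings")
```

Run it against a saved copy of the running configuration to confirm that enabling HTTPS and SSH was followed by turning the plaintext services off; the script reads only the lines it names and deliberately treats `transport input all` the same as an explicit `telnet`.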
CH A P T E R 4 Configuring the Access Point for the First Time This chapter describes how to configure basic settings on the wireless device for the first time. The contents of this chapter are similar to the instructions in the quick start guide that shipped with the wireless device.
Chapter 4 Configuring the Access Point for the First Time Before You Start Before You Start Before you install the wireless device, make sure you are using a computer connected to the same network as the wireless device, and obtain the following information from your network administrator: • The login and password for the access point.
Chapter 4 Configuring the Access Point for the First Time Before You Start Step 4 Enter the wireless device password in the Password field and press Enter. The default password is Cisco. The Summary Status page appears. Step 5 Click System Software and the System Software screen appears. Step 6 Click System Configuration and the System Configuration screen appears. Step 7 Click the Reset to Defaults button to reset all settings, including the IP address, to factory defaults.
Chapter 4 Configuring the Access Point for the First Time Obtaining and Assigning an IP Address Obtaining and Assigning an IP Address To browse to the wireless device’s Express Setup page, you must either obtain or assign the wireless device’s IP address using one of the following methods: • If you have an 1130AG, 1200, 1240 series access point or 1300 series access point/bridge, connect to the access point console port and assign a static IP address.
Chapter 4 Configuring the Access Point for the First Time Connecting to the 1100 Series Access Point Locally The 1300 series access point/bridge assumes a radio network role of a root access point. To configure it as a bridge, you must manually place it in install mode in order to align the antennas and establish a link. To establish the link you must have two access point/bridges configured in the install mode.
Chapter 4 Configuring the Access Point for the First Time Connecting to the 1130 Series Access Point Locally Connecting to the 1130 Series Access Point Locally If you need to configure the access point locally (without connecting the access point to a wired LAN), you can connect a PC to its console port using a DB-9 to RJ-45 serial cable. Follow these steps to open the CLI by connecting to the access point console port: Step 1 Open the access point cover.
Chapter 4 Configuring the Access Point for the First Time Connecting to the 1300 Series Access Point/Bridge Locally Note When your configuration changes are completed, you must remove the serial cable from the access point.
Chapter 4 Configuring the Access Point for the First Time Default Radio Settings Default Radio Settings Beginning with Cisco IOS Release 12.3(8)JA, access point radios are disabled and no default SSID is assigned. This was done in order to prevent unauthorized users from accessing a customer’s wireless network through an access point having a default SSID and no security settings. You must create an SSID before you can enable the access point radio interfaces.
Chapter 4 Configuring the Access Point for the First Time Assigning Basic Settings Figure 4-1 Summary Status Page Step 5 Click Express Setup. The Express Setup screen appears. Figure 4-2 and Figure 4-3 show the Express Setup page for the 1100 series access points. Your pages may differ depending on the access point model and configuration you are using.
Chapter 4 Configuring the Access Point for the First Time Assigning Basic Settings Figure 4-2 Express Setup Page for 1100 Series Access Points
Chapter 4 Configuring the Access Point for the First Time Assigning Basic Settings Figure 4-3 Express Setup Page for 1130, 1200, and 1240 Series Access Points Note Figure 4-3 shows the Express Setup page for an 1130 series access point. The 1200 series is similar, but does not support the universal workgroup bridge role.
Chapter 4 Configuring the Access Point for the First Time Assigning Basic Settings Figure 4-4 Express Setup Page for the 1300 Series Access Point/Bridge Step 6 Enter the configuration settings you obtained from your system administrator. The configurable settings include: • Host Name— The host name, while not an essential setting, helps identify the wireless device on your network. The host name appears in the titles of the management system pages.
Chapter 4 Configuring the Access Point for the First Time Assigning Basic Settings • IP Address—Use this setting to assign or change the wireless device’s IP address. If DHCP is enabled for your network, leave this field blank. Note If the wireless device’s IP address changes while you are configuring the wireless device using the web-browser interface or a Telnet session over the wired LAN, you lose your connection to the wireless device.
Chapter 4 Configuring the Access Point for the First Time Assigning Basic Settings – Custom—The wireless device uses the settings you enter on the Network Interfaces: Radio-802.11b Settings page. Clicking Custom takes you to the Network Interfaces: Radio-802.11b Settings page. • Aironet Extensions—Enable this setting if there are only Cisco Aironet wireless devices on your wireless LAN.
Chapter 4 Configuring the Access Point for the First Time Configuring Basic Security Settings Table 4-1 Default Settings on the Express Setup Page (continued) Setting Default Optimize Radio Network for Throughput Aironet Extensions Enable Configuring Basic Security Settings After you assign basic settings to the wireless device, you must configure security settings to prevent unauthorized access to your network.
Chapter 4 Configuring the Access Point for the First Time Configuring Basic Security Settings Figure 4-5 Express Security Page
Chapter 4 Configuring the Access Point for the First Time Configuring Basic Security Settings The Express Security page helps you configure basic security settings. You can use the web-browser interface’s main Security pages to configure more advanced security settings.
Chapter 4 Configuring the Access Point for the First Time Configuring Basic Security Settings Understanding Express Security Settings The SSIDs that you create using the Express security page appear in the SSID table at the bottom of the page. You can create up to 16 SSIDs on the wireless device. On dual-radio wireless devices, the SSIDs that you create are enabled on both radio interfaces. In Cisco IOS Release 12.4(3g)JA and 12.3(8)JEB, there is no default SSID.
Chapter 4 Configuring the Access Point for the First Time Configuring Basic Security Settings Express Security Types Table 4-2 describes the four security types that you can assign to an SSID. Table 4-2 Security Types on Express Security Setup Page Security Type Description Security Features Enabled No Security None. This is the least secure option. You should use this option only for SSIDs used in a public space and assign it to a VLAN that restricts access to your network.
Chapter 4 Configuring the Access Point for the First Time Configuring Basic Security Settings Table 4-2 Security Types on Express Security Setup Page (continued) Security Type Description Security Features Enabled EAP Authentication This option enables 802.1X authentication (such as LEAP, PEAP, EAP-TLS, EAP-FAST, EAP-TTLS, EAP-GTC, EAP-SIM, and other 802.1X/EAP based products) Mandatory 802.1X authentication. Client devices that associate using this SSID must perform 802.1X authentication.
Express Security Limitations
Because the Express Security page is designed for simple configuration of basic security, the options available are a subset of the wireless device’s security capabilities. Keep these limitations in mind when using the Express Security page:
• If the No VLAN option is selected, the static WEP key can be configured once.
CLI Configuration Examples
The examples in this section show the CLI commands that are equivalent to creating SSIDs using each security type on the Express Security page.
Example: Static WEP
This example shows part of the configuration that results from using the Express Security page to create an SSID called static_wep_ssid, excluding the SSID from the beacon, assigning the SSID to VLAN 20, selecting 3 as the key slot, and entering a 128-bit key:
ssid static_wep_ssid
vlan 20
authentication open
!
interface Dot11Radio0/1
no ip address
no ip route-cache
!
encryption vlan 20 key 3 s
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
Example: EAP Authentication
This example shows part of the configuration that results from using the Express Security page to create an SSID called eap_ssid, excluding the SSID from the beacon, and assigning the SSID to VLAN 30:
Note The following warning message appea
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0/1.
aaa new-model
!
!
aaa group server radius rad_eap
server 10.91.104.
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.
Using a Power Injector
If you use a power injector to provide power to the 1130 or 1240 access point, select Power Injector on the System Software: System Configuration page and enter the MAC address of the switch port to which the access point is connected.
dot11 extension power native Command
When enabled, the dot11 extension power native command shifts the power tables the radio uses from the IEEE 802.
Figure 4-7 IPSU Get IP Address Screen
Step 2 When the utility window opens, make sure the Get IP addr radio button in the Function box is selected.
Step 3 Enter the wireless device’s MAC address in the Device MAC ID field. The wireless device’s MAC address is printed on the label on the bottom of the unit. It should contain six pairs of hexadecimal digits.
Step 2 interface bvi1: Enter interface configuration mode for the BVI.
Step 3 ip address address mask: Assign an IP address and address mask to the BVI.
Note If you are connected to the wireless device using a Telnet session, you lose your connection to the wireless device when you assign a new IP address to the BVI.
Configuring the 802.1X Supplicant
You can complete the phases in any order, but they must be completed before the supplicant becomes operational.
Creating a Credentials Profile
Beginning in privileged EXEC mode, follow these steps to create an 802.1X credentials profile:
Step 1 configure terminal: Enter global configuration mode.
Applying the Credentials Profile to the Wired Port
Beginning in privileged EXEC mode, follow these steps to apply the credentials to the access point’s wired port:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface fastethernet 0: Enter interface configuration mode for the access point’s Fast Ethernet port.
The following example applies the credentials profile test to the SSID testap1 on a repeater access point.
repeater-ap>enable
Password:xxxxxxx
repeater-ap#config terminal
Enter configuration commands, one per line. End with CTRL-Z.
CHAPTER 5 Administering the Access Point Wireless Device Access
This chapter describes how to administer the wireless device.
Disabling the Mode Button
You can disable the mode button on access points that have a console port by using the [no] boot mode-button command. This command prevents password recovery and is used to prevent unauthorized users from gaining access to the access point CLI.
Caution This command disables password recovery.
Preventing Unauthorized Access to Your Access Point
You can prevent unauthorized users from reconfiguring the wireless device and viewing configuration information. Typically, you want network administrators to have access to the wireless device while you restrict access to users who connect through a terminal or workstation from within the local network.
Protecting Access to Privileged EXEC Commands
Default Password and Privilege Level Configuration
Table 5-1 shows the default password and privilege level configuration.
Table 5-1 Default Password and Privilege Levels
Feature: Username and password. Default Setting: Default username is Cisco and the default password is Cisco.
Feature: Enable password and privilege level. Default Setting: Default password is Cisco. The default is level 15 (privileged EXEC level).
Step 3 end: Return to privileged EXEC mode.
Step 4 show running-config: Verify your entries.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
The enable password is not encrypted and can be read in the wireless device configuration file. This example shows how to change the enable password to l1u2c3k4y5.
Protecting Enable and Enable Secret Passwords with Encryption
To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands. Of the two, enable secret stores a one-way hash of the password, whereas the enable password is stored in a readable or reversible form, so prefer enable secret.
If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels.
To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command. You must have at least one username configured and you must have login local set to open a Telnet session to the wireless device.
Step 3 enable password level level password: Specify the enable password for the privilege level.
• For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
• For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces.
Controlling Access Point Access with RADIUS
RADIUS provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands.
Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.3.
Step 3 aaa authentication login {default | list-name} method1 [method2...]: Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations.
Defining AAA Server Groups
You can configure the wireless device to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
Step 3 radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]: Specify the IP address or host name of the remote RADIUS server host.
• (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command.
Step 5 show running-config: Verify your entries.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Configuring Ethernet Speed and Duplex Settings
You can assign the wireless device Ethernet port speed and duplex settings. Cisco recommends that you use auto, the default setting, for both the speed and duplex settings on the wireless device Ethernet port.
Configuring the Access Point for Local Authentication and Authorization
You can configure AAA to operate without a server by configuring the wireless device to implement AAA in local mode. The wireless device then handles authentication and authorization. No accounting is available in this configuration.
To disable AAA, use the no aaa new-model global configuration command. To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
!
aaa group server tacacs+ tac_admin
server 192.168.133.
!
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
tacacs-server host 192.168.133.231 key 7 105E080A16001D1908
tacacs-server directed-request
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.134.
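The tacacs-server host line in the excerpt above stores its shared key as type 7 (key 7 ...), and the earlier discussion of enable password versus enable secret turns on the same point: type 7 is a fixed-key XOR obfuscation, not encryption, and anyone who can read the configuration file (or a copy on a TFTP server) can recover the plaintext. The following Python example is added here and is not part of the Cisco guide; it implements the publicly known type 7 encode/decode, scans a configuration for key 7 and password 7 tokens, and applies that to the key shown above. The constant key string is the one IOS uses; SAMPLE_CONFIG is constructed for the example (its second line is an enable password assumed to have been stored under service password-encryption), and the function names are my own.

```python
"""Encode and decode Cisco IOS type 7 ("service password-encryption") strings.

Added example, not from the Cisco guide.  Type 7 is a fixed-key XOR:
the first two characters are a decimal seed (0-15) giving the starting
offset into the constant key below, and each following pair of hex
digits is one plaintext byte XORed with successive key bytes.
"""
from typing import List, Tuple

# Constant key used by IOS for type 7 strings; publicly documented.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a type 7 string such as '105E080A16001D1908'."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("type 7 string must be a 2-digit seed plus an even number of hex digits")
    seed = int(encoded[:2], 10)
    if not 0 <= seed <= 15:
        raise ValueError("seed out of range")
    body = bytes.fromhex(encoded[2:])
    out = bytearray()
    for i, b in enumerate(body):
        out.append(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)])
    return out.decode("latin-1")


def type7_encode(plaintext: str, seed: int = 0) -> str:
    """Produce a type 7 string for plaintext, starting at key offset seed (0-15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    data = plaintext.encode("latin-1")
    body = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def reveal_type7_lines(config_text: str) -> List[Tuple[str, str]]:
    """Find 'key 7 <hex>' and 'password 7 <hex>' tokens in a config and decode them.

    Returns (original line, recovered plaintext) pairs in file order.
    """
    found = []
    for line in config_text.splitlines():
        tokens = line.split()
        for i in range(len(tokens) - 2):
            if tokens[i] in ("key", "password") and tokens[i + 1] == "7":
                try:
                    found.append((line.strip(), type7_decode(tokens[i + 2])))
                except ValueError:
                    pass            # malformed token: not a type 7 string
                break
    return found


# Constructed sample: the TACACS+ line from the guide's excerpt, plus an
# enable password assumed to be stored under service password-encryption.
SAMPLE_CONFIG = """\
tacacs-server host 192.168.133.231 key 7 105E080A16001D1908
enable password 7 {}
""".format(type7_encode("l1u2c3k4y5", seed=5))

if __name__ == "__main__":
    for line, plain in reveal_type7_lines(SAMPLE_CONFIG):
        print(f"{line}  ->  {plain!r}")
```

Running it shows that the type 7 TACACS+ key from the excerpt decodes to the string password. The practical consequence is the one the chapter draws for enable passwords: treat type 7 as cleartext when handling configuration backups, use enable secret (a one-way hash) for the enable password, and do not rely on service password-encryption to protect RADIUS or TACACS+ shared keys.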
Configuring the Access Point to Provide DHCP Service
Note When you configure the access point as a DHCP server, it assigns IP addresses to devices on its subnet. The devices communicate with other devices on the subnet but not beyond it. If data needs to be passed beyond the subnet, you must assign a default router. The IP address of the default router should be on the same subnet as the access point configured as the DHCP server.
Use the no form of these commands to return to default settings. This example shows how to configure the wireless device as a DHCP server, exclude a range of IP addresses, and assign a default router:
AP# configure terminal
AP(config)# ip dhcp excluded-address 172.16.1.1 172.16.1.20
AP(config)# ip dhcp pool wishbone
AP(dhcp-config)# network 172.16.1.0 255.255.255.
Clear Commands
In privileged EXEC mode, use the commands in Table 5-3 to clear DHCP server variables.
Table 5-3 Clear Commands for DHCP Server
clear ip dhcp binding {address | *}: Deletes an automatic address binding from the DHCP database. Specifying the address argument clears the automatic binding for a specific (client) IP address.
Note The SSH feature in this software release does not support IP Security (IPSec).
Configuring SSH
Before configuring SSH, download the crypto software image from Cisco.com. For more information, refer to the release notes for this release. For information about configuring SSH and displaying SSH settings, refer to Part 5, “Other Security Features” in the Cisco IOS Security Configuration Guide for Release 12.
Configuring ARP Caching
Beginning in privileged EXEC mode, follow these steps to configure the wireless device to maintain an ARP cache for associated clients:
Step 1 configure terminal: Enter global configuration mode.
Step 2 dot11 arp-cache [optional]: Enable ARP caching on the wireless device.
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080a23d02.shtml
If multiple servers are at the same stratum, a configured server is preferred over a broadcast server. If multiple servers pass both tests, the first one to send a time packet is selected.
Beginning in privileged EXEC mode, follow these steps to set the system clock:
Step 1 clock set hh:mm:ss day month year, or the command's alternative format: Manually set the system clock using one of these formats.
• For hh:mm:ss, specify the time in hours (24-hour format), minutes, and seconds. The time specified is relative to the configured time zone.
• For day, specify the day by date in the month.
Step 1 configure terminal: Enter global configuration mode.
Step 2 clock timezone zone hours-offset [minutes-offset]: Set the time zone. The wireless device keeps internal time in Coordinated Universal Time (UTC), so this command is used only for display purposes and when the time is manually set.
Step 4 show running-config: Verify your entries.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time.
Defining HTTP Access
By default, port 80 is used for HTTP access and port 443 is used for HTTPS access. These values can be customized by the user. Follow these steps to define HTTP access.
Step 1 From the access point GUI, click Services > HTTP. The Service: HTTP-Web server window appears.
Step 2 On this window, enter the desired HTTP and HTTPS port numbers.
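The management-access sections of this chapter each describe a setting whose weak form is easy to leave in place: an enable password with no enable secret, the factory username Cisco / password Cisco from Table 5-1, no aaa new-model, vty lines without login local or a login authentication list, Telnet rather than SSH, and the web interface served over HTTP on port 80 rather than HTTPS (the configuration excerpt earlier in this chapter has ip http server with no ip http secure-server). The following Python example is added here and is not part of the Cisco guide; it audits the text of show running-config for those weak forms and reports one finding per rule. The two sample configurations are constructed for the example, the secret hashes in the hardened one are placeholders rather than real hashes, and the rule names are my own.

```python
"""Audit an autonomous-AP running-config for weak management-access settings.

Added example, not from the Cisco guide.  Input is the text of
`show running-config`; rule names are my own.  The checks follow the
chapter: prefer enable secret (one-way hash) over enable password,
replace the default Cisco/Cisco credentials, enable AAA, require
login local or a login authentication list on vty lines, prefer SSH
over Telnet, and serve the web UI over HTTPS rather than HTTP.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]   # (rule name, detail)


def _split_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return top-level lines and a map of block header -> indented child lines."""
    top: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
            continue
        current = line
        top.append(line)
        blocks.setdefault(current, [])
    return top, blocks


def audit_config(config: str) -> List[Finding]:
    top, blocks = _split_config(config)
    findings: List[Finding] = []

    def has(prefix: str) -> bool:
        return any(line.startswith(prefix) for line in top)

    # enable secret is a one-way hash; enable password is stored readably (type 0 or type 7).
    if has("enable password") and not has("enable secret"):
        findings.append(("enable-password-only", "enable password is set without enable secret"))

    for line in top:
        if re.match(r"username Cisco (?:password|secret) (?:\d )?Cisco$", line):
            findings.append(("default-credentials", "default username Cisco / password Cisco still present"))
        elif re.match(r"username \S+ .*\bpassword\b", line):
            findings.append(("username-password", f"{line.split()[1]}: uses password (readable) instead of secret"))

    if not has("aaa new-model"):
        findings.append(("no-aaa", "aaa new-model is not configured"))

    # Web UI on port 80 is cleartext; 'no ip http secure-server' does not satisfy has().
    if has("ip http server") and not has("ip http secure-server"):
        findings.append(("http-cleartext", "ip http server enabled without ip http secure-server"))

    for header, children in blocks.items():
        if not header.startswith("line vty"):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        if not transports or any("telnet" in c or c.endswith(" all") for c in transports):
            detail = "; ".join(transports) or "no transport input line, default applies"
            findings.append(("vty-telnet", f"{header}: Telnet accepted ({detail})"))
        if not any(c.startswith(("login local", "login authentication")) for c in children):
            findings.append(("vty-login", f"{header}: no login local / login authentication"))
    return findings


# Constructed sample configurations.  WEAK_CONFIG keeps the factory defaults from
# Table 5-1 and the HTTP lines of the chapter's excerpt; the secret hashes in
# HARDENED_CONFIG are placeholders, not real hashes.
WEAK_CONFIG = """\
hostname ap
enable password l1u2c3k4y5
username Cisco password 0 Cisco
ip http server
ip http authentication aaa
no ip http secure-server
line vty 0 4
 login local
 transport input all
"""

HARDENED_CONFIG = """\
hostname ap
aaa new-model
aaa authentication login default local
enable secret 5 $1$placeholder$placeholderhash
username admin secret 5 $1$placeholder$placeholderhash
no ip http server
ip http secure-server
line vty 0 4
 login authentication default
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "no findings")
```

The parser keys on IOS indentation (child lines of a line vty or interface block start with a space), which is enough for these rules; anything more elaborate, such as following named method lists back to their aaa authentication login definitions, would need a real configuration model.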
Step 1 configure terminal: Enter global configuration mode.
Step 2 hostname name: Manually configure a system name. The default setting is ap.
Note When you change the system name, the wireless device radios reset, and associated client devices disassociate and quickly reassociate.
Note You can enter up to 63 characters for the system name.
Table 5-5 Default DNS Configuration
DNS enable state: Disabled.
DNS default domain name: None configured.
DNS servers: No name server addresses are configured.
Setting Up DNS
Beginning in privileged EXEC mode, follow these steps to set up the wireless device to use the DNS:
Step 1 configure terminal: Enter global configuration mode.
To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command. To disable DNS on the wireless device, use the no ip domain-lookup global configuration command.
Displaying the DNS Configuration
To display the DNS configuration information, use the show running-config privileged EXEC command.
Creating a Banner
Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:
Step 1 configure terminal: Enter global configuration mode.
Step 2 banner motd c message c: Specify the message of the day. For c, enter the delimiting character of your choice, such as a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text.
Configuring a Login Banner
You can configure a login banner to appear on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner:
Step 1 configure terminal: Enter global configuration mode.
Migrating to Japan W52 Domain
The following CLI command is used to migrate an access point 802.11a radio to the W52 domain:
dot11 migrate j52 w52
After the appropriate warnings are displayed and you enter y, the migration process starts and completes after the access point reboots twice. The firmware initialization code reads and initializes the regulatory domain when the radio hardware is reset.
Verifying the Migration
Use the show controllers command to confirm the migration, as shown in this typical example:
ap#show controllers dot11Radio 1
!
interface Dot11Radio1
Radio AIR-AP1242A, Base Address 0013.5f0e.d1e0, BBlock version 0.00, Software version 5.95.
Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging
In a typical scenario, multiple VLAN support permits users to set up point-to-multipoint bridge links with remote sites, with each remote site on a separate VLAN. This configuration lets the user separate and control traffic to each site. Rate limiting ensures that no remote site consumes more than a specified amount of the entire link bandwidth.
CHAPTER 6 Configuring Radio Settings
This chapter describes how to configure radio settings for the wireless device.
Enabling the Radio Interface
The wireless device radios are disabled by default.
Note In Cisco IOS Release 12.3(8)JA there is no default SSID. You must create a Service Set Identifier (SSID) before you can enable the radio interface.
Beginning in privileged EXEC mode, follow these steps to enable the access point radio:
Step 1 configure terminal: Enter global configuration mode.
Table 6-1 Device Role in Radio Network Configuration (continued)
Universal workgroup bridge (see note 1): supported on AP1130, AP1240, and 1300AP/BR; not supported on AP1200 or AP1100.
Scanner: supported on AP1200, AP1100, AP1130, AP1240, and 1300AP/BR.
1. When configuring a universal workgroup bridge using AES-CCM TKIP, the non-root device should use only TKIP or AES-CCM TKIP as ciphers in order to associate to the root device.
Step 3 station-role non-root {bridge | wireless-clients}: Set the wireless device role.
• Set the role to non-root bridge with or without wireless clients, repeater access point, root access point or bridge, scanner, or workgroup bridge.
• Bridge modes are available only on the 1200 and 1240 series access points.
Note When you set the role in the radio network to bridge or workgroup bridge and enable the interface using the no shut command, the physical status and the software status of the interface are up only if the access point or bridge on the other end is up. Otherwise, only the physical status of the device is up. The software status of the device comes up only when the device on the other end is configured and up.
Configuring Dual-Radio Fallback
Note This feature is supported by dual-radio access points such as the AP1240, AP1230, and AP1130.
Note This feature does not affect the fallback feature for single-radio access points.
You can configure dual-radio fallback in three ways:
• Radio tracking
• Fast Ethernet tracking
• MAC-address tracking
Radio Tracking
You can configure the access point to track or monitor the status of one of its radios.
Bridge Features Not Supported
The following features are not supported when a 1200 or 1240 series access point is configured as a bridge:
• Clear Channel Assessment (CCA)
• Interoperability with 1400 series bridge
• Concatenation
• Install mode
• EtherChannel and PAgP configuration on the switch
Configuring Radio Data Rates
You use the data rate settings to choose the data rates the wireless device uses for data transmission.
to be made based on resources available to the wireless project, type of traffic the users will be passing, service level desired, and, as always, the quality of the RF environment. When you enter throughput for the data rate setting, the wireless device sets all four data rates to basic.
Note When a wireless network has a mixed environment of 802.11b clients and 802.11g clients, make sure that data rates 1, 2, 5.
Step 3 speed: Set each data rate to basic or enabled, or enter range to optimize range or throughput to optimize throughput. These options are available for the 802.11b, 2.4-GHz radio:
• {[1.0] [11.0] [2.0] [5.5] [basic-1.0] [basic-11.0] [basic-2.0] [basic-5.5] | range | throughput}
Enter 1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, and 54.0 to set these data rates to enabled on the 802.11g, 2.
Step 4 end: Return to privileged EXEC mode.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Use the no form of the speed command to remove one or more data rates from the configuration. This example shows how to remove data rates basic-2.0 and basic-5.
Configuring Radio Transmit Power
Beginning in privileged EXEC mode, follow these steps to set the transmit power on access point radios:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface dot11radio {0 | 1}: Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Step 3 power local: These options are available for the 802.11b, 2.
Limiting the Power Level for Associated Client Devices
You can also limit the power level on client devices that associate to the wireless device. When a client device associates to the wireless device, the wireless device sends the maximum power level setting to the client.
Note Cisco AVVID documentation uses the term Dynamic Transmit Power Control (DTPC) to refer to limiting the power level on associated client devices.
Configuring Radio Channel Settings
The default channel setting for the wireless device radios is least congested; at startup, the wireless device scans for and selects the least-congested channel. For the most consistent performance after a site survey, however, we recommend that you assign a static channel setting for each access point.
Step 3 channel {frequency | least-congested}: Set the default channel for the wireless device radio. Table 6-3 through Table 6-6 show the available channels and frequencies for all radios. Table 6-3 and Table 6-4 show the channels and frequencies. To search for the least-congested channel on startup, enter least-congested.
Table 6-4 Channels and Available Frequencies for IEEE 802.11g 2.
Table 6-6 shows the available frequencies for the RM21A and RM22A IEEE 802.11a 5-GHz radios.
Table 6-6 Channels and Available Frequencies for the RM21A and RM22A IEEE 802.11a 5-GHz radios
Channel IDs: 34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 149, 153, 157, 161, 165
Dynamic Frequency Selection
Access points with 5-GHz radios configured at the factory for use in the United States, Europe, Singapore, Korea, Japan, Israel, and Taiwan now comply with regulations that require radio devices to use Dynamic Frequency Selection (DFS) to detect radar signals and avoid interfering with them. When an access point detects radar on a channel, it avoids using that channel for 30 minutes.
Prior to transmitting on any channel listed in Table 6-7, the access point radio performs a Channel Availability Check (CAC). The CAC is a 60-second scan for the presence of radar signals on the channel. The following sample messages are displayed on the access point console, showing the beginning and end of the CAC scan:
*Mar 6 07:37:30.423: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5500 MHz for 60 seconds
*Mar 6 07:37:30.
Uniform Spreading Required: Yes
Current Frequency: 5300 MHz Channel 60 (DFS enabled)
Allowed Frequencies: 5180(36) 5200(40) 5220(44) 5240(48) *5260(52) *5280(56) *5300(60) *5320(64) *5500(100) *5520(104) *5540(108) *5560(112) *5580(116) *5660(132) *5680(136) *5700(140) 5745(149) 5765(153) 5785(157) 5805(161)
* = May only be selected by Dynamic Frequency Selection (DFS)
Listen Freq
Blocking Channels from DFS Selection
If your regulatory domain limits the channels that you can use in specific locations, for example indoors or outdoors, you can block groups of channels to prevent the access point from selecting them when DFS is enabled.
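The DFS description above states three rules that a monitoring script can apply: a DFS channel may be used only after its 60-second Channel Availability Check, a channel on which radar was detected is avoided for 30 minutes, and the show controllers output marks channels that only DFS may select with an asterisk; the paragraph above adds that an administrator can block whole channel groups from selection. The following Python example is added here and is not part of the Cisco guide; it parses the Allowed Frequencies line and the %DOT11-6-DFS_SCAN_START console message in the formats shown above, tracks the CAC and the 30-minute non-occupancy period per channel, honours a blocked set, and picks a usable channel. The sample lines are constructed in the guide's formats, the year supplied for the IOS timestamp and the radar event are assumptions (the guide shows no radar-detected message, so radar is fed in as an event rather than parsed), and the class and function names are my own.

```python
"""Track DFS channel availability for an autonomous AP 5-GHz radio.

Added example, not from the Cisco guide.  Parses the 'Allowed Frequencies'
line of `show controllers dot11Radio 1` (DFS-only channels are starred) and
the %DOT11-6-DFS_SCAN_START console message that opens a Channel
Availability Check (CAC), then applies the rules the guide states: a DFS
channel is usable only after its CAC completes, and a channel on which
radar was detected is avoided for 30 minutes (and needs a fresh CAC after).
"""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

NON_OCCUPANCY = timedelta(minutes=30)

_FREQ_RE = re.compile(r"(\*?)(\d{4})\((\d+)\)")
_SCAN_RE = re.compile(
    r"\*?(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d)(?:\.\d+)?: "
    r"%DOT11-6-DFS_SCAN_START: DFS: Scanning frequency (\d+) MHz for (\d+) seconds"
)


def parse_allowed(line: str) -> Dict[int, Tuple[int, bool]]:
    """Map channel -> (MHz, dfs_required) from an 'Allowed Frequencies:' line."""
    return {int(ch): (int(mhz), star == "*") for star, mhz, ch in _FREQ_RE.findall(line)}


def parse_scan_start(line: str, year: int) -> Optional[Tuple[int, datetime, datetime]]:
    """Return (MHz, cac_start, cac_end) for a DFS_SCAN_START message, else None.

    IOS timestamps carry no year, so the caller supplies one (an assumption).
    """
    m = _SCAN_RE.search(line)
    if not m:
        return None
    mon, day, hms, mhz, secs = m.groups()
    start = datetime.strptime(f"{year} {mon} {int(day):02d} {hms}", "%Y %b %d %H:%M:%S")
    return int(mhz), start, start + timedelta(seconds=int(secs))


class DfsTracker:
    def __init__(self, allowed: Dict[int, Tuple[int, bool]], blocked: Iterable[int] = ()):
        self.allowed = allowed
        self.blocked = set(blocked)                 # channels the administrator excluded
        self.cac_end: Dict[int, datetime] = {}      # channel -> time its CAC finished
        self.radar_until: Dict[int, datetime] = {}  # channel -> end of non-occupancy period

    def channel_for(self, mhz: int) -> Optional[int]:
        for ch, (freq, _) in self.allowed.items():
            if freq == mhz:
                return ch
        return None

    def cac_started(self, mhz: int, start: datetime, end: datetime) -> None:
        ch = self.channel_for(mhz)
        if ch is not None:
            self.cac_end[ch] = end

    def radar_detected(self, mhz: int, when: datetime) -> None:
        ch = self.channel_for(mhz)
        if ch is not None:
            self.radar_until[ch] = when + NON_OCCUPANCY
            self.cac_end.pop(ch, None)              # a new CAC is required before reuse

    def usable(self, now: datetime) -> List[int]:
        out = []
        for ch, (_, dfs) in self.allowed.items():
            if ch in self.blocked:
                continue
            if ch in self.radar_until and now < self.radar_until[ch]:
                continue
            if dfs and not (ch in self.cac_end and self.cac_end[ch] <= now):
                continue
            out.append(ch)
        return sorted(out)

    def choose(self, now: datetime, current: Optional[int] = None) -> Optional[int]:
        """Stay on the current channel while it is usable; otherwise take the lowest usable one."""
        ok = self.usable(now)
        if current in ok:
            return current
        return ok[0] if ok else None


# Constructed sample input in the formats the guide shows (year assumed to be 2007).
ALLOWED_LINE = ("Allowed Frequencies: 5180(36) 5200(40) 5220(44) 5240(48) *5260(52) "
                "*5280(56) *5300(60) *5320(64) *5500(100) *5520(104) *5540(108) *5560(112) "
                "*5580(116) *5660(132) *5680(136) *5700(140) 5745(149) 5765(153) 5785(157) 5805(161)")
SCAN_LINE = "*Mar  6 07:37:30.423: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5500 MHz for 60 seconds"


def demo() -> dict:
    """Walk CAC, a constructed radar event, and the non-occupancy period on channel 100."""
    tracker = DfsTracker(parse_allowed(ALLOWED_LINE), blocked=(149, 153, 157, 161))
    parsed = parse_scan_start(SCAN_LINE, year=2007)
    assert parsed is not None
    mhz, start, end = parsed

    def at(minutes: int) -> datetime:
        return start + timedelta(minutes=minutes)

    tracker.cac_started(mhz, start, end)
    result = {"cac_seconds": int((end - start).total_seconds())}
    result["during_cac"] = tracker.usable(start + timedelta(seconds=30))
    result["after_cac"] = tracker.usable(at(2))
    result["pick_after_cac"] = tracker.choose(at(2), current=100)
    tracker.radar_detected(5500, at(3))             # constructed radar event on channel 100
    result["after_radar"] = tracker.usable(at(8))
    result["pick_after_radar"] = tracker.choose(at(8), current=100)
    result["at_30min"] = tracker.usable(at(33))     # blackout over, but no new CAC yet
    tracker.cac_started(5500, at(33), at(34))
    result["after_new_cac"] = tracker.usable(at(35))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The walk-through shows the edge case that matters operationally: when the 30-minute non-occupancy period ends, the channel does not simply return to service, because the radio must run another 60-second CAC first, so a client population that was moved off a DFS channel should expect at least that much additional delay before it can return.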
Configuring Location-Based Services
This section describes how to configure location-based services using the access point CLI. As with other access point features, you can use a WLSE on your network to configure LBS on multiple access points. LBS settings do not appear on the access point GUI in this release.
Understanding Location-Based Services
Cisco recommends that you configure a minimum of three access points for LBS.
Step 3 server-address ip-address port port: Enter the IP address of the location server and the port on the server to which the access point sends UDP packets that contain location information.
Step 4 method {rssi}: (Optional) Select the location method that the access point uses when reporting location information to the location server.
network there. Cisco client devices running firmware version 5.30.17 or later detect whether the wireless device is using 802.11d or Cisco legacy world mode and automatically use the world mode that matches the mode used by the wireless device. You can also configure world mode to be always on. In this configuration, the access point essentially roams between countries, changing its settings as required.
Chapter 6 Configuring Radio Settings Configuring Transmit and Receive Antennas • Long—A long preamble ensures compatibility between the wireless device and all early models of Cisco Aironet Wireless LAN Adapters (PC4800 and PC4800A). If these client devices do not associate to the wireless devices, you should use short preambles. You cannot configure short or long radio preambles on the 5-GHz radio.
Chapter 6 Configuring Radio Settings Enabling and Disabling Gratuitous Probe Response Step 3 Command Purpose gain dB Specifies the resultant gain of the antenna attached to the device. Enter a value from –128 to 128 dB. If necessary, you can use a decimal in the value, such as 1.5. Note Step 4 This setting does not affect the behavior of the wireless device; it only informs the WLSE on your network of the device’s antenna gain.
Chapter 6 Configuring Radio Settings Disabling and Enabling Aironet Extensions Command Purpose Step 6 end Return to privileged EXEC mode. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. The optional parameters can be configured independently or combined when you do not want to use the defaults, as shown in the following examples: (config-if)# probe-response gratuitous period 30 (config-if)# probe-response gratuitous speed 12.
Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the dot11 extension aironet command to enable Aironet extensions if they are disabled. Configuring the Ethernet Encapsulation Transformation Method When the wireless device receives data packets that are not 802.
whether multicast packets reach the intended workgroup bridge, so workgroup bridges at the edge of the wireless device's coverage area might lose IP connectivity. When you treat workgroup bridges as client devices, you increase performance but reduce reliability. Note This feature is best suited for use with stationary workgroup bridges.
PSPF is disabled by default. Beginning in privileged EXEC mode, follow these steps to enable PSPF: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1. Step 3 bridge-group group port-protected Enable PSPF.
For detailed information on protected ports and port blocking, refer to the “Configuring Port-Based Traffic Control” chapter in the Catalyst 3550 Multilayer Switch Software Configuration Guide, 12.1(12c)EA1. Click this link to browse to that guide: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_12c_ea1/configuration/guide/3550scg.
Command Purpose Step 3 rts threshold value Set the RTS threshold. Enter an RTS threshold from 0 to 2347. Step 4 rts retries value Set the maximum RTS retries. Enter a setting from 1 to 128. Step 5 end Return to privileged EXEC mode. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no form of the command to reset the RTS settings to defaults.
Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no form of the command to reset the setting to defaults. Enabling Short Slot Time for 802.11g Radios You can increase throughput on the 802.11g, 2.4-GHz radio by enabling short slot time.
The Stream page appears. Step 4 Click the tab for the radio to configure. Step 5 For both CoS 5 (Video) and CoS 6 (Voice) user priorities, choose Low Latency from the Packet Handling drop-down menu and enter a value for maximum retries for packet discard in the corresponding field. The default value for maximum retries is 3 for the Low Latency setting (Figure 6-3).
Viewing Voice Reports You can use a browser to access voice reports listing VoWLAN metrics stored on a WLSE. You can view reports for access point groups and for individual access points. To view voice reports, follow these steps: Step 1 Log in to a WLSE. Step 2 Click the Reports tab. Step 3 Click Voice. Step 4 From the Report Name drop-down menu, choose AP Group Metrics Summary: Current.
• To view a graph of voice bandwidth in use during the last hour, choose Bandwidth In Use (% Allowed) from the Report Name drop-down menu. • To view graphs of voice streams in progress, choose Voice Streams In Progress from the Report Name drop-down menu. • To view a graph of rejected voice streams, choose Rejected Voice Streams from the Report Name drop-down menu. Figure 6-5 is an example of a voice queuing delay graph.
Figure 6-6 Voice Streaming Progress Viewing Wireless Client Reports In addition to viewing voice reports from an access point perspective, you can view them from a client perspective. For every client, the WLSE displays the access points the client associated with and the VoWLAN metrics that were recorded. To view voice reports for wireless clients, follow these steps: Step 1 Log in to a WLSE. Step 2 Click the Reports tab.
Figure 6-7 Wireless Client Metrics Viewing Voice Fault Summary The Faults > Voice Summary page in WLSE displays a summary of the faults detected with the following voice fault types: • Excessive Voice Bandwidth (CAC) • Degraded Voice QOS (TSM) To view a summary of voice faults, follow these steps: Step 1 Log in to a WLSE. Step 2 Click the Faults tab. Step 3 Click Voice Summary.
Figure 6-8 Voice Fault Summary Configuring Voice QoS Settings You can use WLSE’s Faults > Voice QoS Settings screen to define the voice QoS thresholds for the following parameters: • Downstream Delay with U-APSD not used • Downstream Delay with U-APSD used • Upstream Delay • Downstream Packet Loss Rate • Upstream Packet Loss Rate • Roaming Time
To configure voice QoS settings, follow these steps: Step 1 Log in to a WLSE. Step 2 Click the Faults tab. Step 3 Click Voice QoS Settings. Step 4 To change a setting, choose a new value from the corresponding drop-down menu.
Figure 6-10 Fault Settings
Chapter 7 Configuring Multiple SSIDs This chapter describes how to configure and manage multiple service set identifiers (SSIDs) on the access point.
Understanding Multiple SSIDs The SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. Multiple access points on a network or sub-network can use the same SSIDs. SSIDs are case sensitive and can contain up to 32 alphanumeric characters. Do not include spaces in your SSIDs.
Table 7-1 SSID Configuration Methods Supported in Cisco IOS Releases (continued)
Cisco IOS Release: Supported SSID Configuration Method
12.3(4)JA and 12.3(7)JA: Both interface-level and global; all SSIDs saved in global mode
post-12.3(4)JA: Global only
Cisco IOS Release 12.3(7)JA supports configuration of SSID parameters at the interface level on the CLI, but the SSIDs are stored in global mode.
Configuring Multiple SSIDs These sections contain configuration information for multiple SSIDs: • Default SSID Configuration, page 7-4 • Creating an SSID Globally, page 7-4 • Using a RADIUS Server to Restrict SSIDs, page 7-7 Note In Cisco IOS Release 12.3(4)JA and later, you configure SSIDs globally and then apply them to a specific radio interface.
Command Purpose Step 3 authentication client username username password password (Optional) Set an authentication username and password that the access point uses to authenticate to the network when in repeater mode. Set the username and password on the SSID that the repeater access point uses to associate to a root access point, or with another repeater. Step 4 accounting list-name (Optional) Enable RADIUS accounting for this SSID.
Note When you enable guest SSID mode for the 802.11g radio, it applies to the 802.11b radio as well, since 802.11b and 802.11g operate in the same 2.4-GHz band. Use the no form of the command to disable the SSID or to disable SSID features.
SSID [buffalo ] :
SSID [buffalo ] :
Note This command shows only the first 15 characters of the SSID. Use the show dot11 associations client command to see SSIDs having more than 15 characters. Using a RADIUS Server to Restrict SSIDs To prevent client devices from associating to the access point using an unauthorized SSID, you can create a list of authorized SSIDs that clients must use on your RADIUS authentication server.
Note Devices on your wireless LAN that are configured to associate to a specific access point based on the access point MAC address (for example, client devices, repeaters, hot standby units, or workgroup bridges) might lose their association when you add or delete a multiple BSSID. When you add or delete a multiple BSSID, check the association status of devices configured to associate to a specific access point.
Figure 7-1 Global SSID Manager Page Step 2 Enter the SSID name in the SSID field. Step 3 Use the VLAN drop-down menu to select the VLAN to which the SSID is assigned. Step 4 Select the radio interfaces on which the SSID is enabled. The SSID remains inactive until you enable it for a radio interface. Step 5 Enter a Network ID for the SSID in the Network ID field.
Step 7 (Optional) In the Multiple BSSID Beacon Settings section, select the Set SSID as Guest Mode check box to include the SSID in beacons. Step 8 (Optional) To increase the battery life for power-save clients that use this SSID, select the Set Data Beacon Rate (DTIM) check box and enter a beacon rate for the SSID.
Assigning IP Redirection for an SSID When you configure IP redirection for an SSID, the access point redirects all packets sent from client devices associated to that SSID to a specific IP address. IP redirection is used mainly on wireless LANs serving handheld devices that use a central software application and are statically configured to communicate with a specific IP address.
Guidelines for Using IP Redirection Keep these guidelines in mind when using IP redirection: • The access point does not redirect broadcast, unicast, or multicast BOOTP/DHCP packets received from client devices. • Existing ACL filters for incoming packets take precedence over IP redirection.
Including an SSID in an SSIDL IE The access point beacon can advertise only one broadcast SSID. However, you can use SSIDL information elements (SSIDL IEs) in the access point beacon to alert client devices of additional SSIDs on the access point. When you designate an SSID to be included in an SSIDL IE, client devices detect that the SSID is available, and they also detect the security settings required to associate using that SSID.
A client, based on its health (software version, virus version, and so on), is placed on a separate VLAN that is specified to download the required software to upgrade the client to the software versions required to access the network. Four VLANs are specified for NAC support, one of which is the normal VLAN where clients having the correct software version are placed.
Configuring NAC for MBSSID Note This feature supports only Layer 2 mobility within VLANs. Layer 3 mobility using network ID is not supported in this feature. Note Before you attempt to enable NAC for MBSSID on your access points, you should first have NAC working properly. Figure 3 shows a typical network setup.
authentication open
authentication network-eap eap_methods
!
dot11 ssid mktg
vlan mktg-normal backup mktg-infected1, mktg-infected2,
authentication open
authentication network-eap eap_methods
!
interface Dot11Radio0
!
encryption vlan engg-normal key 1 size 40bit 7 482CC74122FD
encryption vlan engg-normal mode ciphers wep40
!
encryption vlan mktg-normal key 1 size 40bit 7 9C3A6F2CBFBC
encryption vlan mktg-normal mode ciphers wep40
!
ssid engg
!
s
Chapter 8 Configuring Spanning Tree Protocol This chapter describes how to configure Spanning Tree Protocol (STP) on your access point. This chapter contains these sections: • Understanding Spanning Tree Protocol, page 8-2 • Configuring STP Features, page 8-8 • Displaying Spanning-Tree Status, page 8-14 Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Command Reference for Access Points and Bridges for this release.
Understanding Spanning Tree Protocol This section describes how spanning-tree features work.
The access point maintains a separate spanning-tree instance for each active VLAN configured on it. A bridge ID, consisting of the bridge priority and the access point MAC address, is associated with each instance. For each VLAN, the access point with the lowest access point ID becomes the spanning-tree root for that VLAN.
When an access point receives a configuration BPDU that contains superior information (lower access point ID, lower path cost, and so forth), it stores the information for that port. If this BPDU is received on the root port of the access point, the access point also forwards it with an updated message to all attached LANs for which it is the designated access point.
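The election and BPDU rules just described, as an added illustration that is not code from the Cisco guide: bridge IDs are (priority, MAC) tuples compared lowest-wins per VLAN, and a received BPDU replaces the stored one only when its root ID, then path cost, then sender ID compare lower. Access point names, MAC addresses and path costs other than the Table 8-2 radio default are constructed sample values.

```python
"""Per-VLAN spanning-tree root election and BPDU comparison (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID as the guide describes it: bridge priority plus MAC address.
    dataclass ordering compares priority first, then MAC, which is exactly
    'lowest priority wins, lowest MAC breaks the tie'."""
    priority: int   # 0-65535; 32768 is the usual default, lower wins
    mac: str        # canonical lower-case "xx:xx:xx:xx:xx:xx"


@dataclass(frozen=True, order=True)
class Bpdu:
    """Fields of a configuration BPDU that decide superiority, in the order
    in which they are compared (lower is better on every field)."""
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId


def elect_roots(vlan_bridges: dict) -> dict:
    """Run the root election independently for every VLAN.

    vlan_bridges maps VLAN -> {access point name: BridgeId}; the result maps
    VLAN -> name of the access point with the lowest bridge ID."""
    return {vlan: min(members, key=members.get)
            for vlan, members in vlan_bridges.items()}


def is_superior(received: Bpdu, stored: Optional[Bpdu]) -> bool:
    """A port with no stored BPDU accepts anything; otherwise the received
    BPDU must compare lower (root ID, then path cost, then sender ID)."""
    return stored is None or received < stored


def update_port(stored: Optional[Bpdu], received: Bpdu,
                port_cost: int) -> Optional[Bpdu]:
    """Apply a received BPDU to a port: the receiving bridge adds the cost of
    the port the BPDU arrived on (Table 8-2 gives 33 for a radio port) and
    keeps the result only if it is superior to what the port already holds."""
    candidate = Bpdu(received.root_id,
                     received.root_path_cost + port_cost,
                     received.sender_id)
    return candidate if is_superior(candidate, stored) else stored


# Constructed sample topology: three access points. "ap-root" carries
# "bridge 1 priority 9000" as in the guide's root-bridge example, so it wins
# VLAN 1 outright; on VLAN 2 everyone keeps the default priority and the
# lowest MAC address decides.
AP_ROOT = BridgeId(9000, "00:0b:85:01:02:03")
AP_NORTH = BridgeId(32768, "00:0b:85:aa:bb:cc")
AP_REMOTE = BridgeId(32768, "00:0b:85:00:00:ff")
SAMPLE_VLANS = {
    1: {"ap-root": AP_ROOT, "ap-north": AP_NORTH, "ap-remote": AP_REMOTE},
    2: {"ap-root": BridgeId(32768, AP_ROOT.mac), "ap-north": AP_NORTH,
        "ap-remote": AP_REMOTE},
}
RADIO_PORT_COST = 33   # Table 8-2 default radio port path cost


def demo() -> dict:
    """Walk one radio port on ap-remote through three received BPDUs and
    return the per-VLAN election plus the BPDU the port ends up holding."""
    port = None
    # Relayed via ap-north: still advertises ap-root as root, cost 52 so far.
    port = update_port(port, Bpdu(AP_ROOT, 52, AP_NORTH), RADIO_PORT_COST)
    # ap-north briefly claims to be root itself: inferior root ID, ignored.
    port = update_port(port, Bpdu(AP_NORTH, 0, AP_NORTH), RADIO_PORT_COST)
    # Heard directly from the root: cost 0 + 33 beats 52 + 33, so it replaces.
    port = update_port(port, Bpdu(AP_ROOT, 0, AP_ROOT), RADIO_PORT_COST)
    return {"roots": elect_roots(SAMPLE_VLANS), "port": port}


if __name__ == "__main__":
    print(demo())
```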
Spanning-Tree Timers Table 8-1 describes the timers that affect the entire spanning-tree performance.
Table 8-1 Spanning-Tree Timers
Variable: Description
Hello timer: Determines how often the access point broadcasts hello messages to other access points.
Forward-delay timer: Determines how long each of the listening and learning states last before the interface begins forwarding.
it can create temporary data loops. Interfaces must wait for new topology information to propagate through the LAN before starting to forward frames. They must allow the frame lifetime to expire for forwarded frames that have used the old topology. Each interface on an access point using spanning tree exists in one of these states: • Blocking—The interface does not participate in frame forwarding.
2. While spanning tree waits for the forward-delay timer to expire, it moves the interface to the learning state and resets the forward-delay timer. 3. In the learning state, the interface continues to block frame forwarding as the access point learns end-station location information for the forwarding database. 4.
Forwarding State An interface in the forwarding state forwards frames. The interface enters the forwarding state from the learning state. An interface in the forwarding state performs as follows: • Receives and forwards frames received on the port • Learns addresses • Receives BPDUs Disabled State An interface in the disabled state does not participate in frame forwarding or in the spanning tree.
Table 8-2 Default STP Values When STP is Enabled (continued)
Setting: Default Value
Ethernet port priority: 128
Radio port path cost: 33
Radio port priority: 128
The radio and Ethernet interfaces and the native VLAN on the access point are assigned to bridge group 1 by default.
STP Configuration Examples These configuration examples show how to enable STP on root and non-root access points with and without VLANs: • Root Bridge Without VLANs, page 8-10 • Non-Root Bridge Without VLANs, page 8-11 • Root Bridge with VLANs, page 8-11 • Non-Root Bridge with VLANs, page 8-13 Root Bridge Without VLANs This example shows the configuration of a root bridge with no VLANs configured and with STP enabled:
hostname
end
Non-Root Bridge Without VLANs This example shows the configuration of a non-root bridge with no VLANs configured with STP enabled:
hostname client-bridge-north
ip subnet-zero
!
bridge irb
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid tsunami
authentication open
guest-mode
!
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.
ip ssh authentication-retries 3
!
bridge irb
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid vlan1
vlan 1
infrastructure-ssid
authentication open
!
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
rts threshold 2312
station-role root
no cdp enable
infrastructure-client
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
no cdp enable
bridge-group 1
!
interface Dot11Radio0.
bridge 1 route ip
bridge 1 priority 9000
bridge 2 protocol ieee
bridge 2 priority 10000
bridge 3 protocol ieee
bridge 3 priority 3100
!
line con 0
exec-timeout 0 0
line vty 5 15
!
end
Non-Root Bridge with VLANs This example shows the configuration of a non-root bridge with VLANs configured with STP enabled:
hostname client-bridge-remote
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
bridge irb
!
interface Dot
speed auto
!
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
!
interface FastEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
!
interface FastEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 path-cost 400
!
interface BVI1
ip address 1.4.64.24 255.255.0.
Chapter 9 Configuring an Access Point as a Local Authenticator This chapter describes how to configure the access point as a local authenticator to serve as a stand-alone authenticator for a small wireless LAN or to provide backup authentication service. As a local authenticator, the access point performs LEAP, EAP-FAST, and MAC-based authentication for up to 50 client devices.
Understanding Local Authentication Many small wireless LANs that could be made more secure with 802.1x authentication do not have access to a RADIUS server. On many wireless LANs that use 802.1x authentication, access points rely on RADIUS servers housed in a distant location to authenticate client devices, and the authentication traffic must cross a WAN link.
Guidelines for Local Authenticators Follow these guidelines when configuring an access point as a local authenticator: • Use an access point that does not serve a large number of client devices. When the access point acts as an authenticator, performance might degrade for associated client devices. • Secure the access point physically to protect its configuration.
Command Purpose Step 3 radius-server local Enable the access point as a local authenticator and enter configuration mode for the authenticator. Step 4 nas ip-address key shared-key Add an access point to the list of units that use the local authenticator. Enter the access point’s IP address and the shared key used to authenticate communication between the local authenticator and other access points.
Command Purpose Step 11 user username { password | nthash } password [ group group-name ] [mac-auth-only] Enter the LEAP and EAP-FAST users allowed to authenticate using the local authenticator. You must enter a username and password for each user.
AP(config-radsrv)# user 00095125d02b password 00095125d02b group cashiers
AP(config-radsrv)# user 00079431f04a password 00079431f04a group cashiers
AP(config-radsrv)# user carl password 272165 group managers
AP(config-radsrv)# user vic password lid178 group managers
AP(config-radsrv)# end
Configuring Other Access Points to Use the Local Authenticator You add the local authenticator to the list of servers o
Each time the access point tries to use the main servers while they are down, the client device trying to authenticate might report an authentication timeout. The client device retries and succeeds when the main servers time out and the access point tries the local authenticator. You can extend the timeout value on Cisco client devices to accommodate expected server timeouts.
In this example, the local authenticator generates a PAC for the username joe, password-protects the file with the password bingo, sets the PAC to expire in 10 days, and writes the PAC file to the TFTP server at 10.0.0.5:
AP# radius local-server pac-generate tftp://10.0.0.5 joe password bingo expiry 10
Configuring an Authority ID All EAP-FAST authenticators are identified by an authority identity (AID).
Limiting the Local Authenticator to One Authentication Type By default, a local authenticator access point performs LEAP, EAP-FAST, and MAC-based authentication for client devices. However, you can limit the local authenticator to perform only one or two authentication types.
Username Successes Failures Blocks
nicky 0 0 0
jones 0 0 0
jsmith 0 0 0
Router#sh radius local-server statistics
Successes : 1 Unknown usernames : 0
Client blocks : 0 Invalid passwords : 0
Unknown NAS : 0 Invalid packet from NAS: 0
NAS : 100.0.0.
Using Debug Messages In privileged EXEC mode, enter this command to control the display of debug messages for the local authenticator:
AP# debug radius local-server { client | eapfast | error | packets }
Use the command options to display this debug information: • Use the client option to display error messages related to failed client authentications.
Chapter 10 Configuring Cipher Suites and WEP This chapter describes how to configure the cipher suites required to use WPA and CCKM authenticated key management, Wired Equivalent Privacy (WEP), WEP features including AES, Message Integrity Check (MIC), Temporal Key Integrity Protocol (TKIP), and broadcast key rotation.
Understanding Cipher Suites and WEP This section describes how WEP and cipher suites protect traffic on your wireless LAN. Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal, any wireless networking device within range of an access point can receive the access point's radio transmissions.
• TKIP (Temporal Key Integrity Protocol)—TKIP is a suite of algorithms surrounding WEP that is designed to achieve the best possible security on legacy hardware built to run WEP.
Beginning in privileged EXEC mode, follow these steps to create a WEP key and set the key properties: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
WEP Key Restrictions Table 10-1 lists WEP key restrictions based on your security configuration.
Note If you enable MIC but you use static WEP (you do not enable any type of EAP authentication), both the access point and any devices with which it communicates must use the same WEP key for transmitting data.
Use the no form of the encryption command to disable a cipher suite. This example sets up a cipher suite for VLAN 22 that enables CKIP (unsupported), CMIC (unsupported), and 128-bit WEP.
Beginning in privileged EXEC mode, follow these steps to enable broadcast key rotation: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
CH A P T E R 11 Configuring Authentication Types This chapter describes how to configure authentication types on the access pointwireless device.
Chapter 11 Configuring Authentication Types Understanding Authentication Types Understanding Authentication Types This section describes the authentication types that you can configure on the access point. The authentication types are tied to the SSIDs that you configure for the access point. If you want to serve different types of client devices with the same access point, you can configure multiple SSIDs.
Chapter 11 Configuring Authentication Types Understanding Authentication Types Figure 11-1 Sequence for Open Authentication Access point or bridge with WEP key = 123 Client device with WEP key = 321 1. Authentication request 2. Authentication response 3. Association request 4. Association response 5. WEP data frame to wired network 54583 6. Key mismatch, frame discarded Shared Key Authentication to the Access Point Cisco provides shared key authentication to comply with the IEEE 802.11b standard.
Chapter 11 Configuring Authentication Types Understanding Authentication Types EAP Authentication to the Network This authentication type provides the highest level of security for your wireless network. By using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key.
Chapter 11 Configuring Authentication Types Understanding Authentication Types There is more than one type of EAP authentication, but the access point behaves the same way for each type: it relays authentication messages from the wireless client device to the RADIUS server and from the RADIUS server to the wireless client device. See the “Assigning Authentication Types to an SSID” section on page 11-10 for instructions on setting up EAP on the access point.
Chapter 11 Configuring Authentication Types Understanding Authentication Types Figure 11-4 Sequence for MAC-Based Authentication Wired LAN Client device Access point or bridge Server 1. Authentication request 2. Authentication success 65584 3. Association request 4. Association response (block traffic from client) 5. Authentication request 6. Success 7.
Chapter 11 Configuring Authentication Types Understanding Authentication Types Figure 11-5 shows the reassociation process using CCKM.
Chapter 11 Configuring Authentication Types Understanding Authentication Types Figure 11-6 shows the WPA key management process. Figure 11-6 WPA Key Management Process Wired LAN Client device Access point Authentication server Client and server authenticate to each other, generating an EAP master key Server uses the EAP master key to generate a pairwise master key (PMK) to protect communication between the client and the access point. (However, if the client is using 802.
Chapter 11 Configuring Authentication Types Understanding Authentication Types To support the security combinations in Table 11-1, your Cisco Aironet access points and Cisco Aironet client devices must run the following software and firmware versions: • Cisco IOS Release 12.2(13)JA or later on access points • Install Wizard version 1.2 for 340, 350, and CB20A client devices, which includes these components: – PC, LM, and PCI card driver version 8.4 – Mini PCI and PC-cardbus card driver version 3.
Chapter 11 Configuring Authentication Types Configuring Authentication Types Note When you configure TKIP-only cipher encryption (not TKIP + WEP 128 or TKIP + WEP 40) on any radio interface or VLAN, every SSID on that radio or VLAN must be set to use WPA or CCKM key management. If you configure TKIP on a radio or VLAN but you do not configure key management on the SSIDs, client authentication fails on the SSIDs.
Chapter 11 Configuring Authentication Types Configuring Authentication Types Command Step 3 Purpose authentication open (Optional) Set the authentication type to open for this SSID. [mac-address list-name [alternate]] Open authentication allows any device to authenticate and then [[optional] eap list-name] attempt to communicate with the access point. • (Optional) Set the SSID’s authentication type to open with MAC address authentication.
Step 5
Command: authentication network-eap list-name [mac-address list-name]
Purpose: (Optional) Set the authentication type for the SSID to Network-EAP. Using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key.
Step 7
Command: end
Purpose: Return to privileged EXEC mode.
Step 8
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

Use the no form of the SSID commands to disable the SSID or to disable SSID features. This example sets the authentication type for the SSID batman to Network-EAP with CCKM authenticated key management.
Configuring Additional WPA Settings
Use two optional settings to configure a pre-shared key on the access point and adjust the frequency of group key updates.

Setting a Pre-Shared Key
To support WPA on a wireless LAN where 802.1X-based authentication is not available, you must configure a pre-shared key on the access point. You can enter the pre-shared key as ASCII or hexadecimal characters.
Step 7
Command: broadcast-key [ vlan vlan-id ] { change seconds } [ membership-termination ] [ capability-change ]
Purpose: Use the broadcast key rotation command to configure additional updates of the WPA group key.
Step 8
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
Use the no form of the dot11 aaa mac-authen filter-cache command to disable MAC authentication caching.
Step 5
Command: dot1x reauth-period { seconds | server }
Purpose: Enter the interval in seconds that the access point waits before forcing an authenticated client to reauthenticate. Enter the server keyword to configure the access point to use the reauthentication period specified by the authentication server. If you use this option, configure your authentication server with RADIUS attribute 27, Session-Timeout.
Creating an EAP Method Profile
Beginning in privileged exec mode, follow these steps to define a new EAP profile:
Step 1
Command: configure terminal
Purpose: Enter global configuration mode.
Step 2
Command: eap profile profile name
Purpose: Enter a name for the profile.
Step 3
Command: description
Purpose: (Optional) Enter a description for the EAP profile.
Step 4
Command: method fast
Purpose: Enter an allowed EAP method or methods.
Applying an EAP Profile to an Uplink SSID
This operation typically applies to repeater access points. Beginning in the privileged exec mode, follow these steps to apply an EAP profile to the uplink SSID.
Step 1
Command: configure terminal
Purpose: Enter the global configuration mode.
Step 2
Command: interface dot11radio {0 | 1}
Purpose: Enter interface configuration mode for the radio interface. The 2.
Table 11-2 Client and Access Point Security Settings (continued)
Security feature: LEAP authentication
Client setting: Enable LEAP
Access point setting: Set up and enable WEP and enable Network-EAP for the SSID1

Security feature: EAP-FAST authentication
Client setting: Enable EAP-FAST and enable automatic provisioning or import a PAC file
Access point setting: Set up and enable WEP and enable Network-EAP for the SSID1

If radio clients are configured
Table 11-2 Client and Access Point Security Settings (continued)
Security feature: 802.1X authentication and WPA
Client setting: Enable any 802.1X authentication method
Access point setting: Select a cipher suite and enable Open authentication and WPA for the SSID (you can also enable Network-EAP authentication in addition to or instead of Open authentication)

Note 802.
Table 11-2 Client and Access Point Security Settings (continued)
Security feature: If using ACU to configure card
Client setting: Enable Host Based EAP and Use Dynamic WEP Keys in ACU and select Enable network access control using IEEE 802.
CHAPTER 12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services

This chapter describes how to configure your access points for wireless domain services (WDS), fast, secure roaming of client devices, radio management, and wireless intrusion detection services (WIDS).
Chapter 12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection

Understanding WDS
When you configure Wireless Domain Services on your network, access points on your wireless LAN use the WDS device (either an access point, an Integrated Services Router, or a switch configured as the WDS device) to provide fast, secure roaming for client devices and to participate in radio management.
Table 12-1 Participating Access Points Supported by WDS Devices (continued)
Unit configured as WDS device: Integrated Services Router (ISR); participating access points supported: 100 (depending on ISR platform)
Unit configured as WDS device: WLSM-equipped switch; participating access points supported: 600

Role of Access Points Using the WDS Device
The access points on your wireless LAN interact with the WDS device in these activ
[Figure 12-1 Client Authentication Using a RADIUS Server: client device, access point or bridge, and RADIUS server on the wired LAN.] 1. Authentication request 2. Identity request (relay to server) (relay to client) 4. Authentication challenge 5. Authentication response (relay to server) (relay to client) 6. Authentication success 7.
device. The WDS device forwards the client’s credentials to the new access point, and the new access point sends the reassociation response to the client. Only two packets pass between the client and the new access point, greatly shortening the reassociation time. The client also uses the reassociation response to generate the unicast key.
[Figure 12-3 Required Components for Layer 3 Mobility: CiscoWorks Wireless LAN Solution Engine (WLSE); Catalyst 6500 with Wireless Domain Services (WDS) on the Wireless LAN Solutions Module (WLSM); CiscoSecure ACS AAA Server; infrastructure access points (registered with WDS).]

Click this link to browse to the information pages for the Cisco Structured Wi
access points. The WLSE examines the BRIDGE MIB of each CDP-discovered switch to determine if they contain any of the target MAC addresses. If CDP finds any of the MAC addresses, WLSE suppresses the corresponding switch port number.
• Excessive management frame detection—Excessive management frames indicate an attack on your wireless LAN.
• Configuring the Authentication Server to Support WDS, page 12-15
• Configuring WDS Only Mode, page 12-20
• Viewing WDS Information, page 12-21
• Using Debug Messages, page 12-22

Guidelines for WDS
Follow these guidelines when configuring WDS:
• A WDS access point that also serves client devices supports up to 30 participating access points, but a WDS access point with radios disa
Figure 12-4 shows the required configuration for each device that participates in WDS.
On the access point that you want to configure as your primary WDS access point, follow these steps to configure the access point as the main WDS candidate:
Step 1 Browse to the Wireless Services Summary page. Figure 12-5 shows the Wireless Services Summary page.
Figure 12-5 Wireless Services Summary Page
Step 2 Click WDS to browse to the WDS/WNM Summary page.
Step 5 In the Wireless Domain Services Priority field, enter a priority number from 1 to 255 to set the priority of this WDS candidate. The WDS access point candidate with the highest number in the priority field becomes the acting WDS access point.
Figure 12-7 WDS Server Groups Page
Step 10 Create a group of servers to be used for 802.1x authentication for the infrastructure devices (access points) that use the WDS access point. Enter a group name in the Server Group Name field.
Step 11 Select the primary server from the Priority 1 drop-down menu.
Step 14 Configure the list of servers to be used for 802.1x authentication for client devices. You can specify a separate list for clients using a certain type of authentication, such as EAP, LEAP, PEAP, or MAC-based, or specify a list for client devices using any type of authentication. Enter a group name for the server or servers in the Server Group Name field.
Configuring Access Points to use the WDS Device
Follow these steps to configure an access point to authenticate through the WDS device and participate in WDS:
Note To participate in WDS, infrastructure access points should run the same version of IOS as the one that WDS runs.
Step 1 Browse to the Wireless Services Summary page.
The access points that you configure to interact with the WDS automatically perform these steps:
• Discover and track the current WDS device and relay WDS advertisements to the wireless LAN.
• Authenticate with the WDS device and establish a secure communication channel to the WDS device.
• Register associated client devices with the WDS device.
Figure 12-9 Network Configuration Page
Step 2 Click Add Entry under the AAA Clients table. The Add AAA Client page appears. Figure 12-10 shows the Add AAA Client page.
Figure 12-10 Add AAA Client Page
Step 3 In the AAA Client Hostname field, enter the name of the WDS device.
Step 4 In the AAA Client IP Address field, enter the IP address of the WDS device.
Step 5 In the Key field, enter exactly the same password that is configured on the WDS device.
Step 6 From the Authenticate Using drop-down menu, select RADIUS (Cisco Aironet).
Figure 12-11 User Setup Page
Step 10 Enter the name of the access point in the User field.
Step 11 Click Add/Edit.
Step 12 Scroll down to the User Setup box. Figure 12-12 shows the User Setup box.
Figure 12-12 ACS User Setup Box
Step 13 Select CiscoSecure Database from the Password Authentication drop-down menu.
Step 14 In the Password and Confirm Password fields, enter exactly the same password that you entered on the access point on the Wireless Services AP page.
Step 15 Click Submit.
Step 17 Browse to the System Configuration page, click Service Control, and restart ACS to apply your entries. Figure 12-13 shows the System Configuration page.
Figure 12-13 ACS System Configuration Page

Configuring WDS Only Mode
WDS access points can operate in WDS only mode using the wlccp wds mode wds-only command.
Viewing WDS Information
On the web-browser interface, browse to the Wireless Services Summary page to view a summary of WDS status.
Using Debug Messages
In privileged exec mode, use these debug commands to control the display of debug messages for devices interacting with the WDS device:
Command: debug wlccp ap {mn | wds-discovery | state}
Description: Use this command to turn on display of debug messages related to client devices (mn), the WDS discovery process, and access point authentication to the W
Configuring Access Points to Support Fast Secure Roaming
To support fast, secure roaming, the access points on your wireless LAN must be configured to participate in WDS and they must allow CCKM authenticated key management for at least one SSID. Follow these steps to configure CCKM for an SSID:
Step 1 Browse to the Encryption Manager page on the access point GUI.
Figure 12-15 Global SSID Manager Page
Step 6 On the SSID that supports CCKM, select these settings:
b. If your access point contains multiple radio interfaces, select the interfaces on which the SSID applies.
c. Select Network EAP under Authentication Settings. When you enable CCKM, you must enable Network EAP as the authentication type.
d. Select Mandatory or Optional under Authenticated Key Management. If you select Mandatory, only clients that support CCKM can associate using the SSID. If you select Optional, both CCKM clients and clients that do not support CCKM can associate using the SSID.
e. Check the CCKM check box.
Step 7 Click Apply.
Infrastructure MFP provides infrastructure support. Infrastructure MFP uses a message integrity check (MIC) across broadcast and directed management frames, which can assist in detecting rogue devices and denial-of-service attacks. Client MFP provides client support.
Client MFP can be configured as either required or optional for a particular SSID. To configure Client MFP as required, you must configure the SSID with key management WPA version 2 mandatory. If the key management is not WPAv2 mandatory, an error message is displayed and your CLI command is rejected.
Step 3
Command: dot11 ids mfp detector
Description: Configures the access point as an MFP detector. When enabled, the access point validates management frames it receives from other access points. If it receives any frame that does not contain a valid and expected MIC IE, it reports the discrepancy to the WDS. The access point must be a member of a WDS.
Configuring Radio Management
When you configure access points on your wireless LAN to use WDS, the access points automatically play a role in radio management when they interact with the WDS device. To complete the radio management configuration, you configure the WDS device to interact with the WLSE device on your network.
Figure 12-17 WDS/WNM General Setup Page
Step 4 Check the Configure Wireless Network Manager check box.
Step 5 In the Wireless Network Manager IP Address field, enter the IP address of the WLSE device on your network.
Step 6 Click Apply. The WDS access point is configured to interact with your WLSE device.
Configuring Access Points to Participate in WIDS
To participate in WIDS, access points must be configured to participate in WDS and in radio management.
Step 3
Command: monitor frames endpoint ip address IP-address port UDP-port [truncate truncation-length]
Purpose: Configure the radio for monitor mode. Enter the IP address and the UDP port on the WIDS engine on your network.
• (Optional) Configure a maximum length in bytes for each forwarded frame.
Step 4
Command: end
Purpose: Return to privileged EXEC mode.
Configuring Monitor Mode Limits
You can configure threshold values that the access point uses in monitor mode. When a threshold value is exceeded, the access point logs the information or sends an alert.

Configuring an Authentication Failure Limit
Setting an authentication failure limit protects your network against a denial-of-service attack called EAPOL flooding.
tunnels, which keeps data traffic going between client and SUP. But because of the WLSM failure, the control traffic going between the access point and the WLSM is disrupted (as shown in Figure 12-18), which prevents the access points from accepting new client connections until the WLSM software is back online.
CHAPTER 13 Configuring RADIUS and TACACS+ Servers

This chapter describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+), which provide detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS and TACACS+ are facilitated through AAA and can be enabled only through AAA commands.
Chapter 13 Configuring RADIUS and TACACS+ Servers

Configuring and Enabling RADIUS
This section describes how to configure and enable RADIUS.
RADIUS Operation
When a wireless user attempts to log in and authenticate to an access point whose access is controlled by a RADIUS server, authentication to the network occurs in the steps shown in Figure 13-1:

[Figure 13-1 Sequence for EAP Authentication: client device, access point or bridge, and RADIUS server on the wired LAN.] 1. Authentication request 3. Username (relay to server) (relay to client) 4.
Configuring RADIUS
This section describes how to configure your access point to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.
Identifying the RADIUS Server Host
Access point-to-RADIUS-server communication involves several components:
• Host name or IP address
• Authentication destination port
• Accounting destination port
• Key string
• Timeout period
• Retransmission value
You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers.
Step 1
Command: configure terminal
Purpose: Enter global configuration mode.
Step 2
Command: aaa new-model
Purpose: Enable AAA.
Step 3
Command: radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
Purpose: Specify the IP address or host name of the remote RADIUS server host.
Step 5
Command: accounting list-name
Purpose: Enable RADIUS accounting for this SSID. For list-name, specify the accounting method list. Click this URL for more information on method lists: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfacct.html
Note To enable accounting for an SSID, you must include the accounting command in the SSID configuration.
authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
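As an added example (not from the Cisco guide), the method-list walk described above, simulated in Python: a method that does not respond is skipped and the next one is tried, while any answer, accept or reject, ends the walk. The server and local-database objects are constructed stand-ins for this example, not IOS code; the scenario assumes a list equivalent to "group radius" followed by "local".

```python
"""Added example (not from the Cisco guide): how an AAA login method list is
walked. The guide states that if a method fails to respond, the next method in
the list is tried, until one method answers or the list is exhausted. The
security-relevant corollary modelled here: a method that answers with a reject
ends the walk, so a trailing 'local' method is reached only when every earlier
server is unreachable, not when a reachable server rejects the user.
Server behaviour is simulated; no RADIUS or TACACS+ traffic is sent."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Verdict(Enum):
    ACCEPT = "accept"        # method answered and authenticated the user
    REJECT = "reject"        # method answered and refused the user
    NO_RESPONSE = "error"    # method did not answer (timeout, unreachable)


# A method is a callable taking (username, password) and returning a Verdict.
Method = Callable[[str, str], Verdict]


@dataclass
class LocalDatabase:
    """Simulated 'local' method: the access point's own username table."""
    users: Dict[str, str] = field(default_factory=dict)

    def __call__(self, username: str, password: str) -> Verdict:
        if username in self.users and self.users[username] == password:
            return Verdict.ACCEPT
        return Verdict.REJECT


@dataclass
class SimulatedServer:
    """Simulated RADIUS/TACACS+ server (constructed for this example)."""
    name: str
    users: Dict[str, str] = field(default_factory=dict)
    reachable: bool = True

    def __call__(self, username: str, password: str) -> Verdict:
        if not self.reachable:
            return Verdict.NO_RESPONSE   # timeout: the AP moves to the next method
        if self.users.get(username) == password:
            return Verdict.ACCEPT
        return Verdict.REJECT


def walk_method_list(methods: List[Tuple[str, Method]],
                     username: str, password: str) -> Tuple[str, Verdict]:
    """Apply the methods in order, as the guide describes: move on only when the
    current method does not respond. Returns (deciding method, verdict); if
    every method is silent the result is ('<none>', NO_RESPONSE) and the login
    must be treated as failed."""
    for name, method in methods:
        verdict = method(username, password)
        if verdict is not Verdict.NO_RESPONSE:
            return name, verdict            # an answer, accept or reject, ends the walk
    return "<none>", Verdict.NO_RESPONSE    # all defined methods exhausted


# Constructed scenario: 'aaa authentication login default group radius local'
RADIUS = SimulatedServer("radius", users={"alice": "correct-horse"})
LOCAL = LocalDatabase(users={"admin": "local-only-pw", "alice": "stale-pw"})
DEFAULT_LIST: List[Tuple[str, Method]] = [("radius", RADIUS), ("local", LOCAL)]


def login(username: str, password: str,
          radius_reachable: bool = True) -> Tuple[str, Verdict]:
    """Run one login through the default list with the server up or down."""
    RADIUS.reachable = radius_reachable
    return walk_method_list(DEFAULT_LIST, username, password)


if __name__ == "__main__":
    print(login("alice", "correct-horse"))      # ('radius', ACCEPT)
    print(login("alice", "stale-pw"))           # ('radius', REJECT): local is not consulted
    print(login("alice", "stale-pw", False))    # ('local', ACCEPT): server down, fallback
    print(login("admin", "local-only-pw"))      # ('radius', REJECT): server answers, no fallback
```

The fourth case is the one to check in a real deployment: an account that exists only in the local database is unusable while the RADIUS server is reachable, and becomes usable only during an outage.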
Step 3
Command: radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
Purpose: Specify the IP address or host name of the remote RADIUS server host.
• (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command.
Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:
Step 1
Command: configure terminal
Purpose: Enter global configuration mode.
Step 2
Command: aaa authorization network radius
Purpose: Configure the access point for user RADIUS authorization for all network-related service requests.
Note When WDS is configured, PoD requests should be directed to the WDS. The WDS forwards the disassociation request to the parent access point and then purges the session from its own internal tables.
Note PoD is supported on the Cisco CNS Access Registrar (CAR) RADIUS server, but not on the Cisco Secure ACS Server, v4.0 and earlier.
Step 1
Command: configure terminal
Purpose: Enter global configuration mode.
Step 2
Command: aaa accounting network start-stop radius
Purpose: Enable RADIUS accounting for all network-related service requests.
Step 3
Command: ip radius source-interface bvi1
Purpose: Configure the access point to send its BVI IP address in the NAS_IP_ADDRESS attribute for accounting records.
Configuring Settings for All RADIUS Servers
Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the access point and all RADIUS servers:
Step 1
Command: configure terminal
Purpose: Enter global configuration mode.
Step 2
Command: radius-server key string
Purpose: Specify the shared secret text string used between the access point and all RADIUS servers.
This example shows how to set up two main servers and a local authenticator with a server deadtime of 10 minutes:
AP(config)# aaa new-model
AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 key 77654
AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 key 77654
AP(config)# radius-server host 10.91.6.
Step 1
Command: configure terminal
Purpose: Enter global configuration mode.
Step 2
Command: radius-server vsa send [accounting | authentication]
Purpose: Enable the access point to recognize and use VSAs as defined by RADIUS IETF attribute 26.
• (Optional) Use the accounting keyword to limit the set of recognized vendor-specific attributes to only accounting attributes.
Step 3
Command: radius-server key string
Purpose: Specify the shared secret text string used between the access point and the vendor-proprietary RADIUS server. The access point and the RADIUS server use this text string to encrypt passwords and exchange responses.
Note The key is a text string that must match the encryption key used on the RADIUS server.
Beginning in privileged EXEC mode, follow these steps to specify WISPr RADIUS attributes on the access point:
Step 1
Command: configure terminal
Purpose: Enter global configuration mode.
Step 2
Command: snmp-server location location
Purpose: Specify the WISPr location-name attribute.
RADIUS Attributes Sent by the Access Point
Table 13-2 through Table 13-6 identify the attributes sent by an access point to a client in access-request, access-accept, and accounting-request packets.
Table 13-4 Attributes Sent in Accounting-Request (start) Packets
Attribute ID and description:
1 User-Name
4 NAS-IP-Address
5 NAS-Port
6 Service-Type
25 Class
41 Acct-Delay-Time
44 Acct-Session-Id
61 NAS-Port-Type
VSA (attribute 26) SSID
VSA (attribute 26) NAS-Location
VSA (attribute 26) Cisco-NAS-Port
VSA (attribute 26) Interface

Table 13-5 Attributes Sent in Accounting-Request (update) Packets Attr
Table 13-6 Attributes Sent in Accounting-Request (stop) Packets
Attribute ID and description:
1 User-Name
4 NAS-IP-Address
5 NAS-Port
6 Service-Type
25 Class
41 Acct-Delay-Time
42 Acct-Input-Octets
43 Acct-Output-Octets
44 Acct-Session-Id
46 Acct-Session-Time
47 Acct-Input-Packets
48 Acct-Output-Packets
49 Acct-Terminate-Cause
61 NAS-Port-Type
VSA (attribute 26) SSID
VSA (attribute 26) NA
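Added example, not from the Cisco guide: a small RADIUS attribute decoder, written here to check that an Accounting-Request (stop) record carries every attribute listed in Table 13-6 and to unpack the vendor-specific attribute (type 26) that carries values such as the SSID. The packets are constructed for this example; the vendor-type number used inside the VSA (1) is an assumption, while the attribute IDs, packet code and enumerated values come from RFC 2865/2866.

```python
"""Added example (not from the Cisco guide): decode RADIUS attributes and check
an Accounting-Request (stop) record against the attribute list in Table 13-6.
All packets here are constructed; no network traffic is involved."""
import struct
from typing import Dict, List, Tuple

# Attribute names from RFC 2865/2866 for the IDs the guide lists (plus 27 and 40).
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
              25: "Class", 26: "Vendor-Specific", 27: "Session-Timeout",
              40: "Acct-Status-Type", 41: "Acct-Delay-Time", 42: "Acct-Input-Octets",
              43: "Acct-Output-Octets", 44: "Acct-Session-Id", 46: "Acct-Session-Time",
              47: "Acct-Input-Packets", 48: "Acct-Output-Packets",
              49: "Acct-Terminate-Cause", 61: "NAS-Port-Type"}
INTEGER_ATTRS = {5, 6, 27, 40, 41, 42, 43, 46, 47, 48, 49, 61}
# IDs that Table 13-6 lists for an accounting stop record (26 is the VSA row).
STOP_REQUIRED = {1, 4, 5, 6, 25, 41, 42, 43, 44, 46, 47, 48, 49, 61, 26}
ACCOUNTING_REQUEST = 4   # RADIUS packet code
ACCT_STATUS_STOP = 2     # Acct-Status-Type value for Stop
CISCO_VENDOR_ID = 9      # Cisco's IANA enterprise number


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the type/length/value list, refusing lengths that overrun the buffer."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def parse_vsa(value: bytes) -> Tuple[int, int, bytes]:
    """Unpack a Vendor-Specific value into (vendor-id, vendor-type, vendor-value)."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    vtype, vlen = value[4], value[5]
    if vlen < 2 or 4 + vlen > len(value):
        raise ValueError("bad VSA sub-attribute length")
    return vendor_id, vtype, value[6:4 + vlen]


def parse_packet(pkt: bytes) -> Dict:
    """Decode one RADIUS packet: code, identifier, the set of attribute IDs present,
    and a name-keyed dict of decoded values (integers, dotted NAS-IP, raw bytes)."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    items = parse_attributes(pkt[20:length])
    attrs: Dict = {}
    for atype, raw in items:
        name = ATTR_NAMES.get(atype, f"Attr-{atype}")
        if atype == 26:
            attrs.setdefault("vsa", []).append(parse_vsa(raw))
        elif atype in INTEGER_ATTRS:
            if len(raw) != 4:
                raise ValueError(f"{name} must be 4 bytes")
            attrs[name] = struct.unpack("!I", raw)[0]
        elif atype == 4:
            attrs[name] = ".".join(str(b) for b in raw)
        else:
            attrs[name] = raw
    return {"code": code, "id": ident, "present": {a for a, _ in items}, "attrs": attrs}


def missing_stop_attributes(pkt: bytes) -> List[str]:
    """Names of Table 13-6 attributes that an accounting stop record lacks."""
    parsed = parse_packet(pkt)
    if parsed["code"] != ACCOUNTING_REQUEST or \
            parsed["attrs"].get("Acct-Status-Type") != ACCT_STATUS_STOP:
        raise ValueError("not an Accounting-Request stop record")
    return sorted(ATTR_NAMES[a] for a in STOP_REQUIRED - parsed["present"])


# --- constructed sample packets ---------------------------------------------
def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def u32(n: int) -> bytes:
    return struct.pack("!I", n)


def build_packet(code: int, ident: int, attrs: bytes) -> bytes:
    # Request Authenticator zeroed: a constructed sample, not an authenticated packet.
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs


# Assumed encoding: SSID carried as a vendor-id 9 sub-attribute of vendor-type 1.
SSID_VSA = attr(26, u32(CISCO_VENDOR_ID) + bytes([1, 2 + len(b"ssid=batman")]) + b"ssid=batman")
COMMON = (attr(1, b"alice") + attr(4, bytes([192, 0, 2, 10])) + attr(5, u32(37)) +
          attr(6, u32(2)) + attr(25, b"class-token") + attr(40, u32(ACCT_STATUS_STOP)) +
          attr(41, u32(0)) + attr(44, b"00000123") + attr(47, u32(80)) + attr(48, u32(90)) +
          attr(49, u32(1)) + attr(61, u32(19)) + SSID_VSA)   # 61=19 is Wireless-802.11
SAMPLE_STOP = build_packet(ACCOUNTING_REQUEST, 7,
                           COMMON + attr(42, u32(10240)) + attr(43, u32(20480)) + attr(46, u32(600)))
SAMPLE_STOP_INCOMPLETE = build_packet(ACCOUNTING_REQUEST, 8, COMMON)  # byte/time counters absent

if __name__ == "__main__":
    print(parse_packet(SAMPLE_STOP)["attrs"])
    print("missing:", missing_stop_attributes(SAMPLE_STOP_INCOMPLETE))
```

A record that fails this check (the second sample lacks the octet and session-time counters) is the kind of accounting gap worth alerting on, since stop records without usage counters cannot be reconciled against session start times.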
Configuring and Enabling TACACS+
This section contains this configuration information:
• Understanding TACACS+, page 13-23
• TACACS+ Operation, page 13-24
• Configuring TACACS+, page 13-24
• Displaying the TACACS+ Configuration, page 13-29

Understanding TACACS+
TACACS+ is a security application that provides centralized validation of users attempting to gain access to your access point.
TACACS+ Operation
When an administrator attempts a simple ASCII login by authenticating to an access point using TACACS+, this process occurs:
1. When the connection is established, the access point contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the administrator. The administrator enters a username, and the access point then contacts the TACACS+ daemon to obtain a password prompt.
This section contains this configuration information:
• Default TACACS+ Configuration, page 13-25
• Identifying the TACACS+ Server Host and Setting the Authentication Key, page 13-25
• Configuring TACACS+ Login Authentication, page 13-26
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 13-27
• Starting TACACS+ Accounting, page 13-28

Default TACACS+ Configuration
TACACS+ and
Step 5
Command: server ip-address
Purpose: (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group. Each server in the group must be previously defined in Step 2.
Step 6
Command: end
Purpose: Return to privileged EXEC mode.
Step 7
Command: show tacacs
Purpose: Verify your entries.
Step 3
Command: aaa authentication login {default | list-name} method1 [method2...]
Purpose: Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
The aaa authorization exec tacacs+ local command sets these authorization parameters:
• Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+.
• Use the local database if authentication was not performed by using TACACS+.
Note Authorization is bypassed for authenticated administrators who log in through the CLI even if authorization has been configured.
Step 5
Command: show running-config
Purpose: Verify your entries.
Step 6
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1... global configuration command.

Displaying the TACACS+ Configuration
To display TACACS+ server statistics, use the show tacacs privileged EXEC command.
Chapter 14 Configuring VLANs
This chapter describes how to configure your access point to operate with the VLANs set up on your wired LAN in the following sections:

Understanding VLANs
A VLAN is a switched network that is logically segmented by functions, project teams, or applications rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup team can be connected to the same VLAN, regardless of their physical connections to the network or the fact that they might be intermingled with other teams.

Figure 14-1 LAN and VLAN Segmentation with Wireless Devices (figure: traditional LAN segmentation, with LAN 1, LAN 2 and LAN 3 on shared hubs on floors 1 to 3, compared with VLAN segmentation, where Catalyst VLAN switches carry VLAN 1, VLAN 2 and VLAN 3 over a trunk port and the access point maps SSID 1 = VLAN 1, SSID 2 = VLAN 2 and SSID 3 = VLAN 3)

Related Documents
These documents provide more detailed information pertaining to VLAN design and configuration:

Incorporating Wireless Devices into VLANs
The basic wireless components of a VLAN consist of an access point and a client associated to it using wireless technology. The access point is physically connected through a trunk port to the network VLAN switch on which the VLAN is configured. The physical connection to the VLAN switch is through the access point's Ethernet port.

Configuring a VLAN
Note: When you configure VLANs on access points, the Native VLAN must be VLAN1. In a single architecture, client traffic received by the access point is tunneled through an IP-GRE tunnel, which is established on the access point's Ethernet interface native VLAN. Because of the IP-GRE tunnel, some users may configure another switch port as VLAN1. This misconfiguration causes errors on the switch port.

Step  Command  Purpose
Step 3  ssid ssid-string  Create an SSID and enter SSID configuration mode for the new SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.

Step 11  end  Return to privileged EXEC mode.
Step 12  copy running-config startup-config  (Optional) Save your entries in the configuration file.

Creating a VLAN Name
Beginning in privileged EXEC mode, follow these steps to assign a name to a VLAN:
Step  Command  Purpose
Step 1  configure terminal  Enter global configuration mode.
Step 2  dot11 vlan-name name vlan vlan-id  Assign a VLAN name to a VLAN ID. The name can contain up to 32 ASCII characters.
Step 3  end  Return to privileged EXEC mode.
Step 4  copy running-config startup-config  (Optional) Save your entries in the configuration file.

Using a RADIUS Server for Dynamic Mobility Group Assignment
You can configure a RADIUS server to dynamically assign mobility groups to users or user groups. This eliminates the need to configure multiple SSIDs on the access point. Instead, you need to configure only one SSID per access point. When users associate to the SSID, the access point passes their login information to WLSM, which passes the information to the RADIUS server.

VLAN Configuration Example (show vlan output, continued)
   Virtual-Dot11Radio0
   Protocols Configured:   Address:          Received:   Transmitted:
        Bridging          Bridge Group 1    201688      0
        Bridging          Bridge Group 1    201688      0
        Bridging          Bridge Group 1    201688      0
Virtual LAN ID:  2 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interfaces:   FastEthernet0.2
                            Virtual-Dot11Radio0.2
   Protocols Configured:   Address:          Received:   Transmitted:
   Dot11Radio0.

4. Configure VLAN 1, the Management VLAN, on both the fastEthernet and dot11radio interfaces on the access point. You should make this VLAN the native VLAN.
5. Configure VLANs 2 and 3 on both the fastEthernet and dot11radio interfaces on the access point.
6. Configure the client devices.
Table 14-2 shows the commands needed to configure the three VLANs in this example.

Table 14-3 shows the results of the configuration commands in Table 14-2. Use the show running command to display the running configuration on the access point.
Table 14-3 Results of Example Configuration Commands (columns: VLAN 1 Interfaces, VLAN 2 Interfaces, VLAN 3 Interfaces; first entry: interface Dot11Radio0/0.
Chapter 15 Configuring QoS
This chapter describes how to configure quality of service (QoS) on your access point. With this feature, you can provide preferential treatment to certain traffic at the expense of others. Without QoS, the access point offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.

Understanding QoS for Wireless LANs
Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.

QoS on the wireless LAN focuses on downstream prioritization from the access point. Figure 15-1 shows the upstream and downstream traffic flow.
Figure 15-1 Upstream and Downstream Traffic Flow (figure: client device, access point and wired LAN, with the radio downstream, radio upstream, Ethernet downstream and Ethernet upstream flows marked)
• The radio downstream flow is traffic transmitted out the access point radio to a wireless client device.

Note: This release continues to support existing 7920 wireless phone firmware. Do not attempt to use the new standard (IEEE 802.11e draft 13) QBSS Load IE with the 7920 Wireless Phone until new phone firmware is available for you to upgrade your phones.
This example shows how to enable IEEE 802.11 phone support with the legacy QBSS Load element:
AP(config)# dot11 phone
This example shows how to enable IEEE 802.

Configuring QoS
QoS is disabled by default (however, the radio interface always honors tagged 802.1P packets even when you have not configured a QoS policy). This section describes how to configure QoS on your access point.

Figure 15-2 QoS Policies Page
Step 3  With selected in the Create/Edit Policy field, type a name for the QoS policy in the Policy Name entry field. The name can contain up to 25 alphanumeric characters. Do not include spaces in the policy name.
Note: You can also select two preconfigured QoS policies: WMM and Spectralink. When you select either of these, a set of default classifications is automatically populated in the Classification field.

Step 4
Step 5  If the packets that you need to prioritize contain IP precedence information in the IP header TOS field, select an IP precedence classification from the IP Precedence drop-down menu.

• Assured Forwarding — Class 4 High
• Class Selector 1
• Class Selector 2
• Class Selector 3
• Class Selector 4
• Class Selector 5
• Class Selector 6
• Class Selector 7
• Expedited Forwarding
Step 8  Use the Apply Class of Service drop-down menu to select the class of service that the access point will apply to packets of the type that you selected from the IP DSCP menu.

Step 18  Use the Apply Policies to Interface/VLANs drop-down menus to apply policies to the access point Ethernet and radio ports. If VLANs are configured on the access point, drop-down menus for each VLAN's virtual ports appear in this section. If VLANs are not configured on the access point, drop-down menus for each interface appear.
Step 19  Click the Apply button at the bottom of the page to apply the policies to the access point ports.

IGMP Snooping
When Internet Group Membership Protocol (IGMP) snooping is enabled on a switch and a client roams from one access point to another, the client's multicast session is dropped. When the access point's IGMP snooping helper is enabled, the access point sends a general query to the wireless LAN, prompting the client to send in an IGMP membership report.

Table 15-1 Default QoS Radio Access Categories
Class of Service | Min Contention Window | Max Contention Window | Fixed Slot Time | Transmit Opportunity | Admission Control (each column has Local and Cell sub-columns)
Background | 4 | 10 | 6 | 0
Best Effort | 4 | 10 | 2 | 0
Video <100ms Latency | 3 | 2 | 1 | 3008
Voice <100ms Latency | 2 | 3 | 1 | 1504
Figure 15-4 shows the Radio Access Categories page.

Note: In this release, clients are blocked from using an access category when you select Enable for Admission Control.
Optimized Voice Settings
Using the Admission Control check boxes, you can control client use of the access categories. When you enable admission control for an access category, clients associated to the access point must complete the WMM admission control procedure before they can use that access category.

Enabling Admission Control
This section describes how to enable admission control on an SSID. For a list of Cisco IOS commands for enabling admission control using the CLI, consult the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges. Follow these steps to enable admission control on an SSID:
Step 1  Open the SSID Manager page.
Step 2  Select an SSID.

Figure 15-5 QoS Policies Page for Voice Example
The network administrator also enables the QoS element for wireless phones setting on the QoS Policies - Advanced page. This setting gives priority to all voice traffic regardless of VLAN.
Giving Priority to Video Traffic
This section demonstrates how you could apply a QoS policy to a VLAN on your network dedicated to video traffic.
Chapter 16 Configuring Filters
This chapter describes how to configure and manage MAC address, IP, and Ethertype filters on the access point using the web-browser interface.

Understanding Filters
Protocol filters (IP protocol, IP port, and Ethertype) prevent or allow the use of specific protocols through the access point's Ethernet and radio ports. You can set up individual protocol filters or sets of filters. You can filter protocols for wireless client devices, users on the wired LAN, or both.

Configuring Filters Using the Web-Browser Interface
This section describes how to configure and enable filters using the web-browser interface. You complete two steps to configure and enable a filter:
1. Name and configure the filter using the filter setup pages.
2. Enable the filter using the Apply Filters page.

Figure 16-1 MAC Address Filters Page
Follow this link path to reach the Address Filters page:
1. Click Services in the page navigation bar.
2. In the Services page list, click Filters.
3. On the Apply Filters page, click the MAC Address Filters tab at the top of the page.

Creating a MAC Address Filter
Follow these steps to create a MAC address filter:
Step 1  Follow the link path to the MAC Address Filters page.

Step 5  Use the Mask entry field to indicate how many bits, from left to right, the filter checks against the MAC address. For example, to require an exact match with the MAC address (to check all bits), enter 0000.0000.0000. To check only the first 4 bytes, enter 0.0.FFFF.
Step 6  Select Forward or Block from the Action menu.
Step 7  Click Add. The MAC address appears in the Filters Classes field.
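As an added example (not code from the Cisco guide) of how the Step 5 mask is evaluated, this Python evaluator compares only the bits where the mask is 0, tries the filter classes in the order they were added, and falls back to the filter's default action. The filter name, its entries and the is_consistent check are constructed for illustration; the "default action must be the opposite of at least one entry" rule is the one the guide states for Ethertype filters and is assumed here to apply to MAC filters as well.

```python
"""Evaluate a MAC address filter with the mask convention described above:
a 0 bit in the mask is checked, an F (1) bit is ignored, counted from the
left. Constructed example, not part of the Cisco guide."""
import re
from dataclasses import dataclass
from typing import List

MAC_BITS = (1 << 48) - 1
_NON_HEX = re.compile(r"[^0-9a-fA-F]")


def mac_to_int(text: str) -> int:
    """Parse a MAC address or mask into a 48-bit integer.

    Accepts the IOS dotted form 'hhhh.hhhh.hhhh', where each dotted group
    is a 16-bit word that may be abbreviated ('0.0.FFFF' means
    0000.0000.FFFF), or a colon/hyphen separated form such as
    '00:11:22:33:44:55'.
    """
    if "." in text:
        groups = text.split(".")
        if len(groups) != 3:
            raise ValueError(f"expected three dotted groups: {text!r}")
        value = 0
        for group in groups:
            if not 1 <= len(group) <= 4 or _NON_HEX.search(group):
                raise ValueError(f"bad hex group in {text!r}")
            value = (value << 16) | int(group, 16)
        return value
    digits = _NON_HEX.sub("", text)
    if len(digits) != 12:
        raise ValueError(f"expected 12 hex digits: {text!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class FilterClass:
    """One entry of a MAC address filter (the address, mask and action
    entered in Step 4 to Step 7 above)."""
    address: str
    mask: str      # 0 bits are compared, 1 bits are don't-care
    action: str    # "Forward" or "Block"

    def matches(self, mac: int) -> bool:
        care = MAC_BITS & ~mac_to_int(self.mask)   # bits that are checked
        return (mac & care) == (mac_to_int(self.address) & care)


@dataclass(frozen=True)
class MacFilter:
    name: str
    default_action: str
    classes: List[FilterClass]

    def decide(self, mac: str) -> str:
        """Return the action for a client MAC: the first matching class
        wins; if no class matches, the filter's default action applies."""
        value = mac_to_int(mac)
        for entry in self.classes:
            if entry.matches(value):
                return entry.action
        return self.default_action

    def is_consistent(self) -> bool:
        """True when every action is Forward or Block and the default
        action is the opposite of at least one class action (assumed
        check, mirroring the guide's rule for Ethertype filters)."""
        actions = {c.action for c in self.classes} | {self.default_action}
        return actions <= {"Forward", "Block"} and len(actions) == 2


# Constructed filter: forward one exact station, block the rest of the
# 0011.2233.xxxx block (first 4 bytes checked, mask 0.0.FFFF as in Step 5),
# forward anything else in the 0011.22 OUI (first 3 bytes checked), and
# block everything else by default. Order matters: first match wins.
EXAMPLE_FILTER = MacFilter(
    name="lab-clients",
    default_action="Block",
    classes=[
        FilterClass("0011.2233.4455", "0000.0000.0000", "Forward"),
        FilterClass("0011.2233.0000", "0.0.FFFF", "Block"),
        FilterClass("0011.2200.0000", "0000.00FF.FFFF", "Forward"),
    ],
)

if __name__ == "__main__":
    for client in ("0011.2233.4455", "0011.2233.9999",
                   "00:11:22:aa:bb:cc", "aaaa.bbbb.cccc"):
        print(f"{client:>20}  ->  {EXAMPLE_FILTER.decide(client)}")
```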
If clients are not filtered immediately, click Reload on the System Configuration page to restart the access point. To reach the System Configuration page, click System Software on the task menu and then click System Configuration.
Note: Client devices with blocked MAC addresses cannot send or receive data through the access point, but they might remain in the Association Table as unauthenticated client devices.

Step 3  Click Advanced Security to browse to the Advanced Security: MAC Address Authentication page. Figure 16-4 shows the MAC Address Authentication page.
Figure 16-4 MAC Address Authentication Page
Step 4  Click the Association Access List tab to browse to the Association Access List page. Figure 16-5 shows the Association Access List page.

Step 6  Click Apply.
ACL Logging
ACL logging is not supported on the bridging interfaces of AP platforms. When applied on a bridging interface, the ACL works as if it were configured without the log option, and logging does not take effect. However, ACL logging works on the BVI interfaces as long as a separate ACL is used for the BVI interface.

Figure 16-6 IP Filters Page
Follow this link path to reach the IP Filters page:
1. Click Services in the page navigation bar.
2. In the Services page list, click Filters.
3. On the Apply Filters page, click the IP Filters tab at the top of the page.

Creating an IP Filter
Follow these steps to create an IP filter:
Step 1  Follow the link path to the IP Filters page.
Step 2  If you are creating a new filter, make sure (the default) is selected in the Create/Edit Filter Index menu. To edit an existing filter, select the filter name from the Create/Edit Filter Index menu.
Step 3  Enter a descriptive name for the new filter in the Filter Name field.

Step 15  When the filter is complete, click Apply. The filter is saved on the access point, but it is not enabled until you apply it on the Apply Filters page.
Step 16  Click the Apply Filters tab to return to the Apply Filters page. Figure 16-7 shows the Apply Filters page.
Figure 16-7 Apply Filters Page
Step 17  Select the filter name from one of the IP drop-down menus.

Figure 16-8 Ethertype Filters Page
Follow this link path to reach the Ethertype Filters page:
1. Click Services in the page navigation bar.
2. In the Services page list, click Filters.
3. On the Apply Filters page, click the Ethertype Filters tab at the top of the page.

Creating an Ethertype Filter
Follow these steps to create an Ethertype filter:
Step 1  Follow the link path to the Ethertype Filters page.

Step 7  Click Add. The Ethertype appears in the Filters Classes field. To remove the Ethertype from the Filters Classes list, select it and click Delete Class. Repeat Step 4 through Step 7 to add Ethertypes to the filter.
Step 8  Select Forward All or Block All from the Default Action menu. The filter's default action must be the opposite of the action for at least one of the Ethertypes in the filter.
Chapter 17 Configuring CDP
This chapter describes how to configure Cisco Discovery Protocol (CDP) on your access point.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco Aironet 1200 Series Access Point Command Reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.

Understanding CDP
Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices. Information in CDP packets is used in network management software such as CiscoWorks2000. CDP is enabled on the access point Ethernet port by default.

Configuring CDP
Step  Command  Purpose
Step 1  configure terminal  Enter global configuration mode.
Step 2  cdp holdtime seconds  (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is from 10 to 255 seconds; the default is 180 seconds.
Step 3  cdp timer seconds  (Optional) Set the transmission frequency of CDP updates in seconds. The range is from 5 to 254; the default is 60 seconds.

This example shows how to enable CDP.
AP# configure terminal
AP(config)# cdp run
AP(config)# end

Disabling and Enabling CDP on an Interface
CDP is enabled by default on all supported interfaces to send and receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface:
Step  Command  Purpose
Step 1  configure terminal  Enter global configuration mode.

Monitoring and Maintaining CDP
Command  Description
show cdp  Display global information, such as frequency of transmissions and the holdtime for packets being sent.
show cdp entry entry-name [protocol | version]  Display information about a specific neighbor. You can enter an asterisk (*) to display all CDP neighbors, or you can enter the name of the neighbor about which you want information.

Device ID: idf2-1-lab-l3.cisco.com
Entry address(es):
  IP address: 10.1.1.10
Platform: cisco WS-C3524-XL,  Capabilities: Trans-Bridge Switch
Interface: GigabitEthernet0/1,  Port ID (outgoing port): FastEthernet0/10
Holdtime : 141 sec
Version :
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.1)XP, MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-1999 by cisco Systems, Inc.

AP# show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID   Local Interface   Holdtme   Capability   Platform     Port ID
Perdido2    Gig 0/6           125       R S I        WS-C3550-1   Gig0/6
Perdido2    Gig 0/5           125       R S I        WS-C3550-1   Gig 0/5
AP# show cdp traffic
CDP counters :
   Total packets output: 50882, Input: 52510
   Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
   No memory: 0, Invalid packet: 0, Fragmented: 0
   C
Chapter 18 Configuring SNMP
This chapter describes how to configure the Simple Network Management Protocol (SNMP) on your access point.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.3.

Understanding SNMP
SNMP is an application-layer protocol that provides a message format for communication between SNMP managers and agents. The SNMP manager can be part of a network management system (NMS) such as CiscoWorks. The agent and management information base (MIB) reside on the access point. To configure SNMP on the access point, you define the relationship between the manager and the agent.

Table 18-1 lists the SNMP versions and security levels supported on access points:
Table 18-1 SNMP Versions and Security Levels
SNMP Version | Security Level | Authentication | Encryption
v1 | NoAuthNoPriv | Community string match | None
v2C | NoAuthNoPriv | Community string match | None
v3 | NoAuthNoPriv | Username match | None
v3 | AuthNoPriv | HMAC-MD5 or HMAC-SHA algorithms | None
v3 | AuthPriv | HMAC-MD5 or HMAC-SHA algorithms | DES 56-bit encryption
For detailed

SNMP Agent Functions
The SNMP agent responds to SNMP manager requests as follows:
• Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.
• Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.

Configuring SNMP
This section describes how to configure SNMP on your access point.

Configuring Community Strings
You use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the access point.

Step  Command  Purpose
Step 3  access-list access-list-number {deny | permit} source [source-wildcard]  (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary.
• For access-list-number, enter the access list number specified in Step 2.
• The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.

Configuring SNMP-Server Hosts
To configure the recipient of an SNMP trap operation, use the following command in global configuration mode:
Command  Purpose
snmp-server host host [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]  Configures the recipient of an SNMP trap operation.

Table 18-4 Notification Types (continued)
Notification Type | Description
syslog | Enable syslog traps.
wlan-wep | Enable WEP traps.
Some notification types cannot be controlled with the snmp-server enable global configuration command, such as tty and udp-port. These notification types are always enabled. You can use the snmp-server host global configuration command to configure a specific host to receive the notification types listed in Table 18-4.

Step  Command  Purpose
Step 5  show running-config  Verify your entries.
Step 6  copy running-config startup-config  (Optional) Save your entries in the configuration file.
To remove the specified host from receiving traps, use the no snmp-server host host global configuration command. To disable a specific trap type, use the no snmp-server enable traps notification-types global configuration command.

This example shows how to assign the strings open and ieee to SNMP, to allow read-write access for both, and to specify that open is the community string for queries on non-IEEE802dot11-MIB objects and ieee is the community string for queries on IEEE802dot11-mib objects:
bridge(config)# snmp-server view dot11view ieee802dot11 included
bridge(config)# snmp-server community open rw
bridge(config)# snmp-server community ieee view ieee802dot11 rw
This example show

AP(config)# snmp-server group admin v3 priv read iso write iso
AP(config)# snmp-server user joe admin v3 auth md5 xyz123 priv des56 key007
AP(config)# snmp-server user fred admin v3 encrypted auth md5 abc789 priv des56 key99
Note: After you enter the last command in this example, the show running-config and show startup-config commands display only a partial SNMP configuration.
Chapter 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode
This chapter describes how to configure your access point as a repeater, as a hot standby unit, or as a workgroup bridge.

Understanding Repeater Access Points
A repeater access point is not connected to the wired LAN; it is placed within radio range of an access point connected to the wired LAN to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication. You can configure either the 2.4-GHz radio or the 5-GHz radio as a repeater.

Figure 19-1 Access Point as a Repeater (figure: an access point (root unit) attached to the wired LAN and an access point (repeater) within its radio range)

Configuring a Repeater Access Point
This section provides instructions for setting up an access point as a repeater and includes these sections:
• Default Configuration, page 19-4
• Guidelines for Repeaters, page 19-4
• Setting Up a Repeater, page 19-5
• Verifying Repeater

Default Configuration
Access points are configured as root units by default. Table 19-1 shows the default values for settings that control the access point's role in the wireless LAN.

Setting Up a Repeater
Beginning in privileged EXEC mode, follow these steps to configure an access point as a repeater:
Step  Command  Purpose
Step 1  configure terminal  Enter global configuration mode.
Step 2  interface dot11radio { 0 | 1 }  Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.

AP# configure terminal
AP(config)# interface dot11radio 0
AP(config-if)# ssid chicago
AP(config-ssid)# infrastructure-ssid
AP(config-ssid)# exit
AP(config-if)# station-role repeater
AP(config-if)# dot11 extensions aironet
AP(config-if)# parent 1 0987.1234.h345 900
AP(config-if)# parent 2 7809.b123.c345 900
AP(config-if)# parent 3 6543.a456.

Setting Up a Repeater As a LEAP Client
You can set up a repeater access point to authenticate to your network like other wireless client devices. After you provide a network username and password for the repeater access point, it authenticates to your network using LEAP, Cisco's wireless authentication method, and receives and uses dynamic WEP keys.

Step  Command  Purpose
Step 7  end  Return to privileged EXEC mode.
Step 8  copy running-config startup-config  (Optional) Save your entries in the configuration file.
Setting Up a Repeater As a WPA Client
WPA key management uses a combination of encryption methods to protect communication between client devices and the access point.

Except for the IP address, the standby access point's settings should be identical to the settings on the monitored access point. If the monitored access point goes offline and the standby access point takes its place in the network, matching settings ensures that client devices can switch easily to the standby access point.

Tip: To quickly duplicate the monitored access point's settings on the standby access point, save the monitored access point configuration and load it on the standby access point. See the "Working with Configuration Files" section on page 20-8 for instructions on uploading and downloading configuration files.

Step  Command  Purpose
Step 8  iapp standby poll-frequency seconds  Sets the number of seconds between queries that the standby access point sends to the monitored access point's radio and Ethernet ports. The default poll frequency is 2 seconds.

After you enable standby mode, configure the settings that you recorded from the monitored access point to match on the standby access point.
Verifying Standby Operation
Use this command to check the status of the standby access point:
show iapp standby-status
This command displays the status of the standby access point. Table 19-2 lists the standby status messages that can appear.

Understanding Workgroup Bridge Mode
You can configure 1100, 1130, 1200, 1230, and 1240 series access points as workgroup bridges. In workgroup bridge mode, the unit associates to another access point as a client and provides a network connection for the devices connected to its Ethernet port.

Figure 19-2 shows an access point in workgroup bridge mode.

bridges, that can associate to an access point or bridge. To increase beyond 20 the number of workgroup bridges that can associate to the access point, the access point must reduce the delivery reliability of multicast packets to workgroup bridges.

Configuring Workgroup Bridge Mode
The following example shows how the command is used. In the example, channels 1, 6, and 11 are specified to scan:
ap#
ap# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ap(config)# int d0
ap(config-if)# ssid limited_scan
ap(config-if)# station-role workgroup-bridge
ap(config-if)# mobile station
ap(config-if)# mobile station scan 1 6 11
ap(config-if)# end
ap#

Step  Command  Purpose
Step 3  station-role workgroup-bridge  Set the radio role to workgroup bridge. If your access point contains two radios, the radio not set to workgroup bridge mode is automatically disabled.
Step 4  ssid ssid-string  Create the SSID that the workgroup bridge uses to associate to a parent access point or bridge.

This example shows how to configure an 1100 series access point as a workgroup bridge.

The Workgroup Bridge in a Lightweight Environment
• Note: The workgroup bridge can be any autonomous access point that supports the workgroup bridge mode and is running Cisco IOS Release 12.4(3g)JA or greater (on 32-MB access points) or Cisco IOS Release 12.3(8)JEB or greater (on 16-MB access points). These access points include the AP1121, AP1130, AP1231, AP1240, and AP1310. Cisco IOS Releases prior to 12.4(3g)JA and 12.
• When you delete a workgroup bridge record from the controller, all of the workgroup bridge wired clients' records are also deleted.
• Wired clients connected to a workgroup bridge inherit the workgroup bridge's QoS and AAA override attributes.
Chapter 20 Managing Firmware and Configurations

This chapter describes how to manipulate the Flash file system, how to copy configuration files, and how to archive (upload and download) software images.

Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco Aironet 1200 Series Access Point Command Reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.3.

Working with the Flash File System

The Flash file system on your access point provides several commands to help you manage software image and configuration files. The Flash file system is a single Flash device on which you can store files. This Flash device is called flash:.

Table 20-1 show file systems Field Descriptions (continued)

Type: Type of file system.
• flash—The file system is for a Flash memory device.
• network—The file system is for a network device.
• nvram—The file system is for a nonvolatile RAM (NVRAM) device.
• opaque—The file system is a locally generated pseudo file system (for example, the system) or a download interface, such as brimux.

To display information about files on a file system, use one of the privileged EXEC commands in Table 20-2:

Table 20-2 Commands for Displaying Information About Files
• dir [/all] [filesystem:][filename]: Display a list of files on a file system.
• show file systems: Display information about each file system on the access point (Table 20-1 describes the fields).

Use the /recursive keyword to delete the named directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process.

Use the /recursive keyword for deleting a directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process.

For source-url, specify the source URL alias for the local or network file system. These options are supported:
• For the local Flash file system, the syntax is flash:
• For the File Transfer Protocol (FTP), the syntax is ftp:[[//username[:password]@location]/directory]/tar-filename.tar
• For the Remote Copy Protocol (RCP), the syntax is rcp:[[//username@location]/directory]/tar-filename.

Working with Configuration Files

This example shows how to extract the contents of a tar file located on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local Flash file system. The remaining files in the saved.tar file are ignored.

ap# archive tar /xtract tftp://172.20.10.30/saved.

This section includes this information:
• Guidelines for Creating and Using Configuration Files, page 20-9
• Configuration File Types and Location, page 20-9
• Creating a Configuration File by Using a Text Editor, page 20-10
• Copying Configuration Files by Using TFTP, page 20-10
• Copying Configuration Files by Using FTP, page 20-12
• Copying Configuration Files by Using RCP, page 20-15
• Clearing Configuration

Creating a Configuration File by Using a Text Editor

When creating a configuration file, you must list commands logically so that the system can respond appropriately. This is one method of creating a configuration file:

Step 1 Copy an existing configuration from an access point to a server.

• Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).
• For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.
• Before uploading the configuration file, you might need to create an empty file on the TFTP server.

Use one of these privileged EXEC commands:
• copy system:running-config tftp:[[[//location]/directory]/filename]
• copy nvram:startup-config tftp:[[[//location]/directory]/filename]

The file is uploaded to the TFTP server. This example shows how to upload a configuration file from an access point to a TFTP server:

ap# copy system:running-config tftp://172.16.2.155/tokyo-confg
Write file tokyo-confg on host 172.16.2.

Preparing to Download or Upload a Configuration File by Using FTP

Before you begin downloading or uploading a configuration file by using FTP, perform these tasks:
• Ensure that the access point has a route to the FTP server. The access point and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the FTP server by using the ping command.

Connected to 172.16.101.101
Loading 1112 byte file host1-confg:![OK]
ap#
%SYS-5-CONFIG: Configured from host1-config by ftp from 172.16.101.101

This example shows how to specify a remote username of netadmin1. The software copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 to the access point startup configuration.

Building configuration...[OK]
Connected to 172.16.101.101
ap#

This example shows how to store a startup configuration file on a server by using FTP to copy the file:

ap# configure terminal
ap(config)# ip ftp username netadmin2
ap(config)# ip ftp password mypass
ap(config)# end
ap# copy nvram:startup-config ftp:
Remote host[]? 172.16.101.101
Name of configuration file to write [ap2-confg]?
Write file ap2-confg on host 172.16.

Preparing to Download or Upload a Configuration File by Using RCP

Before you begin downloading or uploading a configuration file by using RCP, perform these tasks:
• Ensure that the workstation acting as the RCP server supports the remote shell (rsh).
• Ensure that the access point has a route to the RCP server.

Step 5 end: Return to privileged EXEC mode.
Step 6 copy rcp:[[[//[username@]location]/directory]/filename] system:running-config: Using RCP, copy the configuration file from a network server to the running configuration or to the startup configuration file.

Step 5 end: Return to privileged EXEC mode.
Step 6 copy system:running-config rcp:[[[//[username@]location]/directory]/filename]: Using RCP, copy the configuration file from an access point running or startup configuration file to a network server.

Working with Software Images

You download an access point image file from a TFTP, FTP, or RCP server to upgrade the access point software. You upload an access point image file to a TFTP, FTP, or RCP server for backup purposes. You can use this uploaded image for future downloads to the same access point or another of the same type. The protocol you use depends on which type of server you are using.

The info.ver file is always at the end of the tar file and contains the same information as the info file. Because it is the last file in the tar file, its existence means that all files in the image have been downloaded.

Note The tar file sometimes ends with an extension other than .tar.
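The completeness rule above (info.ver is the last member and duplicates info) can be checked on a copy of the image before it is ever offered to an access point. The following is an added example, not code from this guide or from Cisco: it builds a constructed sample archive in memory (the member names, the info contents and the directory layout are this example's own assumptions, not a real image) and then applies the rule to it. The check reads the archive from its bytes, so the file extension never matters.

```python
import io
import tarfile


def _basename(name):
    return name.rsplit("/", 1)[-1]


def build_sample_image(complete=True, corrupt_ver=False):
    """Build a constructed sample image archive in memory. It is not a real
    Cisco image: only the layout the chapter describes is reproduced (an info
    file, an image directory, and a trailing info.ver that duplicates info)."""
    info = b"version_suffix: constructed-sample\n"
    members = [
        ("info", info),
        ("sample-image/sample-image", b"\x00" * 64),             # stand-in for the binary
        ("sample-image/html/level1/index.htm", b"<html></html>"),
    ]
    if complete:
        members.append(("info.ver", b"tampered\n" if corrupt_ver else info))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members:
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


def verify_image(blob):
    """Return (ok, reason) for a downloaded image held in memory.

    ok is True only when the last file in the archive is info.ver and its
    contents equal the info file. The archive is parsed from its bytes, so the
    file extension (which the chapter notes is not always .tar) is ignored."""
    try:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
            files = [m for m in tar.getmembers() if m.isfile()]
            if not files:
                return False, "empty archive"
            last = files[-1]
            if _basename(last.name) != "info.ver":
                return False, "last file is %s, not info.ver: download incomplete" % last.name
            info = next((m for m in files if _basename(m.name) == "info"), None)
            if info is None:
                return False, "no info file in image"
            if tar.extractfile(info).read() != tar.extractfile(last).read():
                return False, "info.ver does not match info"
            return True, "all files present"
    except (tarfile.TarError, EOFError) as exc:
        return False, "unreadable archive: %s" % exc


if __name__ == "__main__":
    for label, blob in [("complete", build_sample_image()),
                        ("missing info.ver", build_sample_image(complete=False)),
                        ("truncated", build_sample_image()[:3500])]:
        print(label, verify_image(blob))
```

A truncated transfer shows up either as a tar that stops before info.ver or as an unreadable trailing member; both are reported as failures rather than trusted. This check only establishes that the transfer was complete: it says nothing about who produced the image, so it complements, and does not replace, verifying the image against the hash published for the release.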
• During upload operations, if you are overwriting an existing file (including an empty file, if you had to create one) on the server, ensure that the permissions on the file are set correctly. Permissions on the file should be world-write.

Downloading an Image File by Using TFTP

You can download a new image file and replace the current image or keep the current image.

The download algorithm verifies that the image is appropriate for the access point model and that enough DRAM is present, or it aborts the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the Flash device whether or not it is the same as the new one, downloads the new image, and then reloads the software.

Step 1 Log into the access point through a Telnet session.
Step 2 archive upload-sw tftp:[[//location]/directory]/image-name.tar: Upload the currently running access point image to the TFTP server.
• For //location, specify the IP address of the TFTP server.
• For /directory/image-name.tar, specify the directory (optional) and the name of the software image to be uploaded.

• The password set by the ip ftp password password global configuration command if the command is configured.
• The access point forms a password named username@apname.domain. The variable username is the username associated with the current session, apname is the configured host name, and domain is the domain of the access point. The username and password must be associated with an account on the FTP server.

Step 3 configure terminal: Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6).
Step 4 ip ftp username username: (Optional) Change the default remote username.
Step 5 ip ftp password password: (Optional) Change the default password.
Step 6 end: Return to privileged EXEC mode.

The download algorithm verifies that the image is appropriate for the access point model and that enough DRAM is present, or it aborts the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the Flash device, whether or not it is the same as the new one, downloads the new image, and then reloads the software.

Step 6 end: Return to privileged EXEC mode.
Step 7 archive upload-sw ftp:[[//[username[:password]@]location]/directory]/image-name.tar: Upload the currently running access point image to the FTP server.
• For //username:password, specify the username and password. These must be associated with an account on the FTP server.

RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the access point to a server by using RCP, the Cisco IOS software sends the first valid username in this list:
• The username specified in the archive download-sw or archive upload-sw privileged EXEC command if a username is specified.

Downloading an Image File by Using RCP

You can download a new image file and replace or keep the current image.

Caution For the download and upload algorithms to operate properly, do not rename image directories.

Beginning in privileged EXEC mode, follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image. To keep the current image, skip Step 6.

Step 6 archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-name.tar]: Download the image file from the RCP server to the access point, and overwrite the current image.
Step 7 archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.tar]: Download the image file from the RCP server to the access point, and keep the current image.

Note
• The /overwrite option overwrites the software image in Flash with the downloaded image.

Note If the Flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option. If you specify /leave-old-sw, the existing files are not removed. If there is not enough room to install the new image and keep the running image, the download process stops, and an error message is displayed.

Step 5 end: Return to privileged EXEC mode.
Step 6 archive upload-sw rcp:[[[//[username@]location]/directory]/image-name.tar]: Upload the currently running access point image to the RCP server.
• For //username, specify the username; for the RCP copy request to execute, an account must be defined on the network server for the remote username.

Step 7 Click the Upgrade button. For additional information, click the Help icon on the Software Upgrade screen.

Browser TFTP Interface

The TFTP interface allows you to use a TFTP server on a network device to load the access point image file. Follow the instructions below to use a TFTP server:

Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.
Chapter 21 Configuring System Message Logging

This chapter describes how to configure system message logging on your access point.

Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.3.

Understanding System Message Logging

By default, access points send the output from system messages and debug privileged EXEC commands to a logging process. The logging process controls the distribution of logging messages to various destinations, such as the logging buffer, terminal lines, or a UNIX syslog server, depending on your configuration. The process also sends messages to the console.

Table 21-1 describes the elements of syslog messages.

Table 21-1 System Log Message Elements
• seq no: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages” section on page 21-6.
• timestamp: Date and time of the message or event.

Table 21-2 Default System Message Logging Configuration (continued)
• Timestamps: Disabled
• Synchronous logging: Disabled
• Logging server: Disabled
• Syslog server IP address: None configured
• Server facility: Local7 (see Table 21-4 on page 21-11)
• Server severity: Informational (and numerically lower levels; see Table 21-3 on page 21-8)

Disabling and Enabling Message Logging

Message logging is enab

Setting the Message Display Destination Device

If message logging is enabled, you can send messages to specific locations in addition to the console. Beginning in privileged EXEC mode, use one or more of the following commands to specify the locations that receive messages:

Step 1 configure terminal: Enter global configuration mode.

Enabling and Disabling Timestamps on Log Messages

By default, log messages are not timestamped. Beginning in privileged EXEC mode, follow these steps to enable timestamping of log messages:

Step 1 configure terminal: Enter global configuration mode.
Step 2 service timestamps log uptime: Enable log timestamps.

This example shows part of a logging display with sequence numbers enabled:

000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)

Defining the Message Severity Level

You can limit the messages displayed to the selected device by specifying the severity level of the message; the levels are described in Table 21-3.

Table 21-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.

Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults:

Step 1 configure terminal: Enter global configuration mode.
Step 2 logging history level: Change the default level of syslog messages stored in the history file and sent to the SNMP server. See Table 21-3 on page 21-8 for a list of level keywords.

Configuring UNIX Syslog Servers

The next sections describe how to configure the 4.3 BSD UNIX server syslog daemon and define the UNIX system logging facility.

Logging Messages to a UNIX Syslog Daemon

Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server.

Step 3 logging trap level: Limit messages logged to the syslog servers. By default, syslog servers receive informational messages and lower. See Table 21-3 on page 21-8 for level keywords.
Step 4 logging facility facility-type: Configure the syslog facility. See Table 21-4 on page 21-11 for facility-type keywords. The default is local7.
Step 5 end: Return to privileged EXEC mode.
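The message elements in Table 21-1, the sequence-numbered line shown above, and the logging trap cutoff are easiest to see together on real lines. The following is an added example, not part of this guide and not Cisco code: it parses lines in the %FACILITY-SEVERITY-MNEMONIC: form, strips the optional sequence number and timestamp prefixes, and then replicates what logging trap does to the stream before it reaches a collector. The severity keywords and the local0 to local7 facility numbers are the standard syslog values; the sample lines other than the chapter's own 000019 line are constructed, and the DOT11-7 mnemonic is made up for the example.

```python
import re

# Keywords accepted by "logging trap level" / "logging history level" and their
# numeric severities; numerically lower is more severe.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
# Syslog facility numbers for the local0..local7 keywords (local7 = 23 is the default).
FACILITY = {"local%d" % i: 16 + i for i in range(8)}

# The fixed part of every message: %FACILITY-SEVERITY-MNEMONIC: description
_MSG = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
# Optional sequence number prefix (six or more digits, as service sequence-numbers prints it).
_SEQ = re.compile(r"^(?P<seq>\d{6,}):\s*")


def parse_line(line):
    """Split one logged line into its elements; returns None for non-syslog lines."""
    m = _MSG.search(line)
    if not m:
        return None
    prefix = line[: m.start()].strip()
    seq = None
    s = _SEQ.match(prefix)
    if s:
        seq = s.group("seq")
        prefix = prefix[s.end():]
    # Whatever remains before the % is the timestamp (uptime or datetime), if enabled.
    stamp = prefix.rstrip(":").strip() or None
    return {
        "seq": seq,
        "stamp": stamp,
        "facility": m.group("fac"),
        "sev": int(m.group("sev")),
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def forward_to_server(lines, trap_level="informational", facility="local7"):
    """Apply the logging trap cutoff and compute the syslog PRI the AP would
    send (facility * 8 + severity). Messages more verbose than trap_level
    never reach the collector, which is why a collector-side detection rule
    cannot rely on them."""
    cutoff = SEVERITY[trap_level]
    fac = FACILITY[facility]
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sev"] > cutoff:
            continue
        rec["pri"] = fac * 8 + rec["sev"]
        out.append(rec)
    return out


SAMPLE_LINES = [
    # The chapter's own sequence-numbered example.
    "000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    # Constructed lines: sequence number followed by an uptime timestamp.
    "000020: 00:12:03: %SYS-5-CONFIG: Configured from host1-config by ftp from 172.16.101.101",
    "000021: 00:12:09: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0000.0000.0001 Associated",
    "000022: 00:12:10: %DOT11-7-SAMPLE_DEBUG: constructed debug-level line",
    "Enter configuration commands, one per line.",  # console noise, not a syslog message
]

if __name__ == "__main__":
    for rec in forward_to_server(SAMPLE_LINES, "informational"):
        print(rec["pri"], rec["seq"], rec["mnemonic"], rec["text"])
```

With the default informational cutoff the two configuration-change messages (severity 5) and the association message (severity 6) are forwarded with PRI 189 and 190 respectively, and the debug line is dropped. Raising the trap level to warnings would silence the CONFIG messages as well, so a collector that is expected to alert on configuration changes from vty or ftp sessions needs the access point left at notifications or lower, and needs sequence numbers enabled if it is to notice gaps in what it received.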
Displaying the Logging Configuration

To display the current logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2. To display the logging history file, use the show logging history privileged EXEC command.
Chapter 22 Wireless Device Troubleshooting

This chapter provides troubleshooting procedures for basic problems with the wireless device. For the most up-to-date, detailed troubleshooting information, refer to the Cisco TAC website at the following URL (select Top Issues and then select Wireless Technologies): http://www.cisco.

Checking the Top Panel Indicators

If your wireless device is not communicating, check the three LED indicators on the top panel to quickly assess the device’s status. Figure 22-1 shows the indicators on the 1200 series access point. Figure 22-2 shows the indicators on the 1100 series access point. Figure 22-3 and Figure 22-4 show the indicators on the 350 series access point.

Figure 22-2 Indicators on the 1100 Series Access Point (Ethernet, Status, and Radio indicators)

Figure 22-3 Indicators on the 350 Series Access Point (Plastic Case) (Ethernet, Status, and Radio indicators)

Figure 22-4 Indicators on the 350 Series Access Point (Metal Case) (Ethernet, Status, and Radio indicators; the case labels them Ethernet Activity, Association Status, and Radio Activity)

The indicator signals on the wireless device have the following meanings (for additional details refer to Table 22-1):
• The Ethernet indicator signals traffic on the wired LAN.

Table 22-1 Top Panel Indicator Signals (continued)
Message type | Ethernet indicator | Status indicator | Radio indicator | Meaning
Operating status | – | Green | Blinking green | Transmitting/receiving radio packets.
 | Green | – | – | Ethernet link is operational.
 | Blinking green | – | – | Transmitting/receiving Ethernet packets.
 | Red | – | Red | DRAM memory test failure.
 | – | Red | Red | File system failure.

Indicators on 1130 Series Access Points

If your access point is not working properly, check the LED ring on the top panel or the Ethernet and Radio LEDs in the cable bay area. You can use the LED indications to quickly assess the unit’s status. Figure 22-5 shows the access point LEDs.

The LED signals are listed in Table 22-2.

Table 22-2 LED Signals (the Ethernet and Radio LEDs are in the cable bay area; the Status LED is on top of the unit)
Message type | Ethernet LED | Radio LED | Status LED | Meaning
Boot loader status | Green | Green | Green | DRAM memory test ok.
 | Off | Blinking green | Light blue | Initialize Flash file system.
 | Off | Green | Pink | Flash memory test ok.
 | Green | Off | Blue | Ethernet test ok.
 | Green | Green | Green | Starting Cisco IOS.

Table 22-2 LED Signals (continued)
Message type | Ethernet LED | Radio LED | Status LED | Meaning
Boot loader errors | Red | Red | Red | DRAM memory test failure.
 | Off | Red | Blinking red and blue | Flash file system failure.
 | Off | Amber | Blinking red and light blue | Environment variable (ENVAR) failure.
 | Amber | Off | Blinking red | Bad MAC address.

Indicators on 1240 Series Access Points

If your access point is not working properly, check the Status, Ethernet, and Radio LEDs on the 2.4 GHz end of the unit. You can use the LED indications to quickly assess the unit’s status. Figure 22-6 shows the access point LEDs (for additional information refer to the Event Log using the access point browser interface).

Message type | Ethernet LED | Radio LED | Status LED | Meaning
Boot loader warnings | Off | Off | Yellow | Ethernet link not operational.
 | Red | Off | Yellow | Ethernet failure.
 | Amber | Off | Yellow | Configuration recovery in progress (Mode button pressed for 2 to 3 seconds).

Figure 22-7 LEDs (R: Radio LED, E: Ethernet LED, S: Status LED, I: Install LED)

Normal Mode LED Indications

During access point/bridge operation the LEDs provide status information as shown in Table 22-4.

Table 22-4 LED Indications
Ethernet LED | Status LED | Radio LED | Install LED | Meaning
Off | — | — | — | Ethernet link is down or disabled.
Blinking green | — | — | — | Transmitting and receiving Ethernet packets.

Table 22-4 LED Indications (continued)
Ethernet LED | Status LED | Radio LED | Install LED | Meaning
Red | Amber | Red | — | Loading Firmware error—disconnect and reconnect the power injector power. If the problem continues, contact technical support for assistance.
— | — | Off | — | Normal operation.
— | — | Blinking green | — | Transmitting and receiving radio packets—normal operation.

Table 22-5 LED Blinking Error Codes (continued)
LED | First Digit | Second Digit | Description
Radio | 1 | 2 | Radio not detected—contact technical support for assistance.
Radio | 1 | 3 | Radio not ready—contact technical support for assistance.
Radio | 1 | 4 | Radio did not start—contact technical support for assistance.
Radio | 1 | 5 | Radio failure—contact technical support for assistance.

• Cisco Aironet Power Injector LR2T—optional transportation version
 – 12- to 40-VDC input power
 – Uses 12 to 40 VDC from a vehicle battery

Checking Power

You can verify the availability of power to the access point/bridge by checking the power injector LED (see Figure 22-8):
• Power LED
 – Green color indicates input power is being supplied to the bridge.

Checking Basic Settings

Mismatched basic settings are the most common causes of lost connectivity with wireless clients. If the wireless device does not communicate with client devices, check the areas described in this section.

SSID

Wireless clients attempting to associate with the wireless device must use the same SSID as the wireless device.

Resetting to the Default Configuration

If you forget the password that allows you to configure the wireless device, you may need to completely reset the configuration. On 1100 and 1200 series access points, you can use the MODE button on the access point or the web-browser interface. On 350 series access points, you can use the web-browser or CLI interfaces.

Step 3 Enter your username in the User Name field.
Step 4 Enter the wireless device password in the Password field and press Enter. The Summary Status page appears.
Step 5 Click System Software and the System Software screen appears.
Step 6 Click System Configuration and the System Configuration screen appears.
Step 7 Click the Reset to Defaults or Reset to Defaults (Except IP) button.

Reloading the Access Point Image

Step 6 Use the rename command to change the name of the config.txt file to config.old.

ap: rename flash:config.txt flash:config.old

Step 7 Use the reload command to reboot the wireless device.

ap: reload
System configuration has been modified. Save (y/n)?y
Building configuration.
[OK]
Proceed with reload? [confirm]
Connection with host lost.

Follow these steps to reload the access point image file:

Step 1 The PC you intend to use must be configured with a static IP address in the range of 10.0.0.2 to 10.0.0.30.
Step 2 Make sure that the PC contains the access point image file (such as c1100-k9w7-tar.123-8.JA.tar for an 1100 series access point or c1200-k9w7-tar.123-8.JA.

Step 7 Click Upload. For additional information, click the Help icon on the Software Upgrade screen.

Browser TFTP Interface

The TFTP interface allows you to use a TFTP server on a network device to load the wireless device image file. Follow the instructions below to use a TFTP server:

Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).

Step 3 Let the wireless device boot until it begins to inflate the image. When you see these lines on the CLI, press Esc:

Loading "flash:/c350-k9w7-mx.v122_13_ja.20031010/c350-k9w7-mx.v122_13_ja.20031010" ...

extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_button_last_flat.gif (318 bytes)
extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_button_nth.gif (1177 bytes)
extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_leftnav_dkgreen.gif (869 bytes)
 -- MORE --

Note If you do not press the spacebar to continue, the process eventually times out and the wireless device stops inflating the image.

Step 8

Step 14 Save the file to a directory on your hard drive.

Obtaining TFTP Server Software

You can download TFTP server software from several websites. Cisco recommends the shareware TFTP utility available at this URL: http://tftpd32.jounin.net

Follow the instructions on the website for installing and using the utility.
A P P E N D I X A Protocol Filters The tables in this appendix list some of the protocols that you can filter on the access point. The tables include: • Table A-1, Ethertype Protocols • Table A-2, IP Protocols • Table A-3, IP Port Protocols In each table, the Protocol column lists the protocol name, the Additional Identifier column lists other names for the same protocol, and the ISO Designator column lists the numeric designator for each protocol.
Appendix A Table 0-1 Protocol Filters Ethertype Protocols Protocol Additional Identifier ISO Designator ARP — 0x0806 RARP — 0x8035 IP — 0x0800 Berkeley Trailer Negotiation — 0x1000 LAN Test — 0x0708 X.25 Level3 X.25 0x0805 Banyan — 0x0BAD CDP — 0x2000 DEC XNS XNS 0x6000 DEC MOP Dump/Load — 0x6001 DEC MOP MOP 0x6002 DEC LAT LAT 0x6004 Ethertalk — 0x809B Appletalk ARP Appletalk AARP 0x80F3 IPX 802.2 — 0x00E0 IPX 802.
Appendix A Protocol Filters Table 0-2 IP Protocols Protocol Additional Identifier ISO Designator dummy — 0 Internet Control Message Protocol ICMP 1 Internet Group Management Protocol IGMP 2 Transmission Control Protocol TCP 6 Exterior Gateway Protocol EGP 8 PUP — 12 CHAOS — 16 User Datagram Protocol UDP 17 XNS-IDP IDP 22 ISO-TP4 TP4 29 ISO-CNLP CNLP 80 Banyan VINES VINES 83 Encapsulation Header encap_hdr 98 Spectralink Voice Protocol SVP Spectralink 119 raw —
Appendix A Table 0-3 Protocol Filters IP Port Protocols Protocol Additional Identifier ISO Designator TCP port service multiplexer tcpmux 1 echo — 7 discard (9) — 9 systat (11) — 11 daytime (13) — 13 netstat (15) — 15 Quote of the Day qotd quote 17 Message Send Protocol msp 18 ttytst source chargen 19 FTP Data ftp-data 20 FTP Control (21) ftp 21 Secure Shell (22) ssh 22 Telnet — 23 Simple Mail Transport Protocol SMTP mail 25 time timserver 37 Resource Locat
Table A-3 IP Port Protocols (continued)

Protocol                          Additional Identifier        ISO Designator
TSAP                              iso-tsap                     102
CSO Name Server                   cso-ns csnet-ns              105
Remote Telnet                     rtelnet                      107
Postoffice v2                     POP2 POP v2                  109
Postoffice v3                     POP3 POP v3                  110
Sun RPC                           sunrpc                       111
tap ident authentication          auth                         113
sftp                              —                            115
uucp-path                         —                            117
Network News Transfer Protocol    Network News readnews nntp   119
USENET News Transfer Protocol     Network News readnews nntp   119
Network Time Pro
Table A-3 IP Port Protocols (continued)

Protocol                    Additional Identifier   ISO Designator
SNMP Unix Multiplexer       smux                    199
AppleTalk Routing           at-rtmp                 201
AppleTalk name binding      at-nbp                  202
AppleTalk echo              at-echo                 204
AppleTalk Zone Information  at-zis                  206
NISO Z39.
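The numbers in Tables A-1 to A-3 are the values a filter actually matches against in the frame: the Ethertype field of the Ethernet header, the protocol field of the IPv4 header, and the TCP/UDP port fields. The following added example, which is not Cisco code and is not how the access point implements its filters, decodes those three fields from a raw frame and evaluates an ordered permit/deny list keyed by them. It assumes Ethernet II framing with at most one 802.1Q tag (TPID 0x8100, a value the tables do not list), IPv4 only, and an implicit deny at the end of the list; the sample frames are constructed, not captured traffic.

```python
"""Added example (not Cisco code): a protocol-filter evaluator that uses the
numeric designators from Tables A-1 to A-3 to permit or deny Ethernet frames.

Assumptions: Ethernet II framing with at most one 802.1Q tag (TPID 0x8100,
which the tables do not list), IPv4 only, and an implicit deny at the end of
the rule list. Sample frames below are constructed, not captured traffic.
"""
import struct

ETH_ARP, ETH_IP, ETH_BANYAN = 0x0806, 0x0800, 0x0BAD   # Table A-1
ETH_8021Q = 0x8100                                      # assumption: standard 802.1Q TPID
IP_TCP, IP_UDP = 6, 17                                  # Table A-2
PORT_ECHO, PORT_SSH, PORT_TELNET = 7, 22, 23            # Table A-3


def decode(frame):
    """Extract the fields a filter rule can match on from one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("short frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if ethertype == ETH_8021Q:                      # skip the tag, keep the VLAN id
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    fields = {"ethertype": ethertype, "vlan": vlan,
              "ip_proto": None, "sport": None, "dport": None}
    if ethertype == ETH_IP and len(frame) >= off + 20:
        ihl = (frame[off] & 0x0F) * 4               # header length, options included
        fields["ip_proto"] = frame[off + 9]
        l4 = off + ihl
        if fields["ip_proto"] in (IP_TCP, IP_UDP) and len(frame) >= l4 + 4:
            fields["sport"], fields["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return fields


def evaluate(rules, frame):
    """First matching rule wins; a frame matching no rule is denied."""
    fields = decode(frame)
    for action, match in rules:
        if all(fields.get(key) == value for key, value in match.items()):
            return action
    return "deny"


# Constructed sample frames: fixed MACs, 10.0.0.0/24 addresses, IP checksum left at 0.
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")


def build_ipv4(proto, sport, dport, vlan=None):
    tag = struct.pack("!HH", ETH_8021Q, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    l4 = struct.pack("!HH", sport, dport) + b"\0" * 4
    return DST + SRC + tag + struct.pack("!H", ETH_IP) + ip + l4


def build_raw(ethertype):
    return DST + SRC + struct.pack("!H", ethertype) + b"\0" * 28


# Policy (assumed): drop Telnet, keep SSH, ARP and other IP; anything else, here
# Banyan, falls through to the implicit deny.
RULES = [
    ("deny",   {"ip_proto": IP_TCP, "dport": PORT_TELNET}),
    ("permit", {"ethertype": ETH_ARP}),
    ("permit", {"ethertype": ETH_IP}),
]

if __name__ == "__main__":
    samples = [("telnet", build_ipv4(IP_TCP, 40000, PORT_TELNET)),
               ("ssh", build_ipv4(IP_TCP, 40001, PORT_SSH)),
               ("udp echo, VLAN 10", build_ipv4(IP_UDP, PORT_ECHO, PORT_ECHO, vlan=10)),
               ("arp", build_raw(ETH_ARP)),
               ("banyan", build_raw(ETH_BANYAN))]
    for name, frame in samples:
        print(f"{name:18s} -> {evaluate(RULES, frame)}")
```

The order of the rules matters: the Telnet deny is placed before the general IP permit, so a first-match evaluator blocks it, and the tagged frame is decoded the same way as the untagged one because the 802.1Q header is skipped before the IPv4 header is read.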
A P P E N D I X B Supported MIBs This appendix lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the access point supports for this software release. The Cisco IOS SNMP agent supports SNMPv1, SNMPv2, and SNMPv3.
• CISCO-MEMORY-POOL-MIB
• CISCO-PROCESS-MIB
• CISCO-PRODUCTS-MIB
• CISCO-SMI-MIB
• CISCO-TC-MIB
• CISCO-SYSLOG-MIB
• CISCO-WDS-INFO-MIB
• ENTITY-MIB
• IF-MIB
• OLD-CISCO-CHASSIS-MIB
• OLD-CISCO-SYS-MIB
• OLD-CISCO-SYSTEM-MIB
• OLD-CISCO-TS-MIB
• RFC1213-MIB
• RFC1398-MIB
• SNMPv2-MIB
• SNMPv2-SMI
• SNMPv2-TC

Using FTP to Access the MIB Files
Follow these steps to obtain each MIB file by using FTP:
Step 1 Use
A P P E N D I X C Error and Event Messages
This appendix lists the CLI error and event messages. The appendix contains the following sections:
• Conventions, page C-2
• Software Auto Upgrade Messages, page C-3
• Association Management Messages, page C-4
• Unzip Messages, page C-5
• 802.
Conventions
System error messages are displayed in the format shown in Table C-1.

Table C-1 System Error Message Format

Message Component   Description                                                Example
Error identifier    A string categorizing the error.                           STATION-ROLE
Software component  A string identifying the software component of the error.  AUTO_INSTALL
Severity Level      A numerical string indicating the severity of the error.   0-LOG-EMERG—emergency situation, nothing is functional
Software Auto Upgrade Messages

Error Message SW-AUTO-UPGRADE-2-FATAL_FAILURE: “Attempt to upgrade software failed, software on flash may be deleted. Please copy software into flash.”
Explanation Auto upgrade of the software failed. The software on the flash might have been deleted. Copy software into the flash.
Recommended Action Copy software before rebooting the unit.
Association Management Messages

Error Message AUTO-INSTALL-4-IP_ADDRESS_DHCP: “The radio is operating in automatic install mode and has set ip address dhcp.”
Explanation The radio is operating in automatic install mode and is configured to receive an IP address through DHCP.
Recommended Action Use the station-role interface configuration command to configure the radio for a role other than install mode.

Error Message AUTO-INSTALL-6_STATUS: “%s” %s. RSSI=-%d dBm.
Unzip Messages

Error Message DOT11-6-ROAMED: “Station %e roamed to %e.”
Explanation The indicated station roamed to the indicated new access point.
Recommended Action None.

Error Message DOT11-4-ENCRYPT_MISMATCH: “Possible encryption key mismatch between interface %s and station %e.”
Explanation The encryption setting of the indicated interface and indicated station may be mismatched.
802.11 Subsystem Messages

Error Message DOT11-4-VERSION_UPGRADE: “Interface %d, upgrading radio firmware.”
Explanation When starting the indicated interface, the access point found the wrong firmware version. The radio will be loaded with the required version.
Recommended Action None.

Error Message DOT11-2-VERSION_INVALID: “Interface %d, unable to find required radio version %x.
Error Message DOT11-3-RADIO_IF_LO: “Interface %s Radio cannot lock IF freq.”
Explanation The radio intermediate frequency (IF) PLL is unable to lock the correct frequency on the indicated interface.
Recommended Action Remove the unit from the network and service it.

Error Message DOT11-6-FREQ_SCAN: “Interface %s Scanning frequencies for %d seconds.
Error Message DOT11-4-DFS_STORE_FAIL: “DFS: could not store the frequency statistics.”
Explanation A failure occurred writing the DFS statistics to flash.
Recommended Action None.

Error Message DOT11-4-NO_SSID: “No SSIDs configured, %d not started.”
Explanation All SSIDs were deleted from the configuration. At least one must be configured for the radio to run.
Recommended Action Configure at least one SSID on the access point.
Error Message IF-4-MISPLACED_VLAN_TAG: “Detected a misplaced VLAN tag on source Interface %. Dropping packet.”
Explanation An 802.1Q VLAN tag was received on the indicated interface that could not be parsed correctly. The received packet was encapsulated or de-encapsulated incorrectly, and it was dropped.
Recommended Action None.

Error Message DOT11-2-FW_LOAD_NET: “Interface %s cannot load on boot. Place image in flash root directory and reload.
Error Message DOT11-4-CANT_ASSOC: “Interface %, cannot associate %s.”
Explanation The indicated interface device could not associate to the indicated parent access point.
Recommended Action Check the configuration of the parent access point and this unit to make sure there is a match.

Error Message DOT11-4-CANT_ASSOC: “Interface Dot11Radio 0, cannot associate.”
Explanation The parent does not support client MFP.
Error Message DOT11-4-MAXRETRIES: “Packet to client %e reached max retries, removing the client.”
Explanation The maximum packet send retry limit has been reached and the client is being removed. The access point polled the client the configured number of times without receiving a response, so the client is removed from the association table.
Error Message DOT11-4-RADIO_NO_FREQ: “Interface %s, all frequencies have been blocked, interface not started.”
Explanation The frequencies set for operation are invalid, and a channel scan is being forced in order to select a valid operating frequency.
Recommended Action None.

Error Message DOT11-4-BCN_BURST_NO_MBSSID: “Beacon burst mode is enabled but MBSSID is not enabled, %s is down.
Error Message DOT11-4-FLASHING_RADIO: “Interface %s, flashing radio firmware (%s).”
Explanation The indicated interface radio has been stopped to load the indicated new firmware.
Recommended Action None.

Error Message DOT11-4-LOADING_RADIO: “Interface %s, loading the radio firmware (%s).”
Explanation The indicated interface radio has been stopped to load the indicated new firmware.
Recommended Action None.
Error Message DOT11-4-UPLINK_LINK_DOWN: “Interface %s, parent lost: %s.”
Explanation The connection to the parent access point on the indicated interface was lost for the reason indicated. The unit will try to find a new parent access point.
Recommended Action None.

Error Message DOT11-4-CANT_ASSOC: Cannot associate: [chars]
Explanation The unit could not establish a connection to a parent access point for the displayed reason.
Error Message DOT11-6-ANTENNA_GAIN: “Interface %s, antenna position/gain changed, adjusting transmitter power.”
Explanation The antenna gain has changed, so the list of allowed power levels must be adjusted.
Recommended Action None.

Error Message DOT11-4-DIVER_USED: “Interface %s Mcs rates 8-15 disabled due to only one transmit or receive antenna enabled.”
Explanation The rates listed require that at least two receive or transmit antennas be enabled.
Error Message DOT11-4-CCMP_REPLAY: “AES-CCMP TSC replay was detected on packet (TSC 0x%llx received from %e).”
Explanation AES-CCMP TSC replay was indicated on a frame. A replayed AES-CCMP TSC in a received packet almost always indicates an active attack, because a legitimate sender never reuses a packet number under the same key.
Recommended Action None.

Error Message DOT11-4-CKIP_MIC_FAILURE: “CKIP MIC failure was detected on a packet (Digest 0x%x) received from %e).
Error Message DOT11-3-TKIP_MIC_FAILURE_REPEATED: “Two TKIP Michael MIC failures were detected within %s seconds on %s interface. The interface will be put on MIC failure hold state for next %d seconds”
Explanation Two TKIP Michael MIC failures were detected within the indicated time on the indicated interface. Because this usually indicates an active attack on your network, the interface will be put on hold for the indicated time.
Error Message DOT11-4-NO_VLAN_ID: “VLAN id %d from Radius server is not configured for station %e.”
Explanation The VLAN ID returned by the RADIUS server must be configured on the access point.
Recommended Action Configure the VLAN ID on the access point.

Error Message SOAP-3-ERROR: “Reported on line %d in file %s.%s.”
Explanation An internal error occurred on the indicated line number in the indicated filename in the controller ASIC.
Inter-Access Point Protocol Messages

Error Message SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: “IOS crypto FIPS self test passed.”
Explanation SOAP FIPS self test passed.
Recommended Action None.

Error Message SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: “RADIO crypto FIPS self test passed on interface %s %d.”
Explanation SOAP FIPS self test passed on a radio interface.
Recommended Action None.
Local Authenticator Messages

Error Message RADSRV-4-NAS_UNKNOWN: Unknown authenticator: [ip-address]
Explanation The local RADIUS server received an authentication request but does not recognize the IP address of the network access server (NAS) that forwarded the request.
Recommended Action Make sure that every access point on your wireless LAN is configured as a NAS on your local RADIUS server.
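The messages in this appendix arrive on a syslog collector in the component-severity-identifier layout that Table C-1 describes, and a handful of them (DOT11-4-CCMP_REPLAY, DOT11-3-TKIP_MIC_FAILURE_REPEATED, DOT11-4-ENCRYPT_MISMATCH and RADSRV-4-NAS_UNKNOWN) are the ones a security operations team should alert on rather than file. The following added example, which is not Cisco code, parses lines in that layout and turns those messages into findings, counting CCMP replays per station so that a burst from one MAC is reported once at a higher severity. It assumes the usual IOS "%" prefix and a timestamp on each line and station addresses in Cisco dotted-hex form; the log lines are constructed from the message texts in this appendix, not taken from a real device.

```python
"""Added example (not Cisco code): parse IOS system messages in the
FACILITY-SEVERITY-MNEMONIC layout of Table C-1 and raise findings for the
802.11 replay/MIC-failure messages and the local-authenticator NAS_UNKNOWN
message listed in this appendix.

Assumptions: lines carry the usual IOS "%" prefix and a timestamp; station
addresses appear in Cisco dotted-hex form. The sample lines are constructed.
"""
import re
from collections import Counter

MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+(?:-[A-Z0-9_]+)*?)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")
MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b")

# Mnemonics from this appendix that deserve a security finding, with the note to attach.
WATCH = {
    "CCMP_REPLAY": "AES-CCMP TSC replay: likely active attack",
    "TKIP_MIC_FAILURE_REPEATED": "TKIP countermeasures engaged, interface on MIC-failure hold",
    "NAS_UNKNOWN": "RADIUS request from an access point not registered as a NAS",
    "ENCRYPT_MISMATCH": "encryption setting mismatch between interface and station",
}

# Constructed sample log; addresses and timestamps are made up.
SAMPLE_LOG = """\
*Mar  1 00:12:01.123: %DOT11-4-CCMP_REPLAY: AES-CCMP TSC replay was detected on packet (TSC 0x1a2b3c received from 0011.2233.4455).
*Mar  1 00:12:01.890: %DOT11-4-CCMP_REPLAY: AES-CCMP TSC replay was detected on packet (TSC 0x1a2b3d received from 0011.2233.4455).
*Mar  1 00:12:03.456: %DOT11-3-TKIP_MIC_FAILURE_REPEATED: Two TKIP Michael MIC failures were detected within 60 seconds on Dot11Radio0 interface. The interface will be put on MIC failure hold state for next 60 seconds
*Mar  1 00:12:05.000: %RADSRV-4-NAS_UNKNOWN: Unknown authenticator: 10.0.0.77
*Mar  1 00:12:06.000: %DOT11-6-ROAMED: Station 0011.2233.4455 roamed to 0022.3344.5566.
*Mar  1 00:12:07.000: %DOT11-4-ENCRYPT_MISMATCH: Possible encryption key mismatch between interface Dot11Radio0 and station 0011.2233.4455.
show version output that is not a system message
"""


def parse(line):
    """Split one log line into its Table C-1 components; None if it is not a system message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["stations"] = MAC_RE.findall(rec["text"])
    return rec


def triage(log_text, replay_threshold=2):
    """Return (severity, mnemonic, note) findings, most severe first.

    Each watched message becomes a finding; CCMP_REPLAY is also counted per
    station so that a burst from one MAC is reported once as severity 2.
    """
    findings, replays = [], Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        mn = rec["mnemonic"]
        if mn == "CCMP_REPLAY":
            for mac in rec["stations"]:
                replays[mac] += 1
        if mn in WATCH:
            who = ", ".join(rec["stations"]) or rec["text"].strip()
            findings.append((rec["severity"], mn, f"{WATCH[mn]} ({who})"))
    for mac, n in replays.items():
        if n >= replay_threshold:
            findings.append((2, "CCMP_REPLAY_BURST", f"{n} replayed frames from {mac}"))
    findings.sort(key=lambda f: f[0])              # stable sort keeps log order within a severity
    return findings


if __name__ == "__main__":
    for sev, mn, note in triage(SAMPLE_LOG):
        print(f"sev{sev} {mn:28s} {note}")
```

The facility part of the identifier may itself contain hyphens (SW-AUTO-UPGRADE, DOT1X-SHIM, SOAP_FIPS), which is why the pattern matches the facility lazily up to the single-digit severity rather than splitting on the first hyphen. Informational messages such as DOT11-6-ROAMED are parsed but produce no finding.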
Error Message DOT1X-SHIM-3-UNSUPPORTED_KM: “Unsupported key management: %X.”
Explanation An error occurred during the initialization of the shim layer. An unsupported key management type was found.
Recommended Action None.

Error Message DOT1X-SHIM-4-PLUMB_KEY_ERR: “Unable to plumb keys - %s.”
Explanation An unexpected error occurred when the shim layer tried to plumb the keys.
Recommended Action None.
WDS Messages
out before trying the next configured server. A RADIUS server marked as dead is skipped by subsequent requests for the duration of the dead time, unless all servers are marked dead. Configuring a dead time of 10 minutes means that the server cannot be used for 10 minutes.
Explanation You can disable this command if you want this log message to disappear. The message does not indicate a major problem; it is an informational log entry.
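The dead-time behaviour described above (a server that times out is skipped for the configured number of minutes, and every server is tried again only when all of them are marked dead) is easy to get wrong in a client, so the following added example models it with a fake clock and a fake transport. It is not IOS code and the server addresses, the 10-minute dead time and the timing of the requests are assumptions chosen to walk through the scenario; it does not speak RADIUS on the wire.

```python
"""Added example (not IOS code): a model of how a RADIUS client skips a
server marked dead for the configured dead time, and falls back to trying
every server once all of them are marked dead, as the WDS message above
describes.

Assumptions: one request per server per attempt, a server is marked dead on
a timeout, and dead time is given in minutes as on the access point. The
clock and transport are fakes so the behaviour can be traced offline.
"""
from collections import Counter


class FakeClock:
    def __init__(self, start=0.0):
        self.t = start

    def now(self):
        return self.t


class RadiusPool:
    def __init__(self, servers, deadtime_minutes, clock):
        self.servers = list(servers)        # tried in configured order
        self.deadtime = deadtime_minutes * 60
        self.clock = clock                  # callable returning seconds
        self.dead_until = {}                # server -> time at which it may be retried

    def is_dead(self, server):
        return self.dead_until.get(server, 0) > self.clock()

    def candidates(self):
        """Live servers in order; if every server is dead, try all of them anyway."""
        live = [s for s in self.servers if not self.is_dead(s)]
        return live or list(self.servers)

    def authenticate(self, send):
        """send(server) returns the server's verdict or raises TimeoutError.

        Returns (server, verdict) from the first server that answers, or
        (None, None) when they all time out; each timeout marks that server
        dead for the dead time.
        """
        for server in self.candidates():
            try:
                return server, send(server)
            except TimeoutError:
                self.dead_until[server] = self.clock() + self.deadtime
        return None, None


def trace_failover():
    """Assumed scenario: 10.0.0.5 is down, 10.0.0.6 answers, dead time 10 minutes."""
    clock, attempts = FakeClock(), Counter()

    def send(server):
        attempts[server] += 1
        if server == "10.0.0.5":
            raise TimeoutError(server)
        return "Access-Accept"

    pool = RadiusPool(["10.0.0.5", "10.0.0.6"], deadtime_minutes=10, clock=clock.now)
    events = []
    for t in (0, 300, 601):                 # first request, inside dead time, just after it
        clock.t = t
        server, verdict = pool.authenticate(send)
        events.append((t, server, verdict, attempts["10.0.0.5"]))
    return events


if __name__ == "__main__":
    for t, server, verdict, tries in trace_failover():
        print(f"t={t:4d}s answered by {server} ({verdict}); 10.0.0.5 tried {tries}x so far")
```

At t=0 the first server times out, is marked dead until t=600 and the second server answers; at t=300 the dead server is not contacted at all; at t=601 the dead time has expired and it is probed again. When every server has timed out the pool returns the full list, so the client keeps trying rather than failing closed forever.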
Mini IOS Messages

Error Message WLCCP-NM-3-WNM_LINK_DOWN: Link to WNM is down
Explanation The network manager is not responding to keep-active messages.
Recommended Action Check for a problem with the network manager or with the network path to the network manager.

Error Message WLCCP-NM-6-WNM_LINK_UP: Link to WNM is up
Explanation The network manager is now responding to keep-active messages.
Recommended Action None.
Access Point/Bridge Messages

Error Message Saving this config to nvram may corrupt any network management or security files stored at the end of nvram. Continue? [no]:
Explanation This warning message displays on the access point CLI while you save configuration changes through the CLI. It is due to insufficient space in flash memory. When a radio crashes, .rcore files are created.
Cisco Discovery Protocol Messages

Error Message CDP_PD-2-POWER_LOW: %s - %s %s (%e)
Explanation The system is not supplied with sufficient power.
Recommended Action Reconfigure or replace the source of inline power.
GLOSSARY

802.11 The IEEE standard that specifies carrier sense media access control and physical layer specifications for 1- and 2-megabit-per-second (Mbps) wireless LANs operating in the 2.4-GHz band.
802.11a The IEEE standard that specifies carrier sense media access control and physical layer specifications for wireless LANs operating in the 5-GHz frequency band.
802.11b The IEEE standard that specifies carrier sense media access control and physical layer specifications for 5.
beacon A wireless LAN packet that signals the availability and presence of the wireless device. Beacon packets are sent by access points and base stations; however, client radio cards send beacons when operating in computer to computer (Ad Hoc) mode.
BOOTP Boot Protocol. A protocol used for the static assignment of IP addresses to devices on the network.
BPSK A modulation technique used by IEEE 802.11b-compliant wireless LANs for transmission at 1 Mbps.
dipole A type of low-gain (2.2-dBi) antenna consisting of two (often internal) elements.
domain name The text name that refers to a grouping of networks or network resources based on organization type or geography; for example: name.com—commercial; name.edu—educational; name.gov—government; ISPname.net—network provider (such as an ISP); name.ar—Argentina; name.au—Australia; and so on.
DNS Domain Name System server. A server that translates text names into IP addresses.
IP subnet mask The number used to identify the IP subnetwork, indicating whether the IP address can be recognized on the LAN or if it must be reached through a gateway. This number is expressed in a form similar to an IP address; for example: 255.255.255.0.
isotropic An antenna that radiates its signal in a spherical pattern.

M

MAC Media Access Control address. A unique 48-bit number used in Ethernet data packets to identify an Ethernet device, such as an access point or your client adapter.
roaming A feature of some access points that allows users to move through a facility while maintaining an unbroken connection to the LAN.
RP-TNC A connector type unique to Cisco Aironet radios and antennas. Part 15.203 of the FCC rules covering spread spectrum devices limits the types of antennas that may be used with transmission equipment.
W

WDS Wireless Domain Services (WDS). An access point providing WDS on your wireless LAN maintains a cache of credentials for CCKM-capable client devices on your wireless LAN. When a CCKM-capable client roams from one access point to another, the WDS access point forwards the client’s credentials to the new access point with the multicast key. Only two packets pass between the client and the new access point, greatly shortening the reassociation time.
WEP Wired Equivalent Privacy.