Cisco Aironet 1200 Series Access Point Software Configuration Guide
Software Release 12.03T
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Preface
The Cisco Aironet 1200 Series Access Point Software Configuration Guide describes how to configure Cisco Aironet 1200 Series Access Points using the web-based management system. This manual also briefly describes how to use the console-based management system.
Audience and Scope
This guide is for the network manager responsible for configuring a wireless network.
Chapter 9, “Network Management,” describes how to browse to other devices on your network. The chapter also describes how to use Cisco Discovery Protocol (CDP), assign a specific network port to a MAC address, and how to enable wireless network accounting.
Chapter 10, “Managing Firmware and Configurations,” describes how to update firmware on your access point and how to distribute firmware and configurations to other access points.
Related Publications
The following documents provide more information about access points and related products:
• Quick Start Guide: Cisco Aironet 1200 Series Access Points describes how to attach cables, power on, and assign an IP address and default gateway for the access point.
Chapter 1 Overview
Cisco Aironet access points are wireless LAN transceivers that serve as the center point of a stand-alone wireless network or as the connection point between wireless and wired networks. In large installations, wireless users within radio range of an access point can roam throughout a facility while maintaining seamless, uninterrupted access to the network. Your access point can contain two radios: a 2.
Key Features
This section describes the key features of the access point firmware. The following are the key features of this firmware version:
• Multiple IEEE 802.11 service set identifiers (SSIDs) allow you to create different levels of network access and to access virtual LANs (VLANs). You can configure up to 16 separate SSIDs to support up to 16 VLANs for each access point radio.
• Secure Shell (SSH) support for providing strong user authentication and encryption of management traffic. SSH is a software package that provides a cryptographically secure replacement for or an alternative to Telnet. It provides strong host-to-host and user authentication as well as secure encrypted communications over a nonsecure network. The feature operates as follows:
– The SSH server on the access point listens to its TCP port 22 for requests.
Quality of Service Support
What is QoS?
QoS refers to the ability of a network to provide improved service to selected network traffic over various underlying technologies including Ethernet and wireless LANs.
VLAN Support
Version 12.01T1 supports VLAN technology by mapping SSIDs to VLANs. With the multiple-SSID capability, the access point can support up to 16 VLAN subnets.
What is a VLAN?
A switched network can be logically segmented into virtual local area networks (VLANs), on a physical or geographical basis, or by functions, project teams, or applications.
Figure 1-1 LAN Segmentation and VLAN Segmentation with Wireless Components (panels: Traditional LAN segmentation; VLAN segmentation, in which the access point trunk port carries SSID 1 = VLAN1, SSID 2 = VLAN2, SSID 3 = VLAN3)
Related Documents
The following documents provide more detailed informa
In fundamental terms, the key to configuring an access point to connect to a specific VLAN is configuring an SSID to map to that VLAN. Because VLANs are identified by a VLAN ID, it follows that if an SSID on an access point is configured to map to a specific VLAN ID, a connection to the VLAN is established. When this connection is made, associated wireless client devices having the same SSID are able to access the VLAN through the access point.
Figure 1-2 VLAN Example (access point on a trunk port; SSID Student=VLAN 01, SSID Faculty=VLAN 02, and SSID Management=VLAN 03)
Network Configuration Examples
This section describes the access point’s role in three common wireless network configurations.
Figure 1-3 Access Points as Root Units on a Wired LAN
Repeater Unit that Extends Wireless Range
An access point can be configured as a stand-alone repeater to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication.
Figure 1-4 Access Point as Repeater
Central Unit in an All-Wireless Network
In an all-wireless network, an access point acts as a stand-alone root unit. The access point is not attached to a wired LAN; it functions as a hub linking all stations together. The access point serves as the focal point for communications, increasing the communication range of wireless users.
Chapter 2 Using the Management Interfaces
This chapter describes the interfaces you can use to configure the access point. You can use a web-browser interface, a command-line interface through a terminal emulator or a Telnet session, or a Simple Network Management Protocol (SNMP) application. The access point’s management system web pages are organized the same way for the web browser and command-line interfaces. The examples in this manual show the web-browser interface.
Using the Web-Browser Interface
The web-browser interface contains management pages that you use to change access point settings, upgrade and distribute firmware, and monitor and configure other wireless devices on the network.
Note The access point management system is fully compatible with Microsoft Internet Explorer versions 4.0 or later and Netscape Communicator versions 4.0 or later.
Table 2-1 Common Buttons on Management Pages (continued)
Button/Link     Description
Associations    Displays the Association Table page, which provides a list of all devices on the wireless network and links to the devices.
Setup           Displays the Setup page, which contains links to the management pages with configuration settings.
Logs            Displays the Event Log page, which lists system events and their severity levels.
The Network Map window appears when you click Network Map in the Map window. You use the Network Map window to open a new browser window displaying information for any device on your wireless network. Figure 2-2 shows the Network Map window.
Figure 2-2 The Network Map Window
Click the name of a wireless device to open a new browser window displaying a Station page listing the access point’s local information for that device.
Connecting the Serial Cable
Connect a DB-9 to RJ-45 serial cable to the COM port on a computer and to the RJ-45 serial port on the access point. Figure 2-3 shows the serial port connection.
Figure 2-3 Connecting the Serial Cable (labels: DB-9 to RJ-45 serial cable; RJ-45 serial connector)
Note The Cisco part number for the DB-9 to RJ-45 serial cable is AIR-CONCAB1200. Browse to http://www.cisco.
Table 2-2 Common Functions on CLI Pages
Function                   Description
Press Enter three times    Refreshes the page and cancels changes to settings.
Ctrl-R                     Refreshes the page and cancels changes to settings.
=                          Returns to the home page without applying changes.
:back                      Moves back one page without applying changes.
:bottom                    Jumps to the bottom of a long page, such as Event Log.
Applying Changes to the Configuration
The CLI’s auto-apply feature is on by default, so changes you make to any page are applied automatically when you move to another management page. To apply changes and stay on the current page, type apply and press Enter.
Using a Telnet Session
Follow these steps to browse to the CLI pages with Telnet:
Step 1 On your computer’s Start menu, select Programs > Accessories > Telnet.
Supported MIBs
The access point supports the following MIBs:
• Standard MIB-II (RFC1213-MIB.my)
Supported branches:
– system (1.3.6.1.2.1.1)
– interfaces (1.3.6.1.2.1.2)
– ip (1.3.6.1.2.1.4)
– tcp (1.3.6.1.2.1.6)
– udp (1.3.6.1.2.1.7)
– snmp (1.3.6.1.2.1.11)
To download this MIB, browse to http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml and click SNMP v1 MIBs. Scroll down the list of files and select RFC1213-MIB.my.
Chapter 3 Radio Configuration and Basic Settings
This chapter describes how to use the pages in the access point management system to configure the access point. The main Setup page provides links to all the pages containing access point settings. This chapter contains the following sections:
• Basic Settings
• Radio Configuration
• Ethernet Configuration
Note See Chapter 8, “Security Setup” for information on setting up the access point’s security features.
Basic Settings
This section describes the basic settings on the Express Setup page. If you need to set up an access point quickly with a simple configuration, or change or update a basic setting, you can enter all the access point’s essential settings for basic operation on the Express Setup page. The page contains radio settings for both the 2.4-GHz internal radio and the 5-GHz external radio module.
Entering Basic Settings
The Express Setup page contains the following settings:
• System Name
• MAC Address
• System Serial Number
• Configuration Server Protocol
• Default IP Address
• Default IP Subnet Mask
• Default Gateway
• Radio Service Set ID (SSID)
• Role in Radio Network
• Radio Network Optimization (Optimize Radio Network For)
• Radio Network Compatibility (Ensure Compatibility With)
• Security Setup Link
•
Configuration Server Protocol
Set the Configuration Server Protocol to match the network's method of IP address assignment. Click the Configuration Server link to jump to the Boot Server Setup page, which contains detailed settings for configuring the access point to work with your network’s BOOTP or DHCP servers for automatic assignment of IP addresses.
The menu contains the following options:
• Root Access Point—A wireless LAN transceiver that connects an Ethernet network with wireless client stations. Use this setting if the access point is connected to the wired LAN. Figure 3-2 shows an access point operating as a root unit in a network.
Figure 3-3 Repeater Access Point
• Site Survey Client—A wireless device that depends on an access point for its connection to the network. Use this setting when performing a site survey for a repeater access point. When you select this setting, clients are not allowed to associate.
Radio Network Compatibility (Ensure Compatibility With)
You use this setting to automatically configure the access point to be compatible with other devices on your wireless LAN. This setting appears twice on the page, once for the internal radio and once for the external radio module. You can use the same setting or different settings for each radio.
Entering Identity Information
Use the AP Radio Identification pages to enter basic locating and identity information for the access point radios. The internal radio and the radio module both have an AP Radio Identity page. Both pages contain the same settings. Figure 3-4 shows the AP Radio Identification page for the internal radio.
Primary Port Settings
Two options allow you to designate the radio port as the Primary Port and select whether the radio port adopts or assumes the identity of the primary port.
• Primary Port?—The primary port determines the access point’s MAC and IP addresses. Ordinarily, the access point’s primary port is the Ethernet port, which is connected to the wired LAN, so this setting is usually set to no.
LEAP Password
Use this field if the radio is set up as a repeater and authenticates to the network using LEAP. When the radio authenticates using LEAP, the access point uses this password for authentication. Follow the steps in the “Setting Up a Repeater Access Point” section on page 12-2 to set up the radio as a LEAP client.
Settings on the AP Radio Hardware Page
The AP Radio Hardware page contains the following settings:
• Service Set ID (SSID)
• Allow Broadcast SSID to Associate?
• Enable World Mode
• Data Rates
• Transmit Power
• Frag. Threshold
• RTS Threshold
• Max. RTS Retries
• Max.
• No—Devices that do not specify an SSID (devices that are “broadcasting” in search of an access point or bridge to associate with) are not allowed to associate with the access point or bridge. With No selected, the SSID used by the client must exactly match one of the radio’s SSIDs.
Enable World Mode
When you select yes from the world-mode pull-down menu, the access point adds channel carrier set information to its beacon.
Transmit Power
This setting determines the power level of radio transmission. The default power setting is the highest transmit power allowed in your regulatory domain.
Note Government regulations define the highest allowable power level for radio devices. This setting must conform to established standards for the country in which you use the access point.
To reduce interference or to conserve power, select a lower power setting.
Note If client devices using power-save mode wake up too often when associated to the access point, increase the data beacon rate setting.
Default Radio Channel
The default channel settings on the radios are the lowest channel numbers for your regulatory domain.
Figure 3-8 AP Radio Restrict Searched Channels Page for the Internal Radio
The page lists all the channels in the access point’s regulatory domain. Click the Search check boxes beside the channels to include channels in the scan for less-congested channels. All the channels are included in the scan by default.
Figure 3-9 AP Radio Advanced Page for Internal Radio
Follow this link path to reach the AP Radio Advanced pages:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Advanced in one of the AP Radio rows under Network Ports.
Settings on the AP Radio Advanced Page
The AP Radio Advanced pages contain the following settings:
• Requested Status
• Packet Forwarding
• Default Multicast Address Filters
• Maximum Multicast Packets/Second
• Radio Cell Role
• SSID For Use By Infrastructure Stations
• Disallow Infrastructure Stations on Any Other SSID
• Use Aironet Extensions
• Classify Workgroup Bridges as Network Infrastructure
• Require Use of Rad
Default Multicast Address Filters
MAC address filters allow or disallow the forwarding of multicast packets sent to specific MAC addresses. You can create a filter that passes traffic to all MAC addresses except those you specify, or you can create a filter that blocks traffic to all MAC addresses except those you specify.
Use Aironet Extensions
Select yes or no to use Cisco Aironet 802.11 extensions. This setting must be set to yes (the default setting) to enable these features:
• Load balancing—The access point uses Aironet extensions to direct client devices to an access point that provides the best connection to the network based on factors such as number of users, bit error rates, and signal strength.
A Cisco Aironet Workgroup Bridge provides a wireless LAN connection for up to eight Ethernet-enabled devices. Refer to the “Overview” section on page 1-2 of the Cisco Aironet Workgroup Bridge Software Configuration Guide for a description of workgroup bridges.
Require Use of Radio Firmware x.xx
This setting affects the firmware upgrade process when you load new firmware for the access point.
Temporal Key Integrity Protocol
This setting enables the temporal key integrity protocol (TKIP, also known as WEP key hashing), which defends against an attack on WEP in which the intruder uses the unencrypted initialization vector (IV) in encrypted packets to calculate the WEP key. WEP key hashing removes the predictability that an intruder relies on to determine the WEP key by exploiting IVs.
If this access point is a repeater, type the MAC address of one or more root-unit access points with which you want this access point to associate. With MAC addresses in these fields, the repeater access point always tries to associate with the specified access points instead of with other less-efficient access points.
Non-Root Mobility
This setting applies mainly to repeater access points that you intend to use in a roaming environment. The drop-down menu enables you to select either stationary or mobile settings:
• Stationary—The radio firmware does not aggressively scan for a better root association, which makes the association more stable but does not allow the access point to roam.
Settings on the Ethernet Identification Page
The Ethernet Identification page contains the following settings:
• Primary Port Settings
• Default IP Address
• Default IP Subnet Mask
The page also displays the access point’s MAC address, its current IP address, its current IP subnet mask, and the maximum packet data length allowed.
Figure 3-11 The Ethernet Hardware Page
Follow this link path to reach the Ethernet Hardware page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Hardware in the Ethernet row under Network Ports.
• 10-Base-T / Half Duplex—Ethernet network connector for 10-Mbps transmission speed over twisted-pair wire and operating in half-duplex mode.
• 10-Base-T / Full Duplex—Ethernet network connector for 10-Mbps transmission speed over twisted-pair wire and operating in full-duplex mode.
• 100-Base-T / Half Duplex—Ethernet network connector for 100-Mbps transmission speed over twisted-pair wire and operating in half-duplex mode.
Entering Advanced Configuration Information
You use the Ethernet Advanced page to assign special configuration settings for the access point’s Ethernet port. Figure 3-12 shows the Ethernet Advanced page.
Figure 3-12 The Ethernet Advanced Page
Follow this link path to reach the Ethernet Advanced page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Advanced in the Ethernet row under Network Ports.
• Blocking—The port is blocking transmission. Blocking is always displayed when there are no clients associated to the access point.
• Broken—This state reports an Ethernet port failure.
Requested Status
This setting is useful for troubleshooting problems on your network. Up, the default setting, enables the Ethernet port for normal operation. Down disables the access point’s Ethernet port.
Maximum Multicast Packets/Second
Use this setting to control the number of multicast packets that can pass through the Ethernet port each second. If you enter 0, the access point passes an unlimited number of multicast packets. If you enter a number other than 0, the device passes only that number of multicast packets per second.
Cisco Aironet 1200 Series Access Point Software Configuration Guide, OL-2159-05
Chapter 4 Configuring VLANs
This chapter describes VLANs and provides information about configuring them on an access point. The chapter guides you through the process for configuring a typical example VLAN deployment.
Entering VLAN Information
To access the VLAN Setup page (see Figure 4-1), click VLAN in the Associations section of the Setup page. You can also access the page from the AP Radio Advanced page in the Network Ports section of the Setup page.
Figure 4-1 VLAN Setup page
Follow this link path to reach the VLAN Setup page:
1. On the Summary Status page, click Setup. The Setup page appears.
2. In the Associations section, click VLAN.
• VLAN ID
• VLAN Name
• Existing VLANs
VLAN Summary Status Link
Clicking this link takes you to a page containing a listing of existing VLANs on the access point. The list provides you with configuration information for each VLAN. Figure 4-2 shows a typical VLAN Summary Status page.
Figure 4-2 VLAN Summary Status page
Clicking the VLAN Detailed Setup link takes you to the VLAN Setup page.
VLAN (802.1Q) Tagging
Determines whether the IEEE 802.
Single VLAN ID which allows Unencrypted packets
Identifies the number of the VLAN on which unencrypted packets can pass between the access point and the switch. This setting is configurable.
Optionally allow Encrypted packets on the unencrypted VLAN
Determines whether the access point passes encrypted packets on an unencrypted VLAN. This setting permits a client device to associate to the access point allowing both WEP and non-WEP associations.
• Default Policy Group—Ability to apply a policy group (set of Layer 2, 3, and 4 filters) for each VLAN.
management traffic as well as the RADIUS traffic is routed to the access point through the native VLAN. It is recommended that you restrict user access to the native (default) VLAN of the access points through the use of Layer-3 ACLs and policies on the wired infrastructure side. You may or may not wish to map the native VLAN of the access point to an SSID (for example, to the wireless ESS).
If a client or infrastructure device (such as a workgroup bridge) sends a probe request with a secondary SSID, the access point or bridge responds with a probe response with a secondary SSID. You can map the primary SSID to the VLAN ID on the wired infrastructure in different ways. For example, in an enterprise rollout scenario, the primary SSID could be mapped to the unencrypted VLAN on the wired side to provide guest VLAN access.
Figure 4-4 RADIUS-Based VLAN Access Control (labels: SSID = Engineering, SSID = Guest, SSID = Marketing; access point/bridge; RADIUS server; enterprise network; EAP-Request (user-id: John); EAP-Success (user-id: John, VLAN-id=24)) 802.
• Common devices used to access the WLAN, such as the following:
– Security mechanisms (static WEP, MAC authentication and EAP authentication supported by each device type)
– Wired network resources, such as servers, commonly accessed by WLAN device groups
– QoS level needed by each device group
• Revisions to the existing wired VLAN deployment:
– Existing policies for VLAN access
– Localized wired VLANs or flat Layer 2 switched network pol
• Maintenance workers use specialized hand-held devices to access information specific to maintenance issues (such as trouble tickets). They access the information from a server in an Application Servers VLAN. The handhelds only support static 40- or 128-bit WEP.
• Existing wired VLANs are localized per building and use Layer 3 policies to prevent users from accessing critical applications.
Using the Configuration Screens
Using the example outlined above, this section describes how to use the configuration screens to configure VLANs on your access point. To create and enable VLANs on your access point you must complete the following procedures:
1. Obtain and record the VLAN ID and setup information for the switch to which your access point will communicate.
2. Create and configure the VLANs on your access point.
3.
Figure 4-6 VLAN Setup Page
Step 4 Enter 1 in the Default VLAN ID field.
Step 5 Enter Native VLAN in the VLAN Name field.
Step 6 Click Add New. The VLAN ID #1 Setup Page appears (Figure 4-7).
Figure 4-7 VLAN ID #1 Setup Page
Step 7 Make the following entries on this page:
a. VLAN Name: Native VLAN (should be displayed)
b. VLAN Enable: Enable
c. Default Priority: default
d. Default Policy Group: None
e. Enhanced MIC verification for WEP: None
f. Temporal Key Integrity Protocol: Cisco
g. WEP Key 1: Enter 26 hexadecimal characters.
h.
Creating the Full- and Part-Time VLANs

The full- and part-time VLANs are essentially the same except for their names and SSIDs. Follow these steps to create these VLANs.
Step 1 On the VLAN Setup page, make the following changes:
a. VLAN (802.1Q) Tagging: Enabled
b. Native VLAN ID: 0
c. Single VLAN which allows Unencrypted packets: 0
d. Optionally allow Encrypted packets on the unencrypted VLAN: yes
e. VLAN ID: 2
f.
Creating the Guest VLAN

Step 1 Create a “Guest” VLAN using the following configuration:
a. VLAN (802.1Q) Tagging: Disabled
b. Native VLAN ID: 0
c. Single VLAN ID which allows Unencrypted packets: 0
d. Optionally allow Encrypted packets on the unencrypted VLAN: yes
e. VLAN ID: 4
f. VLAN Name: Guest
Step 2 Click Add New. The VLAN ID #4 page appears.
Step 3 Make the following entries on this page:
a. VLAN Name: Guest
a.
Step 3 Make the following entries on this page:
a. VLAN Name: Maintenance
b. VLAN Enable: Enabled
c. Default Priority: default
d. Default policy group: [0] None
e. Enhanced MIC verification for WEP: None
f. Temporal Key Integrity Protocol: None
g. WEP Key Rotation Interval: 0
h. Alert?: no
i. WEP Key 1: Set a 128-bit key.
Step 4 Click OK to return to the VLAN Setup page.
Figure 4-8 AP Radio Internal Service Sets page
Step 3 In the Existing SSIDs field, highlight the Test AP 2 (primary) SSID and click Edit. The AP Radio Primary SSID page appears (Figure 4-9).
Step 4 Make the following changes to this page:
a. Rename the Primary SSID to Guest VLAN
b. Maximum number of Associations: 0
c. Default VLAN ID: [1] Native VLAN
Note Associating the Default VLAN ID to the native VLAN field is known as mapping the VLAN to the SSID. The mapping process is how the access point is able to “connect” to the VLAN on the switch.
d. Classify Workgroup Bridges as Network Infrastructure: yes
e.
Enabling VLAN (802.1Q) Tagging and Identifying the Native VLAN

When you have finished creating and configuring the VLANs and their associated SSIDs, you must enable VLAN IEEE 802.1Q tagging to make them operational. You must also identify the native VLAN. Follow these steps to enable VLAN IEEE 802.1Q tagging and identify the native VLAN.
Step 1 Browse to the Summary Status page and click VLAN in the Associations section.
Figure 4-11 AP Radio Service Sets Page
Step 5 Verify that the SSIDs you created appear in the Existing SSIDs field.
Step 6 If the VLANs and SSIDs verified in Steps 2 and 5 are correct, go to Step 7. If not, review the procedures and correct the problem.
Step 7 In the VLAN (802.1Q) field, click Enable.
Step 8 In the Native VLAN ID field, enter 1.
Step 9 Click OK. The 802.
Creating an SSID for Infrastructure Devices

You must map the native VLAN to an SSID for infrastructure devices (such as workgroup bridges and repeaters) so that they can communicate in the VLAN environment. Follow these steps.
Step 1 From the Setup page, click Service Sets.
Step 2 Create a new SSID called Infrastructure and map it to the Native VLAN.
Step 3 Return to the AP Radio Service Sets page.
Chapter 5 Configuring Filters and QoS

This chapter provides information and configuration procedures for setting up filters. The chapter also provides information and procedures for setting up QoS using filters you create.
Filter Setup

This section describes how to set up filtering to control the flow of data through the access point. You can filter data based on protocols and MAC addresses. Each type of filtering is explained in the following sections:
• Protocol Filtering
• MAC Address Filtering

Protocol Filtering

Protocol filters prevent or allow the use of specific protocols through the access point.
Figure 5-2 Protocol Filters Page

Follow this link path to reach the AP Radio or Ethernet Protocol Filters page:
1. On the Summary Status page, click Setup.
2. Click Filters in the AP Radio: Internal, AP Radio: Module, or Ethernet row under Network Ports.

The left side of the Protocol Filters page contains links to the Ethertype Filters, the IP Protocol Filters, and the IP Port Filters pages.
Step 5 Click Add New. The Filter Set page appears. Figure 5-4 shows the Filter Set page.
Figure 5-4 Filter Set Page
Step 6 Select forward or block from the Default Disposition drop-down menu. This setting is the default action for the protocols you include in the filter set. You can override this setting for specific protocols.
Step 9 Select forward or block from the Disposition drop-down menu to forward or block the protocol traffic, or leave this setting at default to use the default disposition that you selected for the filter set in Step 6.
Step 10 Select a priority for the protocol from the Priority drop-down menu.
Step 3 Select the protocol filter set that you want to enable from the Ethertype, IP Protocol, or IP Port drop-down menu.
Step 4 Click OK. The filter set is enabled.

MAC Address Filtering

MAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific MAC addresses.
Creating a MAC Address Filter

Follow these steps to create a MAC address filter:
Step 1 Follow the link path to the Address Filters page.
Step 2 Type a destination MAC address in the New MAC Address Filter: Dest MAC Address field. You can type the address with colons separating the character pairs (00:40:96:12:34:56, for example) or without any intervening characters (004096123456, for example).
Figure 5-7 AP Radio Advanced Page
Step 7 Click Advanced Primary SSID Setup. The AP Radio Primary SSID page appears. Figure 5-8 shows the AP Radio Primary SSID page.
Figure 5-8 AP Radio Primary SSID Page

Select Open, Shared Key, or Network-EAP to set the authentications the access point recognizes. See Chapter 8, “Security Overview,” for a description of authentication types. If you use open or shared authentication as well as EAP authentication, select Require EAP under Open or Shared to block client devices that are not using EAP from authenticating through the access point.
Note The Ethernet Advanced page contains the Default Unicast and Multicast Address Filter settings for the Ethernet port. These settings work as described above, but you should use extra caution when changing the settings on the Ethernet Advanced page because they can lock you out of your access point. To reach the Ethernet Advanced page, click Advanced in the Ethernet row of the Network Ports section at the bottom of the Setup page.
Figure 5-9 AP Radio Quality of Service Setup Page

Follow this link path to reach the Quality of Service setup page:
1. On the Summary Status page, click Setup. The Setup page appears.
2. In the Associations section, click Protocol Filters. The Protocol Filters Setup page appears.
3. Click Quality of Service for AP Radio for the radio you want to configure. The AP Radio Quality of Service page appears.
Send IGMP General Query

Configures the access point to perform IP multicast filtering on behalf of its clients. When Internet Group Management Protocol (IGMP) snooping is enabled on a switch, and a client roams from one access point to another, the multicast session is dropped.
The best example of this is the negotiations between the access point and a Symbol VoIP WLAN handset. A protocol has been defined by Symbol that allows the handset to be identified by the access point and given interactive voice classification. Follow these steps to enable this feature.
Step 1 Browse to the Setup screen on the access point.
Step 2 Click Protocol Filters in the Associations section. The Protocol Filters Setup page appears (Figure 5-10).
By VLAN

The default priority of a VLAN can be set, and the access point uses this setting for all traffic on that VLAN except when overridden by a filter setting. This filter setting is applied through the policy group on the VLAN. Follow these steps to set up a VLAN's QoS default priority.
Step 1 From the Setup page, click VLAN in the Associations section. The VLAN Setup page appears.
By Filter

Access point filters already allow the classification of traffic based upon Ethertype, Internet Protocol, or IP Port. An example of a filter classifying traffic is shown in Figure 5-13.

Figure 5-13 Filters Priority Setting

The filters can be applied on interfaces or as a part of a VLAN policy group. The access point has a default filter to classify all Spectralink voice traffic with voice priority.
Figure 5-15 shows how the Spectralink filter is applied.

Figure 5-15 Applying the Spectralink Filter

By CoS Value

Traffic that comes to the access point over an Ethernet trunk is already classified by its Class of Service (CoS) settings, and the access point uses that classification.

By DSCP Value

The differentiated services code point (DSCP) values in the IP packets can be used to classify the traffic based on the DSCP-to-CoS mappings shown in Figure 5-16.
Follow these steps to access the DSCP-to-CoS Conversion page.
Step 1 From the Summary Status page, click Setup. The Setup page appears.
Step 2 In the Associations section, click Protocol Filters. The Protocol Filters Setup page appears.
Step 3 Click DSCP-to-CoS Conversion.
Step 5 Click Add New. The VLAN ID #xx page appears.
Step 6 Set the VLAN Enable setting to Enable.
Step 7 In the Default Priority Group drop-down menu, select Interactive Voice (Figure 5-18).
Figure 5-18 VLAN ID #xx page
Note Wireless phones do not support Enhanced MIC verification for WEP or TKIP. No changes are required for these settings. If your wireless phone has a WEP key set, go to the next section.
WEP Set on the Wireless Phone

If WEP is set on your wireless phone, you must set an identical WEP key for the interactive voice VLAN. Follow these steps to set the WEP key.
Step 1 Enter the phone’s WEP key in the WEP Key 1 Encryption Key field.
Step 2 In the Key Size drop-down menu, select the WEP key size set on the phone.
Step 3 Click Apply or OK. The configuration is complete.
Step 4 Click OK. You are returned to the Setup page.
Step 5 In the Associations section, click SSIDs: Int. The AP Radio: Internal Service Sets page appears.
Step 6 Enter a valid SSID in the Service Set ID (SSID) field (Figure 5-20).
Figure 5-20 AP Radio: Internal Service Sets page
Step 7 Click Add New. The AP Radio: Internal SSID #x page appears.
Step 8 In the Default VLAN ID drop-down menu, select [12] Voice (Figure 5-21).
Figure 5-21 AP Radio: Internal Service Sets page
Step 9 Leave all other settings at the default settings and click OK. You are returned to the AP Radio: Internal Service Sets page.
Step 10 Click OK again to return to the Setup page. Your configuration is complete.
Chapter 6 Configuring Proxy Mobile IP

This chapter describes how to enable and configure your access point’s proxy Mobile IP feature.
Proxy Mobile IP

These sections explain how access points conduct proxy Mobile IP:
Note Additional information can be found in the Proxy Mobile IP Deployment Guide, which is available on Cisco.com.

Introduction to Mobility in IP

The advent of wireless technologies such as IEEE 802.11b has presented a tremendous opportunity to those who rely on networking resources.
The Nomadic Approach

A nomadic node is a device that moves, or roams, from one network to another. In order to use that network, the device must renew its IP address and re-establish connectivity to any applications that were in progress. There are advantages and disadvantages to the nomadic approach. ISPs treat all devices as nomads.
Figure 6-2 The Mobile IP Environment (diagram labels: CN, HA, Internet, COA, MN)

Legend:
• CN, Correspondent Node: Destination IP host in session with a Mobile Node
• MN, Mobile Node: An IP host that maintains network connectivity using its "home" IP address, regardless of which subnet (or network) it is connected to
• HA, Home Agent: Maintains an association between the MN's "home" IP address and its care of address (loaned address) on the foreign network
Figure 6-3 The Mobile IP Traffic Pattern (diagram labels: Correspondent Host, Home Agent, Internet, Foreign Agent, Mobile Node)
- Traffic is sent from the MN directly to the Correspondent Host
- The Host replies to the source address of the MN
- The traffic is routed to the HA
- The HA tunnels the traffic to the CoA of the FA
- The FA forwards the traffic to the MN

When the mobile node roams back to its home network, it drops its registration
Proxy Mobile IP supports Mobile IP for wireless nodes without requiring specialized software for those devices. The wireless access point acts as a proxy on behalf of wireless clients that are not aware of the fact that they have roamed onto a different Layer 3 network. The access point handles the IRDP communications to the foreign agent and handles registrations to the home agent.
Issues to Consider While Deploying Proxy Mobile IP

When deploying proxy Mobile IP, consider these key issues:
• Proxy Mobile IP is currently not supported with VLANs. Do not enable VLANs if you plan to use proxy Mobile IP.
• Enabling proxy Mobile IP on the access point requires software release 12.01T1 or later.
• A home agent. The home agent is a router on the visiting client’s home network that serves as the anchor point for communication with the access point and the visiting client. The home agent tunnels packets from a correspondent node on the Internet to the visiting client device by way of a tunnel to a foreign agent.
• A foreign agent.
client devices. Rather than waiting for agent advertisements, an access point can send out an agent solicitation. This solicitation forces any agents on the network to immediately send an agent advertisement. When an access point determines that a client device is connected to a foreign network, it acquires a care-of address for the visiting client.
When a client device associates to an access point and the access point determines that the client is visiting from another network, the access point performs a longest-match lookup on its subnet map table and obtains the home agent address for the visiting client. When the access point has the home agent address, it can proceed to the registration step.
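The longest-match lookup described above, as an added Python example that is not code from the Cisco guide or the access point firmware. The table rows, addresses, and all function names are constructed for illustration; the "visiting" test assumes a client is visiting when its address lies outside the access point's local subnet.

```python
import ipaddress

# Constructed subnet map table rows: (home subnet, home agent address).
# All addresses are sample values made up for this example.
SAMPLE_ROWS = [
    ("10.0.0.0/8", "10.0.0.1"),
    ("10.10.0.0/24", "10.10.0.1"),
    ("10.10.0.128/25", "10.10.0.129"),
]


def build_subnet_map(rows):
    """Parse rows and order them so the most specific subnet is tried first."""
    table = []
    for subnet, home_agent in rows:
        # ip_network() raises ValueError when host bits are set (e.g. 10.10.0.5/24),
        # which catches a common typo in hand-maintained tables.
        net = ipaddress.ip_network(subnet)
        table.append((net, ipaddress.ip_address(home_agent)))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def is_visiting(client_ip, local_subnet):
    """Assumption: a client is visiting when its address is outside the local subnet."""
    return ipaddress.ip_address(client_ip) not in ipaddress.ip_network(local_subnet)


def lookup_home_agent(table, client_ip):
    """Return the home agent for the longest matching subnet, or None."""
    addr = ipaddress.ip_address(client_ip)
    for net, home_agent in table:
        if addr in net:
            return str(home_agent)
    return None


def resolve(table, client_ip, local_subnet):
    """Decide what happens for a newly associated client."""
    if not is_visiting(client_ip, local_subnet):
        return ("local", None)
    home_agent = lookup_home_agent(table, client_ip)
    if home_agent is None:
        # No table entry covers this client, so registration cannot start.
        return ("no-home-agent", None)
    return ("register", home_agent)


if __name__ == "__main__":
    subnet_map = build_subnet_map(SAMPLE_ROWS)
    for ip in ("10.10.0.200", "10.10.0.5", "10.99.1.1", "192.168.1.1", "10.20.0.7"):
        print(ip, resolve(subnet_map, ip, "10.20.0.0/24"))
```

A broad entry such as the /8 row acts as a catch-all: any client in that range that has no more specific row is sent to its home agent, so broad rows deserve review when the table is audited.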
Data packets addressed to the visiting client are routed to its home network, where the home agent intercepts and tunnels them to the care-of address toward the visiting client. Tunneling has two primary functions: encapsulation of the data packet to reach the tunnel endpoint, and decapsulation when the packet is delivered at that endpoint. The tunnel mode that the access point supports is IP Encapsulation within IP Encapsulation.
Figure 6-5 Proxy Mobile IP Setup page

Follow this link path to reach the Proxy Mobile IP Setup page:
1. On the Summary Status page, click Setup.
2. In the Services section of the Setup page, click Proxy Mobile IP.
Settings on the Proxy Mobile IP General Page

Enable Proxy Mobile IP

This setting enables the proxy Mobile IP feature on the access point. The default setting is no.
Note Proxy Mobile IP must also be enabled for the SSID you intend to use to support the feature. Otherwise, proxy Mobile IP will not work. See the “Configuring Proxy Mobile IP” section for additional information.
Settings on the Authenticator Configuration Page

802.1X Protocol Version (for EAP Authentication)

This drop-down menu allows you to select the draft of the 802.1X protocol the access point’s radio will use. EAP operates only when the radio firmware on client devices complies with the same 802.1X Protocol draft as the management firmware on the access point.
Local SA Bindings

Selecting the Local SA Bindings link takes you to the Local SA Bindings page (Figure 6-8). You use this page to identify valid clients that are able to establish contact with a foreign agent in another network segment or network other than the client’s home network.
Existing SA Bindings

This field contains a listing of previously configured security association bindings. The information contains the beginning and ending IP address range and their associated group SPI and key settings.

Statistics

Selecting the Statistics link takes you to the Proxy Mobile IP Statistics page (Figure 6-9). Two buttons are available on this page:
• Refresh—Click this button to refresh the data on the screen.
Active AAP

This informational field lists the IP address of the active authoritative access point.

MN IP Addresses

This informational field lists the IP addresses of the mobile nodes, which are client devices that the access point is servicing.

Solicitations Sent

The number of agent solicitation messages the access point has sent.
Registration Requests Denied by HA

The number of times the home agent rejected registration requests.

Gratuitous ARPs sent

The number of times the access point sent gratuitous Address Resolution Protocol messages (ARPs). Gratuitous ARPs are sent by the home agent on behalf of a roaming mobile node to update the ARP caches on the local hosts.
• Access points configured as authoritative access points must be enabled for proxy Mobile IP before regular access points.
• All proxy Mobile IP enabled access points in the network must be configured to use the same authoritative access points. For example, one access point cannot be configured with two authoritative access points while another access point is configured with three different authoritative access points.
Figure 6-11 A Sample Network (diagram labels: AP30 with PMIP; AP20 with PMIP; 802.11b Client 10.30.0.251; subnets 10.30.0.X/24, 10.20.0.X/24, and 10.10.0.X/24; routers using Mobile IP: ForeignRouter (Foreign Agent) and HomeRouter (Home Agent); ACS and DNS Server 10.0.0.4/24)

Follow these steps to create a Proxy Mobile IP configuration.
Step 1 Browse to the access point’s Setup page.
Step 3 Select the SSID on which proxy Mobile IP will be supported and click Edit. The AP Radio: Internal Primary SSID page appears (Figure 6-13).
Figure 6-13 AP Radio: Internal Service Sets Page
Step 4 Enable proxy Mobile IP for this SSID.
Step 5 Click OK twice. You are returned to the Setup page.
Step 6 In the Services section, click Proxy Mobile IP. The Proxy Mobile IP Setup page appears (Figure 6-14).
Figure 6-15 Proxy Mobile IP General Page
Step 8 Set the Enable Proxy Mobile IP setting to yes.
Step 9 Enter the IP address of the access point in the Authoritative AP 1 field.
Step 10 Click OK. You are returned to the Proxy Mobile IP Setup page.
Step 15 Click View Subnet Map Table. The access point sees the home agent if an entry exists for the desired subnet and displays it on the Subnet Map Table page (Figure 6-17).
Figure 6-17 Subnet Map Table
Step 16 Check the IP addresses in the HA Address column. The home agent’s IP address should appear in this column.
Step 17 Return to the Proxy Mobile IP Setup Page and click Statistics. The Proxy Mobile IP Statistics page appears.
Figure 6-18 Authenticator Configuration Page
Step 2 Perform the following:
a. In the Server Name/IP field, enter the IP address or domain name of the ACS server.
b. In the Shared Secret field, enter the shared secret key used on the ACS server.
c. Check the MIP Authentication box.
Step 3 Click Apply or OK. You are returned to the Proxy Mobile IP Setup page.
Step 5 Define an entry for each Proxy Mobile IP-enabled access point (Figure 6-20).
Figure 6-20 Network Configuration Screen for an Access Point Client
Step 6 Add a User entry for each mobile node (client device). Use the “cisco-av-pair” syntax as detailed in Figure 6-21.
Figure 6-22 Passed Authentication Screen
Step 8 In the Services section of the Setup page, click Proxy Mobile IP. The Proxy Mobile IP Setup page appears.
Step 9 Click General. The Proxy Mobile IP General page appears.
Step 10 Set the Enable Proxy Mobile IP radio button to yes.
Step 11 Enter the IP address of the authoritative access point in the Authoritative AP 1: field.
Chapter 7 Configuring Other Settings

This chapter covers configuration settings not covered in Chapters 3, 4, and 5.
Server Setup

This section describes how to configure the server to support access point features. You use separate management system pages to enter server settings.
Settings on the Time Server Setup Page

The Time Server Setup page contains the following settings:
• Simple Network Time Protocol
• Default Time Server
• GMT Offset (hr)
• Use Daylight Savings Time
• Manually Set Date and Time

The page also displays the IP address of the current time server, if one is assigned.

Simple Network Time Protocol

Select Enabled or Disabled to turn Simple Network Time Protocol (SNTP) on or off.
Entering Boot Server Settings

You use the Boot Server Setup page to configure the access point for your network's BOOTP or DHCP servers for automatic assignment of IP addresses. Figure 7-2 shows the Boot Server Setup page:

Figure 7-2 Boot Server Setup Page

Follow this link path to reach the Boot Server Setup page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Boot Server under Services.
• DHCP Minimum Lease Duration (min)
• DHCP Client Identifier Type
• DHCP Client Identifier Value
• DHCP Class Identifier

Configuration Server Protocol

Use the Configuration Server Protocol pull-down menu to select your network’s method of IP address assignment. The menu contains the following options:
• None—Your network does not have an automatic system for IP address assignment.
DHCP Requested Lease Duration (min)

This setting specifies the length of time the access point requests for an IP address lease from your DHCP server. Enter the number of minutes the access point should request.

DHCP Minimum Lease Duration (min)

This setting specifies the shortest amount of time the access point accepts for an IP address lease. The access point ignores leases shorter than this period.
DHCP Client Identifier Value

Use this setting to include a unique identifier in the access point’s DHCP request packet. This field contains the access point’s MAC address by default. If you select Other - Non Hardware from the DHCP Client Identifier Type pull-down menu, you can enter up to 255 alphanumeric characters. If you select any other option from the DHCP Client Identifier Type pull-down menu, you can enter up to 12 hexadecimal characters.
• Extra Web Page File
• Default Web Root URL

Allow Non-Console Browsing

Select yes to allow browsing to the management system. If you select no, the management system is accessible only through the console and Telnet interfaces.

HTTP Port

This setting determines the port through which your access point provides web access. Your System Administrator should be able to recommend a port setting.
Entering Name Server Settings

You use the Name Server Setup page to configure the access point to work with your network’s Domain Name System (DNS) server. Figure 7-4 shows the Name Server Setup page:

Figure 7-4 The Name Server Setup Page

Follow this link path to reach the Name Server Setup page:
• On the Summary Status page, click Setup.
• On the Setup page, click Name Server under Services.
mycompany.com

The Current Domain line under the entry field lists the domain that is serving the access point.
• FTP Directory
• FTP User Name
• FTP User Password

File Transfer Protocol

Use the drop-down menu to select FTP or TFTP (Trivial File Transfer Protocol). TFTP is a relatively slow, low-security protocol that requires no username or password.

Default File Server

Enter the IP address or DNS name of the file server where the access point should look for FTP files.

FTP Directory

Enter the file server directory that contains the firmware image files.
Figure 7-6 Routing Setup Page

Follow this link path to reach the Routing Setup page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Routing under Services.

Entering Routing Settings

The Routing Setup page contains the following settings:
• Default Gateway
• New Network Route Settings
• Installed Network Routes list

Default Gateway

Enter the IP address of your network’s default gateway in this entry field.
Installed Network Routes list

The list of installed routes provides the destination network IP address, the gateway, and the subnet mask for each installed route.

Association Table Display Setup

You use the Association Table Filters and the Association Table Advanced pages to customize the display of information in the access point’s Association Table.

Association Table Filters Page

Figure 7-7 shows the Association Table Filters page.
• Restore Current Defaults—Applies the currently saved default settings to the Association Table and returns you to the Association Table page.
• Restore Factory Defaults—Applies the factory default settings to the Association Table and returns you to the Association Table page.
Settings on the Association Table Filters Page

The Association Table Filters page contains the following settings:
• Stations to Show
• Fields to Show
• Packets To/From Station
• Bytes To/From Station
• Primary Sort
• Secondary Sort

Stations to Show

Select the station types that you want to be displayed in the Association Table.
Packets To/From Station

Use these settings to display packet volume information in the Association Table. Select Total to display the total number of packets to and from each station on the network. Select Alert to display the number of alert packets to and from each station on the network for which you have activated alert monitoring. Select the Alert checkbox on a device’s Station page to activate alert monitoring for that device.
Figure 7-8 Association Table Advanced Page

Follow this link path to reach the Association Table Advanced page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Advanced under Associations.
Handle Station Alerts as Severity Level

This setting determines the Severity Level at which Station Alerts are reported in the Event Log. This setting also appears on the Event Handling Setup page. You can choose from four Severity Levels:
• Fatal Severity Level (System, Protocol, Port)—Fatal-level events indicate an event that prevents operation of the port or device. For operation to resume, the port or device usually must be reset.
Default Activity Timeout (seconds) Per Device Class

These settings determine the number of seconds the access point continues to track an inactive device depending on its class. A setting of zero tells the access point to track a device indefinitely no matter how long it is inactive. A setting of 300 equals 5 minutes; 1800 equals 30 minutes; 28800 equals 8 hours.
How should time generally be displayed?

You use this pull-down menu to determine whether the events in the Event Log are displayed as system uptime or wall-clock time. If you select system uptime, the events are displayed either since the boot or since the last time the Event Log was displayed. If you select wall-clock time, the events are displayed in a YY:MM:DD HH:MM:SS format.
Chapter 7 Configuring Other Settings Event Notification Setup
Table 7-2 Event Display Severity Levels (continued)
Severity Level: System warning, Protocol warning, Port warning
Description: The Warning settings indicate that a failure has occurred.
• System refers to the access point as a whole.
• Protocol refers to a specific communications protocol in use, such as HTTP or IP.
• Port refers to the access point’s Ethernet or radio network interface.
Chapter 7 Configuring Other Settings Event Notification Setup Figure 7-10 The Event Handling Setup Page Follow this link path to reach the Event Handling Setup page: 1. On the Summary Status page, click Setup. 2. On the Setup page, click Event Handling under Event Log.
Chapter 7 Configuring Other Settings Event Notification Setup Settings on the Event Handling Setup Page The Event Handling Setup page contains the following settings: • Disposition of Events • Handle Station Events as Severity Level • Maximum number of bytes stored per Alert packet • Maximum memory reserved for Detailed Event Trace Buffer (bytes) • Download Detailed Event Trace Buffer • Clear Alert Statistics • Purge Trace Buffer Disposition of Events The event settings control how events ar
Chapter 7 Configuring Other Settings Event Notification Setup If your browser is Netscape Communicator, click the links with your left mouse button to view the trace data. Click the links with your right mouse button and select Save Link As to save the data in a file. Clear Alert Statistics Click this button to reset the alert tallies to 0. The Clear Alert Statistics button clears the by-MAC-address alert statistics.
Chapter 7 Configuring Other Settings Event Notification Setup Follow this link path to reach the Event Notifications Setup page: 1. On the Summary Status page, click Setup. 2. On the Setup page, click Event Notifications under Event Log.
Chapter 7 Configuring Other Settings Event Notification Setup Should Syslog Messages use the Cisco EMBLEM Format? When this setting is enabled, the access point generates EMBLEM (Baseline Manageability Specification) standard compliant system log messages:
ipaddress Counter: [yyyy mmm dd hh:mm:ss TimeZone +/– hh:mm]: %FACILITY-SEVERITY-MNEMONIC: Message-text
Example without timestamp:
192.168.12.83: %APBR-6-STA_ASSOC_OK: [AP350-12] Station [TEST-LPT]000750abcd2a Associated
Example with timestamp: 192.
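A log collector has to split these messages back into their fields before it can act on them. The following Python parser is an added example, not code from this guide or from Cisco: it handles the format shown above and reports station associations whose MAC address is not on an allowlist. The timestamped sample line and the allowlist are constructed for the example, and the exact placement of the timestamp is an assumption based on the format line, because the guide's own timestamped example is cut off.

```python
import ipaddress
import re

# Source address, optional counter, then a colon (per the format line above).
HEAD = re.compile(r"\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:\s+(?P<counter>\d+))?\s*:")
# Optional timestamp: yyyy mmm dd hh:mm:ss TimeZone +/-hh:mm
TIMESTAMP = re.compile(
    r"(?P<date>\d{4} [A-Z][a-z]{2} \d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})"
    r"(?: (?P<zone>[A-Z]{2,5}))?(?: (?P<offset>[+-]\d{2}:\d{2}))?")
# %FACILITY-SEVERITY-MNEMONIC: Message-text
BODY = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-"
                  r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
# Message text of the association event shown in the guide's example.
STATION = re.compile(r"\[(?P<ap>[^\]]+)\]\s+Station\s+\[(?P<name>[^\]]*)\]"
                     r"(?P<mac>[0-9A-Fa-f]{12})\s+(?P<state>\w+)")


def parse_emblem(line):
    """Return the fields of one EMBLEM message, or None if it does not parse."""
    head = HEAD.match(line)
    body = BODY.search(line)
    if not head or not body or head.end() > body.start():
        return None
    try:
        ipaddress.ip_address(head["ip"])      # rejects values such as 999.1.1.1
    except ValueError:
        return None
    stamp = TIMESTAMP.search(line, head.end(), body.start())
    return {
        "ip": head["ip"],
        "counter": int(head["counter"]) if head["counter"] else None,
        "timestamp": f"{stamp['date']} {stamp['time']}" if stamp else None,
        "utc_offset": stamp["offset"] if stamp else None,
        "facility": body["facility"],
        "severity": int(body["severity"]),
        "mnemonic": body["mnemonic"],
        "text": body["text"],
    }


def normalize_mac(mac):
    """Accept 00:40:96:12:34:56 or 004096123456; return 12 lowercase hex digits."""
    return mac.replace(":", "").lower()


def stations_not_allowed(lines, allowed_macs):
    """List STA_ASSOC_OK events whose station MAC is not in allowed_macs."""
    allowed = {normalize_mac(m) for m in allowed_macs}
    hits = []
    for line in lines:
        event = parse_emblem(line)
        if not event or event["mnemonic"] != "STA_ASSOC_OK":
            continue
        station = STATION.match(event["text"])
        if station and normalize_mac(station["mac"]) not in allowed:
            hits.append({"source": event["ip"], "timestamp": event["timestamp"],
                         "ap": station["ap"], "station": station["name"],
                         "mac": normalize_mac(station["mac"])})
    return hits


SAMPLE_LINES = [
    # The guide's own example without timestamp.
    "192.168.12.83: %APBR-6-STA_ASSOC_OK: [AP350-12] Station [TEST-LPT]000750abcd2a Associated",
    # Constructed line with timestamp (layout assumed from the format line).
    "192.168.12.83: 2002 Mar 14 09:30:12 PST -08:00: %APBR-6-STA_ASSOC_OK: "
    "[AP350-12] Station [LAB-PC]004096123456 Associated",
    # Constructed line that is not EMBLEM formatted and must be skipped.
    "link state changed",
]

if __name__ == "__main__":
    for hit in stations_not_allowed(SAMPLE_LINES, ["00:07:50:ab:cd:2a"]):
        print(hit)
```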
CHAPTER 8 Security Setup This chapter describes how to set up your access point’s security features.
Chapter 8 Security Setup Security Overview Security Overview This section describes the types of security features you can enable on the access point. The security features protect wireless communication between the access point and other wireless devices, control access to your network, and prevent unauthorized entry to the access point management system. On an access point with two radios, you can assign different security settings to each radio.
Chapter 8 Security Setup Security Overview WEP encryption scrambles the communication between the access point and client devices to keep the communication private. Both the access point and client devices use the same WEP key to encrypt and decrypt radio signals. WEP keys encrypt both unicast and multicast messages. Unicast messages are addressed to just one device on the network. Multicast messages are addressed to multiple devices on the network.
Chapter 8 Security Setup Security Overview Figure 8-2 Sequence for EAP Authentication [Figure: message sequence among the client device, the access point or bridge, and the server on the wired LAN, with the access point relaying messages between client and server. Labeled steps: 1. Authentication request; 3. Username; 4. Authentication challenge; 5. Authentication response; 6. Authentication success; 7. Authentication challenge; 8. Authentication response; 9. Successful authentication.]
Chapter 8 Security Setup Security Overview • MAC address—The access point relays the wireless client device’s MAC address to a RADIUS server on your network, and the server checks the address against a list of allowed MAC addresses. If you don’t have a RADIUS server on your network, you can create the list of allowed MAC addresses on the access point’s Address Filters page. Devices with MAC addresses not on the list are not allowed to authenticate.
Chapter 8 Security Setup Security Overview Figure 8-4 Sequence for Open Authentication [Figure: an access point or bridge with WEP key = 123 and a client device with WEP key = 321. Labeled steps: 1. Authentication request; 2. Authentication response.]
• Shared key—Cisco provides shared key authentication to comply with the IEEE 802.11b standard. However, because of shared key’s security flaws, we recommend that you avoid using it.
Chapter 8 Security Setup Setting Up WEP Protecting the Access Point Configuration with User Manager The access point’s user manager feature prevents unauthorized entry to the access point management system. You create a list of administrators authorized to view and adjust the access point settings; unauthorized users are locked out. See the “Setting Up Administrator Authorization” section on page 8-32 for instructions on using the user manager.
Chapter 8 Security Setup Setting Up WEP Note Use this page to configure the radio unless you have enabled VLANs. If VLANs are enabled, you must set the radio data encryption for each enabled VLAN through the VLAN Setup page. Follow these steps to set up WEP keys and enable WEP: Step 1 Follow the link path to the AP Radio Data Encryption page. Step 2 Before you can enable WEP, you must enter a WEP key in at least one of the Encryption Key fields.
Chapter 8 Security Setup Setting Up WEP
Table 8-1 WEP Key Setup Example (continued)

Key Slot   Access Point                  Associated Device
           Transmit?   Key Contents      Transmit?   Key Contents
3          –           not set           –           not set
4          –           not set           –           FEDCBA09876543211234567890

Because the access point’s WEP key 1 is selected as the transmit key, WEP key 1 on the other device must contain the same contents.
Chapter 8 Security Setup Enabling Additional WEP Security Features Using SNMP to Set Up WEP You can use SNMP to set the WEP level on the access point. Consult the “Using SNMP” section on page 2-7 for details on using SNMP. Access points use the following SNMP variables to set the WEP level: • dot11ExcludeUnencrypted.2 • awcDot11AllowEncrypted.2 Table 8-2 lists the SNMP variable settings and the corresponding WEP levels.
Chapter 8 Security Setup Enabling Additional WEP Security Features Use the AP Radio Advanced page to enable MIC. Both the internal radio and the radio module have an AP Radio Advanced page. Both pages contain the same settings. Figure 8-7 shows the AP Radio Advanced page for the internal radio. Figure 8-7 AP Radio Advanced Page for Internal Radio Follow this link path to browse to the AP Radio Advanced page: 1. On the Summary Status page, click Setup. 2.
Chapter 8 Security Setup Enabling Additional WEP Security Features Follow these steps to enable MIC: Step 1 Follow the steps in the “Setting Up WEP” section on page 8-7 to set up and enable WEP. You must set up and enable WEP with full encryption before MIC becomes active. If WEP is off or if you set it to optional, MIC is not enabled.
Chapter 8 Security Setup Enabling Additional WEP Security Features Step 2 Follow this link path to browse to the AP Radio Advanced page: a. On the Summary Status page, click Setup. b. On the Setup page, click Advanced in the AP Radio row under Network Ports for the internal radio or the radio module. Step 3 Select Cisco from the Temporal Key Integrity Protocol pull-down menu. Step 4 Make sure yes is selected for the Use Aironet Extensions setting.
Chapter 8 Security Setup Setting Up Open or Shared Key Authentication Follow these steps to enable broadcast key rotation: Step 1 Follow the steps in the “Setting Up WEP” section on page 8-7 to set up and enable WEP. Step 2 Follow this link path to browse to the AP Radio Advanced page: a. On the Summary Status page, click Setup. b. On the Setup page, click Advanced in the AP Radio row under Network Ports for the internal radio or the radio module.
Chapter 8 Security Setup Setting Up EAP Authentication Setting Up EAP Authentication During EAP authentication, the access point relays authentication messages between the RADIUS server on your network and the authenticating client device.
Chapter 8 Security Setup Setting Up EAP Authentication Note You can use the same server for both EAP authentication and MAC-address authentication. Step 2 Use the 802.1X Protocol Version (for EAP authentication) pull-down menu to select the draft of the 802.1X protocol the access point’s radio will use. EAP operates only when the radio firmware on client devices complies with the same 802.1X Protocol draft as the management firmware on the access point.
Chapter 8 Security Setup Setting Up EAP Authentication Step 6 Enter the shared secret used by your RADIUS server in the Shared Secret entry field. The shared secret on the access point must match the shared secret on the RADIUS server. The shared secret can contain up to 64 alphanumeric characters. Step 7 Enter the number of seconds the access point should wait before authentication fails in the Retran Int (sec) field.
Chapter 8 Security Setup Setting Up EAP Authentication Step 14 Enter a WEP key in slot 1 of the Encryption Key fields. The access point uses this key for multicast data signals (signals sent from the access point to several client devices at once). This key does not need to be set on client devices. Step 15 Select 128-bit encryption from the Key Size pull-down menu. Step 16 If the key in slot 1 is the only WEP key set up, select it as the transmit key. Step 17 Click OK.
Chapter 8 Security Setup Setting Up EAP Authentication Note Restarting the service clears the Logged-in User Report, refreshes the Max Sessions counter, and temporarily interrupts all Cisco Secure ACS services. Setting a Session-Based WEP Key Timeout You can set a timeout value for the session-based WEP key. When the timeout value elapses, the server issues a new dynamic WEP key for authenticated client devices.
Chapter 8 Security Setup Setting Up EAP Authentication Step 2 Follow this link path to browse to the radio’s AP Radio Identification page: a. On the Summary Status page, click Setup. b. On the Setup page, click Identification in the AP Radio row under Network Ports for the internal radio or the radio module. Figure 8-9 shows the AP Radio Identification page for the internal radio.
Chapter 8 Security Setup Setting Up MAC-Based Authentication Setting Up MAC-Based Authentication MAC-based authentication allows only client devices with specified MAC addresses to associate and pass data through the access point. Client devices with MAC addresses not in a list of allowed MAC addresses are not allowed to associate with the access point.
Chapter 8 Security Setup Setting Up MAC-Based Authentication Note Step 2 and Step 3 describe entering MAC addresses in the access point management system. If you will enter MAC addresses only in a list used by the authentication server, skip to Step 4. Step 2 Type a MAC address in the Dest MAC Address field. You can type the address with colons separating the character pairs (00:40:96:12:34:56, for example) or without any intervening characters (004096123456, for example).
Chapter 8 Security Setup Setting Up MAC-Based Authentication You can configure up to four servers for authentication services, so you can set up backup authenticators. If you set up more than one server for the same service, the server first in the list is the primary server for that service, and the others are used in list order when the previous server times out. Step 7 Enter the name or IP address of the authentication server in the Server Name/IP entry field.
Chapter 8 Security Setup Setting Up MAC-Based Authentication Figure 8-12 AP Radio Advanced Page Step 16 Select Disallowed from the pull-down menu for Default Unicast Address Filter for each authentication type requiring MAC-based authentication. For example, if the radio is configured for both open and Network-EAP authentication, you could set Default Unicast Address Filter under Open to Disallowed but leave Default Unicast Address Filter under Network-EAP set to Allowed.
Chapter 8 Security Setup Setting Up MAC-Based Authentication When you set Default Unicast Address Filter to disallowed, the radio discards all unicast traffic except packets sent to the MAC addresses listed as allowed on the authentication server or on the access point’s Address Filters page. Note Client devices associated to the radio are not immediately affected when you set the Default Unicast Address Filter to disallowed. Step 17 Click OK. You return automatically to the Setup page.
Chapter 8 Security Setup Setting Up MAC-Based Authentication Enabling MAC-Based Authentication in Cisco Secure ACS Cisco Secure Access Control Server for Windows NT/2000 Servers (Cisco Secure ACS) can authenticate MAC addresses sent from the access point. The access point works with ACS to authenticate MAC addresses using Secure Password Authentication Protocol (Secure PAP).
Chapter 8 Security Setup Summary of Settings for Authentication Types Summary of Settings for Authentication Types Table 8-5 lists the access point settings required to enable each authentication type and combinations of authentication types. Table 8-5 Settings for Authentication Types Authentication Types Required Settings LEAP On the Authenticator Configuration page (shown in Figure 8-13): • Select an 802.
Chapter 8 Security Setup Summary of Settings for Authentication Types Table 8-5 Settings for Authentication Types (continued) Authentication Types Required Settings EAP-TLS, EAP-MD5, and static WEP under 802.11 Open The access point does not support this combination of authentication types. When you select Require EAP on the Authenticator Configuration page to authenticate clients using EAP-TLS and EAP-MD5, non-EAP client devices are blocked from using the access point.
Chapter 8 Security Setup RADIUS Attributes Sent by the Access Point RADIUS Attributes Sent by the Access Point Tables 8-6 through 8-10 identify the attributes sent by an access point to a client in access-request, access-accept, and accounting-request packets.
Chapter 8 Security Setup RADIUS Attributes Sent by the Access Point
Table 8-8 Attributes Sent in Accounting-Request (start) Packets

Attribute ID         Description
1                    User-Name
4                    NAS-IP-Address
5                    NAS-Port
31                   Calling-Station-ID (MAC address)
32                   NAS-Identifier
41                   Acct-Delay-Time
44                   Acct-Session-Id
45                   Acct-Authentic
VSA (attribute 26)   SSID
VSA (attribute 26)   nas-location
VSA (attribute 26)   vlan-id
VSA (attribute 26)   auth-algo-type

Table 8-9 Attributes Sent in Accounting-Request (update)
Chapter 8 Security Setup Setting Up Backup Authentication Servers
Table 8-10 Attributes Sent in Accounting-Request (stop) Packets

Attribute ID   Description
1              User-Name
4              NAS-IP-Address
5              NAS-Port
41             Acct-Delay-Time
42             Acct-Input-Octets
43             Acct-Output-Octets
44             Acct-Session-Id
45             Acct-Authentic
46             Acct-Session-Time
47             Acct-Input-Packets
48             Acct-Output-Packets
49             Acct-Terminate-Cause

Setting Up Backup Authentication Servers You can configure up to four servers for authentication se
Chapter 8 Security Setup Setting Up Administrator Authorization Figure 8-13 Authenticator Configuration Page with Primary and Backup Servers Setting Up Administrator Authorization Administrator authorization protects the access point management system from unauthorized access. Use the access point’s user management pages to define a list of users who are authorized to view and change the access point management system. Use the Security Setup page to reach the user management pages.
Chapter 8 Security Setup Setting Up Administrator Authorization Figure 8-14 Security Setup Page Follow this link path to reach the Security Setup page: 1. On the Summary Status page, click Setup. 2. On the Setup page, click Security. Creating a List of Authorized Management System Users Follow these steps to create a list of users authorized to view and change the access point management system: Step 1 Follow the link path to the Security Setup page.
Chapter 8 Security Setup Setting Up Administrator Authorization Figure 8-16 User Management Window Step 4 Enter a username and password for the new user. Step 5 Select the capabilities you want to assign to the new user. Capabilities include: • Write—The user can change system settings. When you assign Write capability to a user, the user also automatically receives Admin capability. • SNMP—Designates the username as an SNMP community name.
Chapter 8 Security Setup Setting up Centralized Administrator Authentication Figure 8-17 User Manager Setup Page Step 8 Select User Manager: Enabled to restrict use of the access point management system to users in the user list. Note You must define a full administrator user—a user with write, identity, and firmware capabilities—before you can enable the user manager.
Chapter 8 Security Setup Setting up Centralized Administrator Authentication Step 6 Click Back. You are returned to the Security Setup page. Step 7 Click User Manager. The User Manager Setup page appears. Step 8 Enable User Manager and click OK. You are returned to the Security Setup page. Step 9 Click Authentication Server. The Authenticator Configuration page appears. See Figure 8-18. Figure 8-18 Authenticator Configuration page Step 10 Configure the server as follows: a.
Chapter 8 Security Setup Setting up Centralized Administrator Authentication System Flow Notes The following notes help to identify and describe the flow between the access point and its authentication server. • The authentication server is initialized to listen for socket requests on the pre-determined UDP or TCP ports specified on the Authenticator Configuration page (UDP 1812 for RADIUS servers or TCP 49 for TACACS+ servers).
Chapter 8 Security Setup Setting up Centralized Administrator Authentication • If the user entry is not accessed within 5 minutes, the next access causes a new server request to be sent to the authentication server so the user and new privileges are cached again. If the response is a rejection, a reject response is issued just as if the local database entry was not found.
CHAPTER 9 Network Management This section describes how to browse to other devices on your network, how to use Cisco Discovery Protocol with your wireless networking equipment, how to assign a specific network port to a MAC address, and how to enable wireless network accounting.
Chapter 9 Network Management Using the Association Table Using the Association Table The management system’s Association Table page lists all the devices, both wireless and wired to the root LAN, of which the access point is aware. Figure 9-1 shows an example of the Association Table page. Figure 9-1 Association Table Page Click the Association link at the top of any main management system page to go to the Association Table.
Chapter 9 Network Management Using the Association Table Using Station Pages Click a device’s MAC address in the Association Table’s MAC Addr. column to display a Station page for the device. Station pages provide an overview of a network device’s status and data traffic history. The information on a Station page depends on the device type; a Station page for an access point, for example, contains different information than the Station page for a PC card client adapter.
Chapter 9 Network Management Using the Association Table Information on Station Pages Station Identification and Status The yellow table at the top of the Station page lists the following information: • System Name—The name assigned to the device. • Device—The type and model number of the device. • MAC Address—A unique identifier assigned by the manufacturer. • IP Address—The IP address of the device. When you click the IP address link, the browser attempts to display the device’s home page.
Chapter 9 Network Management Using the Association Table To Station Information Fields in the To Station column in the second table on the Station page contain the following information: • Alert—Click this box if you want detailed packet trace information captured for the Association Table page. This option is only available to users with Administrator capability. • Packets OK—Reports the number of good packets coming to the station.
Chapter 9 Network Management Using the Association Table The following four fields appear only on the Station page for an access point: • Stations Associated—Displays, by number and class, all stations associated with the access point. • Uptime—Displays the cumulative time the device has been operating since the last reset. • Software Version—Displays the version level of Cisco software on the device. • Announcement Packets—Total number of Announcement packets since the device was last reset.
Chapter 9 Network Management Using the Association Table Figure 9-3 Ping Window Performing a Link Test Follow these steps to perform a link test between the access point and the device described on the Station page: Step 1 To customize the size and number of packets sent during the link test, enter the number of packets and size of the packets in the Number of Pkts. and Pkt. Size fields. Step 2 Click Link Test. The link test runs using the values in the Number of Pkts. and Pkt. Size fields.
Chapter 9 Network Management Using the Network Map Window Figure 9-4 Link Test Results Window Clearing and Updating Statistics Use the Clear Stats and Refresh buttons to clear and update the Station page statistics. • Clear Stats—Clears all packet, octet and error counts and resets the counters to 0. • Refresh—Updates the counts to their latest accumulated values, and saves the Alert selections.
Chapter 9 Network Management Using Cisco Discovery Protocol Note Your Internet browser must have Java enabled to use the map windows. Figure 9-5 Network Map Window Click the name of a wireless device to open a new browser window displaying a Station page displaying the access point’s local information for that device. Click Go beside the device name to open a new browser window displaying that device’s home page, if available. Some devices, such as PC card clients, do not have browser-based interfaces.
Chapter 9 Network Management Using Cisco Discovery Protocol Figure 9-6 CDP Setup Page Follow this link path to reach the CDP Setup page: 1. On the Summary Status page, click Setup. 2. On the Setup page, click Cisco Services. 3. On the Cisco Services Setup page, click Cisco Discovery Protocol (CDP).
Chapter 9 Network Management Assigning Network Ports Assigning Network Ports Use the Port Assignments page to assign a specific network port to a repeater access point or to a non-root bridge. When you assign specific ports, your network topology remains constant even when devices reboot. Figure 9-7 shows the Port Assignments page. Figure 9-7 Port Assignments Page Follow this link path to reach the Port Assignments page: 1. On the Summary Status page, click Setup. 2.
Chapter 9 Network Management Enabling Wireless Network Accounting Settings on the Port Assignments Page The Port Assignments page contains these settings for the internal radio ports and the radio module ports: • ifIndex—Lists the port’s designator in the Standard MIB-II (RFC1213-MIB.my) interface index. • dot1dBasePort—Lists the port’s designator in the Bridge MIB (RFC1493; BRIDGE-MIB.my) interface index. • AID—Lists the port’s 802.11 radio drivers association identifier.
Chapter 9 Network Management Enabling Wireless Network Accounting Figure 9-8 Accounting Setup Page Follow this link path to reach the Accounting Setup page: 1. On the Summary Status page, click Setup. 2. On the Setup page, click Accounting under Services. Settings on the Accounting Setup Page The Accounting Setup page contains these settings: • Enable accounting—Select Enabled to turn on accounting for your wireless network.
Chapter 9 Network Management Enabling Wireless Network Accounting • Port—The communication port setting used by the access point and the server. The default setting, 1813, is the correct setting for Cisco Aironet access points and Cisco Secure ACS. • Shared Secret—Enter the shared secret used by your RADIUS server. The shared secret on the device must match the shared secret on the RADIUS server. • Retran Int (sec.
Chapter 9 Network Management Enabling Wireless Network Accounting Table 9-1 Accounting Attributes the Access Point Sends to the Accounting Server (continued) Attribute Definition Acct-Authentic The method with which the client device is authenticated to the network. This value is always 1, which represents RADIUS authentication. The access point sends this attribute to the server with all three status types.
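The accounting attribute tables (Tables 8-8 through 8-10) and the Shared Secret setting on the Accounting Setup page meet in the packet itself: the server decodes the attributes and uses the shared secret to check the Request Authenticator. The following Python code is an added example, not code from this guide or from Cisco. It assumes the standard RFC 2866 encoding, adds Acct-Status-Type (attribute 40) from that RFC, and uses a constructed packet whose user name, addresses and secret are made up.

```python
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code for Accounting-Request (RFC 2866)

# IDs and names from Tables 8-8 and 8-10 of this guide; 40 is from RFC 2866.
ATTR_NAMES = {
    1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 26: "Vendor-Specific",
    31: "Calling-Station-ID", 32: "NAS-Identifier", 40: "Acct-Status-Type",
    41: "Acct-Delay-Time", 42: "Acct-Input-Octets", 43: "Acct-Output-Octets",
    44: "Acct-Session-Id", 45: "Acct-Authentic", 46: "Acct-Session-Time",
    47: "Acct-Input-Packets", 48: "Acct-Output-Packets",
    49: "Acct-Terminate-Cause",
}
INT_ATTRS = {5, 40, 41, 42, 43, 45, 46, 47, 48, 49}  # 32-bit integer values


def request_authenticator(code, ident, attrs, secret):
    """MD5 over code, id, length, 16 zero octets, attributes, shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_accounting_request(ident, attributes, secret):
    """Encode (attribute_id, value) pairs into an Accounting-Request packet."""
    body = b""
    for attr_id, value in attributes:
        if attr_id in INT_ATTRS:
            raw = struct.pack("!I", value)
        elif attr_id == 4:
            raw = socket.inet_aton(value)
        else:
            raw = value.encode("ascii")
        body += struct.pack("!BB", attr_id, len(raw) + 2) + raw
    auth = request_authenticator(ACCOUNTING_REQUEST, ident, body, secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + auth + body


def parse_accounting_request(packet, secret):
    """Return (authentic, [(name, value), ...]); raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the datagram")
    received, body = packet[4:20], packet[20:length]
    expected = request_authenticator(code, ident, body, secret)
    authentic = hmac.compare_digest(received, expected)  # False if secrets differ

    attributes, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_id, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("attribute length out of range")
        raw = body[pos + 2:pos + attr_len]
        if attr_id in INT_ATTRS and len(raw) == 4:
            value = struct.unpack("!I", raw)[0]
        elif attr_id == 4 and len(raw) == 4:
            value = socket.inet_ntoa(raw)
        elif attr_id == 26 and len(raw) >= 4:
            # VSA: 4-octet vendor id, vendor data left undecoded
            value = (struct.unpack("!I", raw[:4])[0], raw[4:])
        else:
            value = raw.decode("ascii", "replace")
        attributes.append((ATTR_NAMES.get(attr_id, "Unknown-%d" % attr_id), value))
        pos += attr_len
    return authentic, attributes


# Constructed sample: an Accounting-Request (start) with the Table 8-8
# attributes (VSAs omitted). Every value here is made up for the example.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_START = build_accounting_request(7, [
    (40, 1),                 # Acct-Status-Type = Start (RFC 2866)
    (1, "testuser"), (4, "192.0.2.10"), (5, 1),
    (31, "004096123456"), (32, "AP-EXAMPLE"),
    (41, 0), (44, "00000001"),
    (45, 1),                 # the guide states this value is always 1
], SAMPLE_SECRET)

if __name__ == "__main__":
    ok, attrs = parse_accounting_request(SAMPLE_START, SAMPLE_SECRET)
    print("authenticator valid:", ok)
    for name, value in attrs:
        print(f"  {name} = {value}")
    mismatch, _ = parse_accounting_request(SAMPLE_START, b"some-other-secret")
    print("valid with a mismatched secret:", mismatch)
```

When the secret configured on the access point differs from the server's, the authenticator check fails even though every attribute still decodes, which is why a mismatch shows up as rejected or ignored accounting records rather than as garbled data.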
CHAPTER 10 Managing Firmware and Configurations This section describes how to update the firmware version on the access point, how to distribute firmware to other access points, how to distribute the access point’s configuration to other access points, and how to download, upload, and reset the access point configuration. You use the Cisco Services Setup page as a starting point for all these activities.
Chapter 10 Managing Firmware and Configurations Updating Firmware Updating Firmware You use the Cisco Services Setup page to update the access point’s firmware. You can perform the update by browsing to a local drive or by using FTP to update the firmware from a file server. Figure 10-1 shows the Cisco Services Setup page. Figure 10-1 Cisco Services Setup Page Follow this link path in the browser interface to reach the Cisco Services Setup page: 1. On the Summary Status page, click Setup. 2.
Chapter 10 Managing Firmware and Configurations Updating Firmware Figure 10-2 Update All Firmware Through Browser Page Follow these steps to update all three firmware components through the browser: Step 1 If you know the exact path and filename of the new firmware image file, type it in the New File for All Firmware entry field. If you aren’t sure of the exact path to the new firmware image file, click Browse... next to the New File entry field.
Chapter 10 Managing Firmware and Configurations Updating Firmware Figure 10-3 Update Firmware Through Browser Page Follow these steps to update one of the firmware components through the browser: Step 1 If you know the exact path and filename of the new firmware component, type it in the New File for [component] entry field. If you aren’t sure of the exact path to the new component, click Browse... next to the component’s New File entry field.
Chapter 10 Managing Firmware and Configurations Updating Firmware Figure 10-4 Update All Firmware From File Server Page Follow these steps to update all three firmware components from a file server: Step 1 Click the File Server Setup link to enter the FTP settings. The FTP Setup page appears. Figure 10-5 shows the FTP Setup page. Figure 10-5 FTP Setup Page Step 2 Enter the FTP settings on the FTP Setup page. a. Select FTP or TFTP from the File Transfer Protocol pull-down menu.
Chapter 10 Managing Firmware and Configurations Updating Firmware e. In the FTP Password entry field, enter the password associated with the user name. If you selected TFTP, you can leave this field blank. f. Click OK. You return automatically to the Update All Firmware Through File Server page. Step 3 On the Update All Firmware Through File Server page, type the filename of the new firmware image file in the New File for All Firmware entry field.
Chapter 10 Managing Firmware and Configurations Updating Firmware Retrieving Firmware and Web Page Files You can retrieve and download the following files from an access point to your computer’s hard drive: • System firmware • Web pages • Internal radio firmware • Module radio firmware These files can be downloaded selectively or at one time, depending on the page from which you retrieve them.
Chapter 10 Managing Firmware and Configurations Distributing Firmware Distributing Firmware Use the Distribute Firmware page to distribute the access point’s firmware to other Cisco Aironet access points. Figure 10-7 shows the Distribute Firmware page. The access point sends its firmware to all the access points on your network that: • Are running access point firmware version 10.
Chapter 10 Managing Firmware and Configurations Distributing a Configuration To distribute the firmware components individually, select no for Distribute All Firmware, and click the checkboxes for the components you want to distribute. Step 3 Click Start. The access point’s firmware is distributed to the access points on your network. To cancel the distribution, click Abort. When the distribution is complete, the access points that received the firmware automatically reboot.
Chapter 10 Managing Firmware and Configurations Downloading, Uploading, and Resetting the Configuration Follow these steps to distribute the access point’s configuration to other access points: Step 1 Follow the link path to reach the Distribute Configuration page. Step 2 Click Start. The access point’s configuration, except for its IP identity and its User List, is distributed to the access points on your network. To cancel the distribution, click Abort.
Chapter 10 Managing Firmware and Configurations Downloading, Uploading, and Resetting the Configuration Figure 10-9 System Configuration Setup Page Follow this link path in the browser interface to reach the System Configuration Setup page: 1. On the Summary Status page, click Setup. 2. On the Setup page, click Cisco Services Setup. 3. On the Cisco Services page, click Manage System Configuration.
Chapter 10 Managing Firmware and Configurations Downloading, Uploading, and Resetting the Configuration Uploading a Configuration You can upload a configuration file to the access point from your hard drive or a mapped network drive, or you can upload a configuration from a file server.
Chapter 10 Managing Firmware and Configurations Downloading, Uploading, and Resetting the Configuration Step 2 Enter the FTP settings on the FTP Setup page. a. Select FTP or TFTP from the File Transfer Protocol pull-down menu. FTP (File Transfer Protocol) is the standard protocol that supports transfers of data between local and remote computers. TFTP (Trivial File Transfer Protocol) is a relatively slow, low-security protocol that requires no user name or password. b.
Chapter 10 Managing Firmware and Configurations Downloading, Uploading, and Resetting the Configuration Note To completely reset all access point settings to defaults, follow the steps in the “Resetting the Configuration” section on page 10-13. Follow these steps to reset the configuration to default settings: Step 1 Follow the link path to reach the System Configuration Setup page. Figure 10-9 shows the System Configuration Setup page. The link path is listed under Figure 5-9.
CHAPTER 11 Management System Setup This chapter explains how to set up your access point to use SNMP, Telnet, or the console port to manage the access point.
Chapter 11 Management System Setup SNMP Setup SNMP Setup Use the SNMP Setup page to configure the access point to work with your network’s SNMP station. Figure 11-1 shows the SNMP Setup page. Figure 11-1 SNMP Setup Page Follow this link path to reach the SNMP Setup page: 1. On the Summary Status page, click Setup. 2. On the Setup page, click SNMP in the Services section of the page.
Chapter 11 Management System Setup SNMP Setup The Browse Management Information Base (MIB) link at the bottom of the SNMP Setup page leads to the Database Query page. Using the Database Query Page Use the Database Query page to find and change the value of many access point managed objects. Figure 11-2 shows the Database Query page. Figure 11-2 Database Query Page Follow this link path to reach the Database Query page: 1. On the Summary Status page, click Setup. 2.
Changing Settings with the Database Query Page

Follow these steps to change an access point setting from the Database Query page:
Step 1 Type the object identifier (OID) in the OID field. You can use the integer or ASCII version of the OID. If you use the integer version of the OID, you must type the entire OID string (1.3.7.2.13.78.5.6, for example).
Console and Telnet Setup

Settings on the Console/Telnet Page

The Console/Telnet Setup page contains the following settings:
• Baud Rate—The rate of data transmission expressed in bits per second. Select a baud rate from 110 to 115,200, depending on the capability of the computer you use to open the access point management system.
• Parity—An error-detecting process based on the addition of a parity bit to make the total number of bits Odd or Even.
CHAPTER 12 Special Configurations

This chapter describes how to set up the access point in network roles other than as a root unit on a wired LAN. You can set up an access point as a repeater to extend the range of a wireless network, and you can use Hot Standby mode to use an access point as a backup unit in areas where you need extra reliability. Both configurations require two access points that support and rely upon each other.
Setting Up a Repeater Access Point

A repeater access point is not connected to the wired LAN; it is placed within radio range of an access point connected to the wired LAN to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication.

Note Non-Cisco client devices might have difficulty communicating with repeater access points.
Figure 12-1 Access Point as Repeater (labels: Access Point (Root Unit), Wired LAN, Access Point (Repeater))

You can set up a chain of several repeater access points, but throughput for client devices at the end of the repeater chain will be quite low. Because each repeater must receive and then re-transmit each packet on the same channel, throughput is cut in half for each repeater you add to the chain.
Note You can also rely on the DHCP server to assign a default IP subnet mask.
• Default Gateway (also on the Express Setup page)
Note You can also rely on the DHCP server to assign a default gateway.
Step 15 Also on the AP Radio Data Encryption page, select the same Authentication Types that are on the root access point.
Step 16 On the AP Radio Advanced page, enter the root access point’s MAC address in the Specified access point 1 entry field.
Step 17 On the Express Setup page, select Repeater Access Point as the Role in Radio Network. The access point reboots when you apply this setting.
Using Hot Standby Mode

Note The Current State field varies depending on the hot standby status. It can display Hot Standby is not running, Hot Standby is initializing, or Hot Standby is monitoring and protecting. The change appears after you refresh the screen.

Follow this link path to reach the Hot Standby page:
• On the Summary Status page, click Setup.
• On the Setup page, click Cisco Services under Services.
Follow these steps to enable hot standby mode:
Step 1 Step 2 Step 3 On the standby access point, duplicate the settings on the monitored access point.
Note If you need to browse to the standby access point from a workstation that is on a different subnet than the standby access point, set the IP address on the standby radio interface to a subnet that is compatible with the workstation’s IP address. Use the Internal or Module Radio ID page to enter a new IP address for the standby radio.
CHAPTER 13 Diagnostics and Troubleshooting

This chapter describes the diagnostic pages in the management system and provides troubleshooting procedures for basic problems with the access point. For the most up-to-date, detailed troubleshooting information, refer to the Cisco TAC website at http://www.cisco.com/tac/. Select Wireless LAN under Top Issues.
Using Diagnostic Pages

The management system contains three diagnostic pages that provide detailed statistics and event records for the access point:
• The Network Diagnostics Page provides access to radio diagnostics tests and provides links to the VLAN Summary Status and SSID statistics pages for the access point radios.
• The Network Ports Page lists statistics on data transmitted and received by the access point.
Radio Diagnostics Tests

Click Radio Diagnostics Tests to access the Radio Diagnostics page and conduct a carrier test (Figure 13-2).

Figure 13-2 Radio Diagnostics Page

The carrier test helps you determine which radio frequencies contain the most radio activity and noise that could interfere with radio signals to and from the access point.
The bar graph on the left side of the window displays the percentage used for each frequency; the highest current percentage used is labeled on the top left of the graph. In this example, the highest percentage used for any frequency is 77. The access point’s available frequencies are listed vertically across the bottom of the graph, from 2412 to 2462 GHz.
The following links are available on this page:
• Service Set Detailed Setup—takes you to the AP Radio Module Service Sets page, from which you can create, remove, or edit your SSID configuration.
• Idx(#)—takes you to the AP Radio Primary SSID page of the number selected where you can edit its configuration.

Network Ports Page

The Network Ports page contains a table listing information for the access point’s Ethernet and radio ports.
There are three links at the top of the page that take you to the following pages:
• Network Diagnostics—displays the Cisco Network Diagnostics page where you can select diagnostic tests.
• VLAN—displays the VLAN Summary Status page, where you can view the configuration of existing VLANs. A VLAN Detailed Setup link on this page leads to the VLAN Setup page, where you can create a new VLAN, edit, or remove an existing VLAN.
Data Transmitted
• Unicast pkts.—The number of packets transmitted in point-to-point communication.
• Multicast pkts.—The number of packets transmitted that were sent as a transmission to a set of nodes.
• Total bytes—Total number of bytes transmitted from the port.
• Errors—The number of packets determined to be in error.
• Discards—The number of packets discarded by the access point due to errors or network congestion.
Configuration Information
• The top row of the Configuration section of the table contains a Set Properties link that leads to the Ethernet Hardware page.
• Status of “fec0”—“Fast Ethernet Controller” is part of Motorola's naming convention for the Ethernet device used by the access point. This field displays one of the three possible operating states for the port.
Transmit Statistics
• Unicast Packets—The number of packets transmitted in point-to-point communication.
• Multicast Packets—The number of packets transmitted that were sent as a transmission to a set of nodes.
• Total Bytes—Total number of bytes transmitted from the port.
• Total Errors—The number of packets determined to be in error.
Figure 13-8 AP Radio Port Page

Like the Network Ports and Ethernet Port pages, the AP Radio Port page lists statistics in a table divided into sections. Each row in the table is explained below.

Configuration Information
• The top row of the Configuration section of the table contains a Set Properties link that leads to the AP Radio Hardware page.
• SSID—The unique identifier that client devices use to associate with the access point radio. The SSID helps client devices distinguish between multiple wireless networks in the same vicinity.
• Operational Rates—The data transmission rates supported and enabled by the access point for communication with client devices.
• Transmit Power (mW)—The power level of radio transmission.
• Discarded Packets—The number of packets discarded by the access point due to errors or network congestion.
• Forwarded Packets—The number of packets transmitted by the port that were acceptable or passable through the filters.
• Max Retry Packets—The number of times request to send (RTS) reached the maximum retry number. Click Set Properties to display the AP Radio Hardware page, where you can set the maximum RTS value.
Event Log Page

The Event Log page lists access point events and provides links to the Event Display Setup and Event Log Summary pages. You can also open Station pages for devices listed in the event log. Figure 13-9 shows an Event Log page example.

Figure 13-9 Event Log Page

Click the Logs link at the top of any main management system page to reach the Event Log page.
Log Headings

The event log is divided into three columns:
• Time—The time the event occurred. The log records time as cumulative days, hours, and minutes since the access point was turned on, or as wall-clock time if a time server is specified or if the time has been manually set on the access point.
• Severity—Events are classified as one of four severity levels depending on the event’s impact on network operations.
Figure 13-10 Event Log Summary Page

Click the Severity heading on the Event Log page to reach the Event Log Summary page.

Using Command-Line Diagnostics

You can view diagnostic information about your access point with diagnostic commands. Enter the commands in the command-line interface (CLI) to display the information. You can open the CLI with Telnet or with a terminal emulator through the access point’s serial port.
Table 13-1 CLI Diagnostic Commands (continued)

Command | Information Displayed
:vxdiag_ipstatshow | IP statistics
:vxdiag_memshow | Free and allocated memory on the access point
:vxdiag_muxshow | Networking protocols installed on the access point
:vxdiag_routeshow | Current routing information
:vxdiag_tcpstatshow | TCP statistics
:vxdiag_udpstatshow | UDP statistics

Entering Diagnostic Commands

Follow these steps to enter diagnost
Diagnostic Command Results

This section describes the information displayed on the CLI for the diagnostic commands listed in Table 13-1.

:eap_diag1_on

Use the :eap_diag1_on command to display authentication progress for client devices authenticating through the access point.
:eap_diag2_on

Use the :eap_diag2_on command to display the packet contents of each authentication step for client devices authenticating through the access point. The packet contents for one authentication step might look like this example:

EAP: Sending Identity Request
00c15730: 01 00 00 28 01 21 00 28 01 00 6e 65 74 77 6f 72 *...(.!.(..
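The dump line in the :eap_diag2_on example can be decoded field by field. The following Python sketch is an added example, not code from the guide or from Cisco; it assumes the dumped bytes are an 802.1X EAPOL frame carrying an EAP packet (an interpretation that matches the bytes shown), and the function names are hypothetical. It also reports when the captured bytes are shorter than the length the headers declare, as they are in the single line the guide shows.

```python
import re
import struct

# The one dump line shown in the guide's :eap_diag2_on example (only 16 bytes are visible).
SAMPLE_DUMP = """EAP: Sending Identity Request
00c15730: 01 00 00 28 01 21 00 28 01 00 6e 65 74 77 6f 72 *...(.!.(..
"""

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP"}

# "<address>: <up to 16 hex byte pairs> <ASCII column>"
DUMP_LINE = re.compile(
    r"^\s*[0-9a-fA-F]{6,8}:\s+((?:[0-9a-fA-F]{2}\s+){0,15}[0-9a-fA-F]{2})(?:\s|$)")


def dump_to_bytes(text):
    """Collect the hex byte columns of every dump line, ignoring other lines."""
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)


def parse_eapol(frame):
    """Decode the EAPOL header and, for EAP-Packet frames, the EAP header."""
    if len(frame) < 4:
        raise ValueError("shorter than the 4-byte EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    result = {
        "eapol_version": version,
        "eapol_type": EAPOL_TYPES.get(ptype, "unknown(%d)" % ptype),
        "eapol_body_len": body_len,
        "captured_body_len": len(body),
        # True when the dump holds fewer bytes than the header declares.
        "truncated": len(body) < body_len,
        "eap": None,
    }
    if ptype == 0 and len(body) >= 4:
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        eap = {
            "code": EAP_CODES.get(code, "unknown(%d)" % code),
            "id": ident,
            "length": eap_len,
            # The EAP length should equal the EAPOL body length.
            "length_consistent": eap_len == body_len,
            "type": None,
            "data": b"",
        }
        # Only Request and Response packets carry a type byte and type data.
        if code in (1, 2) and len(body) >= 5:
            eap["type"] = EAP_TYPES.get(body[4], "unknown(%d)" % body[4])
            eap["data"] = body[5:eap_len]
        result["eap"] = eap
    return result


if __name__ == "__main__":
    decoded = parse_eapol(dump_to_bytes(SAMPLE_DUMP))
    for key, value in decoded.items():
        print(key, "=", value)
```

Run against a complete capture, the same functions show exactly which identity strings and type data the diagnostic output exposes on the console or Telnet session.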
Table 13-2 Flag Definitions (continued)

Flag Value | Definition
0x80 | Subnet mask present
0x100 | Generate new routes on use
0x200 | External daemon resolves name
0x400 | Generated by ARP
0x800 | Manually added (static)
0x1000 | Just discard packets (during updates)
0x2000 | Modified by management protocol
0x4000 | Protocol-specific routing flag
0x8000 | Protocol-specific routing flag

• Use—number of packets forwarded
• Interface
:vxdiag_checkstack

Use the :vxdiag_checkstack command to display a summary of the stack activity for each access point task.
:vxdiag_hostshow

Use the :vxdiag_hostshow command to display remote hosts and their IP addresses and aliases. The remote host information might look like this example:

Clock: 96470 sec hostname -------localhost 10.84.139.161 10.84.139.136 10.84.139.138 10.84.139.167 10.84.139.160 10.84.139.137 AP_North.cisco.com 10.84.139.164 10.84.139.169 10.84.139.
:vxdiag_i

Use the :vxdiag_i command to display a list of current tasks on the access point.
:vxdiag_ipstatshow

Use the :vxdiag_ipstatshow command to display IP statistics for the access point.
:vxdiag_memshow

Use the :vxdiag_memshow command to display information on the access point’s free and allocated memory.
:vxdiag_muxshow

Use the :vxdiag_muxshow command to display all the networking protocols installed on the access point.
:vxdiag_routeshow

Use the :vxdiag_routeshow command to display current routing information for the access point. The routing information might look like the following example:

ROUTE NET TABLE
destination gateway flags Refcnt Use Interface
----------------------------------------------------------------------
0.0.0.0 10.84.139.129 3 1 1932 emac0
10.84.139.128 10.84.139.
:vxdiag_tcpstatshow

Use the :vxdiag_tcpstatshow command to display Transmission Control Protocol (TCP) statistics for the access point.
:vxdiag_udpstatshow

Use the :vxdiag_udpstatshow command to display User Datagram Protocol (UDP) statistics for the access point.
Tracing Packets

Step 3 Enter the number of bytes of memory the access point should use for packet tracing in the Maximum memory reserved for Detailed Event Trace Buffer (bytes) entry field. If you want to create a detailed packet trace, for example, enter 1000000; if you need a simple, less-detailed packet trace, for example, enter 100000.
Step 4 Click OK. The access point reboots.
Tracing Packets for Ethernet and Radio Ports

Follow these steps to set up the access point’s Ethernet or radio ports for packet tracing:
Step 1 To trace all the packets sent and received through the access point’s Ethernet or radio ports, browse to the Network Ports page. Browse to the Network Ports page by clicking Current Associations on the Summary Status page or by clicking the gray Network button at the top of most management system pages.
A portion of the Headers Only packet trace file might look like this example:

===Beginning of AP_North Detailed Trace Log===
04:46:14 +17174.384615 Station Alert: 00:01:64:43:ef:41Aironet:40:6f:e6Aironet:40:6f:e6 0x0000
04:47:37 + 83.326923 Station Alert: 00:01:64:43:ef:41Aironet:40:6f:e6Aironet:36:14:5a 0x0000
04:49:06 + 88.307692 Station Alert: 00:01:64:43:ef:41Aironet:40:6f:e6broadcastARP
04:49:06 + 0.
Checking the Top Panel Indicators

Figure 13-11 Top Panel Indicator Lights (labels: Radio, Status, Ethernet)

• The Ethernet indicator signals traffic on the wired LAN, or Ethernet infrastructure. This indicator blinks green when a packet is received or transmitted over the Ethernet infrastructure.
• The status indicator signals operational status.
Table 13-3 Top Panel Indicator Signals (continued)

Message type Ethernet Status Radio Meaning indicator indicator indicator Operational – Error/warning Steady green Blinking Transmitting/receiving green radio packets. Blinking Steady green green – – Blinking Maximum retries or amber buffer full occurred on one of the radios. Steady green Blinking Steady amber green – Transmitting/receiving packets.
Checking Basic Settings

Mismatched basic settings are the most common causes of lost connectivity with wireless clients. If the access point does not communicate with client devices, check the following settings.

SSID

Wireless clients attempting to associate with the access point must use the same SSID as the access point. The default SSID is tsunami.
Table 13-4 802.1x Protocol Drafts and Compliant Client Firmware

Draft 101 Firmware Version Draft 7 Draft 8 PC/PCI cards 4.13 — x — PC/PCI cards 4.16 — x — PC/PCI cards 4.23 — x — PC/PCI cards 4.25 and later — — x WGB34x/352 8.58 — x — WGB34x/352 8.61 or later — — x — x — — x x — x x AP34x/35x 11.05 and earlier AP34x/35x 11.06 and later BR352 11.06 and later 2 1 1.
Step 3 Click Apply or OK to apply the setting. The access point reboots.

Resetting to the Default Configuration

If you forget the password that allows you to configure the access point, you might need to completely reset the configuration. Follow the steps below to delete the current configuration and return all access point settings to the factory defaults.
Step 9 Type yes, and press Enter to confirm the command.

Note The resetall command is valid for only 2 minutes immediately after the access point reboots. If you do not enter and confirm the resetall command during that 2 minutes, reboot the access point again.

Step 10 After the access point reboots and the Express Setup screen appears, reconfigure the access point by using the terminal emulator or an Internet browser.
APPENDIX A Channels, Power Levels, and Antenna Gains

This appendix lists the IEEE 802.11a and IEEE 802.11b channels supported by the world's regulatory domains as well as the maximum power levels and antenna gains allowed per domain.
Channels

IEEE 802.11a

The channel identifiers, channel center frequencies, and regulatory domains of each IEEE 802.11a 20-MHz-wide channel are listed in Table A-1.

Table A-1 Note Channels for IEEE 802.
IEEE 802.11b

The channel identifiers, channel center frequencies, and regulatory domains of each IEEE 802.11b 22-MHz-wide channel are listed in Table A-2.

Table A-2 Channels for IEEE 802.
Maximum Power Levels and Antenna Gains

Table A-3 Maximum Power Levels Per Antenna Gain for IEEE 802.11a

Regulatory Domain | Maximum Power Level (mW) with 6-dBi Antenna Gain
Americas (-A) (160 mW EIRP maximum on channels 36-48, 800 mW EIRP maximum on channels 52-64) | 40
Japan (-J) (10 mW/MHz EIRP maximum) | 40
Singapore (-S) (100 mW EIRP maximum) | 20
Taiwan (-T) (800 mW EIRP maximum) | 40

IEEE 802.
Table A-4 Maximum Power Levels Per Antenna Gain for IEEE 802.11b (continued)

Regulatory Domain | Antenna Gain (dBi) | Maximum Power Level (mW)
Israel (–I) (100 mW EIRP maximum) | 0 | 100
Israel (–I) | 2.2 | 50
Israel (–I) | 5.2 | 30
Israel (–I) | 6 | 30
Israel (–I) | 8.5 | 5
Israel (–I) | 12 | 5
Israel (–I) | 13.5 | 5
Israel (–I) | 21 | 1
China (–C) (10 mW EIRP maximum) | 0 | 5
China (–C) | 2.2 | 5
China (–C) | 5.2 | n/a
China (–C) | 6 | n/a
China (–C) | 8.5 | n/a
China (–C) | 12 | n/a
China (–C) | 13.5 | n/a
China (–C) | 21 | n/a
Japan (–J) (10 mW/MHz EIRP maximum) | 0 | 50
Japan (–J) | 2.2 | 30
Japan (–J) | 5.2 | 30
Japan (–J) | 6 | 30
Japan (–J) | 8.
APPENDIX B Protocol Filter Lists

The tables in this appendix list the protocols available on the Protocol Filters pages described in the “Protocol Filtering” section on page 5-2.
Table B-1 Protocols on the Ethertype Filters Page

Protocol | Additional Identifier | ISO Designator
ARP | — | 0x0806
RARP | — | 0x8035
IP | — | 0x0800
Berkeley Trailer Negotiation | — | 0x1000
LAN Test | — | 0x0708
X.25 Level3 | X.25 | 0x0805
Banyan | — | 0x0BAD
CDP | — | 0x2000
DEC XNS | XNS | 0x6000
DEC MOP Dump/Load | — | 0x6001
DEC MOP | MOP | 0x6002
DEC LAT | LAT | 0x6004
Ethertalk | — | 0x809B
Appletalk ARP | Appletalk AARP | 0x80F3
IPX 802.2 | — | 0x00E0
IPX 802.
Table B-2 Protocols on the IP Protocol Filters Page (continued)

Protocol | Additional Identifier | ISO Designator
User Datagram Protocol | UDP | 17
XNS-IDP | IDP | 22
ISO-TP4 | TP4 | 29
ISO-CNLP | CNLP | 80
Banyan VINES | VINES | 83
Encapsulation Header | encap_hdr | 98
Spectralink Voice Protocol | SVP Spectralink | 119
raw | — | 255

Table B-3 Protocols on the IP Port Protocol Filters Page

Protocol | Additional Identifier | ISO Designator
TCP port service multiplexer | tcpmux | 1
e
Table B-3 Protocols on the IP Port Protocol Filters Page (continued)

Protocol | Additional Identifier | ISO Designator
BOOTP Client | — | 68
TFTP | — | 69
gopher | — | 70
rje | netrjs | 77
finger | — | 79
Hypertext Transport Protocol | HTTP www | 80
ttylink | link | 87
Kerberos v5 | Kerberos krb5 | 88
supdup | — | 95
hostname | hostnames | 101
TSAP | iso-tsap | 102
CSO Name Server | cso-ns csnet-ns | 105
Remote Telnet | rtelnet | 107
Postoffice v2 | POP2 POP v2 | 109
Postoffice v3 | POP3
Table B-3 Protocols on the IP Port Protocol Filters Page (continued)

Protocol | Additional Identifier | ISO Designator
SNMP Traps | snmp-trap | 162
ISO CMIP Management Over IP | CMIP Management Over IP cmip-man CMOT | 163
ISO CMIP Agent Over IP | cmip-agent | 164
X Display Manager Control Protocol | xdmcp | 177
NeXTStep Window Server | NeXTStep | 178
Border Gateway Protocol | BGP | 179
Prospero | — | 191
Internet Relay Chat | IRC | 194
SNMP Unix Multiplexer | smux | 199
AppleTalk Rout
Table B-3 Protocols on the IP Port Protocol Filters Page (continued)

Protocol | Additional Identifier | ISO Designator
rfs_server | remotefs | 556
Kerberos kadmin | kerberos-adm | 749
network dictionary | webster | 765
SUP server | supfilesrv | 871
swat for SAMBA | swat | 901
SUP debugging | supfiledbg | 1127
ingreslock | — | 1524
Prospero non-privileged | prospero-np | 1525
RADIUS | — | 1812
Concurrent Versions System | CVS | 2401
Cisco IAPP | — | 2887
Radio Free Ethernet | RFE | 5002
APPENDIX C Event Log Messages

This appendix lists the SNMP and SYSLOG event notifications generated by the access point.
Message Formats

Event messages appear in either the default format or in the Cisco EMBLEM format.
Syslog Severity EMBLEM Severity
SystemFatal, ProtocolFatal, PortFatal | LOG_EMERG (0)
SystemAlert, ProtocolAlert, PortAlert, ExternalAlert | LOG_ALERT (1)
SystemWarning, ProtocolWarning, PortWarning, ExternalWarning | LOG_WARNING (4)
SystemInfo, ProtocolInfo, PortInfo, ExternalInfo | LOG_INFO (6)
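The severity mapping above and the message texts in Table C-1 (later in this appendix) are enough to build a first-pass triage of a collected event log. The following Python sketch is an added example, not code from the guide or from Cisco: the message templates, mnemonics and severities are taken from Table C-1, while the timestamp prefix, the address formats in the sample lines, and the per-message reporting thresholds are assumptions of this example.

```python
import re
from collections import Counter

# Syslog levels from the severity mapping in "Message Formats".
SYSLOG_LEVEL = {"Fatal": ("LOG_EMERG", 0), "Alert": ("LOG_ALERT", 1),
                "Warning": ("LOG_WARNING", 4), "Info": ("LOG_INFO", 6)}

TRUNC = r" from (?P<src>\S+) \(was (?P<pktlen>\d+) bytes, need (?P<reqlen>\d+) bytes\)"

# (mnemonic, severity, message template from Table C-1, minimum count to report).
# The minimum counts are this example's choice; 0 means "recognise but never report".
RULES = [
    ("PRTR_SYSIP_REQ", "System Warning",
     r"Host (?P<src>\S+) has requested that this system.s IP Address be set to (?P<newaddr>\S+)", 1),
    ("PRO80211_MNGPKT_TRNC", "Protocol Warning",
     r"Received Truncated 802\.11 Management Packet" + TRUNC, 1),
    ("RCV_TRNC_DAUTHREQ", "Protocol Warning",
     r"Received Truncated Deauthentication" + TRUNC, 1),
    ("MACAUTH_DENY", "Port Warning",
     r"MAC-Address Authentication denied for Station (?P<src>\S+)", 3),
    ("SSHD_LOGIN_FAILED", "Protocol Information",
     r"Disconnect remote user from (?P<src>\S+) after exceeding max number of login attempts", 1),
    ("STA_AUTH_OK", "Protocol Info",
     r"Station (?P<src>\S+) Authenticated", 0),
]
COMPILED = [(m, s, re.compile(p), n) for m, s, p, n in RULES]
MIN_COUNT = {m: n for m, _, _, n in RULES}

# Constructed sample log (timestamps and addresses are made up for the example).
SAMPLE_LOG = """\
00:01:12 Station 00:40:96:11:22:33 Authenticated
00:03:40 MAC-Address Authentication denied for Station 00:0c:29:aa:bb:01
00:03:41 MAC-Address Authentication denied for Station 00:0c:29:aa:bb:01
00:03:43 MAC-Address Authentication denied for Station 00:0c:29:aa:bb:01
00:04:02 MAC-Address Authentication denied for Station 00:40:96:44:55:66
00:05:10 Received Truncated 802.11 Management Packet from 00:0c:29:aa:bb:01 (was 18 bytes, need 24 bytes)
00:07:55 Host 192.0.2.77 has requested that this system's IP Address be set to 192.0.2.10
00:09:30 Disconnect remote user from 192.0.2.77 after exceeding max number of login attempts
"""


def classify(line):
    """Return mnemonic, severity, syslog level and captured fields, or None."""
    for mnemonic, severity, pattern, _ in COMPILED:
        match = pattern.search(line)
        if match:
            level = severity.split()[-1]
            level = "Info" if level == "Information" else level
            name, number = SYSLOG_LEVEL[level]
            hit = {"mnemonic": mnemonic, "severity": severity,
                   "syslog": name, "level": number}
            hit.update(match.groupdict())
            return hit
    return None


def triage(lines):
    """Count reportable events per (mnemonic, source) and apply the thresholds."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit and MIN_COUNT[hit["mnemonic"]]:
            counts[(hit["mnemonic"], hit["src"])] += 1
    return sorted((mnemonic, src, n) for (mnemonic, src), n in counts.items()
                  if n >= MIN_COUNT[mnemonic])


if __name__ == "__main__":
    for mnemonic, src, n in triage(SAMPLE_LOG.splitlines()):
        print("%-22s %-20s x%d" % (mnemonic, src, n))
```

In the sample, one station appears under both MACAUTH_DENY and PRO80211_MNGPKT_TRNC and one IP address appears under both PRTR_SYSIP_REQ and SSHD_LOGIN_FAILED; grouping by source makes that correlation visible.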
Message Descriptions

Table C-1 lists the event log messages.

Table C-1 Event Log Messages and Descriptions

Severity: Protocol Info
Event Description: Deauthenticating host, reason reason
  host: host MAC address
  reason: see “Statuses and Reasons” section on page C-28
EMBLEM Mnemonic: STA_DEAUTH
Possible Cause or Recommended Action: None.

Severity: Protocol Info
Event Description: Station host Authenticated
  host: host MAC address
EMBLEM Mnemonic: STA_AUTH_OK
Possible Cause or Recommended Action: None.
Severity: Protocol Info
Event Description: Deauthentication from host, reason reason
  host: host MAC address
EMBLEM Mnemonic: RCV_DEAUTH
Possible Cause or Recommended Action: None.

Severity: Protocol Info
Event Description: Received Unexpected 802.11 Management packet from host, subtype=subtype, length=length
  host: host MAC address
  subtype: the 802.11 Frame Control subtype
  length: the length of the 802.11 packet
EMBLEM Mnemonic: PRO80211_MNGPKT_LATE
Possible Cause or Recommended Action: None.
Severity: System Warning
Event Description: Host srcaddr has requested that this system's IP Address be set to newaddr
  srcaddr: Source host's IP address
  newaddr: Requested new IP address
EMBLEM Mnemonic: PRTR_SYSIP_REQ
Possible Cause or Recommended Action: IPSU is trying to set this access point’s IP address. Verify that the IPSU user is legitimate.
EMBLEM Mnemonic: STA_NOWEP
Possible Cause or Recommended Action: A misconfigured or rogue client device is on your wireless LAN. Find and correct or remove the client device.
Severity: Protocol Warning
Event Description: Received Truncated 802.11 Management Packet from srchost (was pktlen bytes, need reqlen bytes)
  srchost: MAC address of host
  pktlen: actual length of received packet
  reqlen: required length of packet
EMBLEM Mnemonic: PRO80211_MNGPKT_TRNC
Possible Cause or Recommended Action: Your wireless LAN contains a confused or rogue device.
Severity: Protocol Warning
Event Description: Received Truncated Deauthentication from srchost (was pktlen bytes, need reqlen bytes)
  srchost: MAC address of host
  pktlen: actual length of received packet
  reqlen: required length of packet
EMBLEM Mnemonic: RCV_TRNC_DAUTHREQ
Possible Cause or Recommended Action: Your wireless LAN contains a confused or rogue device.
Severity: Port Warning
Event Description: Failed to Address Packet from srchost to desthost on port ifDescr
  srchost: MAC address of source host
  desthost: MAC address of destination host
  ifDescr: Name of network interface
EMBLEM Mnemonic: PRTR_ADDR_ERR
Possible Cause or Recommended Action: A device attempting to authenticate might have roamed during the authentication exchange.
EMBLEM Mnemonic: PRTR_RCV_MCAST
Possible Cause or Recommended Action: Your wireless LAN contains a confused or rogue device. Find and correct or remove the device.
Severity: External Warning
Event Description: Sorry, IPv6 protocol analysis not yet implemented (source srchost, destination desthost, port ifDescr
  srchost: MAC address of source host
  desthost: MAC address of destination host
  ifDescr: Name of network interface
EMBLEM Mnemonic: PRTR_IPV6_ERR

Severity: External Warning
Event Description: Packet from srchost to desthost is using unknow
Event Description: Received ARP packet from srchost to desthost on port ifDescr of unrecognized length-byte IP address)
  srchost: MAC address of source host
  desthost: MAC address of destination host
  ifDescr: Name of network interface
  length: ARP packet length
EMBLEM Mnemonic: PRTR_ARP_IP_BAD
Possible Cause or Recommended Action: There is a problem with the ARP table on a device on your network.
Severity: System Fatal
Event Description: Failed to Set System IP Address to netaddr (DB_Status=status)
  netaddr: new IP address number
  status: see “Statuses and Reasons” section on page C-28
EMBLEM Mnemonic: PRTR_SYSIP_REQ_FAILED
Possible Cause or Recommended Action: There is an IP address conflict on your network. Find and correct the conflicting addresses.
Severity: Protocol Fatal
Event Description: Port ifDescr is not an 802.11 network
  ifDescr: Name of network interface
EMBLEM Mnemonic: PRO80211_BIND_ERR2
Possible Cause or Recommended Action: Reboot the access point.

Severity: Protocol Fatal
Event Description: Unknown port ifDescr
  ifDescr: Name of network interface
EMBLEM Mnemonic: PRO80211_PORT_UNKN
Possible Cause or Recommended Action: Reboot the access point.

Severity: Protocol Fatal
Event Description: Can not bind 802.
Event Description: NIC MAC for device ifDescr cannot be Enabled (error status)
  ifDescr: Name of network interface
  status: network interface card status
EMBLEM Mnemonic: DEVAWC_DISABLE
Possible Cause or Recommended Action: The access point radio might have failed or it might be misconfigured. Reset the access point radio configuration parameters to defaults and reconfigure the radio parameters.
EMBLEM Mnemonic: RCV_ASSOCRSP_ENC
Possible Cause or Recommended Action: WEP is misconfigured. Correct the WEP mismatch.

Severity: Protocol Warning
Event Description: WEP Unavailable in Associate Response from Parent host, though this system requires WEP
  host: MAC address of host
EMBLEM Mnemonic: RCV_ASSOCRSP_UNENC
Possible Cause or Recommended Action: WEP is misconfigured. Correct the WEP mismatch.
Event Description: Hot standby AP state indicates that the monitor mode setup failed
EMBLEM Mnemonic: HSTNDBY_MON_FAILED
Possible Cause or Recommended Action: Verify root access point operation.

Severity: System Info
Event Description: Hot Standby Disabled
EMBLEM Mnemonic: HSTNDBY_DIS_
Possible Cause or Recommended Action: None.
Severity: Port Warning
Event Description: MAC-Address Authentication denied for Station clientAddr
  clientAddr: client MAC address
EMBLEM Mnemonic: MACAUTH_DENY
Possible Cause or Recommended Action: A rogue 802.11 device might be on your network. Check your facility for rogue devices.
EMBLEM Mnemonic: EAP_AUTH_FAILED
Possible Cause or Recommended Action: Either the client device or the authentication server might be misconfigured. Check the client and server configurations.

Severity: Protocol Info
Event Description: Station clientAddr User username EAP-Authenticated
  clientAddr: client MAC address
  username:
EMBLEM Mnemonic: EAP_AUTH_OK
Possible Cause or Recommended Action: Either the client device or the authentication server might be misconfigured.
Severity: System Fatal
Event Description: Rebooting System due to change in 802.1X Protocol Version
EMBLEM Mnemonic: SYS_REBOOT_1X_VER
Possible Cause or Recommended Action: None.

Severity: System Information
Event Description: Hot Standby Enable failed
EMBLEM Mnemonic: HSTNDBY_EN_FAILED
Possible Cause or Recommended Action: Verify the following: Root access point operation. Hot standby access point and root access point configurations match.
Severity: System Fatal
Event Description: Installation Keys Restored! Rebooting System
EMBLEM Mnemonic: SYS_REBOOT_INSTKEY
Possible Cause or Recommended Action: Reconfigure the access point.

Severity: System Information
Event Description: RADIUS Accounting Start failed to get RADIUS ACCT manager
EMBLEM Mnemonic: ACCT_CON_FAILED
Possible Cause or Recommended Action: If this message appears continuously, reboot the access point.
Event Description: Acct session creation fail at creating receive RevBuffer
EMBLEM Mnemonic: AMNGR_SESFAIL_NORBUF
Possible Cause or Recommended Action: If this message appears continuously, reboot the access point.

Severity: System Information
Event Description: Acct session creation fail at creating send Buffer
EMBLEM Mnemonic: AMNGR_SESFAIL_NOSBUF
Possible Cause or Recommended Action: If this message appears continuously, reboot the access point.
Severity: Protocol Warning
Event Description: Unable to start SSH connection
EMBLEM Mnemonic: SSHD_CON_INIT_FAILED
Possible Cause or Recommended Action: Reboot the access point.

Severity: Protocol Information
Event Description: Disconnect remote user from ipAddr after exceeding max number of login attempts. ipAddr: IP address of SSH client
EMBLEM Mnemonic: SSHD_LOGIN_FAILED
Possible Cause or Recommended Action: None.
Severity: System Fatal
Event Description: BKey1Proc's semBCreate returns error
EMBLEM Mnemonic: BKR_KEY1_LOCKERR
Possible Cause or Recommended Action: Correct the system configuration and reboot the access point.

Severity: System Warning
Event Description: BKey1Proc:forwardTbl pointer is NULL
EMBLEM Mnemonic: BKP_FTBL_ERR
Possible Cause or Recommended Action: Correct the radio configuration and reboot the access point.
Event Description: BKey1Proc can't access AWC_MIB's DefaultKey for devEnhCtrl Index radioIndex
EMBLEM Mnemonic: BKR_KEY1_NOMIBDKEY
Possible Cause or Recommended Action: Correct the system configuration and reboot the access point.

Severity: System Warning
Event Description: BKey1Proc is started before proper initialization
EMBLEM Mnemonic: BKR_KEY1_NOT_INIT
Possible Cause or Recommended Action: Ignore this message unless it appears after bootup.
Severity: System Fatal
Event Description: BKeyXmit NO MIB access, BKey rotation stopped for VLAN vlanID. vlanID: numeric VLAN identifier
EMBLEM Mnemonic: BKR_XMIT_NOMIB
Possible Cause or Recommended Action: Correct the system configuration and reboot the access point.

Severity: System Warning
Event Description: BKeyXmit radio is not OK
EMBLEM Mnemonic: BKR_XMIT_RADIO_BAD
Possible Cause or Recommended Action: Correct the radio configuration and reboot the access point.

Severity: Protocol Warning
Event Description: VLAN (802.
Appendix C Event Log Messages
Statuses and Reasons
Table C-1 Event Log Messages and Descriptions (continued)

Severity: External Alert
EMBLEM Mnemonic: DDP_ROGUEAP
Possible Cause or Recommended Action: Check for a rogue access point on your network.
Event Description: Possible rogue AP rogueHost detected: Reason reasonText. rogueHost: rogue AP MAC address. reasonText: one of “Not running 802.
• Too Many Stations in BSS
• Basic Rate Not Supported
• Short Preambles Not Supported
• PBCC Modulation Not Supported
• Channel Agility Not Supported