Cisco Wireless ISR and HWIC Access Point Configuration Guide December 2006 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Cisco Wireless Router and HWIC Configuration Guide, OL-6415-04
Preface

The Preface provides information on the following topics:
• Audience
• Purpose
• Organization
• Related Publications
• Obtaining Documentation

Audience

This guide is for the networking professional who installs and manages Cisco stationary routers with wireless capabilities. You should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of wireless LANs.
Organization

This guide consists of the following chapters:
Chapter 1, “Overview,” lists the software and hardware features of the wireless device and describes the role of the wireless device in your network.
Chapter 2, “Configuring Radio Settings,” describes how to configure settings for the wireless device radio such as the role in the radio network, data rates, transmit power, channel settings, and others.
Conventions

Interactive examples use these conventions:
• Terminal sessions and system displays are in screen font.
• Information you enter is in boldface screen font.
• Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).
Notes, cautions, and timesavers use these conventions and symbols:
Tip Means the following will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information.
Related Publications

Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. (To see translations of the warnings that appear in this publication, refer to the appendix titled “Translated Safety Warnings.”)
Table 1 Related and Referenced Documents (continued)
Cisco Product: Cisco 800 series routers
Document Titles:
• Cisco 850 Series and Cisco 870 Series Routers Hardware Installation Guide
• Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide
• Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
• Regulatory Compliance and Safety Information for Cisco 800 Series and SOHO Series Routers
• Upgrading Memory in Cisco 800 Ro
Obtaining Documentation

You can access the Cisco website at this URL: http://www.cisco.com
You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVD

Cisco documentation and additional literature are available in the Product Documentation DVD package, which may have shipped with your product. The Product Documentation DVD is updated regularly and may be more current than printed documentation.
Documentation Feedback

You can send comments about Cisco documentation to bug-doc@cisco.com. You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL: http://www.cisco.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.htm
The link on this page has the current PGP key ID in use.

Obtaining Technical Assistance

Cisco Technical Support provides 24-hour-a-day award-winning technical assistance.
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
Obtaining Additional Publications and Information

• iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions.
Chapter 1 Overview

Cisco wireless devices provide a secure, affordable, and easy-to-use wireless LAN solution that combines mobility and flexibility with the enterprise-class features required by networking professionals. With a management system based on Cisco IOS software, Cisco wireless devices are Wi-Fi certified, 802.11b-compliant, 802.11g-compliant, or 802.11a-compliant wireless LAN transceivers.
Network Configuration Example

This section describes the wireless device role in common wireless network configurations. The access point default configuration is as a root unit connected to a wired LAN or as the central unit in an all-wireless network.

Root Unit on a Wired LAN

An access point connected directly to a wired LAN provides a connection point for wireless users. Figure 1-1 shows access points acting as root units on a wired LAN.
Features

This section lists features supported on access points running Cisco IOS software.
• Access Point Link Role Flexibility—This feature allows the user to configure root and non-root bridging mode functionality, universal client mode, and support of a WGB client device, in addition to a root access point on the radio interface.
Note Root/Non-Root bridging mode is supported only on modular ISR platforms, such as the Cisco 3800 series, Cisco 2800 series, and Cisco 1841 series.
• VLANs—Assign VLANs to the SSIDs on the wireless device (one VLAN per SSID) to differentiate policies and services among users.
• QoS—Use this feature to support quality of service for prioritizing traffic from the Ethernet to the access point. The access point also supports the voice-prioritization schemes used by 802.11b wireless phones such as the Cisco 7920 and Spectralink's Netlink™.
• Microsoft WPS IE SSIDL—This feature allows the access point to broadcast a list of configured SSIDs (the SSIDL) in the Microsoft Wireless Provisioning Services Information Element (WPS IE). A client with the ability to read the SSIDL can alert the user to the availability of the SSIDs. This feature provides a bandwidth-efficient, software-upgradeable alternative to multiple broadcast SSIDs (MB/SSIDs).
• HTTP Web Server v1.
Chapter 2 Configuring Radio Settings

This chapter describes how to configure radio settings for the wireless device.
Enabling the Radio Interface

The wireless device radios are disabled by default.
Note In Cisco IOS Release 12.4 there is no default SSID. You must create a Radio Service Set Identifier (SSID) before you can enable the radio interface.
Beginning in privileged EXEC mode, follow these steps to enable the wireless device radio:
Step 1 configure terminal: Enter global configuration mode.
Configuring Network or Fallback Role

You can also configure a fallback role for root access points. The wireless device automatically assumes the fallback role when its Ethernet port is disabled or disconnected from the wired LAN. The fallback role is Shutdown—the wireless device shuts down its radio and disassociates all client devices.
Bridge Features Not Supported

The following features are not supported when a Cisco ISR series access point is configured as a bridge:
• Clear Channel Assessment (CCA)
• Interoperability with 1400 series bridge
• Concatenation
• Install mode
• EtherChannel and PAgP configuration on switch
For root and non-root bridging mode operations, only bridge-group mode using the BVI interface is supported.
 ip address 30.0.0.1 255.0.0.0
 duplex auto
 speed auto
!
interface Dot11Radio0/0/0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid airlink2-bridge
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root bridge
!
interface Dot11Radio0/0/0.
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
dot11 ssid airlink2-bridge
 vlan 1
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 12345678
!
dot11 priority-map avvid
ip cef
!
!
bridge irb
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-di
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Universal Client Mode

Universal client mode is a wireless radio station role that allows the radio to act as a wireless client to another access point or repeater. This feature is exclusive to the integrated radio running in the Cisco 870, 1800, 2800, and 3800 Integrated Services Routers.
Configuring Universal Client Mode

c2801(config-if)#station-role ?
  non-root  Non-root (bridge)
  root      Root access point or bridge
c2801(config-if)#station-role non-root ?
  bridge    Bridge
The station-role non-root bridge command enables non-root bridge mode; station-role non-root with no further keyword enables universal client mode.

DHCP

IP DHCP addressing is supported in the Dot11Radio interface configured in universal client mode.
no service password-encryption
!
hostname C1803W_UC
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
!
no aaa new-model
!
resource policy
!
!
dot11 ssid hurricane
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 allyouneedislove
!
dot11 ssid tsunami
 authentication open
 guest-mode
!
dot11 priority-map avvid
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 100.
 !
 encryption mode ciphers tkip
 !
 ssid hurricane
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role non-root
!
end

Configuring Radio Data Rates

You use the data rate settings to choose the data rates the wireless device uses for data transmission. The rates are expressed in megabits per second.
Step 3 speed: Set each data rate to basic or enabled, or enter range to optimize range or throughput to optimize throughput.
These options are available for the 802.11b, 2.4-GHz radio:
• {[1.0] [11.0] [2.0] [5.5] [basic-1.0] [basic-11.0] [basic-2.0] [basic-5.5] | range | throughput}
Enter 1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, and 54.0 to set these data rates to enabled on the 802.11g, 2.
Step 4 end: Return to privileged EXEC mode.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Use the no form of the speed command to remove one or more data rates from the configuration. This example shows how to remove data rates basic-2.0 and basic-5.
Configuring Radio Transmit Power

Beginning in privileged EXEC mode, follow these steps to set the transmit power on access point radios:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface dot11radio { 0 | 1 }: Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Step 3 power local: Set the transmit power for the 802.11g, 2.
Step 3 power client: Set the maximum power level allowed on client devices that associate to the wireless device.
These options are available for 802.11b, 2.4-GHz clients (in mW): { 1 | 5 | 20 | 30 | 50 | 100 | maximum }
Note The settings allowed in your regulatory domain might differ from the settings listed here.
These options are available for 802.11g, 2.
Configuring Radio Channel Settings

Beginning in privileged EXEC mode, follow these steps to set the wireless device’s radio channel:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface dot11radio { 0 | 1 }: Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Table 2-4 shows the available frequencies for the 802.11g 2.4 GHz radio.
Table 2-4 Channels and Available Frequencies for 802.11g 2.
Table 2-4 (continued), regulatory domains Americas (–A), EMEA (–N) and Japan (–P):
Channel Identifier | Center Frequency (MHz) | –A CCK | –A OFDM | –N CCK | –N OFDM | –P CCK | –P OFDM
13 | 2472 | – | – | X | X | X | X
14 | 2484 | – | – | – | – | X | –
Table 2-6 shows the available frequencies for the RM21A and RM22A IEEE 802.11a 5-GHz radios.
Table 2-6 Channels and Available Frequencies for the 802. (only the Channel ID column of the table is recoverable: 34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 149, 153, 157, 161, 165)
DFS Automatically Enabled on Some 5-GHz Radio Channels

Access points with 5-GHz radios configured at the factory for use in Europe now comply with regulations that require radio devices to use Dynamic Frequency Selection (DFS) to detect radar signals and avoid interfering with them. Radios configured for use in other regulatory domains do not use DFS.
Confirming that DFS is Enabled

Use the show controller dot11radio1 command to confirm that DFS is enabled.
Beginning in privileged EXEC mode, follow these steps to enable world mode:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface dot11radio { 0 | 1 }: Enter interface configuration mode for the radio interface.
Step 3 world-mode dot11d country_code code { both | indoor | outdoor } | legacy: Enable world mode.
• Enter the dot11d option to enable 802.11d world mode.
Step 3 no preamble-short: Disable short preambles and enable long preambles.
Step 4 end: Return to privileged EXEC mode.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Short preambles are enabled by default. Use the preamble-short command to enable short preambles if they are disabled.
Disabling and Enabling Access Point Extensions

By default, the wireless device uses Cisco Access Point extensions to detect the capabilities of Cisco Access Point client devices and to support features that require specific interaction between the wireless device and associated client devices.
Beginning in privileged EXEC mode, follow these steps to configure the encapsulation transformation method:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface dot11radio { 0 | 1 }: Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Beginning in privileged EXEC mode, follow these steps to configure the encapsulation transformation method:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface dot11radio { 0 }: Enter interface configuration mode for the 2.4-GHz radio interface.
Step 3 infrastructure-client: Enable reliable multicast messages to workgroup bridges.
Use the no form of the command to disable PSPF.

Configuring Protected Ports

To prevent communication between client devices associated to different access points on your wireless LAN, you must set up protected ports on the switch to which the wireless devices are connected.
Step 3 beacon period value: Set the beacon period. Enter a value in Kilomicroseconds.
Step 4 beacon dtim-period value: Set the DTIM. Enter a value in Kilomicroseconds.
Step 5 end: Return to privileged EXEC mode.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Step 4 end: Return to privileged EXEC mode.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Use the no form of the command to reset the setting to defaults.

Configuring Fragmentation Threshold

The fragmentation threshold determines the size at which packets are fragmented (sent as several pieces instead of as one block).
Performing a Carrier Busy Test

You can perform a carrier busy test to check the radio activity on wireless channels. During the carrier busy test, the wireless device drops all associations with wireless networking devices for 4 seconds while it conducts the carrier test and then displays the test results.
Chapter 3 Configuring Multiple SSIDs

This chapter describes how to configure and manage multiple service set identifiers (SSIDs) on the access point.
Understanding Multiple SSIDs

The SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. Multiple access points on a network or subnetwork can use the same SSIDs. SSIDs are case sensitive and can contain up to 32 alphanumeric characters. Do not include spaces in your SSIDs. You can configure up to 16 SSIDs on your HWIC-APs and assign different configuration settings to each SSID.
Configuring Multiple SSIDs

This section contains configuration information for multiple SSIDs:
• Creating an SSID Globally, page 3-3
• Using a RADIUS Server to Restrict SSIDs, page 3-5
Note In Cisco IOS Release 12.4(15)T and later, you configure SSIDs globally and then apply them to a specific radio interface. Follow the instructions in the “Creating an SSID Globally” section on page 3-3 to configure SSIDs globally.
Step 5 vlan vlan-id: (Optional) Assign the SSID to a VLAN on your network. Client devices that associate using the SSID are grouped into this VLAN. You can assign only one SSID to a VLAN.
Step 6 guest-mode: (Optional) Designate the SSID as your access point’s guest-mode SSID. The access point includes the SSID in its beacon and allows associations from client devices that do not specify an SSID.
Viewing SSIDs Configured Globally

Use this command to view configuration details for SSIDs that are configured globally:
router# show running-config ssid ssid-string

Using Spaces in SSIDs

In Cisco IOS Release 12.4(15)T, you can include spaces in an SSID, but trailing spaces (spaces at the end of an SSID) are invalid. However, any SSIDs created in previous versions having trailing spaces are recognized.
The allowed list of SSIDs from the RADIUS server are in the form of Cisco VSAs. The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the access point and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use.
• When multiple BSSIDs are enabled on the access point, the SSIDL IE does not contain a list of SSIDs; it contains only extended capabilities.
• Any Wi-Fi certified client device can associate to an access point using multiple BSSIDs.
• You can enable multiple BSSIDs on access points that participate in WDS.
Use the no form of the command to disable SSIDL IEs.
!
dot11 ssid 1841-tkip-psk
 vlan 2
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 12345678
 information-element ssidl advertisement
!
dot11 ssid 1841-aes-psk
 vlan 3
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 12345678
 information-element ssidl advertisement wps
!
interface Dot11Radio0/0/0
 no ip address
 no snmp trap link-status
 !
 encryption vlan 1 key 1 size 128bit 0 12345678901234
Chapter 4 Configuring an Access Point as a Local Authenticator

This chapter describes how to configure the access point as a local authenticator to serve as a stand-alone authenticator for a small wireless LAN or to provide backup authentication service. As a local authenticator, the access point performs LEAP, EAP-FAST, and MAC-based authentication for up to 1000 client devices.
Understand Local Authentication

Many small wireless LANs that could be made more secure with 802.1x authentication do not have access to a RADIUS server. On many wireless LANs that use 802.1x authentication, access points rely on RADIUS servers housed in a distant location to authenticate client devices, and the authentication traffic must cross a WAN link.
Guidelines for Local Authenticators

Follow these guidelines when configuring an access point as a local authenticator:
• Use an access point that does not serve a large number of client devices. When the access point acts as an authenticator, performance might degrade for associated client devices.
• Secure the access point physically to protect its configuration.
Step 3 radius-server local: Enable the access point as a local authenticator and enter configuration mode for the authenticator.
Step 4 nas ip-address key shared-key: Add an access point to the list of units that use the local authenticator. Enter the access point’s IP address and the shared key used to authenticate communication between the local authenticator and other access points.
Step 11 user username { password | nthash } password [ group group-name ] [mac-auth-only]: Enter the LEAP and EAP-FAST users allowed to authenticate using the local authenticator. You must enter a username and password for each user.
router(config-radsrv)# user 00095125d02b password 00095125d02b group cashiers
router(config-radsrv)# user 00079431f04a password 00079431f04a group cashiers
router(config-radsrv)# user carl password 272165 group managers
router(config-radsrv)# user vic password lid178 group managers
router(config-radsrv)# end

This example shows how to set up EAP-FAST authentication:
Router#show run
Building configuration...
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.1.66 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.
Configuring Other Access Points to Use the Local Authenticator

You add the local authenticator to the list of servers on the access point the same way that you add other servers. For detailed instructions on setting up RADIUS servers on your access points, see Chapter 7, “Configuring RADIUS Servers.”
Configuring EAP-FAST Settings

The default settings for EAP-FAST authentication are suitable for most wireless LANs. However, you can customize the credential timeout values, authority ID, and server keys to match your network requirements.

Configuring PAC Settings

This section describes how to configure Protected Access Credential (PAC) settings.
Configuring an Authority ID

All EAP-FAST authenticators are identified by an authority identity (AID). The local authenticator sends its AID to an authenticating client, and the client checks its database for a matching AID. If the client does not recognize the AID, it requests a new PAC.
Limiting the Local Authenticator to One Authentication Type

By default, a local authenticator access point performs LEAP, EAP-FAST, and MAC-based authentication for client devices. However, you can limit the local authenticator to perform only one or two authentication types.
The second section lists stats for each access point (NAS) authorized to use the local authenticator.
Chapter 5 Configuring Encryption Types

This chapter describes how to configure the encryption types required to use WPA authenticated key management, Wired Equivalent Privacy (WEP), AES-CCM, Temporal Key Integrity Protocol (TKIP), and broadcast key rotation.
Understand Encryption Types

This section describes how encryption types protect traffic on your wireless LAN. Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal, any wireless networking device within range of an access point can receive the access point's radio transmissions.
Note Client devices using static WEP cannot use the access point when you enable broadcast key rotation. When you enable broadcast key rotation, only wireless client devices using 802.1x authentication (such as LEAP, EAP-TLS, or PEAP) can use the access point.
Step 3 encryption [vlan vlan-id] key 1-4 size { 40 | 128 } encryption-key [0|7] [transmit-key]: Create a WEP key and set up its properties.
• (Optional) Select the VLAN for which you want to create a key.
• Name the key slot in which this WEP key resides. You can assign up to 4 WEP keys for each VLAN.
• Enter the key and set the size of the key, either 40-bit or 128-bit.
Table 5-1 WEP Key Restrictions (continued)
Security Configuration | WEP Key Restriction
Cipher suite with TKIP and 40-bit WEP or 128-bit WEP | Cannot configure a WEP key in key slot 1 and 4
Broadcast key rotation | Keys in slots 2 and 3 are overwritten by rotating broadcast keys
Note Client devices using static WEP cannot use the access point when you enable broadcast key rotation.
Step 3 encryption [vlan vlan-id] mode ciphers {[aes-ccm | tkip]} {[wep128 | wep40]}: Enable a cipher suite containing the encryption you need. Table 5-3 lists guidelines for selecting a cipher suite that matches the type of authenticated key management you configure.
• (Optional) Select the VLAN for which you want to enable WEP and WEP features.
• Set the cipher options and WEP level.
Chapter 5 Configuring Encryption Types Configure Encryption Types Table 5-3 Cipher Suites Compatible with WPA Authenticated Key Management Types WPA Compatible Cipher Suites • encryption mode ciphers aes-ccm • encryption mode ciphers aes-ccm wep128 • encryption mode ciphers aes-ccm wep40 • encryption mode ciphers aes-ccm tkip • encryption mode ciphers aes-ccm tkip wep128 • encryption mode ciphers aes-ccm tkip wep128 wep40 • encryption mode ciphers tkip wep128 wep40 • Note When you confi
Chapter 5 Configuring Encryption Types Configure Encryption Types Step 3 Command Purpose broadcast-key change seconds [ vlan vlan-id ] [ membership-termination ] [ capability-change ] Enable broadcast key rotation. • Enter the number of seconds between each rotation of the broadcast key. • (Optional) Enter a VLAN for which you want to enable broadcast key rotation.
Chapter 5 Configuring Encryption Types Configure Encryption Types • TKIP • AES • TKIP+AES • WEP 40-bit • WEP 128-bit Universal client configuration ! dot11 ssid test10 authentication open authentication key-management wpa wpa-psk ascii 7 11584B5643475D5B5C737B ! ! interface Dot11Radio0/1/0 ip address dhcp ! encryption mode ciphers aes-ccm ! ssid test10 ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.
Chapter 5 Configuring Encryption Types Configure Encryption Types Debugging To determine if the universal client has associated to the access point, the user can issue the 'show dot11 association all' command for a detailed output of which access point it was associating to and how it has associated to the access point. The "show dot11 association" command will have the following output: c2801_uc# c2801_uc#sh dot11 ass all Address : 0015.2b06.17d0 IP Address : 200.1.1.
Chapter 5 Configuring Encryption Types Configure Encryption Types SSID Hops to Infra Tunnel Address Key Mgmt type Current Rate Supported Rates Signal Strength Signal Quality Power-save : : : : : : : : : Packets Input : Bytes Input : Duplicates Rcvd : Decrypt Failed : MIC Failed : Packets Redirected: symbol -1 0.0.0.0 NONE 11.0 1.0 2.0 5.5 11.
Chapter 5 Configuring Encryption Types Configure Encryption Types Cisco Wireless ISR and HWIC Access Point Configuration Guide 5-12 OL-6415-04
Chapter 6  Configuring Authentication Types

This chapter describes how to configure authentication types on the access point.

Understand Authentication Types

This section describes the authentication types that you can configure on the access point. The authentication types are tied to the SSIDs that you configure for the access point. If you want to serve different types of client devices with the same access point, you can configure multiple SSIDs. See Chapter 3, "Configuring Multiple SSIDs," for complete instructions on configuring multiple SSIDs.

Figure 6-1 Sequence for Open Authentication
(Access point or bridge with WEP key = 123; client device with WEP key = 321)
1. Authentication request
2. Authentication response
3. Association request
4. Association response
5. WEP data frame to wired network
6. Key mismatch, frame discarded

Shared Key Authentication to Access Point

Cisco provides shared key authentication to comply with the IEEE 802.11b standard.

EAP Authentication to Network

This authentication type provides the highest level of security for your wireless network. By using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key.

There is more than one type of EAP authentication, but the access point behaves the same way for each type: it relays authentication messages from the wireless client device to the RADIUS server and from the RADIUS server to the wireless client device. See the "Assigning Authentication Types to an SSID" section on page 6-9 for instructions on setting up EAP on the access point.

Figure 6-4 Sequence for MAC-Based Authentication
(Client device, access point or bridge, and server on the wired LAN)
1. Authentication request
2. Authentication success
3. Association request
4. Association response (block traffic from client)
5. Authentication request
6. Success
7.

Note: Unicast and multicast cipher suites advertised in the WPA information element (and negotiated during 802.11 association) may mismatch the cipher suite supported in an explicitly assigned VLAN. If the RADIUS server assigns a new VLAN ID that uses a different cipher suite from the previously negotiated cipher suite, there is no way for the access point and client to switch to the new cipher suite.

Software and Firmware Requirements for WPA and WPA-TKIP

Table 6-1 lists the firmware and software versions required on access points and Cisco client devices to support WPA key management and WPA-TKIP encryption protocols. To support the security combinations in Table 6-1, your access points and client devices must run the following software and firmware versions:
• Cisco IOS Release 12.

Configure Authentication Types

This section describes how to configure authentication types. You attach authentication types to the access point's SSIDs. See Chapter 3, "Configuring Multiple SSIDs," for details on setting up multiple SSIDs.

Step 3   authentication open [mac-address list-name [alternate]] [[optional] eap list-name]
Purpose: (Optional) Set the authentication type to open for this SSID. Open authentication allows any device to authenticate and then attempt to communicate with the access point.
Note: The following EAP methods are supported: EAP-MD5, EAP-SIM, EAP-TTLS, EAP-LEAP, EAP-PEAP (v0 and v1), EAP-TLS, and EAP-FAST.

Step 4   authentication shared [mac-address list-name] [eap list-name]
Purpose: (Optional) Set the authentication type for the SSID to shared key.
Note: Because of shared key's security flaws, Cisco recommends that you avoid using it.
Note: You can assign shared key authentication to only one SSID.

Step 5   authentication network-eap list-name [mac-address list-name]

Step 7   end
Purpose: Return to privileged EXEC mode.
Step 8   copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

Use the no form of the SSID commands to disable the SSID or to disable SSID features. This example sets the authentication type for the SSID batman to Network-EAP authenticated key management. Client devices using the batman SSID authenticate using the adam server list.

Configuring Additional WPA Settings

Use two optional settings to configure a pre-shared key on the access point and adjust the frequency of group key updates.

Setting a Pre-Shared Key

To support WPA on a wireless LAN where 802.1x-based authentication is not available, you must configure a pre-shared key on the access point. You can enter the pre-shared key as ASCII or hexadecimal characters.

Step 6   broadcast-key [ vlan vlan-id ] { change seconds } [ membership-termination ] [ capability-change ]
Purpose: Use the broadcast key rotation command to configure additional updates of the WPA group key.
Step 7   copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

Use the no form of the dot11 aaa mac-authen filter-cache command to disable MAC authentication caching.
Step 6   countermeasure tkip hold-time seconds
Purpose: Configure a TKIP MIC failure hold-time. If the access point detects two MIC failures within 60 seconds, it blocks all the TKIP clients on that interface for the hold-time period.
Step 7   end
Purpose: Return to privileged EXEC mode.
Step 8   copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
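The hold-time in Step 6 trades integrity protection against availability: the longer the hold-time, the longer every TKIP client on the interface loses service after two Michael MIC failures. The following Python model, added here as an editor's example (it is not Cisco code), replays a list of MIC-failure events through the rule the page states (two failures on one interface within 60 seconds start a hold-time) so you can see how a chosen hold-time value behaves before deploying it. The interface names and timestamps are constructed for the example.

```python
"""Model of the TKIP MIC-failure countermeasure rule from Step 6.

Added example, not Cisco code. It implements only the rule stated on the
page: two Michael MIC failures on one interface within 60 seconds block
the TKIP clients on that interface for the configured hold-time.
Interface names and timestamps below are constructed.
"""
from collections import deque

MIC_FAILURE_WINDOW_SEC = 60  # page: "two MIC failures within 60 seconds"


class TkipCountermeasure:
    """Per-interface tracker mirroring 'countermeasure tkip hold-time seconds'."""

    def __init__(self, hold_time_sec):
        self.hold_time_sec = hold_time_sec
        self._failures = {}       # interface -> deque of failure timestamps
        self._blocked_until = {}  # interface -> time at which the block expires

    def report_mic_failure(self, interface, now):
        """Record a MIC failure at time `now` (seconds).

        Returns True if this failure started a hold-time on the interface.
        """
        q = self._failures.setdefault(interface, deque())
        q.append(now)
        # Drop failures that fell out of the 60-second window.
        while q and now - q[0] > MIC_FAILURE_WINDOW_SEC:
            q.popleft()
        if len(q) >= 2 and not self.is_blocked(interface, now):
            self._blocked_until[interface] = now + self.hold_time_sec
            q.clear()  # a fresh count starts once the hold-time begins
            return True
        return False

    def is_blocked(self, interface, now):
        """True while the interface is inside a hold-time period."""
        return now < self._blocked_until.get(interface, float("-inf"))

    def seconds_until_unblocked(self, interface, now):
        """Remaining outage for TKIP clients on the interface at time `now`."""
        if not self.is_blocked(interface, now):
            return 0
        return self._blocked_until[interface] - now


def replay(events, hold_time_sec):
    """Replay (time, interface) failure events; return (triggers, tracker)."""
    cm = TkipCountermeasure(hold_time_sec)
    triggered = []
    for t, ifc in events:
        if cm.report_mic_failure(ifc, t):
            triggered.append((t, ifc))
    return triggered, cm


# Constructed sample: the first two failures on Dot11Radio0 are 90 s apart
# (no trigger); the second and third are 30 s apart (trigger). A single
# failure on Dot11Radio1 never triggers anything.
SAMPLE_EVENTS = [
    (0.0, "Dot11Radio0"),
    (90.0, "Dot11Radio0"),
    (120.0, "Dot11Radio0"),
    (125.0, "Dot11Radio1"),
]

if __name__ == "__main__":
    trig, cm = replay(SAMPLE_EVENTS, hold_time_sec=60)
    print("hold-time started at:", trig)
    print("Dot11Radio0 still blocked at t=150?", cm.is_blocked("Dot11Radio0", 150.0))
```

Feeding the model a day's worth of timestamps from the DOT11-4-TKIP_MIC_FAILURE_REPORT messages listed in Appendix D shows how often a given hold-time would have interrupted TKIP clients; if the count is high, moving clients to an AES-CCM cipher suite removes the countermeasure from the picture entirely.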
Matching Access Point and Client Device Authentication Types

Table 6-2 Client and Access Point Security Settings (continued)
Security Feature: EAP-FAST authentication with WPA
Client Setting: Enable EAP-FAST and Wi-Fi Protected Access (WPA) and enable automatic provisioning or import a PAC file.
Access Point Setting: Select a cipher suite that includes TKIP, set up and enable WEP, and enable Network-EAP and WPA for the SSID.

Table 6-2 Client and Access Point Security Settings (continued)
Client Setting (if using ACU to configure card): Create a WEP key, enable Host Based EAP, and enable Use Static WEP Keys in ACU and select Enable network access control using IEEE 802.
Chapter 7  Configuring RADIUS Servers

This chapter describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS), which provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands.

Configuring and Enabling RADIUS

This section describes how to configure and enable RADIUS.

RADIUS Operation

When a wireless user attempts to log in and authenticate to an access point whose access is controlled by a RADIUS server, authentication to the network occurs in the steps shown in Figure 7-1:

Figure 7-1 Sequence for EAP Authentication
(Client device, access point or bridge, and RADIUS server on the wired LAN)
1. Authentication request
3. Username (relay to server)
4. Authentication challenge (relay to client)
5.

Configuring RADIUS

This section describes how to configure your access point to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting. A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user.

Identifying the RADIUS Server Host

Access point-to-RADIUS-server communication involves several components:
• Host name or IP address
• Authentication destination port
• Accounting destination port
• Key string
• Timeout period
• Retransmission value

You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers.

Step 3   radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
Purpose: Specify the IP address or host name of the remote RADIUS server host.
• (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
• (Optional) For acct-port port-number, specify the UDP destination port for accounting requests.

Step 6   end
Purpose: Return to privileged EXEC mode.
Step 7   show running-config
Purpose: Verify your entries.
Step 8   copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.

Step 3   aaa authentication login {default | list-name} method1 [method2...]
Purpose: Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.

Defining AAA Server Groups

You can configure the access point to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.

Step 3   radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
Purpose: Specify the IP address or host name of the remote RADIUS server host.
• (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.

To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command.

Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:
Step 1   configure terminal
Purpose: Enter global configuration mode.
Step 2   aaa authorization network radius
Purpose: Configure the access point for user RADIUS authorization for all network-related service requests.
Selecting the CSID Format

You can select the format for MAC addresses in Called-Station-ID (CSID) and Calling-Station-ID attributes in RADIUS packets. Use the dot11 aaa csid global configuration command to select the CSID format. Table 7-1 lists the format options with corresponding MAC address examples.

Table 7-1 CSID Format Options
Option    | MAC Address Example
default   | 0007.85b3.
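Because the CSID format is chosen per access point, RADIUS and accounting logs from a mixed estate carry the same station MAC in different spellings, which breaks correlation unless the collector normalizes them. The following Python is an editor's example, not Cisco code: it normalizes the dotted style the table shows for default, plus the hyphenated IEEE and unformatted styles (those two keyword names and their shapes are this editor's knowledge of the dot11 aaa csid command, not values taken from the truncated table above), and groups constructed RADIUS log lines by station. All MAC addresses and log lines are constructed.

```python
"""Normalizing Called-Station-Id / Calling-Station-Id MAC formats.

Added example, not Cisco code. The page shows the 'default' CSID style as
dotted groups of four hex digits. The 'ieee' (hyphenated pairs) and
'unformatted' (12 bare hex digits) styles are assumed from the editor's
knowledge of the dot11 aaa csid keywords, not from the page. All MACs and
log lines here are constructed.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None if unrecognized.

    Accepts dotted 'xxxx.xxxx.xxxx', hyphenated 'xx-xx-xx-xx-xx-xx',
    bare 'xxxxxxxxxxxx', and colon-separated input, so records from
    differently configured access points collapse onto one key.
    """
    digits = re.sub(r"[.:\-]", "", value.strip().lower())
    return digits if _HEX12.match(digits) else None


def format_mac(digits, style):
    """Render 12 hex digits in one of the CSID styles (assumed names)."""
    if style == "default":
        return ".".join(digits[i:i + 4] for i in range(0, 12, 4))
    if style == "ieee":
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    if style == "unformatted":
        return digits
    raise ValueError("unknown CSID style: %s" % style)


def group_by_station(log_lines):
    """Count RADIUS log lines per normalized Calling-Station-Id.

    Lines are constructed as '... Calling-Station-Id=<mac> ...'; values
    that do not parse as a MAC are counted under 'unparsed' so they are
    not silently dropped.
    """
    counts = {}
    for line in log_lines:
        m = re.search(r"Calling-Station-Id=(\S+)", line)
        if not m:
            continue
        key = normalize_mac(m.group(1))
        if key is None:
            key = "unparsed"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: one station logged by three access points that use
# different CSID formats, plus one malformed value.
SAMPLE_LOG = [
    "Access-Request Calling-Station-Id=0011.2233.4455 User-Name=alice",
    "Access-Request Calling-Station-Id=00-11-22-33-44-55 User-Name=alice",
    "Access-Request Calling-Station-Id=001122334455 User-Name=alice",
    "Access-Request Calling-Station-Id=not-a-mac User-Name=bob",
]

if __name__ == "__main__":
    print(group_by_station(SAMPLE_LOG))
    print(format_mac("001122334455", "ieee"))
```

Normalizing at the collector, rather than forcing one CSID format on every access point, keeps the RADIUS server's own policy (which may key on the literal attribute string) unchanged while still letting the log pipeline count sessions per station.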
Step 6   radius-server attribute 32 include-in-access-req format %h
Purpose: Configure the access point to send its system name in the NAS_ID attribute for authentication.
Step 7   end
Purpose: Return to privileged EXEC mode.
Step 8   show running-config
Purpose: Verify your settings.
Step 9   copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

Step 1   configure terminal
Purpose: Enter global configuration mode.
Step 2   radius-server vsa send [accounting | authentication]
Purpose: Enable the access point to recognize and use VSAs as defined by RADIUS IETF attribute 26.
• (Optional) Use the accounting keyword to limit the set of recognized vendor-specific attributes to only accounting attributes.

Step 3   radius-server key string
Purpose: Specify the shared secret text string used between the access point and the vendor-proprietary RADIUS server. The access point and the RADIUS server use this text string to encrypt passwords and exchange responses.
Note: The key is a text string that must match the encryption key used on the RADIUS server.

Beginning in privileged EXEC mode, follow these steps to specify WISPr RADIUS attributes on the access point:
Step 1   configure terminal
Purpose: Enter global configuration mode.
Step 2   snmp-server location location
Purpose: Specify the WISPr location-name attribute.

RADIUS Attributes Sent by the Access Point

Table 7-2 through Table 7-6 identify the attributes sent by an access point to a client in access-request, access-accept, and accounting-request packets.

Table 7-4 Attributes Sent in Accounting-Request (start) Packets
Attribute ID         | Description
1                    | User-Name
4                    | NAS-IP-Address
5                    | NAS-Port
6                    | Service-Type
25                   | Class
41                   | Acct-Delay-Time
44                   | Acct-Session-Id
61                   | NAS-Port-Type
VSA (attribute 26)   | SSID
VSA (attribute 26)   | NAS-Location
VSA (attribute 26)   | Cisco-NAS-Port
VSA (attribute 26)   | Interface

Table 7-5 Attributes Sent in Accounting-Request (update) Packets
Attribute ID Descr

Table 7-6 Attributes Sent in Accounting-Request (stop) Packets
Attribute ID         | Description
1                    | User-Name
4                    | NAS-IP-Address
5                    | NAS-Port
6                    | Service-Type
25                   | Class
41                   | Acct-Delay-Time
42                   | Acct-Input-Octets
43                   | Acct-Output-Octets
44                   | Acct-Session-Id
46                   | Acct-Session-Time
47                   | Acct-Input-Packets
48                   | Acct-Output-Packets
49                   | Acct-Terminate-Cause
61                   | NAS-Port-Type
VSA (attribute 26)   | SSID
VSA (attribute 26)   | NAS-Location
VS
Chapter 8  Configuring VLANs

This chapter describes how to configure your access point to operate with the VLANs set up on your wired LAN.

Understanding VLANs

A VLAN is a switched network that is logically segmented by functions, project teams, or applications rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup team can be connected to the same VLAN, regardless of their physical connections to the network or the fact that they might be intermingled with other teams.

Figure 8-1 LAN and VLAN Segmentation with Wireless Devices

Related Documents

These documents provide more detailed information pertaining to VLAN design and configuration:
• Cisco IOS Switching Services Configuration Guide: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fswtch_c/index.htm
• Cisco Internetwork Design Guide: http://www.cisco.

Incorporating Wireless Devices into VLANs

The basic wireless components of a VLAN consist of an access point and a client associated to it using wireless technology. The access point is physically connected through a trunk port to the network VLAN switch on which the VLAN is configured. The physical connection to the VLAN switch is through the access point's Ethernet port.

Configuring a VLAN

Note: When you configure VLANs on access points, the native VLAN must be VLAN1. In a single architecture, client traffic received by the access point is tunneled through an IP-GRE tunnel, which is established on the access point's Ethernet interface native VLAN. Because of the IP-GRE tunnel, some users may configure another switch port as VLAN1. This misconfiguration causes errors on the switch port.

encapsulation dot1q vlan-id [native]
Purpose: Enable a VLAN on the radio interface.
Step 8   exit
Purpose: Return to global configuration mode.
Step 9   interface fastEthernet0.x
Purpose: Enter interface configuration mode for the Ethernet VLAN subinterface.
Step 10  encapsulation dot1q vlan-id [native]
Purpose: Enable a VLAN on the Ethernet interface.
Step 11  end
Purpose: Return to privileged EXEC mode.

Assigning Names to VLANs

You can assign a name to a VLAN in addition to its numerical ID. VLAN names can contain up to 32 ASCII characters. The access point stores each VLAN name and ID pair in a table.

Guidelines for Using VLAN Names

Keep these guidelines in mind when using VLAN names:
• The mapping of a VLAN name to a VLAN ID is local to each access point, so across your network, you can assign the same VLAN name to a different VLAN ID.

new cipher suite. Currently, the WPA protocol does not allow the cipher suite to be changed after the initial 802.11 cipher negotiation phase. In this scenario, the client device is disassociated from the wireless LAN.

The VLAN-mapping process consists of these steps:
1. A client device associates to the access point using any SSID configured on the access point.
2. The client begins RADIUS authentication.
3.

VLAN Configuration Example

This example shows how to use VLANs to manage wireless devices on a college campus. In this example, three levels of access are available through VLANs configured on the wired network:
• Management access: the highest level of access; users can access all internal drives and files, departmental databases, top-level financial information, and other sensitive information.

Table 8-2 shows the commands needed to configure the three VLANs in this example.

Notice that when you configure a bridge group on the radio interface, these commands are set automatically:

bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled

When you configure a bridge group on the FastEthernet interface, these commands are set automatically:

no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
Chapter 9  Configuring QoS

This chapter describes how to configure quality of service (QoS) on your access point. With this feature, you can provide preferential treatment to certain traffic at the expense of others. Without QoS, the access point offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.

Understanding QoS for Wireless LANs

Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.

QoS on the wireless LAN focuses on downstream prioritization from the access point. Figure 9-1 shows the upstream and downstream traffic flow.

Figure 9-1 Upstream and Downstream Traffic Flow
• The radio downstream flow is traffic transmitted out the access point radio to a wireless client device. This traffic is the main focus for QoS on a wireless LAN.

Note: This release continues to support existing 7920 wireless phone firmware. Do not attempt to use the new standard (IEEE 802.11e draft 13) QBSS Load IE with the 7920 Wireless Phone until new phone firmware is available for you to upgrade your phones.

This example shows how to enable IEEE 802.11 phone support with the legacy QBSS Load element:

AP(config)# dot11 phone

This example shows how to enable IEEE 802.

Configuring QoS

QoS is disabled by default (however, the radio interface always honors tagged 802.1P packets even when you have not configured a QoS policy). This section describes how to configure QoS on your access point.

Note: In this release, clients are blocked from using an access category when you select Enable for Admission Control. Using the Admission Control check boxes, you can control client use of the access categories. When you enable admission control for an access category, clients associated to the access point must complete the WMM admission control procedure before they can use that access category.
Appendix A  Channel Settings

This appendix lists the radio channels supported by Cisco access products in the regulatory domains of the world.

IEEE 802.11b (2.4-GHz Band)

The channel identifiers, channel center frequencies, and regulatory domains of each IEEE 802.11b 22-MHz-wide channel are shown in Table A-1.

Table A-1 Channels for IEEE 802.

Note: Mexico is included in the Americas (-A) regulatory domain; however, channels 1 through 8 are for indoor use only while channels 9 through 11 can be used indoors and outdoors. Users are responsible for ensuring that the channel set configuration is in compliance with the regulatory standards of Mexico.

IEEE 802.11g (2.4-GHz Band)

The channel identifiers, channel center frequencies, and regulatory domains of each IEEE 802.
Appendix B  Protocol Filters

The tables in this appendix list some of the protocols that you can filter on the access point. The tables include:
• Table B-1, Ethertype Protocols
• Table B-2, IP Protocols
• Table B-3, IP Port Protocols

In each table, the Protocol column lists the protocol name, the Additional Identifier column lists other names for the same protocol, and the ISO Designator column lists the numeric designator for each protocol.

Table B-1 Ethertype Protocols
Protocol                     | Additional Identifier | ISO Designator
ARP                          | —                     | 0x0806
RARP                         | —                     | 0x8035
IP                           | —                     | 0x0800
Berkeley Trailer Negotiation | —                     | 0x1000
LAN Test                     | —                     | 0x0708
X.25 Level3                  | X.25                  | 0x0805
Banyan                       | —                     | 0x0BAD
CDP                          | —                     | 0x2000
DEC XNS                      | XNS                   | 0x6000
DEC MOP Dump/Load            | —                     | 0x6001
DEC MOP                      | MOP                   | 0x6002
DEC LAT                      | LAT                   | 0x6004
Ethertalk                    | —                     | 0x809B
Appletalk ARP                | Appletalk AARP        | 0x80F3
IPX 802.2                    | —                     | 0x00E0
IPX 802.

Table B-2 IP Protocols
Protocol                           | Additional Identifier | ISO Designator
dummy                              | —                     | 0
Internet Control Message Protocol  | ICMP                  | 1
Internet Group Management Protocol | IGMP                  | 2
Transmission Control Protocol      | TCP                   | 6
Exterior Gateway Protocol          | EGP                   | 8
PUP                                | —                     | 12
CHAOS                              | —                     | 16
User Datagram Protocol             | UDP                   | 17
XNS-IDP                            | IDP                   | 22
ISO-TP4                            | TP4                   | 29
ISO-CNLP                           | CNLP                  | 80
Banyan VINES                       | VINES                 | 83
Encapsulation Header               | encap_hdr             | 98
Spectralink Voice Protocol         | SVP Spectralink       | 119
raw                                | —                     |

Table B-3 IP Port Protocols
Protocol                       | Additional Identifier | ISO Designator
TCP port service multiplexer   | tcpmux                | 1
echo                           | —                     | 7
discard (9)                    | —                     | 9
systat (11)                    | —                     | 11
daytime (13)                   | —                     | 13
netstat (15)                   | —                     | 15
Quote of the Day               | qotd quote            | 17
Message Send Protocol          | msp                   | 18
ttytst source                  | chargen               | 19
FTP Data                       | ftp-data              | 20
FTP Control (21)               | ftp                   | 21
Secure Shell (22)              | ssh                   | 22
Telnet                         | —                     | 23
Simple Mail Transport Protocol | SMTP mail             | 25
time                           | timserver             | 37
Resource Locat

Table B-3 IP Port Protocols (continued)
Protocol                        | Additional Identifier      | ISO Designator
TSAP                            | iso-tsap                   | 102
CSO Name Server                 | cso-ns csnet-ns            | 105
Remote Telnet                   | rtelnet                    | 107
Postoffice v2                   | POP2 POP v2                | 109
Postoffice v3                   | POP3 POP v3                | 110
Sun RPC                         | sunrpc                     | 111
tap ident authentication        | auth                       | 113
sftp                            | —                          | 115
uucp-path                       | —                          | 117
Network News Transfer Protocol  | Network News readnews nntp | 119
USENET News Transfer Protocol   | Network News readnews nntp | 119
Network Time Pro

Table B-3 IP Port Protocols (continued)
Protocol                        | Additional Identifier | ISO Designator
SNMP Unix Multiplexer           | smux                  | 199
AppleTalk Routing               | at-rtmp               | 201
AppleTalk name binding          | at-nbp                | 202
AppleTalk echo                  | at-echo               | 204
AppleTalk Zone Information      | at-zis                | 206
NISO Z39.
Appendix C  Supported MIBs

This appendix lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the access point supports for this software release. The Cisco IOS SNMP agent supports both SNMPv1 and SNMPv2.

• CISCO-MEMORY-POOL-MIB
• CISCO-PROCESS-MIB
• CISCO-PRODUCTS-MIB
• CISCO-SMI-MIB
• CISCO-TC-MIB
• CISCO-SYSLOG-MIB
• ENTITY-MIB
• IF-MIB
• OLD-CISCO-CHASSIS-MIB
• OLD-CISCO-SYS-MIB
• OLD-CISCO-SYSTEM-MIB
• OLD-CISCO-TS-MIB
• RFC1213-MIB
• RFC1398-MIB
• SNMPv2-MIB
• SNMPv2-SMI
• SNMPv2-TC

Using FTP to Access the MIB Files

Follow these steps to obtain each MIB file by using FTP:
Step 1   Use FTP to access the serve
Appendix D  Error and Event Messages

This appendix lists the CLI error and event messages.

How to Read System Messages

System messages begin with a percent sign (%) and are structured as follows (in the printed guide, required elements of the system message are shown in bold and optional elements in italics):

%FACILITY-SEVERITY-MNEMONIC: Message-text

FACILITY is a code consisting of two or more uppercase letters that indicate the facility to which the message refers.
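A collector that receives these messages over syslog needs to split the %FACILITY-SEVERITY-MNEMONIC: Message-text structure before it can route on severity or group by mnemonic. The following Python parser is an editor's example, not Cisco code: it extracts the three header fields, maps the numeric severity to its standard syslog name, pulls the interface and station MAC out of the message text, and summarizes a batch of lines. The regular expression allows digits in the facility after the first letter because the facility names listed later in this appendix (DOT11) contain digits; the log lines, timestamps, frequency and addresses are constructed, using mnemonics that appear in this appendix.

```python
"""Parser for Cisco IOS system messages (%FACILITY-SEVERITY-MNEMONIC: text).

Added example, not Cisco code. The severity names are the standard
syslog 0-7 scale. Sample lines are constructed; their mnemonics are
taken from the messages listed in this appendix.
"""
import re

SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "informational", 7: "debug",
}

# Facility: uppercase letter followed by letters or digits (e.g. DOT11, RADSRV).
_MSG_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9]+)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
_MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b")
_IFC_RE = re.compile(r"\b(Dot11Radio\S+|FastEthernet\S+)\b")


def parse_system_message(line):
    """Return a dict for a system message line, or None for any other line.

    Text before the '%' (timestamp, hostname, sequence number) is ignored,
    which is how the message arrives in a syslog stream.
    """
    idx = line.find("%")
    if idx < 0:
        return None
    m = _MSG_RE.match(line[idx:])
    if not m:
        return None
    text = m.group("text")
    sev = int(m.group("severity"))
    return {
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": text,
        "interfaces": _IFC_RE.findall(text),
        "macs": _MAC_RE.findall(text),
    }


def summarize(lines, max_severity=4):
    """Group messages of severity <= max_severity (numerically) by
    (facility, mnemonic), counting lines and distinct station MACs."""
    summary = {}
    for line in lines:
        msg = parse_system_message(line)
        if msg is None or msg["severity"] > max_severity:
            continue
        key = (msg["facility"], msg["mnemonic"])
        entry = summary.setdefault(key, {"count": 0, "stations": set()})
        entry["count"] += 1
        entry["stations"].update(msg["macs"])
    return summary


# Constructed sample lines (mnemonics from this appendix; values invented).
SAMPLE_LOG = [
    "Mar  1 00:01:10: %DOT11-4-ENCRYPT_MISMATCH: Possible encryption key "
    "mismatch between interface Dot11Radio0 and station 0011.2233.4455",
    "Mar  1 00:01:15: %DOT11-4-ENCRYPT_MISMATCH: Possible encryption key "
    "mismatch between interface Dot11Radio0 and station 0011.2233.4466",
    "Mar  1 00:02:00: %DOT11-6-DFS_SCAN_COMPLETE: DFS scan complete on frequency 5260 MHz",
    "Mar  1 00:03:30: %RADSRV-4-NAS_UNKNOWN: Unknown authenticator: 10.0.0.9",
    "Mar  1 00:04:00: plain text that is not a system message",
]

if __name__ == "__main__":
    for key, entry in summarize(SAMPLE_LOG).items():
        print(key, entry["count"], sorted(entry["stations"]))
```

Grouping by mnemonic and distinct station is what separates a single misconfigured client (one MAC, many ENCRYPT_MISMATCH lines) from a key mismatch on the access point itself (many MACs against one interface), which is the first question the Recommended Action for that message asks you to settle.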
Appendix D Error and Event Messages Message Traceback Reports Message Traceback Reports Some messages describe internal errors and contain traceback reports. This information is very important and should be included when you report a problem to your technical support representative.
Appendix D Error and Event Messages

802.11 Subsystem Messages

Error Message DOT11-4-ENCRYPT_MISMATCH: Possible encryption key mismatch between interface [interface] and station [mac-address]
Explanation The encryption setting of the indicated interface and indicated station may be mismatched.
Recommended Action Check the encryption configuration of this interface and the failing station to ensure that the configurations match.

Error Message DOT11-3-RADIO_OVER_TEMPERATURE: Interface [interface] Radio over temperature detected
Explanation The radio's internal temperature exceeds maximum limits on the indicated radio interface.
Recommended Action Take steps necessary to reduce the internal temperature. These steps will vary based on your specific installation.

Error Message DOT11-2-NO_CHAN_AVAIL: Interface [interface], no channel available
Explanation No frequency is available, likely because radar has been detected within the previous 30 minutes.
Recommended Action None.

Error Message DOT11-6-DFS_SCAN_COMPLETE: DFS scan complete on frequency [frequency] MHz
Explanation The device has completed its Dynamic Frequency Selection (DFS) frequency scanning process on the displayed frequency.

Error Message DOT11-4-NO_MBSSID_VLAN: No VLANs configured in MBSSID mode. [characters] not started
Explanation No VLAN is configured in MBSSID mode. The indicated interface was not started.
Recommended Action Add at least one SSID with a VLAN to the indicated interface configuration.

Error Message DOT11-4-NO_MBSSID_SHR_AUTH: More than 1 SSID with shared authentication method in non-MBSSID mode.

Error Message DOT11-4-CANT_ASSOC: Interface [interface], cannot associate [characters]
Explanation The indicated interface device could not associate to the indicated parent access point.
Recommended Action Check the configuration of the parent access point and this unit to make sure there is a match.

Error Message DOT11-3-POWERS_INVALID: Interface [interface], no valid power levels available
Explanation The radio driver found no valid power level settings.
Recommended Action Investigate and correct the power source and settings.

Error Message DOT11-4-RADIO_INVALID_FREQ: Operating frequency [frequency] invalid performing a channel scan
Explanation The indicated frequency is invalid for operation.

Error Message DOT11-2-NO_FIRMWARE: Interface [interface], no radio firmware file [characters] was found.
Explanation When trying to flash new firmware, the file for the radio was not found in the Flash file system.
Recommended Action The wrong image has been loaded into the unit. Locate the correct image based on the type of radio used.

Error Message DOT11-2-BAD_FIRMWARE: Interface [interface], radio firmware file [characters] is invalid.

Error Message DOT11-4-BRIDGE_LOOP: Bridge loop detected between WGB [mac-address] and device [mac-address]
Explanation The indicated workgroup bridge reported the address of one of its indicated Ethernet clients, and the access point already had that address marked as being somewhere else on the network.
Recommended Action Click Refresh on the Associations page on the access point GUI, or enter the clear dot11 statistics command on the CLI.

Error Message DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station [mac-address] on the packet (TSC=0x0) encrypted and protected by [key] key
Explanation The access point received an EAPOL-Key frame from the indicated station notifying the access point that the TKIP Michael MIC check failed on a packet transmitted by this access point.
Recommended Action None.

Local Authenticator Messages

Error Message RADSRV-4-NAS_UNKNOWN: Unknown authenticator: [ip-address]
Explanation The local RADIUS server received an authentication request but does not recognize the IP address of the network access server (NAS) that forwarded the request.
Recommended Action Make sure that every access point on your wireless LAN is configured as a NAS on your local RADIUS server.
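As an added example (not from the guide or Cisco's own tooling), a small Python triage routine that parses Cisco IOS syslog lines carrying the DOT11 and RADSRV mnemonics listed above, using the IOS %FACILITY-SEVERITY-MNEMONIC line format, and surfaces what the appendix entries tell a defender to look for: severity 0-3 events, repeated TKIP MIC failure reports from one station, encryption mismatches by station, and authenticators the local RADIUS server does not recognize. The sample log lines, timestamps, interface names, MAC and IP addresses are constructed.

```python
"""Triage Cisco IOS 802.11 / local-authenticator syslog lines by mnemonic (added example)."""
import re
from collections import Counter

# IOS syslog mnemonic format: %FACILITY-SEVERITY-MNEMONIC: text  (severity 0..7, 0 most severe)
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
MAC_RE = re.compile(r"\b(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}\b")  # Cisco dotted MAC format
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample lines (timestamps, interface, MAC and IP values are made up).
SAMPLE_LOG = [
    "Dec  1 10:00:01.100: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 0011.2233.4455 on the packet (TSC=0x0) encrypted and protected by pairwise key",
    "Dec  1 10:00:31.200: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 0011.2233.4455 on the packet (TSC=0x0) encrypted and protected by pairwise key",
    "Dec  1 10:01:05.000: %DOT11-3-RADIO_OVER_TEMPERATURE: Interface Dot11Radio0 Radio over temperature detected",
    "Dec  1 10:02:00.000: %RADSRV-4-NAS_UNKNOWN: Unknown authenticator: 192.0.2.10",
    "Dec  1 10:02:10.000: %DOT11-4-ENCRYPT_MISMATCH: Possible encryption key mismatch between interface Dot11Radio0 and station 0a0b.0c0d.0e0f",
    "Dec  1 10:03:00.000: free-text line with no mnemonic, skipped by the parser",
]

def parse_line(line):
    """Split one syslog line into facility, severity, mnemonic, text, plus any MACs/IPs in the text."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["macs"] = MAC_RE.findall(rec["text"])
    rec["ips"] = IPV4_RE.findall(rec["text"])
    return rec

def triage(lines, mic_threshold=2):
    """Summarise what a defender wants from the appendix: severity 0-3 events, repeated
    TKIP MIC failure reports per station, and NAS addresses the local RADIUS server rejected."""
    out = {"critical": [], "mic_by_station": Counter(), "unknown_nas": set(), "mismatch": []}
    for rec in filter(None, map(parse_line, lines)):
        if rec["severity"] <= 3:
            out["critical"].append((rec["facility"], rec["mnemonic"]))
        if rec["mnemonic"] == "TKIP_MIC_FAILURE_REPORT":
            out["mic_by_station"].update(rec["macs"])
        elif rec["mnemonic"] == "NAS_UNKNOWN":
            out["unknown_nas"].update(rec["ips"])
        elif rec["mnemonic"] == "ENCRYPT_MISMATCH":
            out["mismatch"].extend(rec["macs"])
    out["mic_repeat_offenders"] = [mac for mac, n in out["mic_by_station"].items() if n >= mic_threshold]
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A station that keeps appearing in mic_repeat_offenders is worth correlating with the access point's TKIP countermeasure settings and the client's driver version, since the appendix gives no recommended action for the MIC report itself.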
GLOSSARY

802.11 The IEEE standard that specifies carrier sense media access control and physical layer specifications for 1- and 2-megabit-per-second (Mbps) wireless LANs operating in the 2.4-GHz band.
802.11a The IEEE standard that specifies carrier sense media access control and physical layer specifications for wireless LANs operating in the 5-GHz frequency band.
802.11b The IEEE standard that specifies carrier sense media access control and physical layer specifications for 5.

beacon A wireless LAN packet that signals the availability and presence of the wireless device. Beacon packets are sent by access points and base stations; however, client radio cards send beacons when operating in computer-to-computer (Ad Hoc) mode.
BOOTP Boot Protocol. A protocol used for the static assignment of IP addresses to devices on the network.
BPSK A modulation technique used by IEEE 802.11b-compliant wireless LANs for transmission at 1 Mbps.

DNS Domain Name System server. A server that translates text names into IP addresses. The server maintains a database of host alphanumeric names and their corresponding IP addresses.
DSSS Direct sequence spread spectrum. A type of spread spectrum radio transmission that spreads its signal continuously over a wide frequency band.

E

EAP Extensible Authentication Protocol. An optional IEEE 802.

M

MAC Media Access Control address. A unique 48-bit number used in Ethernet data packets to identify an Ethernet device, such as an access point or your client adapter.
modulation Any of several techniques for combining user information with a transmitter's carrier signal.
multipath The echoes created as a radio signal bounces off of physical objects.
multicast packet A single data message (packet) sent to multiple addresses.

roaming A feature of some access points that allows users to move through a facility while maintaining an unbroken connection to the LAN.
RP-TNC Reverse Polarity Threaded Neill Concelman connector. Part 15.203 of the FCC rules covering spread spectrum devices limits the types of antennas that may be used with transmission equipment.

WMM Wireless MultiMedia.
workstation A computing device with an installed client adapter.
WPA Wi-Fi Protected Access (WPA) is a standards-based, interoperable security enhancement that strongly increases the level of data protection and access control for existing and future wireless LAN systems. It is derived from and will be forward-compatible with the upcoming IEEE 802.11i standard. WPA leverages TKIP (Temporal Key Integrity Protocol) for data protection and 802.