Cisco Aironet 1200 Series Access Point Software Configuration Guide Software Release 11.40T April, 2002 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
CONTENTS

Preface xiii Audience and Scope xiii Organization xiii Conventions xiv Related Publications xv Obtaining Documentation xvi World Wide Web xvi Documentation CD-ROM xvi Ordering Documentation xvi Documentation Feedback xvii Obtaining Technical Assistance xvii Cisco.
CHAPTER 2 Using the Management Interfaces 2-1 Using the Web-Browser Interface 2-2 Using the Web-Browser Interface for the First Time 2-2 Using the Management Pages in the Web-Browser Interface 2-2 Navigating Using the Map Windows 2-4 Using the Command-Line Interface 2-5 Preparing to Use a Terminal Emulator 2-6 Connecting the Serial Cable 2-6 Setting Up the Terminal Emulator 2-7 Changing Settings with the CLI 2-7 Selecting Pages and Settings 2-9 Applying Changes to the Configuration 2-9 Using a T
Radio Network Compatibility (Ensure Compatibility With) 3-7 SNMP Admin.
Settings on the Name Server Setup Page 3-54 Entering FTP Settings 3-55 Settings on the FTP Setup Page 3-55 Routing Setup 3-56 Entering Routing Settings 3-57 Default Gateway 3-57 New Network Route Settings 3-58 Installed Network Routes list 3-58 Association Table Display Setup 3-59 Association Table Filters Page 3-59 Settings on the Association Table Filters Page 3-60 Association Table Advanced Page 3-62 Settings on the Association Table Advanced Page 3-63 Event Notification Setup 3-65 Event Displa
Using SNMP to Set Up WEP 4-12 Enabling Additional WEP Security Features 4-13 Enabling Message Integrity Check (MIC) 4-13 Enabling Temporal Key Integrity Protocol (TKIP) 4-15 Enabling Broadcast WEP Key Rotation 4-17 Setting Up Open or Shared Key Authentication 4-18 Setting Up EAP Authentication 4-19 Enabling EAP on the Access Point 4-19 Enabling EAP in Cisco Secure ACS 4-24 Setting a Session-Based WEP Key Timeout 4-25 Setting up a Repeater Access Point as a LEAP Client 4-26 Setting Up MAC-Based Aut
Using Cisco Discovery Protocol 5-13 Settings on the CDP Setup Page 5-14 MIB for CDP 5-14 Assigning Network Ports 5-14 Settings on the Port Assignments Page 5-16 Enabling Wireless Network Accounting 5-16 Settings on the Accounting Setup Page 5-17 Accounting Attributes 5-19 CHAPTER 6 Managing Firmware and Configurations 6-1 Updating Firmware 6-2 Updating with the Browser from a Local Drive 6-2 Full Update of the Firmware Components 6-3 Selective Update of the Firmware Components 6-4 Updating from
CHAPTER 7 Management System Setup 7-1 SNMP Setup 7-2 Settings on the SNMP Setup Page 7-2 Using the Database Query Page 7-3 Settings on the Database Query Page 7-4 Changing Settings with the Database Query Page 7-4 Console and Telnet Setup 7-5 Settings on the Console/Telnet Page 7-5 CHAPTER 8 Special Configurations 8-1 Setting Up a Repeater Access Point 8-1 Using Hot Standby Mode 8-6 CHAPTER 9 Diagnostics and Troubleshooting 9-1 Using Diagnostic Pages 9-2 Radio Diagnostics Page 9-2 Antenna
Using Command-Line Diagnostics 9-19 Entering Diagnostic Commands 9-20 Diagnostic Command Results 9-20 :eap_diag1_on 9-21 :eap_diag2_on 9-21 :vxdiag_arpshow 9-22 :vxdiag_checkstack 9-24 :vxdiag_hostshow 9-25 :vxdiag_i 9-26 :vxdiag_ipstatshow 9-27 :vxdiag_memshow 9-28 :vxdiag_muxshow 9-29 :vxdiag_routeshow 9-30 :vxdiag_tcpstatshow 9-31 :vxdiag_udpstatshow 9-32 Tracing Packets 9-32 Reserving Access Point Memory for a Packet Trace Log File 9-32 Tracing Packets for Specific Devices 9-33 Tracing Packets
APPENDIX A Channels, Power Levels, and Antenna Gains A-1 Channels A-2 Maximum Power Levels and Antenna Gains A-3 APPENDIX B Protocol Filter Lists B-1 INDEX
Preface

The Cisco Aironet 1200 Series Access Point Software Configuration Guide describes how to configure Cisco Aironet 1200 Series Access Points using the web-based management system. This manual also briefly describes how to use the console-based management system.

Audience and Scope

This guide is for the network manager responsible for configuring a wireless network.

Chapter 3, “Configuration,” describes how to use the web-based management system to configure the access point. Chapter 4, “Security Setup,” describes how to set up and enable the access point’s security features. Chapter 5, “Network Management,” describes how to use the web-based management system to browse to other devices on a wireless network.

Tip: Means the following are useful tips.

Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Related Publications

The following documents provide more information about access points and related products:

• Quick Start Guide: Cisco Aironet 1200 Series Access Points describes how to attach cables, power on, and assign an IP address and default gateway for the access point.
CHAPTER 1 Overview

Cisco Aironet access points are wireless LAN transceivers that serve as the center point of a stand-alone wireless network or as the connection point between wireless and wired networks. In large installations, wireless users within radio range of an access point can roam throughout a facility while maintaining seamless, uninterrupted access to the network.

Key Features

This section describes the key features of the access point firmware. The following are the key features of this firmware version:

• Use accounting to collect data on wireless devices—You can enable accounting on the access point to send accounting data about wireless client devices to a RADIUS server on your network. See the “Enabling Wireless Network Accounting” section on page 5-16 for instructions on enabling accounting.

Network Configuration Examples

This section describes the access point’s role in three common wireless network configurations. The access point’s default configuration is as a root unit connected to a wired LAN or as the central unit in an all-wireless network. The repeater role requires a specific configuration.

Root Unit on a Wired LAN

An access point connected directly to a wired LAN provides a connection point for wireless users. If more than one access point is connected to the LAN, users can roam from one area of a facility to another without losing their connection to the network. As users move out of range of one access point, they automatically connect to the network (associate) through another access point.

Repeater Unit that Extends Wireless Range

An access point can be configured as a stand-alone repeater to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication. The repeater forwards traffic between wireless users and the wired LAN by sending packets to either another repeater or to an access point connected to the wired LAN. The data is sent through the route that provides the best performance for the client.

Central Unit in an All-Wireless Network

In an all-wireless network, an access point acts as a stand-alone root unit. The access point is not attached to a wired LAN; it functions as a hub linking all stations together. The access point serves as the focal point for communications, increasing the communication range of wireless users. Figure 1-3 shows an access point in an all-wireless network.
CHAPTER 2 Using the Management Interfaces

This chapter describes the interfaces you can use to configure the access point. You can use a web-browser interface, a command-line interface through a terminal emulator or a Telnet session, or a Simple Network Management Protocol (SNMP) application. The access point’s management system web pages are organized the same way for the web browser and command-line interfaces. The examples in this manual show the web-browser interface.

Using the Web-Browser Interface

The web-browser interface contains management pages that you use to change access point settings, upgrade and distribute firmware, and monitor and configure other wireless devices on the network.

Note: The access point management system is fully compatible with Microsoft Internet Explorer versions 4.0 or later and Netscape Communicator versions 4.0 or later.

Note: It’s important to remember that clicking your browser’s Back button is the same as clicking Cancel: if you make changes on a management page, your changes are not applied when you click Back. Changes are only applied when you click Apply or OK.

Table 2-1 lists the page links and buttons that appear on most management pages.

Navigating Using the Map Windows

The Map window appears when you click Map at the top of any management page. You can use the Map window to jump quickly to any system management page, or to a map of your entire wireless network.

Note: Your Internet browser must have Java enabled to use the map windows.

Figure 2-2 The Network Map Window

Click the name of a wireless device to open a new browser window displaying a Station page listing the access point’s local information for that device. Click Go beside the device name to open a new browser window displaying that device’s home page, if available. Some devices, such as PC Card clients, might not have home pages.
Preparing to Use a Terminal Emulator

To use a terminal emulator to open the CLI, you need to:

1. Connect a nine-pin, female DB-9 to RJ-45 serial cable to the RJ-45 serial port on the access point and to the COM port on a computer.
2. Set up a terminal emulator to communicate with the access point. Use the following settings for the terminal emulator connection: 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control.

Setting Up the Terminal Emulator

Follow these steps to set up the terminal emulator:

Step 1 Open a terminal emulator.
Step 2 Enter these settings for the connection:
• Bits per second (baud rate): 9600
• Data bits: 8
• Parity: none
• Stop bits: 1
• Flow control: none
Step 3 Press = to display the home page of the access point.

Table 2-2 Common Functions on CLI Pages (continued)

Function   Description
:bottom    Jumps to the bottom of a long page, such as Event Log. When you are at the bottom of a page, this function becomes :top.
:down      Moves down one page length (24 lines) on a long page, such as Event Log. When you are at the bottom of a long page, this function becomes :up.

You can also enter diagnostic commands in the CLI.

Selecting Pages and Settings

When you type names and settings that appear in brackets you jump to that page or setting. HyperTerminal jumps to the page or setting as soon as it recognizes a unique name, so you only need to type the first few characters in the page or setting name. To jump from the home page to the Setup page, for example, you only need to type se.

Using SNMP

You use an SNMP management application to configure the access point with SNMP. Follow these steps to configure the access point with SNMP:

Step 1 Compile the MIB you need to use in your SNMP management application. MIBs supported by the access point are listed in Supported MIBs.
Step 2 Use a web browser, a Telnet session, or the console interface to open the Express Setup page in the access point management system.

To download this MIB, browse to http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml and click SNMP v1 MIBs. Scroll down the list of files and select RFC1213-MIB.my.

• Cisco Discovery Protocol MIB (CISCO-CDP-MIB-V1SMI.my)
  – Supported branch: ciscoCdpMIB (1.3.6.1.4.1.9.23)

To download this MIB, browse to http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml and click SNMP v1 MIBs.
CHAPTER 3 Configuration

This chapter describes how to use the pages in the access point management system to configure the access point. The main Setup page provides links to all the pages containing access point settings.

Basic Settings

This section describes the basic settings on the Express Setup page. If you need to set up an access point quickly with a simple configuration, or change or update a basic setting, you can enter all the access point’s essential settings for basic operation on the Express Setup page. Figure 3-1 shows the Express Setup page.

Figure 3-1 Express Setup Page

Follow this link path to reach the Express Setup page:

1.

Entering Basic Settings

The Express Setup page contains the following settings:

• System Name
• MAC Address
• Configuration Server Protocol
• Default IP Address
• Default IP Subnet Mask
• Default Gateway
• Radio Service Set ID (SSID)
• Role in Radio Network
• Radio Network Optimization (Optimize Radio Network For)
• Radio Network Compatibility (Ensure Compatibility With)
• SNMP Admin.

Configuration Server Protocol

Set the Configuration Server Protocol to match the network's method of IP address assignment. Click the Configuration Server link to jump to the Boot Server Setup page, which contains detailed settings for configuring the access point to work with your network’s BOOTP or DHCP servers for automatic assignment of IP addresses.

Radio Service Set ID (SSID)

The SSID is a unique identifier that client devices use to associate with the access point. The SSID helps client devices distinguish between multiple wireless networks in the same vicinity. Several access points on a network or sub-network can share an SSID. The SSID can be any alphanumeric, case-sensitive entry from two to 32 characters long.

• Repeater Access Point—An access point that transfers data between a client and another access point or repeater. Use this setting for access points not connected to the wired LAN. Figure 3-3 shows an access point operating as a repeater in a network.

Note: Non-Cisco client devices might have difficulty communicating with repeater access points.

• Site Survey Client—A wireless device that depends on an access point for its connection to the network. Use this setting when performing a site survey for a repeater access point. When you select this setting, clients are not allowed to associate.

Radio Network Optimization (Optimize Radio Network For)

You use this setting to select either preconfigured settings for the access point radio or customized settings for the access point radio.
Filter Setup

This section describes how to set up filtering to control the flow of data through the access point. You can filter data based on protocols and MAC addresses. Each type of filtering is explained in the following sections:

• Protocol Filtering, page 3-8
• MAC Address Filtering, page 3-13

Protocol Filtering

Protocol filters prevent or allow the use of specific protocols through the access point.

Follow this link path to reach the AP Radio Protocol Filters page:

1. On the Summary Status page, click Setup.
2. On the Setup page, click Filters in the AP Radio row under Network Ports.

The left side of the Protocol Filters page contains links to the Ethertype Filters, the IP Protocol Filters, and the IP Port Filters pages. These links also appear on the main Setup page under Associations. Use the Protocol Filters pages to assign protocols to a filter set.

Figure 3-6 Filter Set Page

Step 6 Select forward or block from the Default Disposition pull-down menu. This setting is the default action for the protocols you include in the filter set. You can override this setting for specific protocols.
Step 7 In the Default Time to Live fields, enter the number of milliseconds unicast and multicast packets should stay in the access point’s buffer before they are discarded.

Figure 3-7 Protocol Filter Set Page

Step 9 Select forward or block from the Disposition pull-down menu to forward or block the protocol traffic, or leave this setting at default to use the default disposition that you selected for the filter set in Step 6.
Step 10 Select a priority for the protocol from the Priority pull-down menu.

Note: The time-to-live values you enter should be compatible with the priority you select for the protocol. For example, if you select interactiveVoice as the priority and enter high time-to-live values, voice packets will stay in the access point buffer longer than necessary, causing delivery of stale, useless packets.

Step 12 Select Alert? yes to send an alert to the event log when a user transmits or receives the protocol through the access point.

Enabling a Protocol Filter

Follow these steps to enable a protocol filter:

Step 1 Complete the steps listed in the “Creating a Protocol Filter” section on page 3-9 to define a protocol filter.
Step 2 Follow the link path to the Ethernet Protocol Filters page or the AP Radio Protocol Filters page.
Step 3 Select the protocol filter set that you want to enable from the Ethertype, IP Protocol, or IP Port pull-down menu.
Step 4 Click OK. The filter set is enabled.
Figure 3-8 Address Filters Page

Follow this link path to reach the Address Filters page:

1. On the Summary Status page, click Setup.
2. On the Setup page, click Address Filters under Associations.

Creating a MAC Address Filter

Follow these steps to create a MAC address filter:

Step 1 Follow the link path to the Address Filters page.
Step 2 Type a destination MAC address in the New MAC Address Filter: Dest MAC Address field.

Note: If you plan to disallow traffic to all MAC addresses except those you specify as allowed, put your own MAC address in the list of allowed MAC addresses. If you plan to disallow multicast traffic, add the broadcast MAC address (ffffffffffff) to the list of allowed addresses.

Step 3 Click Allowed to pass traffic to the MAC address or click Disallowed to discard traffic to the MAC address.
Step 4 Click Add.

Figure 3-9 AP Radio Advanced Page

Step 7 Select Disallowed from the pull-down menu for Default Unicast Address Filter. This setting affects packets sent from the Ethernet to the radio. The access point discards all unicast traffic except packets sent to the MAC addresses listed as allowed on the Address Filters page.

Select Disallowed or Allowed from the pull-down menu for Default Multicast Address Filter. The access point discards all multicast traffic except packets sent to the MAC addresses listed as allowed on the Address Filters page.

Step 8 Click OK. You return automatically to the Setup page. If clients are not filtered immediately, click WARM RESTART SYSTEM NOW on the Manage System Configuration page to restart the access point.
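The following added example, which is not part of the Cisco guide or the access point firmware, models the destination-MAC filter decision described in the steps above and checks a planned configuration for the two pitfalls the notes warn about before it is applied. The class and function names are hypothetical, the MAC addresses are constructed, and it assumes that an explicit Address Filters entry takes precedence over the port default and that the broadcast address is governed by the Default Multicast Address Filter.

```python
# Added example: a model of the destination-MAC filtering described above.
# Not Cisco code; AddressFilter, decide() and audit() are hypothetical names.

BROADCAST = "ffffffffffff"
DISPOSITIONS = ("allowed", "disallowed")


def normalize(mac):
    """Return a MAC address as 12 lowercase hex digits, separators removed."""
    digits = mac.lower()
    for sep in ":-.":
        digits = digits.replace(sep, "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def is_group_address(mac):
    """True for multicast and broadcast: low bit of the first octet is set."""
    return bool(int(normalize(mac)[:2], 16) & 0x01)


class AddressFilter:
    """Address Filters entries plus the two defaults from the Advanced page."""

    def __init__(self, default_unicast="allowed", default_multicast="allowed"):
        for value in (default_unicast, default_multicast):
            if value not in DISPOSITIONS:
                raise ValueError(f"unknown disposition: {value!r}")
        self.default_unicast = default_unicast
        self.default_multicast = default_multicast
        self.entries = {}  # normalized destination MAC -> disposition

    def add(self, mac, disposition):
        """Record one Allowed or Disallowed entry for a destination MAC."""
        if disposition not in DISPOSITIONS:
            raise ValueError(f"unknown disposition: {disposition!r}")
        self.entries[normalize(mac)] = disposition

    def decide(self, dest_mac):
        """Disposition for a frame addressed to dest_mac."""
        mac = normalize(dest_mac)
        if mac in self.entries:          # assumption: explicit entry wins
            return self.entries[mac]
        if is_group_address(mac):        # assumption: broadcast counts here
            return self.default_multicast
        return self.default_unicast

    def audit(self, management_macs):
        """List the problems the guide's notes warn about, if present."""
        findings = []
        for mac in management_macs:
            if self.decide(mac) == "disallowed":
                findings.append(
                    f"lock-out: traffic to management station "
                    f"{normalize(mac)} would be discarded")
        if self.decide(BROADCAST) == "disallowed":
            findings.append(
                "broadcast ffffffffffff would be discarded; "
                "add it to the allowed addresses")
        return findings


def demo():
    """Constructed scenario: both defaults Disallowed, one client allowed."""
    flt = AddressFilter(default_unicast="disallowed",
                        default_multicast="disallowed")
    flt.add("02:00:00:00:00:01", "allowed")   # constructed client MAC
    admin = "02:00:00:00:00:10"               # constructed management MAC
    before = flt.audit([admin])
    flt.add(admin, "allowed")
    flt.add(BROADCAST, "allowed")
    after = flt.audit([admin])
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```
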
Radio Configuration

This section describes how to configure the access point’s radio. You use the AP Radio pages in the management system to set the radio configuration. The radio pages include:

• AP Radio Identification—Contains the basic locating and identity information for the access point Radio port. See the “Entering Identity Information” section on page 3-18 for instructions on using the AP Radio Identification page.

Figure 3-10 The AP Radio Identification Page

Follow this link path to reach the AP Radio Identification page:

1. On the Summary Status page, click Setup.
2. On the Setup page, click Identification in the AP Radio row under Network Ports.

Primary Port Settings

Two options allow you to designate the access point’s radio port as the Primary Port and select whether the radio port adopts or assumes the identity of the primary port.

• Primary Port?—The primary port determines the access point’s MAC and IP addresses. Ordinarily, the access point’s primary port is the Ethernet port, which is connected to the wired LAN, so this setting is usually set to no.

Service Set ID (SSID)

The SSID is a unique identifier that client devices use to associate with the access point. The SSID helps client devices distinguish between multiple wireless networks in the same vicinity. The SSID can be any alphanumeric entry from two to 32 characters long. You can also enter this setting on the Express Setup page.
Follow this link path to reach the AP Radio Hardware page:

1. On the Summary Status page, click Setup.
2. On the Setup page, click Hardware in the AP Radio row under Network Ports.

Settings on the AP Radio Hardware Page

The AP Radio Hardware page contains the following settings:

• Service Set ID (SSID)
• Allow Broadcast SSID to Associate?
• Enable World Mode
• Data Rates
• Transmit Power
• Frag. Threshold
• RTS Threshold
• Max.

Service Set ID (SSID)

The SSID is a unique identifier that client devices use to associate with the access point. The SSID helps client devices distinguish between multiple wireless networks in the same vicinity. The SSID can be any alphanumeric entry up to 32 characters long. You can also enter this setting on the Express Setup and AP Radio Identification pages.

Data Rates

You use the data rate settings to choose the data rates the access point uses for data transmission. The rates are expressed in megabits per second. The access point always attempts to transmit at the highest data rate set to Basic. If there are obstacles or interference, the access point steps down to the highest rate that allows data transmission. For each of four rates (1, 2, 5.

The Optimize Radio Network For setting on the Express Setup page selects the data rate settings automatically. When you select Optimize Radio Network For Throughput on the Express Setup page, all four data rates are set to basic. When you select Optimize Radio Network For Range on the Express Setup page, the 1.0 data rate is set to basic, and the other data rates are set to Yes.

Transmit Power

This setting determines the power level of radio transmission.

Max. RTS Retries

The maximum number of times the access point issues an RTS before stopping the attempt to send the packet through the radio. Enter a value from 1 to 128.

Max. Data Retries

The maximum number of attempts the access point makes to send a packet before giving up and dropping the packet.

Beacon Period

The amount of time between beacons in Kilomicroseconds. One Kµsec equals 1,024 microseconds.

Search for Less-Congested Radio Channel

When you select yes from the Search for less-congested radio channel pull-down menu, the access point scans for the radio channel that is least busy and selects that channel for use. The access point scans at power-up and when the radio settings are changed.

Note: If you need to keep the access point assigned to a specific channel to keep from interfering with other access points, you should leave this setting at no.

Receive Antenna and Transmit Antenna

Pull-down menus for the receive and transmit antennas offer three options:

• Diversity—This default setting tells the access point to use the antenna that receives the best signal. If your access point has two fixed (non-removable) antennas, you should use this setting for both receive and transmit.
Entering Advanced Configuration Information

Use the AP Radio Advanced page to assign special configuration settings for the access point’s radio. Figure 3-15 shows the AP Radio Advanced page.

Follow this link path to reach the AP Radio Advanced page:

1. On the Summary Status page, click Setup.
2. On the Setup page, click Advanced in the AP Radio row under Network Ports.

Requested Status

This setting is useful for troubleshooting problems on your network. Up, the default setting, turns the radio on for normal operation. Down turns the access point’s radio off. The Current Status line under the setting displays the current status of the radio port. This field can also display Error, meaning the port is operating but is in an error condition.

Packet Forwarding

This setting is always set to Enabled for normal operation.

Note: If you plan to discard traffic to all MAC addresses except those you specify (the Disallowed setting), be sure to enter your own MAC address as allowed on the Address Filters page to avoid being locked out of the access point.

Maximum Multicast Packets/Second

Use this setting to control the number of multicast packets that can pass through the radio port each second. If you enter 0, the access point passes an unlimited number of multicast packets.

Use Aironet Extensions

Select yes or no to use Cisco Aironet 802.11 extensions. This setting must be set to yes (the default setting) to enable these features:

• Load balancing—The access point uses Aironet extensions to direct client devices to an access point that provides the best connection to the network based on factors such as number of users, bit error rates, and signal strength.

Enhanced MIC verification for WEP

This setting enables Message Integrity Check (MIC), a security feature that protects your WEP keys by preventing bit-flip attacks on encrypted packets. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate.

Broadcast WEP Key rotation interval (sec)

This option enables broadcast key rotation by setting a key rotation interval. With broadcast, or multicast, WEP key rotation enabled, the access point provides a dynamic broadcast WEP key and changes it at the interval you select.

Default Unicast Address Filter

Unicast MAC address filters allow or disallow the forwarding of unicast packets sent to specific MAC addresses. You can create a filter that passes traffic to all MAC addresses except those you specify, or you can create a filter that blocks traffic to all MAC addresses except those you specify.
For complete instructions on setting up repeater access points, see the “Setting Up a Repeater Access Point” section on page 8-1.

Radio Modulation

Select Standard or MOK for the radio modulation the access point uses.

• Standard—This default setting is the modulation type specified in IEEE 802.11, the wireless standard published by the Institute of Electrical and Electronics Engineers (IEEE) Standards Association.

• Ethernet Advanced—Contains settings for the operational status of the access point’s Ethernet port. You can also use this page to make temporary changes in port status to help with troubleshooting network problems.
• Ethernet Port—Lists key information on the access point’s Ethernet port.

Entering Identity Information

You use the Ethernet Identification page to enter basic locating and identity information for the access point’s Ethernet port.

• Default IP Subnet Mask

The page also displays the access point’s MAC address, its serial number, its current IP address, and its current IP subnet mask.

Primary Port Settings

Two options allow you to designate the access point’s Ethernet port as the Primary Port and select whether the Ethernet port adopts or assumes the identity of the primary port.

• Primary Port?—The primary port determines the access point’s MAC and IP addresses.

Default IP Subnet Mask

Enter an IP subnet mask to identify the subnetwork so the IP address can be recognized on the LAN. If DHCP or BOOTP is not enabled, this field is the subnet mask. If DHCP or BOOTP is enabled, this field provides the subnet mask only if no server responds to the access point’s request. The current IP subnet mask displayed under the setting shows the IP subnet mask currently assigned to the access point.

Settings on the Ethernet Hardware Page

The Ethernet Hardware page contains one setting:

Speed

The Speed drop-down menu lists five options for the type of connector, connection speed, and duplex setting used by the port. The option you select must match the actual connector type, speed, and duplex settings used to link the port with the wired network.
Chapter 3 Configuration Ethernet Configuration Entering Advanced Configuration Information You use the Ethernet Advanced page to assign special configuration settings for the access point’s Ethernet port. Figure 3-18 shows the Ethernet Advanced page. Figure 3-18 The Ethernet Advanced Page Follow this link path to reach the Ethernet Advanced page: 1. On the Summary Status page, click Setup. 2. On the Setup page, click Advanced in the Ethernet row under Network Ports.
Chapter 3 Configuration Ethernet Configuration The Current Status line under the setting displays the current status of the Ethernet port. This field can also display Error, meaning the port is in an error condition. Packet Forwarding This setting is always set to Enabled for normal operation. For troubleshooting, you might want to set packet forwarding to Disabled, which prevents data from moving between the Ethernet and the radio.
Chapter 3 Configuration Server Setup Note For most configurations, you should leave Default Multicast Address Filter set to Allowed. If you intend to set it to Disallowed, add the broadcast MAC address (ffffffffffff) to the list of allowed addresses on the Address Filters page before changing the setting. Note If you plan to discard traffic to all MAC addresses except those you specify (the Disallowed setting), be sure to enter your own MAC address as allowed on the Address Filters page.
Chapter 3 Configuration Server Setup Entering Time Server Settings You use the Time Server Setup page to enter time server settings. Figure 3-19 shows the Time Server Setup page: Figure 3-19 Time Server Setup Page Follow this link path to reach the Time Server Setup page: 1. On the Summary Status page, click Setup. 2. On the Setup page, click Time Server under Services.
Chapter 3 Configuration Server Setup Simple Network Time Protocol Select Enabled or Disabled to turn Simple Network Time Protocol (SNTP) on or off. If your network uses SNTP, select Enabled. Default Time Server If your network has a default time server, enter the server’s IP address in the Default Time Server entry field. The Current Time Server line under the entry field reports the time server the access point is currently using. Note The DHCP or BOOTP server can override the default time server.
Chapter 3 Configuration Server Setup Entering Boot Server Settings You use the Boot Server Setup page to configure the access point for your network's BOOTP or DHCP servers for automatic assignment of IP addresses. Figure 3-20 shows the Boot Server Setup page: Figure 3-20 Boot Server Setup Page Follow this link path to reach the Boot Server Setup page: 1. On the Summary Status page, click Setup. 2. On the Setup page, click Boot Server under Services.
Chapter 3 Configuration Server Setup • Read .ini File from File Server • BOOTP Server Timeout (sec) • DHCP Multiple-Offer Timeout (sec) • DHCP Requested Lease Duration (min) • DHCP Minimum Lease Duration (min) • DHCP Class Identifier Configuration Server Protocol Use the Configuration Server Protocol pull-down menu to select your network’s method of IP address assignment. The menu contains the following options: • None—Your network does not have an automatic system for IP address assignment.
Chapter 3 Configuration Server Setup • If specified by server—The access point loads configuration settings from an .ini file on the server if the server’s DHCP or BOOTP response specifies that an .ini file is available. This is the default setting. The Load Now button under the pull-down menu tells the access point to read an .ini file immediately. The Current Boot Server line under the pull-down menu lists the server that responded to the access point’s boot request.
Chapter 3 Configuration Server Setup DHCP Class Identifier Your DHCP server can be set up to send responses according to the group to which a device belongs. Use this field to enter the access point’s group name. The DHCP server uses the group name to determine the response to send to the access point. The access point’s DHCP class identifier is a vendor class identifier.
Chapter 3 Configuration Server Setup Settings on the Web Server Setup Page The Web Server Setup page contains the following settings: • Allow Non-Console Browsing • HTTP Port • Default Help Root URL • Extra Web Page File • Default Web Root URL Allow Non-Console Browsing Select yes to allow browsing to the management system. If you select no, the management system is accessible only through the console and Telnet interfaces.
Chapter 3 Configuration Server Setup • Hard Drive—you can copy the help files to the hard drive of the computer you use to manage the wireless LAN. If you use this location, enter the full directory URL. Your entry might look like this: file:///[drive letter]:\[folder or subdirectory]\wireless\help Extra Web Page File If you need to create an alternative to the access point’s management system, you can create HTML pages and load them into the access point.
Chapter 3 Configuration Server Setup Entering Name Server Settings You use the Name Server Setup page to configure the access point to work with your network’s Domain Name System (DNS) server. Figure 3-22 shows the Name Server Setup page: Figure 3-22 The Name Server Setup Page Follow this link path to reach the Name Server Setup page: • On the Summary Status page, click Setup • On the Setup page, click Name Server under Services.
Chapter 3 Configuration Server Setup Settings on the Name Server Setup Page The Name Server Setup page contains the following settings: • Domain Name System • Default Domain • Domain Name Servers • Domain Suffix Domain Name System If your network uses a Domain Name System (DNS), select Enabled to direct the access point to use the system. If your network does not use DNS, select Disabled. Default Domain Enter the name of your network's IP domain in the entry field.
Chapter 3 Configuration Server Setup “mycomputer.mycompany.com.” With domain suffix set to “mycompany.com,” the computer's name would be displayed on management system pages as simply “mycomputer.” Entering FTP Settings You use the FTP Setup page to assign File Transfer Protocol settings for the access point. All non-browser file transfers are governed by the settings on this page.
Chapter 3 Configuration Routing Setup File Transfer Protocol Use the pull-down menu to select FTP or TFTP (Trivial File Transfer Protocol). TFTP is a relatively slow, low-security protocol that requires no username or password. Default File Server Enter the IP address or DNS name of the file server where the access point should look for FTP files. FTP Directory Enter the file server directory that contains the firmware image files. FTP User Name Enter the username assigned to your FTP server.
Chapter 3 Configuration Routing Setup Figure 3-24 Routing Setup Page Follow this link path to reach the Routing Setup page: 1. On the Summary Status page, click Setup. 2. On the Setup page, click Routing under Services. Entering Routing Settings The Routing Setup page contains the following settings: • Default Gateway • New Network Route Settings • Installed Network Routes list Default Gateway Enter the IP address of your network’s default gateway in this entry field. The entry 255.255.255.
Chapter 3 Configuration Routing Setup New Network Route Settings You can define additional network routes for the access point. To add a route to the installed list, fill in the three entry fields and click Add. To remove a route from the list, highlight the route and click Remove. The three entry fields include: • Dest Network—Enter the IP address of the destination network. • Gateway—Enter the IP address of the gateway used to reach the destination network.
Chapter 3 Configuration Association Table Display Setup Association Table Display Setup You use the Association Table Filters and the Association Table Advanced pages to customize the display of information in the access point’s Association Table. Association Table Filters Page Figure 3-25 shows the Association Table Filters page. Figure 3-25 Association Table Filters Page Follow this link path to reach the Association Table Filters page: 1. On the Summary Status page, click Setup. 2.
Chapter 3 Configuration Association Table Display Setup • Save as Default—Saves your selections as new default settings and returns you to the Association Table page. • Restore Current Defaults—Applies the currently saved default settings to the Association Table and returns you to the Association Table page. • Restore Factory Defaults—Applies the factory default settings to the Association Table and returns you to the Association Table page.
Chapter 3 Configuration Association Table Display Setup • Parent—A wireless client device’s parent device, which is usually an access point. • Device—A device’s type, such as a 350 series access point or a PC Client Card. Non-Aironet devices appear as “Generic 802.11” devices. • SW Version—The current version of firmware on a device. • Class—A device’s role in the wireless LAN. Classes include: – AP—an access point station. – Client or PS Client—a client or power-save client station.
Chapter 3 Configuration Association Table Display Setup Primary Sort This setting determines the information that appears in the first column in the Association Table. Secondary Sort This setting determines the information that appears in the second column in the Association Table.
Chapter 3 Configuration Association Table Display Setup Follow this link path to reach the Association Table Advanced page: 1. On the Summary Status page, click Setup. 2. On the Setup page, click Advanced under Associations.
Chapter 3 Configuration Association Table Display Setup Maximum number of bytes stored per Station Alert packet This setting determines the maximum number of bytes the access point stores for each Station Alert packet when packet tracing is enabled. If you use 0 (the default setting), the access point does not store bytes for Station Alert packets; it only logs the event. See the “Event Handling Setup Page” section on page 3-68 for instructions on enabling packet tracing.
Chapter 3 Configuration Event Notification Setup Event Notification Setup You use the Event Display Setup, Event Handling Setup, and Event Notifications Setup pages to customize the display of access point events (alerts, warnings, and normal activity). Event Display Setup Page You use the Event Display Setup page to determine how time should be displayed on the Event Log. In addition, you can determine what severity level is significant enough to display an event.
Chapter 3 Configuration Event Notification Setup Settings on the Event Display Setup Page The Event Display Setup page contains the following settings: • How should time generally be displayed? • How should Event Elapsed (non-wall-clock) Time be displayed? • Severity Level at which to display events How should time generally be displayed? You use this pull-down menu to determine whether the events in the Event Log are displayed as system uptime or wall-clock time.
Chapter 3 Configuration Event Notification Setup Table 3-1 Event Display Severity Levels Severity Level Description *silent* The *silent* setting directs the access point to not display any events immediately on the console, the console log, or the GUI log. System Fatal The Fatal settings indicate an event that prevents operation of the port or device. For operation to resume, the port or device usually must be reset.
Chapter 3 Configuration Event Notification Setup Table 3-1 Event Display Severity Levels (continued) Severity Level Description System warning The Warning settings indicate that a failure has occurred. Protocol warning Port warning External warning System information Protocol information Port information External information • System refers to the access point as a whole. • Protocol refers to a specific communications protocol in use, such as HTTP or IP.
Chapter 3 Configuration Event Notification Setup displaying them on the console, or notify someone of the occurrence after displaying and recording the event. Figure 3-28 shows the Event Handling Setup page.
Chapter 3 Configuration Event Notification Setup Follow this link path to reach the Event Handling Setup page: 1. On the Summary Status page, click Setup. 2. On the Setup page, click Event Handling under Event Log.
Chapter 3 Configuration Event Notification Setup Handle Station Events as Severity Level You use this setting to set a severity level for Station Alerts. Use the pull-down menu to choose one of the sixteen severity levels. Table 3-1 on page 3-67 lists the severity levels in the menu. The *silent* option is not available for station events, however. Maximum memory reserved for Detailed Event Trace Buffer (bytes) Enter the number of bytes reserved for the Detailed Event Trace Buffer.
Chapter 3 Configuration Event Notification Setup Event Notifications Setup Page You use the Event Notifications Setup page to enable and configure notification of fatal, alert, warning, and information events to destinations external to the access point, such as an SNMP server or a Syslog system. Note For event notifications to be sent to an external destination, the events must be set to Notify on the Event Handling Setup page.
Chapter 3 Configuration Event Notification Setup Settings on the Event Notifications Setup Page The Event Notifications Setup page contains the following settings: • Should Notify-Disposition Events generate SNMP Traps? • SNMP Trap Destination • SNMP Trap Community • Should Notify-Disposition Events generate Syslog Messages? • Syslog Destination Address • Syslog Facility Number Should Notify-Disposition Events generate SNMP Traps? Select yes to send event notifications to an SNMP server.
Chapter 3 Configuration Event Notification Setup Syslog Destination Address Type the IP address or the host name of the server running Syslog. The Network Default Syslog Destination line under the syslog destination address field lists the syslog destination address provided by the DHCP or BOOTP server. This default syslog destination is only used if the syslog destination address field is blank. Syslog Facility Number Type the Syslog Facility number for the notifications.
C H A P T E R 4 Security Setup This chapter describes how to set up your access point’s security features.
Chapter 4 Security Setup Security Overview Security Overview This section describes the types of security features you can enable on the access point. The security features protect wireless communication between the access point and other wireless devices, control access to your network, and prevent unauthorized entry to the access point management system. Levels of Security Security is vital for any wireless network, and you should enable all the security features available on your network.
Chapter 4 Security Setup Security Overview If you don’t enable any security features on your access point, anyone with a wireless networking device is able to join your network. If you enable open or shared-key authentication with WEP encryption, your network is safe from casual outsiders but vulnerable to intruders who use a hacking algorithm to calculate the WEP key.
Chapter 4 Security Setup Security Overview both the access point and all associated client devices, adds a few bytes to each packet to make the packets tamper-proof. See the “Enabling Message Integrity Check (MIC)” section on page 4-13 for instructions on enabling MIC. • TKIP (Temporal Key Integrity Protocol, also known as WEP key hashing)—This feature defends against an attack on WEP in which the intruder uses the unencrypted initialization vector (IV) in encrypted packets to calculate the WEP key.
When you enable EAP on your access points and client devices, authentication to the network occurs in the steps shown in Figure 4-2:
Figure 4-2 Sequence for EAP Authentication (participants: client device, access point or bridge, and server on the wired LAN)
1. Authentication request
3. Username and password (relay to server)
4. Authentication challenge (relay to client)
5. Authentication response (relay to server)
6. Authentication success (relay to client)
7.
Chapter 4 Security Setup Security Overview When mutual authentication is complete, the RADIUS server and the client determine a WEP key that is unique to the client and provides the client with the appropriate level of network access, thereby approximating the level of security in a wired switched segment to an individual desktop. The client loads this key and prepares to use it for the logon session.
Figure 4-3 Sequence for MAC-Based Authentication (participants: client device, access point or bridge, and server on the wired LAN)
1. Authentication request
2. Identity request
3. MAC address (relay to server)
4. Successful authentication (relay to client)
• Open—Allows any device to authenticate and then attempt to communicate with the access point.
Chapter 4 Security Setup Security Overview During shared key authentication, the access point sends an unencrypted challenge text string to any device attempting to communicate with the access point. The device requesting authentication encrypts the challenge text and sends it back to the access point. If the challenge text is encrypted correctly, the access point allows the requesting device to authenticate.
Chapter 4 Security Setup Setting Up WEP Setting Up WEP Use the AP Radio Data Encryption page to set up WEP. You also use the AP Radio Data Encryption page to select an authentication type for the access point. Figure 4-6 shows the AP Radio Data Encryption page. Figure 4-6 AP Radio Data Encryption Page Follow this link path to reach the AP Radio Data Encryption page: 1. On the Summary Status page, click Setup. 2. On the Setup page, click Security. 3.
Chapter 4 Security Setup Setting Up WEP Follow these steps to set up WEP keys and enable WEP: Step 1 Follow the link path to the AP Radio Data Encryption page. Step 2 Before you can enable WEP, you must enter a WEP key in at least one of the Encryption Key fields. Note If you enable broadcast key rotation and EAP authentication to provide client devices with dynamic WEP keys, you can enable WEP without entering the keys.
Table 4-1 shows an example WEP key setup that would work for the access point and an associated device:
Table 4-1 WEP Key Setup Example

            Access Point                              Associated Device
Key Slot    Transmit?   Key Contents                  Transmit?   Key Contents
1           x           12345678901234567890abcdef    –           12345678901234567890abcdef
2           –           09876543210987654321fedcba    x           09876543210987654321fedcba
3           –           not set                       –           not set
4           –           not set                       –           FEDCBA09876543211234567890

Because the access point’s WEP key 1 is sel
The three settings in the pull-down menu include:
• No Encryption (default)—The access point communicates only with client devices that are not using WEP. Use this option to disable WEP.
• Optional—Client devices can communicate with the access point either with or without WEP.
• Full Encryption—Client devices must use WEP when communicating with the access point. Devices not using WEP are not allowed to communicate.
Table 4-2 SNMP Variable Settings and Corresponding WEP Levels

SNMP Variable               WEP Full   WEP Off   WEP Optional
dot11ExcludeUnencrypted.2   true       false     false
awcDot11AllowEncrypted.2    true       false     true

Note Access points do not use the SNMP variable dot11PrivacyInvoked, so it is always set to disabled.
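The mapping in Table 4-2 can be turned into a fleet check that flags access points not set to full encryption. This is an added example, not code from the guide: the three-column poll format, the access point names, and the function names are assumptions, and the sample readings are constructed.

```python
from collections import defaultdict

EXCLUDE = "dot11ExcludeUnencrypted.2"
ALLOW = "awcDot11AllowEncrypted.2"

# Table 4-2: (EXCLUDE, ALLOW) -> WEP level configured on the access point.
WEP_LEVELS = {
    (True, True): "Full",
    (False, False): "Off",
    (False, True): "Optional",
}

# Constructed sample: "<ap name> <variable> <value>", one reading per line.
# This layout is an assumption for the example, not real SNMP tool output.
SAMPLE_POLL = """\
# hypothetical poll results
ap-lobby  dot11ExcludeUnencrypted.2  true
ap-lobby  awcDot11AllowEncrypted.2   true
ap-lobby  dot11PrivacyInvoked        disabled
ap-dock   dot11ExcludeUnencrypted.2  false
ap-dock   awcDot11AllowEncrypted.2   true
ap-lab    dot11ExcludeUnencrypted.2  false
ap-lab    awcDot11AllowEncrypted.2   false
ap-annex  dot11ExcludeUnencrypted.2  true
ap-annex  awcDot11AllowEncrypted.2   false
ap-roof   awcDot11AllowEncrypted.2   true
"""


def parse_poll(text):
    """Return {ap: {variable: bool}} for the two variables Table 4-2 uses."""
    readings = defaultdict(dict)
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'ap variable value'")
        ap, variable, value = fields
        readings[ap]  # register the AP even if only ignored variables appear
        if variable not in (EXCLUDE, ALLOW):
            # dot11PrivacyInvoked is always "disabled" on these access points,
            # so it says nothing about the WEP level and is skipped.
            continue
        value = value.lower()
        if value not in ("true", "false"):
            raise ValueError(f"line {lineno}: {variable} must be true or false")
        readings[ap][variable] = value == "true"
    return dict(readings)


def classify(reading):
    """Map one access point's readings to a WEP level from Table 4-2."""
    if EXCLUDE not in reading or ALLOW not in reading:
        return "Unknown"  # a variable was not polled; do not guess
    # (true, false) is not a row in Table 4-2, so report it instead of
    # treating it as one of the three documented levels.
    return WEP_LEVELS.get((reading[EXCLUDE], reading[ALLOW]), "Inconsistent")


def audit(text, required="Full"):
    """Return ({ap: level}, sorted list of APs whose level is not `required`)."""
    levels = {ap: classify(r) for ap, r in parse_poll(text).items()}
    findings = sorted(ap for ap, level in levels.items() if level != required)
    return levels, findings


if __name__ == "__main__":
    levels, findings = audit(SAMPLE_POLL)
    for ap in sorted(levels):
        marker = "FLAG" if ap in findings else "ok"
        print(f"{ap:10s} WEP {levels[ap]:12s} {marker}")
```

A monitoring check that keys on dot11PrivacyInvoked alone would report WEP as off on every access point, which is why the audit reads the two variables from Table 4-2 instead.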
Chapter 4 Security Setup Enabling Additional WEP Security Features Note To use MIC, the Use Aironet Extensions setting on the AP Radio Advanced page must be set to yes (the default setting). Use the AP Radio Advanced page to enable MIC. Figure 4-7 shows the AP Radio Advanced page.
Chapter 4 Security Setup Enabling Additional WEP Security Features Follow this link path to browse to the AP Radio Advanced page: 1. On the Summary Status page, click Setup. 2. On the Setup page, click Advanced in the AP Radio row under Network Ports. Follow these steps to enable MIC: Step 1 Follow the steps in the “Setting Up WEP” section on page 4-9 to set up and enable WEP. You must set up and enable WEP with full encryption before MIC becomes active.
Chapter 4 Security Setup Enabling Additional WEP Security Features Note When you enable TKIP, all WEP-enabled client devices associated to the access point must support WEP key hashing. WEP-enabled devices that do not support key hashing cannot communicate with the access point. Note To use TKIP, the Use Aironet Extensions setting on the AP Radio Advanced page must be set to yes (the default setting). Tip When you enable TKIP, you do not need to enable broadcast key rotation.
Chapter 4 Security Setup Enabling Additional WEP Security Features Enabling Broadcast WEP Key Rotation EAP authentication provides dynamic unicast WEP keys for client devices but uses static multicast keys. With broadcast, or multicast, WEP key rotation enabled, the access point provides a dynamic broadcast WEP key and changes it at the interval you select.
Tip Use a short rotation interval if the traffic on your wireless network contains numerous broadcast or multicast packets.
Step 4 Click OK. Broadcast key rotation is enabled.
Setting Up Open or Shared Key Authentication
Cisco recommends Open authentication as preferable to Shared Key authentication. The challenge queries and responses used in Shared Key leave the access point particularly vulnerable to intruders.
Chapter 4 Security Setup Setting Up EAP Authentication Setting Up EAP Authentication During EAP authentication, the access point relays authentication messages between the RADIUS server on your network and the authenticating client device.
Chapter 4 Security Setup Setting Up EAP Authentication Follow this link path to reach the Authenticator Configuration page: 1. On the Summary Status page, click Setup. 2. On the Setup page, click Security. 3. On the Security Setup page, click Authentication Server. Follow these steps to enable EAP on the access point: Step 1 Follow the link path to the Authenticator Configuration page. You can configure up to four servers for authentication services, so you can set up backup authenticators.
Table 4-3 802.1x Protocol Drafts and Compliant Client Firmware

Firmware Version                 Draft 7   Draft 8   Draft 10 (1)
PC/PCI cards 4.13                —         x         —
PC/PCI cards 4.16                —         x         —
PC/PCI cards 4.23                —         x         —
PC/PCI cards 4.25 and later      —         —         x
WGB34x/352 8.58                  —         x         —
WGB34x/352 8.61 or later         —         —         x
AP34x/35x 11.05 and earlier      —         x         —
AP34x/35x 11.06 and later (2)    —         x         x
BR352 11.06 and later (1)        —         x         x

1.
Chapter 4 Security Setup Setting Up EAP Authentication Step 6 Enter the number of seconds the access point should wait before authentication fails. If the server does not respond within this time, the access point tries to contact the next authentication server in the list if one is specified. Other backup servers are used in list order when the previous server times out. Step 7 Select EAP Authentication under the server.
Table 4-4 Access Point EAP Settings for Various Client Configurations

Access Point Configuration: Network-EAP authentication
Client Devices Allowed to Authenticate:
• Cisco Aironet client devices with LEAP enabled
• Repeater access points with LEAP enabled

Access Point Configuration: Open authentication with Require EAP check box selected
Client Devices Allowed to Authenticate:
• Non-Cisco Aironet devices with EAP enabled
• Cisco Aironet devices with EAP-TLS or EAP-MD5 enabled through Windows XP

Note Step 1
Chapter 4 Security Setup Setting Up EAP Authentication Enabling EAP in Cisco Secure ACS Cisco Secure Access Control Server for Windows NT/2000 Servers (Cisco Secure ACS) is network security software that helps authenticate users by controlling access to a network access server (NAS) device, such as an access server, PIX Firewall, router, or wireless access point or bridge.
Chapter 4 Security Setup Setting Up EAP Authentication Tip To save your changes and apply them later, click Submit. When you are ready to implement the changes, select System Configuration > Service Control and click Restart. Note Restarting the service clears the Logged-in User Report, refreshes the Max Sessions counter, and temporarily interrupts all Cisco Secure ACS services. Setting a Session-Based WEP Key Timeout You can set a timeout value for the session-based WEP key.
Chapter 4 Security Setup Setting Up EAP Authentication Step 5 Select the check box for [027] Session-Timeout and enter the number of seconds for your timeout value in the [027] Session-Timeout entry field. Step 6 Click Submit + Restart. The timeout value is enabled.
Chapter 4 Security Setup Setting Up EAP Authentication Figure 4-9 AP Radio Identification Page Step 3 Enter the network username you set up for the access point in Step 1 in the LEAP User Name entry field. Step 4 Enter the network password you set up for the access point in Step 1 in the LEAP Password entry field. Step 5 Click OK. Step 6 Follow the steps in the “Enabling EAP on the Access Point” section on page 4-19 to enable Network-EAP on the repeater access point.
Setting Up MAC-Based Authentication MAC-based authentication allows only client devices with specified MAC addresses to associate and pass data through the access point. Client devices with MAC addresses not in a list of allowed MAC addresses are not allowed to associate with the access point. You can create a list of allowed MAC addresses in the access point management system and on a server used for MAC-based authentication.
Chapter 4 Security Setup Setting Up MAC-Based Authentication Figure 4-10 Address Filters Page Note Step 2 and Step 3 describe entering MAC addresses in the access point management system. If you will enter MAC addresses only in a list used by the authentication server, skip to Step 4. Step 2 Type a MAC address in the Dest MAC Address field.
Chapter 4 Security Setup Setting Up MAC-Based Authentication Step 4 If you plan to create a MAC address list that will be checked by the authentication server, select Yes for the option called Lookup MAC Address on Authentication Server if not in Existing Filter List. With this option enabled, the access point checks the authentication server’s MAC address list when a client device attempts to authenticate. Step 5 Click Apply to save the list of MAC addresses in the access point management system.
Chapter 4 Security Setup Setting Up MAC-Based Authentication Step 8 Enter the port number the server uses for authentication. The default setting, 1812, is the port setting for Cisco’s RADIUS server, the Cisco Secure Access Control Server (ACS), and for many other RADIUS servers. Check your server’s product documentation to find the correct port setting. Step 9 Enter the shared secret used by the server in the Shared Secret entry field.
Chapter 4 Security Setup Setting Up MAC-Based Authentication Figure 4-12 AP Radio Advanced Page Step 15 Select Disallowed from the pull-down menu for Default Unicast Address Filter for each authentication type requiring MAC-based authentication. For example, if the access point is configured for both open and Network-EAP authentication, you could set Default Unicast Address Filter under Open to Disallowed but leave Default Unicast Address Filter under Network-EAP set to Allowed.
Chapter 4 Security Setup Setting Up MAC-Based Authentication devices to authenticate using MAC addresses. To force all client devices to authenticate using MAC addresses, select Disallowed for all the enabled authentication types. When you set Default Unicast Address Filter to disallowed, the access point discards all unicast traffic except packets sent to the MAC addresses listed as allowed on the authentication server or on the access point’s Address Filters page.
Chapter 4 Security Setup Summary of Settings for Authentication Types Note The access point sends MAC address queries to the server using lower-case characters. If your server allows case-sensitive usernames and passwords, you must enter MAC addresses in the server’s database using lower-case characters. Step 3 When the User Setup screen appears, enter the MAC address in the Cisco Secure PAP Password and Confirm Password entry fields.
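Because the access point queries the server with lower-case MAC addresses, an entry stored in any other form on a case-sensitive server never matches and the client is silently refused. The following added example (not from the guide) checks a server-side list before it is loaded; it assumes the query form is 12 hex digits with no separators, as in the ffffffffffff broadcast address the guide shows, and the entries and function names are constructed for illustration.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

# Constructed sample of entries as they might sit in the server's database.
# 02... addresses are locally administered, so no real vendor is implied.
SAMPLE_SERVER_ENTRIES = [
    "020000aabbcc",        # already in the form the access point sends
    "02:00:00:AA:BB:CD",   # separators and upper case
    "0200.00AA.BBCC",      # same station as the first entry
    "020000AABBCE",        # upper case only
    "ffffffffffff",        # broadcast address, not a client station
    "02000g112233",        # not hexadecimal
    "0200001122",          # too short
]


def normalize_mac(raw):
    """Return the MAC as 12 lower-case hex digits, or raise ValueError."""
    candidate = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not _HEX12.match(candidate):
        raise ValueError(f"not a MAC address: {raw!r}")
    return candidate


def is_group_address(mac):
    """True for multicast and broadcast addresses (low bit of first octet set)."""
    return bool(int(mac[:2], 16) & 1)


def audit_server_entries(entries):
    """Sort entries into those that match as stored and those that need fixing."""
    report = {"ok": [], "rewrite": {}, "duplicates": [], "group": [], "invalid": []}
    first_seen = {}
    for entry in entries:
        try:
            mac = normalize_mac(entry)
        except ValueError:
            report["invalid"].append(entry)
            continue
        if is_group_address(mac):
            # A client authenticates with its own unicast address; a group
            # address in the client list is a data-entry mistake.
            report["group"].append(entry)
            continue
        if mac in first_seen:
            report["duplicates"].append((first_seen[mac], entry))
            continue
        first_seen[mac] = entry
        if entry == mac:
            report["ok"].append(entry)
        else:
            # Stored form would not equal the lower-case query on a
            # case-sensitive server; record the form to store instead.
            report["rewrite"][entry] = mac
    return report


if __name__ == "__main__":
    for category, items in audit_server_entries(SAMPLE_SERVER_ENTRIES).items():
        print(f"{category}: {items}")
```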
Chapter 4 Security Setup Summary of Settings for Authentication Types Table 4-5 Settings for Authentication Types Authentication Types Required Settings LEAP On the Authenticator Configuration page (shown in Figure 4-13): • Select an 802.1x protocol draft that matches the protocol draft used by client devices that associate with the access point. • Enter the name or IP address, type, port, shared secret, and timeout value for your RADIUS server. • Select the EAP check box under the server.
Chapter 4 Security Setup Summary of Settings for Authentication Types Table 4-5 Settings for Authentication Types (continued) Authentication Types Required Settings EAP-TLS, EAP-MD5, and static WEP under 802.11 Open The access point does not support this combination of authentication types. When you select Require EAP on the Authenticator Configuration page to authenticate clients using EAP-TLS and EAP-MD5, non-EAP client devices are blocked from using the access point.
Chapter 4 Security Setup Setting Up Backup Authentication Servers Setting Up Backup Authentication Servers You can configure up to four servers for authentication services on the Authenticator Configuration page, so you can set up backup authenticators. If you set up more than one server for the same service, the server first in the list is the primary server for that service, and the other servers are used in list order when the previous server times out.
Chapter 4 Security Setup Setting Up Administrator Authorization Figure 4-13 Authenticator Configuration Page with Primary and Backup Servers Setting Up Administrator Authorization Administrator authorization protects the access point management system from unauthorized access. Use the access point’s user management pages to define a list of users who are authorized to view and change the access point management system. Use the Security Setup page to reach the user management pages.
Chapter 4 Security Setup Setting Up Administrator Authorization Figure 4-14 Security Setup Page Follow this link path to reach the Security Setup page: 1. On the Summary Status page, click Setup. 2. On the Setup page, click Security. Creating a List of Authorized Management System Users Follow these steps to create a list of users authorized to view and change the access point management system: Step 1 Follow the link path to the Security Setup page.
Chapter 4 Security Setup Setting Up Administrator Authorization Step 3 Click Add New User. The User Management window appears. Figure 4-16 shows the User Management window. Figure 4-16 User Management Window Step 4 Enter a username and password for the new user. Step 5 Select the capabilities you want to assign to the new user. Capabilities include: • Write—The user can change system settings. When you assign Write capability to a user, the user also automatically receives Admin capability.
Chapter 4 Security Setup Setting Up Administrator Authorization • Firmware—The user can update the access point's firmware. When you assign Firmware capability to a user, the user also automatically receives Write and Admin capabilities. • Admin—The user can view most system screens. To allow the user to view all system screens and make changes to the system, select Write capability. Step 6 Click Apply.
• Protect Legal Credit Page—Select yes to restrict access to the Legal Credits page to users in the user list. Select no to allow any user to view the Legal Credits page.
Step 9 Click OK. You return automatically to the Security Setup page.
CHAPTER 5
Network Management
This section describes how to browse to other devices on your network, how to use Cisco Discovery Protocol with your wireless networking equipment, how to assign a specific network port to a MAC address, and how to enable wireless network accounting.
Using the Association Table
The management system’s Association Table page lists all the devices, both wireless and wired to the root LAN, of which the access point is aware. Figure 5-1 shows an example of the Association Table page.
Figure 5-1 Association Table Page
Click the Association link at the top of any main management system page to go to the Association Table.
Setting the Display Options
You use the display options to select the device types to be listed in the table. The default selections list only the access point and any devices with which it is associated. To change the selections, click a display option and then click Apply. To modify the table further, click additional display filters, which is a link to the Association Table Filters page.
Figure 5-2 Station Page
Information on Station Pages
Station Identification and Status
The yellow table at the top of the Station page lists the following information:
• System Name—The name assigned to the device.
• Device—The type and model number of the device.
• MAC Address—A unique identifier assigned by the manufacturer.
• IP Address—The device’s IP address. When you click the IP address link, the browser attempts to display the device’s home page.
• Status—This field indicates the device’s operating status. Possible statuses include:
– OK—The device is operating properly.
– EAP Pending
– EAP Authenticated
– IP Forwarding Agent
– BootP/DHCP Client—The device is using the BOOTP or DHCP protocol.
– ARP Proxy Server
– IP Virtual Router
– WEP—WEP is enabled on the device.
From Station Information
Fields in the To Station column contain the following information:
• Alert—Click this box if you want detailed packet trace information captured for the Association Table page. This option is only available to users with Administrator capability.
• Packets OK—Reports the number of good packets sent from the station.
• Total Bytes OK—Reports the number of good bytes sent from the station.
• Uptime—Displays the cumulative time the device has been operating since the last reset.
• Software Version—Displays the version level of Cisco software on the device.
• Announcement Packets—Total number of Announcement packets since the device was last reset.
Performing a Ping
Follow these steps to ping the device described on the Station page:
Step 1 To customize the size and number of packets sent during the ping, enter the number of packets and size of the packets in the Number of Pkts. and Pkt. Size fields.
Step 2 Click Ping. The ping runs using the values in the Number of Pkts. and Pkt. Size fields, and a ping window appears listing the test results. To run the ping again, click Test Again.
Note If you need to stop the link test before the test is complete, click Stop Test. A results window appears listing the test results. To run the test again, click Test Again. To run a continuous link test, click Continuous Test.
Figure 5-4 shows a link test results window.
Figure 5-4 Link Test Results Window
Clearing and Updating Statistics
Use the Clear Stats and Refresh buttons to clear and update the Station page statistics.
Deauthenticating and Disassociating Client Devices
Use the Deauthenticate and Disassociate buttons to deauthenticate and disassociate the client device from the access point. These buttons appear only on Station pages for devices that are associated with the access point, and only users with administrator capability can operate them.
• Deauthenticate—Forces a client to re-authenticate with the access point.
Figure 5-5 Network Map Window
Click the name of a wireless device to open a new browser window displaying a Station page displaying the access point’s local information for that device. Click Go beside the device name to open a new browser window displaying that device’s home page, if available. Some devices, such as PC card clients, do not have browser-based interfaces.
Using Cisco Discovery Protocol
Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices. Information in CDP packets is used in network management software such as CiscoWorks2000. Use the CDP Setup page to adjust the access point’s CDP settings. CDP is enabled by default.
Settings on the CDP Setup Page
The CDP Setup page contains the following settings:
• Enabled/Disabled—Select Disabled to disable CDP on the access point; select Enabled to enable CDP on the access point. CDP is enabled by default.
• Packet hold time—The number of seconds other CDP-enabled devices should consider the access point’s CDP information valid.
Figure 5-7 Port Assignments Page
Follow this link path to reach the Port Assignments page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Port Assignments in the Association section near the top of the page.
Settings on the Port Assignments Page
• ifIndex—Lists the port’s designator in the Standard MIB-II (RFC1213-MIB.my) interface index.
• dot1dBasePort—Lists the port’s designator in the Bridge MIB (RFC1493; BRIDGE-MIB.my) interface index.
• AID—Lists the port’s 802.11 radio drivers association identifier.
• Station—Enter the MAC address of the device to which you want to assign the port in the port’s Station entry field.
Figure 5-8 Accounting Setup Page
Follow this link path to reach the Accounting Setup page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Accounting under Services.
Settings on the Accounting Setup Page
The Accounting Setup page contains these settings:
• Enable accounting—Select Enabled to turn on accounting for your wireless network.
• Minimum delay time to report stop (sec.)—Enter the number of seconds the access point waits before sending a stop report to the server when a client device disassociates from the access point. The delay reduces accounting activity for client devices that disassociate from the access point and then quickly reassociate.
• Server Name/IP—Enter the name or IP address of the server to which the access point sends accounting data.
Accounting Attributes
Table 5-1 lists the accounting attributes the access point sends to the accounting server.
Table 5-1 Accounting Attributes the Access Point Sends to the Accounting Server
Attribute           Definition
Acct-Status-Type    The client device’s current accounting status; possible statuses include ACCT_START, ACCT_STOP, and ACCT_UPDATE.
Table 5-1 Accounting Attributes the Access Point Sends to the Accounting Server (continued)
Attribute           Definition
NAS-Identifier      The network access server (NAS) sending the accounting data; for wireless networks, the name of the access point sending the accounting information. The access point sends this attribute to the server with all three status types.
Table 5-1 Accounting Attributes the Access Point Sends to the Accounting Server (continued)
Attribute           Definition
Acct-Delay-Time     The delay between the time the event occurred and the time that the attribute was sent to the server. The access point sends this attribute to the server with all three status types.
RADIUS_IPADR        The IP address of the access point sending the accounting information.
CHAPTER 6
Managing Firmware and Configurations
This section describes how to update the firmware version on the access point, how to distribute firmware to other access points, how to distribute the access point’s configuration to other access points, and how to download, upload, and reset the access point configuration. You use the Cisco Services Setup page as a starting point for all these activities.
Updating Firmware
You use the Cisco Services Setup page to update the access point’s firmware. You can perform the update by browsing to a local drive or by using FTP to update the firmware from a file server. Figure 6-1 shows the Cisco Services Setup page.
Figure 6-1 Cisco Services Setup Page
Follow this link path in the browser interface to reach the Cisco Services Setup page:
1. On the Summary Status page, click Setup.
2.
Full Update of the Firmware Components
To update all the firmware components at the same time, click Through Browser on the Fully Update Firmware line on the Cisco Services Setup page. The Update All Firmware Through Browser page appears. Figure 6-2 shows the Update All Firmware Through Browser page.
Selective Update of the Firmware Components
To update firmware components individually, click Through Browser on the Selectively Update Firmware line on the Cisco Services Setup page. The Update Firmware Through Browser page appears. Figure 6-3 shows the Update Firmware Through Browser page.
Updating from a File Server
When you update the firmware from a file server, you load new firmware through FTP or TFTP from a file server. You can update the three firmware components—the management system firmware, the firmware web pages, and the radio firmware—individually or all at once. It is simplest to update all the components at once, but in some situations you might want to update them individually.
Figure 6-5 FTP Setup Page
Step 2 Enter the FTP settings on the FTP Setup page.
a. Select FTP or TFTP from the File Transfer Protocol pull-down menu. FTP (File Transfer Protocol) is the standard protocol that supports transfers of data between local and remote computers. TFTP (Trivial File Transfer Protocol) is a relatively slow, low-security protocol that requires no user name or password.
b.
Selective Update of the Firmware Components
To update firmware components individually, click From File Server on the Selectively Update Firmware line on the Cisco Services Setup page. The Update Firmware From File Server page appears. Figure 6-6 shows the Update Firmware From File Server page.
Distributing Firmware
You use the Distribute Firmware page to distribute the access point’s firmware to other Cisco Aironet access points. Figure 6-7 shows the Distribute Firmware page. The access point sends its firmware to all the access points on your network that:
• Are running access point firmware version 10.
Follow these steps to distribute firmware to other access points:
Step 1 Follow the link path to reach the Distribute Firmware page.
Step 2 To distribute all three firmware components at once, verify that yes is selected for Distribute All Firmware. This is the default setup for the Distribute Firmware page.
Figure 6-8 Distribute Configuration Page
Follow this link path in the browser interface to reach the Distribute Configuration page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Cisco Services Setup.
3. On the Cisco Services page, click Distribute Configuration to other Cisco Devices.
Figure 6-9 System Configuration Setup Page
Follow this link path in the browser interface to reach the System Configuration Setup page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Cisco Services Setup.
3. On the Cisco Services page, click Manage System Configuration.
• To save the current non-default configuration including the access point’s IP address, click Download Non-Default System Configuration.
• To save the current default and non-default configuration including the access point’s IP address, click Download All System Configuration.
Uploading from a File Server
Follow these steps to upload a configuration file from a file server:
Step 1 Before you load a configuration file from a server, you need to enter FTP settings for the server. If you have already entered the FTP settings, skip to Step 3. Follow this link path in the browser interface to reach the FTP Setup page:
a. On the Summary Status page, click Setup
b.
e. In the FTP Password entry field, enter the password associated with the user name. If you selected TFTP, you can leave this field blank.
f. Click OK. You return automatically to the Setup page.
Step 3 Follow the link path in the web browser to reach the System Configuration Setup page.
Step 4 Click Read Config File From Server.
• Reset All System Factory Defaults—this button returns all access point settings to their factory defaults except:
– The users in the User Manager list
– The SNMP Administrator Community name
Note To completely reset all access point settings to defaults, follow the steps in the “Resetting to the Default Configuration” section on page 9-43.
CHAPTER 7
Management System Setup
This chapter explains how to set up your access point to use SNMP, Telnet, or the console port to manage the access point.
SNMP Setup
Use the SNMP Setup page to configure the access point to work with your network’s SNMP station. Figure 7-1 shows the SNMP Setup page.
Figure 7-1 SNMP Setup Page
Follow this link path to reach the SNMP Setup page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click SNMP in the Services section of the page.
• System Name—The name of the access point. The name in this field is reported to your SNMP's management station as the name of the device when you use SNMP to communicate with the access point.
• System Location—Use this field to describe the physical location of the access point, such as the building or room in which it is installed.
• System Contact—Use this field to name the system administrator responsible for the access point.
Settings on the Database Query Page
The Database Query page contains the following entry fields and buttons:
• OID—Type the object identifier (OID) in the OID field. You can use the integer or ASCII version of the OID. If you use the integer version of the OID, you must type the entire OID string (1.3.7.2.13.78.5.6, for example). If you use the ASCII name, you can often use the object's name as specified in the appropriate MIB (enableSNMP, for example).
Console and Telnet Setup
Use the Console/Telnet Setup page to configure the access point to work with a terminal emulator or through Telnet. Figure 7-3 shows the Console/Telnet Setup page.
Figure 7-3 Console/Telnet Setup Page
Follow this link path to reach the Console/Telnet Setup page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Console/Telnet in the Services section of the page.
• Data Bits—The default setting is 8.
• Stop Bits—The default setting is 1.
• Flow Control—Defines the way that information is sent between pieces of equipment to prevent loss of data when too much information arrives at the same time on one device. The default setting is None.
• Terminal Type—The preferred setting is ANSI, which offers graphic features such as reverse video buttons and underlined links.
CHAPTER 8
Special Configurations
This chapter describes how to set up the access point in network roles other than as a root unit on a wired LAN. You can set up an access point as a repeater to extend the range of a wireless network, and you can use Hot Standby mode to use an access point as a backup unit in areas where you need extra reliability. Both configurations require two access points that support and rely upon each other.
Figure 8-1 Access Point as Repeater (figure labels: Access Point (Root Unit), Wired LAN, Access Point (Repeater))
You can set up a chain of several repeater access points, but throughput for client devices at the end of the repeater chain will be quite low. Because each repeater must receive and then re-transmit each packet on the same channel, throughput is cut in half for each repeater you add to the chain.
If you use EAP authentication on your wireless network, you can set up the repeater access point to authenticate using LEAP. See the “Setting up a Repeater Access Point as a LEAP Client” section on page 4-26 for instructions on enabling LEAP on a repeater.
Step 6 For a 350 series access point, plug an Ethernet cable into the access point’s Ethernet port. Plug the other end of the Ethernet cable into the side of the power injector labelled To AP.
Note The repeater access point will not be connected to the wired LAN, so do not run Ethernet cable from the power injector to a switch.
Step 7 Plug the power injector’s power cable into an electrical outlet.
Step 13 Also on the Express Setup page, enter the same settings in the Default IP Subnet Mask and Default Gateway fields that are on the root access point.
Step 14 On the Boot Server Setup page, select none for the Configuration Server Protocol. This setting will maintain a fixed IP address for the repeater access point. If the root access point configuration has not been changed from the factory defaults, skip to Step 18.
Using Hot Standby Mode
Hot Standby mode designates an access point as a backup for another access point. The standby access point is placed near the access point it monitors, configured exactly the same as the monitored access point. The standby access point associates with the monitored access point as a client and queries the monitored access point regularly through both the Ethernet and the radio.
Chapter 8 Special Configurations Using Hot Standby Mode Follow these steps to enable Hot Standby mode: Step 1 Step 2 On the standby access point, duplicate the settings that are entered on the monitored access point.
Note If the monitored access point malfunctions and the standby access point takes its place, repeat the hot standby setup on the standby access point when you repair or replace the monitored access point. The standby access point does not revert to standby mode automatically.
CHAPTER 9
Diagnostics and Troubleshooting
This chapter describes the diagnostic pages in the management system and provides troubleshooting procedures for basic problems with the access point. For the most up-to-date, detailed troubleshooting information, refer to the Cisco TAC website at http://www.cisco.com/tac. Select Wireless LAN under Top Issues.
Using Diagnostic Pages
The management system contains three diagnostic pages that provide detailed statistics and event records for the access point:
• The Radio Diagnostics Page provides the antenna alignment test and carrier test utilities.
• The Network Ports Page lists statistics on data transmitted and received by the access point.
• The Event Log Page lists network events.
Each page is described in the sections below.
Antenna Alignment Test
The antenna alignment test measures signal strength and quality between a repeater access point and other wireless networking devices. For best results during the antenna alignment test, turn off all wireless networking devices within range of the access point except the device with which you are trying to align the access point’s antenna.
Figure 9-2 Antenna Alignment Test Window
In this example, only one wireless networking device is in range of the access point, making it easy to see the relevant data. If results for several devices were displayed, it would be difficult to focus on the device with which you were trying to align the access point’s antenna. Each data sample is listed in the data columns.
• Signal Quality—The quality of the signal link between the access point and the other device.
Carrier Test
The carrier test measures the amount of radio activity on each frequency available to the access point. Use the carrier test to determine the best frequency for the access point to use.
The bar graph on the left side of the window displays the percentage used for each frequency; the highest current percentage used is labeled on the top left of the graph. In this example, the highest percentage used for any frequency is 77. The access point’s available frequencies are listed vertically across the bottom of the graph, from 2412 to 2462 GHz.
Click the Network link at the top of any main management system page to reach the Network Ports page, or click Network Ports on the Summary Status home page. The Network Diagnostics link at the top of the Network Ports page leads to the Cisco Network Diagnostics page, where you can select diagnostic tests. The Network Ports table is divided into three sections: identifying information and status, data received, and data transmitted.
Data Received
• Unicast pkts.—The number of packets received in point-to-point communication.
• Multicast pkts.—The number of packets received that were sent as a transmission to a set of nodes.
• Total bytes—The total number of bytes received.
• Errors—The number of packets determined to be in error.
• Discards—The number of packets discarded by the access point due to errors or network congestion.
• Forwardable pkts.
Ethernet Port Page
When you click Ethernet in the Network Ports table, the browser displays the Ethernet Port page. This page lists detailed statistics on the access point’s Ethernet port. Figure 9-5 shows an Ethernet Port page example.
Figure 9-5 Ethernet Port Page
Like the Network Ports page, the Ethernet Port page lists statistics in a table divided into sections.
Configuration Information
• The top row of the Configuration section of the table contains a Set Properties link that leads to the Ethernet Hardware page.
• Status of “fec0”—“Fast Ethernet Controller” is part of Motorola's naming convention for the Ethernet device used by the access point. This field displays one of the three possible operating states for the port.
• Carrier Sense Lost—The number of disconnects from the Ethernet network. Carrier sense lost events are usually caused by disconnected wiring.
• Late Collisions—Packet errors that probably were caused by over-long wiring problems. Late collisions could also indicate a failing NIC card.
• Overrun Packets—Ethernet packets that were discarded because the access point had a temporary overload of packets to handle.
AP Radio Page
When you click AP Radio in the Network Ports table, the browser displays the AP Radio Port page. This page lists detailed statistics on the access point’s radio. Figure 9-6 shows an AP Radio Port page example.
Figure 9-6 AP Radio Port Page
Like the Network Ports and Ethernet Port pages, the AP Radio Port page lists statistics in a table divided into sections. Each row in the table is explained below.
Configuration Information
• The top row of the Configuration section of the table contains a Set Properties link that leads to the AP Radio Hardware page. See the “Entering Radio Hardware Information” section on page 3-21 for details on the AP Radio Hardware page.
• Status of “awc0”—awc0 (Aironet Wireless Communications) is part of Cisco Aironet's naming convention for this radio.
• Discarded Packets—Packets discarded due to errors or network congestion.
• Forwardable Packets—Packets received by the port that were acceptable or passable through the filters.
• Filtered Packets—Packets that were stopped or screened by the filters set up on the port.
• Packet CRC Errors—Cyclic redundancy check (CRC) errors that were detected in a received packet.
• Packet WEP Errors—Encryption errors received through this port.
• Canceled AID—Packets dropped by a repeater because it roamed to a different parent during a retransmission attempt.
• Lifetime Exceeded—Fragmented packets that were dropped because it took too long to deliver a fragment.
Display Options
Figure 9-6 shows the basic AP Radio Port page. Three display options provide more details on the port configuration and operating statistics.
Event Log Page
The Event Log page lists access point events and provides links to the Event Display Setup and Event Log Summary pages. You can also open Station pages for devices listed in the event log. Figure 9-7 shows an Event Log page example.
Figure 9-7 Event Log Page
Click the Logs link at the top of any main management system page to reach the Event Log page.
• Purge Log—Permanently deletes all events from the log.
• Additional Display Filters—A link to the Event Display Setup page, where you can change time and severity level settings.
Log Headings
The event log is divided into three columns:
• Time—The time the event occurred.
Event Log Summary Page
The Event Log Summary page lists the total number of events that occurred at each severity level. Figure 9-8 shows an Event Log Summary page example.
Figure 9-8 Event Log Summary Page
Click the Severity heading on the Event Log page to reach the Event Log Summary page.
Using Command-Line Diagnostics
You can view diagnostic information about your access point with diagnostic commands. Enter the commands in the command-line interface (CLI) to display the information. You can open the CLI with Telnet or with a terminal emulator through the access point’s serial port. Table 9-1 lists the access point’s diagnostic commands.
Entering Diagnostic Commands
Follow these steps to enter diagnostic commands in the CLI:
Note These steps describe opening the CLI with Telnet. If the access point is configured to block Telnet access, follow the instructions in the “Preparing to Use a Terminal Emulator” section on page 2-6 to open the CLI by using a terminal emulator through a serial cable connected to the access point’s serial port.
Step 1
:eap_diag1_on
Use the :eap_diag1_on command to display authentication progress for client devices authenticating through the access point.
The first group of characters in the packet contents (00c15730, for example) is the hexadecimal address of the memory buffer that contains the packet. The middle group of characters (01 00 00 28 01 21 00 28 01 00 6e 65 74 77 6f 72, for example) is the packet contents in hexadecimal format. The last group of characters (*...(.!.(..networ*, for example) is an ASCII representation of the packet contents.
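The three-group layout described above can be parsed and cross-checked mechanically. The following is an added example, not code from the guide or from Cisco: it assumes the groups are separated by spaces on one line and that the dumped buffer begins at an EAPOL header (IEEE 802.1X) carrying an EAP packet (RFC 3748), which is consistent with the sample bytes but is not stated on this page. All function names are hypothetical.

```python
import re

# Constructed sample: the three groups quoted in the text, joined with single
# spaces (the exact column spacing of real CLI output is an assumption).
SAMPLE_LINE = ("00c15730 01 00 00 28 01 21 00 28 01 00 6e 65 74 77 6f 72 "
               "*...(.!.(..networ*")

# buffer address, hex bytes, ASCII rendering delimited by asterisks
DUMP_LINE = re.compile(
    r"^\s*([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}\s+)+)\*(.*)\*\s*$")

# Value names from IEEE 802.1X (EAPOL) and RFC 3748 (EAP); type 17 is LEAP.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 17: "LEAP"}


def render_ascii(data):
    """Render bytes the way the dump's last column does: non-printables as '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)


def parse_dump_line(line):
    """Split one dump line into (buffer address, packet bytes, ASCII column).

    Raises ValueError if the line does not have the three-group layout or if
    the ASCII column disagrees with the hex bytes (a garbled or edited capture).
    """
    match = DUMP_LINE.match(line)
    if not match:
        raise ValueError("not a packet dump line")
    address = int(match.group(1), 16)
    data = bytes.fromhex(match.group(2))
    if render_ascii(data) != match.group(3):
        raise ValueError("ASCII column does not match hex bytes")
    return address, data, match.group(3)


def decode_eapol(data):
    """Decode the EAPOL header and, for EAP-Packets, the EAP header.

    A single dump line holds only 16 bytes, so the declared body length is
    usually larger than what was captured; that is reported, not treated as
    an error.
    """
    if len(data) < 4:
        raise ValueError("too short for an EAPOL header")
    ptype = data[1]
    body_length = int.from_bytes(data[2:4], "big")
    info = {
        "version": data[0],
        "packet_type": EAPOL_TYPES.get(ptype, "unknown(%d)" % ptype),
        "body_length": body_length,
        "truncated": len(data) - 4 < body_length,
    }
    if ptype == 0 and len(data) >= 8:
        code = data[4]
        eap_length = int.from_bytes(data[6:8], "big")
        info["eap_code"] = EAP_CODES.get(code, "unknown(%d)" % code)
        info["eap_id"] = data[5]
        info["eap_length"] = eap_length
        # The EAP length field covers the whole EAP packet, so it should
        # equal the EAPOL body length; a mismatch suggests a malformed frame.
        info["lengths_agree"] = eap_length == body_length
        if code in (1, 2) and len(data) >= 9:
            info["eap_type"] = EAP_TYPES.get(data[8], "unknown(%d)" % data[8])
            info["type_data_ascii"] = render_ascii(data[9:])
    return info


if __name__ == "__main__":
    addr, payload, _ = parse_dump_line(SAMPLE_LINE)
    print("buffer at 0x%08x, %d bytes" % (addr, len(payload)))
    for key, value in decode_eapol(payload).items():
        print("  %s: %s" % (key, value))
```

Under these assumptions the sample line decodes as the first 16 bytes of an EAP Request/Identity, which is the kind of frame to expect at the start of an authentication trace.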
Table 9-2 Flag Definitions
Flag Value    Definition
0x8           Host or net is unreachable.
0x10          Created dynamically (by redirect).
0x20          Modified dynamically (by redirect).
0x40          Message confirmed.
0x80          Subnet mask is present.
0x100         Generate new routes on use.
0x200         External daemon resolves name.
0x400         Generated by ARP.
0x800         Manually added (static).
0x1000        Just discard packets (during updates).
:vxdiag_checkstack
Use the :vxdiag_checkstack command to display a summary of the stack activity for each access point task.
:vxdiag_hostshow
Use the :vxdiag_hostshow command to display remote hosts and their IP addresses and aliases. The remote host information might look like this example:
Clock: 96470 sec hostname -------localhost 10.84.139.161 10.84.139.136 10.84.139.138 10.84.139.167 10.84.139.160 10.84.139.137 AP_North.cisco.com 10.84.139.164 10.84.139.169 10.84.139.
:vxdiag_i
Use the :vxdiag_i command to display a list of current tasks on the access point.
• Delay—delay interval in system clock-ticks (1/52 second) that must elapse before the task runs

Follow the steps in the “Entering Diagnostic Commands” section on page 9-20 to open the CLI and enter the :vxdiag_i command.

:vxdiag_ipstatshow

Use the :vxdiag_ipstatshow command to display IP statistics for the access point.
• Fragdropped—number of fragmented packets received that were dropped
• Fragtimeout—number of fragmented packets received that timed out
• Forward—number of packets forwarded
• Cantforward—number of packets received for an unreachable destination
• Redirectsent—number of packets forwarded in the same subnet
• Unknownprotocol—number of packets received with unknown protocol information
• Nobuffers—number of packets dropp
• avg block—the average block size; simply put, the number in the bytes column divided by the number in the blocks column
• max block—the maximum contiguous memory block available

Follow the steps in the “Entering Diagnostic Commands” section on page 9-20 to open the CLI and enter the :vxdiag_memshow command.

:vxdiag_muxshow

Use the :vxdiag_muxshow command to display all the networking protocols installed on the access point.
:vxdiag_routeshow

Use the :vxdiag_routeshow command to display current routing information for the access point. The routing information might look like the following example:

ROUTE NET TABLE destination gateway flags Refcnt Use Interface ---------------------------------------------------------------------0.0.0.0 10.84.139.129 3 1 1932 emac0 10.84.139.128 10.84.139.
:vxdiag_tcpstatshow

Use the :vxdiag_tcpstatshow command to display Transmission Control Protocol (TCP) statistics for the access point.
:vxdiag_udpstatshow

Use the :vxdiag_udpstatshow command to display User Datagram Protocol (UDP) statistics for the access point.
Tracing Packets

a packet trace log file. Use the instructions in the “Tracing Packets for Specific Devices” section on page 9-33 and the “Tracing Packets for Ethernet and Radio Ports” section on page 9-34 to select devices and ports to be traced.
Step 2 Find the wireless device for which you want to trace packets and click the device’s MAC address. The device’s Station page appears.

Step 3 On the device’s Station page, click the alert checkbox in the To Station header to trace packets sent to the device. Click the alert checkbox in the From Station header to trace packets the device sends.

Note Copying packets into access point memory slows the access point’s performance.
Step 2 To trace packets sent or received through the access point’s Ethernet port, click Ethernet in the yellow header row. To trace packets sent or received through the access point’s radio port, click AP Radio in the yellow header row. The Ethernet Port or AP Radio Port page appears.

Step 3 Click the alert checkbox in the Receive header to trace packets received through the Ethernet or radio port.
Packets Stored in a Log File

Follow these steps to view traced packets stored in a log file:

Step 1 Browse to the Event Handling Setup page. Follow this link path to the Event Handling Setup page:
  a. On the Summary Status page, click Setup.
  b. On the Setup page, click Event Handling under Event Log.

Step 2 Click Headers Only to view only the packet headers; click All Data to view all the collected packet information.
A portion of the All Data packet trace file might look like this example:

===Beginning of AP_North Detailed Trace Log===
04:46:14 +17174.
Checking the Top Panel Indicators

[Figure 9-9 Top Panel Indicator Lights: Ethernet, Status, Radio]

• The Ethernet indicator signals traffic on the wired LAN, or Ethernet infrastructure. This indicator blinks green when a packet is received or transmitted over the Ethernet infrastructure.
• The status indicator signals operational status. Blinking green indicates that the access point is operating normally but is not associated with any wireless devices.
Table 9-3 Top Panel Indicator Signals

Message type        Ethernet indicator  Status indicator  Radio indicator  Meaning
Association status  –                   Steady green      –                At least one wireless client device is associated with the unit.
                    –                   Blinking green    –                No client devices are associated; check the unit’s SSID and WEP settings.
Operational         –                   Steady green      Blinking green   Transmitting/receiving radio packets.
Error/warning
Finding an Access Point by Blinking the Top Panel Indicators

If you need to find the physical location of a particular access point, you can put the top panel indicators into blinking mode. Follow these instructions to blink the access point’s top panel indicators:

Step 1 Browse to the access point’s Cisco Services Setup page:
  a. On the Summary Status page, click Setup.
  b. On the Setup page, click Cisco Services.
Checking Basic Settings

Note If you use Network-EAP as the authentication type, you must select key 1 as the access point’s transmit key. The access point uses the WEP key you enter in key slot 1 to encrypt multicast data signals it sends to EAP-enabled client devices.
Table 9-4 802.1x Protocol Drafts and Compliant Client Firmware (continued)

Firmware Version              Draft 7  Draft 8  Draft 10
PC/PCI cards 4.23             —        x        —
PC/PCI cards 4.25 and later   —        —        x
WGB34x/352 8.58               —        x        —
WGB34x/352 8.61 or later      —        —        x
AP34x/35x 11.05 and earlier   —        x        —
AP34x/35x 11.06 and later     —        x        x
BR352 11.06 and later         —        x        x
• Draft 7—No radio firmware versions compliant with Draft 7 have LEAP capability, so you should not need to select this setting.
• Draft 8—Select this option if LEAP-enabled client devices that associate with this access point use radio firmware versions 4.13, 4.16, or 4.23.
• Draft 10—This is the default setting in access point firmware versions 11.06 and later.

Step 3
Resetting to the Default Configuration

Step 3 In the Connection Description window, enter a name and select an icon for the connection and click OK.

Step 4 In the Connect To window, select the port to which the cable is connected and click OK.

Step 5 In the Port Settings window, enter the following settings:
• 9600 baud,
• 8 data bits,
• No parity,
• 1 stop bit, and
• No flow control

Step 6 Click OK, and press Enter.
Appendix A
Channels, Power Levels, and Antenna Gains

This appendix lists the channels supported by the world's regulatory domains as well as the maximum power levels and antenna gains allowed per domain.
Channels

The channel identifiers, channel center frequencies, and regulatory domains of each 22-MHz-wide channel are shown in Table A-1.
Note France is included in the ETSI regulatory domain; however, channels 1 through 9 can be used in France at up to 10 mW EIRP, and channels 10 through 13 may be used at up to 100 mW EIRP. Users are responsible for ensuring that the channel set configuration is in compliance with the regulatory standards of France.

Maximum Power Levels and Antenna Gains
Table A-2 Maximum Power Levels Per Antenna Gain (continued)

Regulatory Domain              Antenna Gain (dBi)  Maximum Power Level (mW)
ETSI (100 mW EIRP maximum)     0                   100
                               2.2                 50
                               5.2                 30
                               6                   30
                               8.5                 5
                               12                  5
                               13.5                5
                               21                  1
Israel (100 mW EIRP maximum)   0                   100
                               2.2                 50
                               5.2                 30
                               6                   30
                               8.5                 5
                               12                  5
                               13.5                5
                               21                  1
China (10 mW EIRP maximum)     0                   5
                               2.2                 5
                               5.2                 n/a
                               6                   n/a
                               8.5                 n/a
                               12                  n/a
                               13.
Table A-2 Maximum Power Levels Per Antenna Gain (continued)

Regulatory Domain                Antenna Gain (dBi)  Maximum Power Level (mW)
Japan (10 mW/MHz EIRP maximum)   0                   50
                                 2.2                 30
                                 5.2                 30
                                 6                   30
                                 8.5                 n/a
                                 12                  n/a
                                 13.
Cisco Aironet 1200 Series Access Point Software Configuration Guide OL-2159-01
Appendix B
Protocol Filter Lists

The tables in this appendix list the protocols available on the Protocol Filters pages described in the “Protocol Filtering” section on page 3-8.
Table B-1 Protocols on the Ethertype Filters Page

Protocol                       Additional Identifier  ISO Designator
ARP                            —                      0x0806
RARP                           —                      0x8035
IP                             —                      0x0800
Berkeley Trailer Negotiation   —                      0x1000
LAN Test                       —                      0x0708
X.25 Level3 X.
Table B-2 Protocols on the IP Protocol Filters Page

Protocol                             Additional Identifier  ISO Designator
dummy                                —                      0
Internet Control Message Protocol    ICMP                   1
Internet Group Management Protocol   IGMP                   2
Transmission Control Protocol        TCP                    6
Exterior Gateway Protocol            EGP                    8
PUP                                  —                      12
CHAOS                                —                      16
User Datagram Protocol               UDP                    17
XNS-IDP                              IDP                    22
ISO-TP4                              TP4                    29
ISO-CNLP                             CNLP                   80
Banyan VINES                         VINES                  83
Encapsulation Header                 encap_hdr              98
Spectralink Voice Prot
Table B-3 Protocols on the IP Port Protocol Filters Page

Protocol                         Additional Identifier  ISO Designator
TCP port service multiplexer     tcpmux                 1
echo                             —                      7
discard (9)                      —                      9
systat (11)                      —                      11
daytime (13)                     —                      13
netstat (15)                     —                      15
Quote of the Day                 qotd quote             17
Message Send Protocol            msp                    18
ttytst source                    chargen                19
FTP Data                         ftp-data               20
FTP Control (21)                 ftp                    21
Secure Shell (22)                ssh                    22
Telnet                           —                      23
Simple Mail Transport Protocol   SMTP mail              25
ti
Table B-3 Protocols on the IP Port Protocol Filters Page (continued)

Protocol                      Additional Identifier  ISO Designator
gopher                        —                      70
rje                           netrjs                 77
finger                        —                      79
Hypertext Transport Protocol  HTTP www               80
ttylink                       link                   87
Kerberos v5                   Kerberos krb5          88
supdup                        —                      95
hostname                      hostnames              101
TSAP                          iso-tsap               102
CSO Name Server               cso-ns csnet-ns        105
Remote Telnet                 rtelnet                107
Postoffice v2                 POP2 POP v2            109
Postoffice v3                 POP3 POP v3            110
Sun RPC                       sunrpc                 111
Table B-3 Protocols on the IP Port Protocol Filters Page (continued)

Protocol                             Additional Identifier                   ISO Designator
NETBIOS Name Service                 netbios-ns                              137
NETBIOS Datagram Service             netbios-dgm                             138
NETBIOS Session Service              netbios-ssn                             139
Interim Mail Access Protocol v2      Interim Mail Access Protocol IMAP2      143
Simple Network Management Protocol   SNMP                                    161
SNMP Traps                           snmp-trap                               162
ISO CMIP Management Over IP          CMIP Management Over IP cmip-man CMOT   163
ISO CMIP Agent
Table B-3 Protocols on the IP Port Protocol Filters Page (continued)

Protocol                              Additional Identifier  ISO Designator
Interactive Mail Access Protocol v3   imap3                  220
Unix Listserv                         ulistserv              372
syslog                                —                      514
Unix spooler                          spooler                515
talk                                  —                      517
ntalk                                 —                      518
route                                 RIP                    520
timeserver                            timed                  525
newdate                               tempo                  526
courier                               RPC                    530
conference                            chat                   531
netnews                               —                      532
netwall                               wall                   533
UUCP Daemon                           UUCP uucpd             540
Kerberos rlogin                       klogin                 543
Kerbe
Table B-3 Protocols on the IP Port Protocol Filters Page (continued)

Protocol                     Additional Identifier  ISO Designator
Concurrent Versions System   CVS                    2401
Cisco IAPP                   —                      2887
Radio Free Ethernet          RFE                    5002