Cisco Aironet Access Point Software Configuration Guide 340 and 350 Series Software Release 12.01T Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Preface
The Cisco Aironet Access Point Software Configuration Guide describes how to configure Cisco Aironet Access Points using the web-based management system. This manual also briefly describes how to use the console-based management system.
Audience and Scope
This guide is for the network manager responsible for configuring a wireless network. Before using the material in this guide, you should be familiar with some of the concepts and terminology of Ethernet and wireless local area networking.
Chapter 10, “Managing Firmware and Configurations,” describes how to update the access point’s firmware and use the management system to distribute firmware and configurations to other access points.
Chapter 11, “Management System Setup,” describes methods of managing the access point other than through the access point management system.
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Related Publications
The following documents provide more information about access points and related products:
• Quick Start Guide: Cisco Aironet Access Points describes how to attach cables, power on, and assign an IP address and default gateway for the access point.
Obtaining Documentation
These sections explain how to obtain documentation from Cisco Systems.

World Wide Web
You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com
Translated documentation is available at this URL: http://www.cisco.com/public/countries_languages.
Documentation Feedback
You can submit comments electronically on Cisco.com. In the Cisco Documentation home page, click the Fax or Email option in the “Leave Feedback” section at the bottom of the page. You can e-mail your comments to bug-doc@cisco.com.
Obtaining Technical Assistance
• Order Cisco learning materials and merchandise
• Register for online skill assessment, training, and certification programs
If you want to obtain customized information and service, you can self-register on Cisco.com. To access Cisco.com, go to this URL: http://www.cisco.com

Technical Assistance Center
The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution.
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register: http://www.cisco.com/register/ If you are a Cisco.
Chapter 1 Overview
Cisco Aironet access points are wireless LAN transceivers that serve as the center point of a stand-alone wireless network or as the connection point between wireless and wired networks. In large installations, wireless users within radio range of an access point can roam throughout a facility while maintaining seamless, uninterrupted access to the network.
Key Features
This section describes the key features of the access point firmware. The following are the key features of this firmware version:
• Multiple IEEE 802.11 service set identifiers (SSIDs) allow you to create different levels of network access and to access virtual LANs (VLANs). You can configure up to 16 separate SSIDs to support up to 16 VLANs.
– Switch to repeater mode—the access point tries to connect to a root access point using any of the configured SSIDs. If it cannot connect, all clients are disassociated and the access point removes itself from the wireless network until connectivity is restored.
– Shut the radio off—all clients are disassociated and the access point removes itself from the wireless network until backbone connectivity is restored.
• If authentication is successful, all management traffic between the client and access point is encrypted using the session key.

Management Options
You can use the access point management system through the following interfaces:
• A web-browser interface
• A command-line interface (CLI), Telnet, and SSH
• Simple Network Management Protocol (SNMP)
The access point’s management system pages are organized the same way for the web-browser interface and the CLI.
Quality of Service Support
The access point now supports Cisco’s QoS, primarily in the area of wireless VoIP telephones from Spectralink and Symbol Technologies Corporation. The access point also provides priority classification, prioritized queueing, and prioritized channel access for other downlink IEEE 802.11 traffic such as streaming audio or video traffic.
• Does not provide a method for prioritizing uplink traffic on IEEE 802.11 links.
• Does not offer 802.1X authentication for Symbol VoIP phones because those phones do not support an 802.1X type such as LEAP or EAP-TLS.
• The DTIM beacon period must be small to support jitter-sensitive streaming multicast audio and video applications.
• Supports IEEE 802.11e EDCF-like channel access prioritization but does not support IEEE 802.11e QoS frame formats.
VLAN Support
A VLAN can be thought of as a broadcast domain that exists within a defined set of switches. A VLAN consists of a number of end systems, either hosts or network equipment (such as bridges and routers), connected by a single bridging domain. The bridging domain is supported on various pieces of network equipment; for example, LAN switches that operate bridging protocols between them with a separate group for each VLAN.
Figure 1-1 LAN Segmentation and VLAN Segmentation with Wireless Components (figure not reproduced: traditional LAN segmentation, with a shared hub per floor for LAN 1 to LAN 3 and access points using SSID 0, beside VLAN segmentation, with Catalyst VLAN switches carrying VLAN 1 to VLAN 3 and an access point on a trunk port where SSID 1 = VLAN1, SSID 2 = VLAN2, SSID 3 = VLAN3)
Related Documents
The following documents provide more detailed information pertaining to VLAN design and configuration:
• Cisco IOS Switching Services Configuration Guide
• Cisco Internetworking Design Guide
• Cisco Internetworking Technology Handbook
• Cisco Internetworking Troubleshooting Guide

Incorporating Wireless Devices into VLANs
A WLAN is generally deployed in an enterprise campus or branch office for increased efficiency and flexibility.
A VLAN Example
The following simplified example shows how wireless devices can be used effectively in a VLAN environment on a college campus.
Figure 1-2 VLAN Example (figure not reproduced: an access point on a trunk port to Catalyst VLAN switches and a router, with VLAN segmentation into VLAN 01, VLAN 02, and VLAN 03; Students use SSID: Students, VLAN ID: 01; Faculty use SSID: Faculty, VLAN ID: 02; Management uses SSID: Management, VLAN ID: 03)
Network Configuration Examples
This section describes the access point’s role in three common wireless network configurations. The access point’s default configuration is as a root unit connected to a wired LAN or as the central unit in an all-wireless network. The repeater role requires a specific configuration.

Root Unit on a Wired LAN
An access point connected directly to a wired LAN provides a connection point for wireless users.
Repeater Unit that Extends Wireless Range
An access point can be configured as a stand-alone repeater to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication. The repeater forwards traffic between wireless users and the wired LAN by sending packets to either another repeater or to an access point connected to the wired LAN. The data is sent through the route that provides the best performance for the client.
Central Unit in an All-Wireless Network
In an all-wireless network, an access point acts as a stand-alone root unit. The access point is not attached to a wired LAN; it functions as a hub linking all stations together. The access point serves as the focal point for communications, increasing the communication range of wireless users. Figure 1-5 shows an access point in an all-wireless network.
Chapter 2 Using the Management Interfaces
This chapter describes the interfaces you can use to configure the access point. You can use a web-browser interface, a command-line interface through a terminal emulator or a Telnet session, or a Simple Network Management Protocol (SNMP) application. The access point’s management system web pages are organized the same way for the web browser and command-line interfaces. The examples in this manual show the web-browser interface.
Using the Web-Browser Interface
The web-browser interface contains management pages that you use to change access point settings, upgrade and distribute firmware, and monitor and configure other wireless devices on the network.
Note: The access point management system is fully compatible with Microsoft Internet Explorer versions 4.0 or later and Netscape Communicator versions 4.0 or later.
Note: It’s important to remember that clicking your browser’s Back button is the same as clicking Cancel: if you make changes on a management page, your changes are not applied when you click Back. Changes are only applied when you click Apply or OK.
Table 2-1 lists the page links and buttons that appear on most management pages.
Navigating Using the Map Windows
The Map window appears when you click Map at the top of any management page. You can use the Map window to jump quickly to any system management page, or to a map of your entire wireless network.
Note: Your Internet browser must have Java enabled to use the map windows.
Figure 2-2 The Network Map Window
Click the name of a wireless device to open a new browser window displaying a Station page listing the access point’s local information for that device. Click Go beside the device name to open a new browser window displaying that device’s home page, if available. Some devices, such as PC Card clients, might not have home pages.
Using the Command-Line Interface

Preparing to Use a Terminal Emulator
To use a terminal emulator to open the CLI, you need to:
1. Connect a nine-pin, straight-through DB-9 serial cable to the RS-232 serial port on the access point and to the COM port on a computer.
2. Set up a terminal emulator to communicate with the access point.
Figure 2-4 Connecting the Serial Cable on Access Point with Metal Case (figure not reproduced: RS-232 9-pin serial extension cable from the access point’s serial port to the PC COM port)

Setting Up the Terminal Emulator
Follow these steps
Changing Settings with the CLI
The CLI pages use consistent techniques to present and save configuration information. Table 2-2 lists the functions that appear on most CLI pages, and Figure 2-5 shows a CLI page example.

Table 2-2 Common Functions on CLI Pages
Function                   Description
Press Enter three times    Refreshes the page and cancels changes to settings.
Ctrl-R                     Refreshes the page and cancels changes to settings.
Figure 2-5 CLI Page Example

Selecting Pages and Settings
When you type names and settings that appear in brackets you jump to that page or setting. HyperTerminal jumps to the page or setting as soon as it recognizes a unique name, so you only need to type the first few characters in the page or setting name. To jump from the home page to the Setup page, for example, you only need to type se.
Navigating the CLI
The organization of the CLI pages is identical to the web-browser pages. Follow these steps to browse to the CLI pages with Telnet:
Step 1 On your computer’s Start menu, select Programs > Accessories > Telnet. If Telnet is not listed in your Accessories menu, select Start > Run, type Telnet in the entry field, and press Enter.
Step 2 When the Telnet window appears, click Connect and select Remote System.
Using SNMP
Use the SNMP Setup page to enter detailed SNMP settings, such as the SNMP trap destination. See the “SNMP Setup” section on page 11-2 for details on the SNMP Setup page.

Supported MIBs
The access point supports the following MIBs:
• AWC-VLAN--MIB.mib
• IEEE802_11Draft6.mib
• AwcVx.mib
These MIBs are bundled in a compressed executable file available on the Software Center at Cisco.com.
Chapter 3 Configuring the Radio and Basic Settings
This chapter describes how to use the pages in the access point management system to configure the access point. The main Setup page provides links to all the pages containing access point settings. This chapter contains the following sections:
• Basic Settings
• Radio Configuration
• Ethernet Configuration
See Chapter 8, “Security Setup” for information on setting up the access point’s security features.
Basic Settings
This section describes the basic settings on the Express Setup page. If you need to set up an access point quickly with a simple configuration, or change or update a basic setting, you can enter all the access point’s essential settings for basic operation on the Express Setup page. Figure 3-1 shows the Express Setup page.
Figure 3-1 The Express Setup Page
Follow this link path to reach the Express Setup page: 1.
• Default Gateway
• Radio Service Set ID (SSID)
• Role in Radio Network
• Radio Network Optimization (Optimize Radio Network For)
• Radio Network Compatibility (Ensure Compatibility With)
• SNMP Admin. Community

System Name
The system name appears in the titles of the management system pages and in the access point’s Association Table page.
Default IP Address
Use this setting to assign or change the access point’s IP address. If DHCP or BOOTP is not enabled for your network, the IP address you enter in this field is the access point’s IP address. If DHCP or BOOTP is enabled, this field provides the IP address only if no server responds with an IP address for the access point.
Role in Radio Network
Use this drop-down menu to select the role of the access point on your network. The menu contains the following options:
• Root Access Point—A wireless LAN transceiver that connects an Ethernet network with wireless client stations. Use this setting if the access point is connected to the wired LAN. Figure 3-2 shows an access point operating as a root unit in a network.
Figure 3-3 Repeater Access Point (figure not reproduced: an access point (root unit) on the wired LAN and an access point (repeater))
• Site Survey Client—A wireless device that depends on an access point for its connection to the network. Use this setting when performing a site survey for a repeater access point. When you select this setting, clients are not allowed to associate.
Radio Network Optimization (Optimize Radio Network For)
You use this setting to select either preconfigured settings for the access point radio or customized settings for the access point radio.
• Throughput—Maximizes the data volume handled by the access point but might reduce the access point’s range.
• Range—Maximizes the access point’s range but might reduce throughput.
Radio Configuration
This section describes how to configure the access point’s radio. You use the AP Radio pages in the management system to set the radio configuration. The radio pages include:
• AP Radio Identification—Contains the basic locating and identity information for the access point Radio port. See the “Entering Identity Information” section on page 3-8 for instructions on using the AP Radio Identification page.
Figure 3-4 The AP Radio Identification Page
Follow this link path to reach the AP Radio Identification page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Identification in the AP Radio row under Network Ports.
Primary Port Settings
Two options allow you to designate the access point’s radio port as the Primary Port and select whether the radio port adopts or assumes the identity of the primary port.
• Primary Port?—The primary port determines the access point’s MAC and IP addresses. Ordinarily, the access point’s primary port is the Ethernet port, which is connected to the wired LAN, so this setting is usually set to no.
Service Set ID (SSID)
An SSID is a unique identifier that client devices use to associate with the access point. SSIDs help client devices distinguish between multiple wireless networks in the same vicinity and provide access to VLANs by wireless client devices. Several access points on a network or sub-network can share an SSID. You can configure up to 16 SSIDs on an access point.
Figure 3-5 The AP Radio Hardware Page
Follow this link path to reach the AP Radio Hardware page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Hardware in the AP Radio row under Network Ports.
• Frag. Threshold
• RTS Threshold
• Max. RTS Retries
• Max. Data Retries
• Beacon Period
• Data Beacon Rate (DTIM)
• Default Radio Channel
• Search for Less-Congested Radio Channel
• Restrict Searched Channels
• Receive Antenna and Transmit Antenna
The AP Radio Hardware page also contains links to the AP Radio Data Encryption page and VLAN Setup page.
• Yes—This is the default setting; it allows devices that do not specify an SSID (devices that are broadcasting in search of an access point to associate with) to associate with the access point.
• No—Devices that do not specify an SSID (devices that are broadcasting in search of an access point to associate with) are not allowed to associate with the access point.
Figure 3-6 Data Rate Settings for 11 Mbps Service Only
To set up the access point to serve only client devices operating at 1 and 2 Mbps, select Basic for 1 and 2 and set the rest of the data rates to Yes. Figure 3-7 shows the Data Rates set up for 1- and 2-Mbps service only.
Frag. Threshold
This setting determines the size at which packets are fragmented (sent as several pieces instead of as one block). Enter a setting ranging from 256 to 2338 bytes. Use a low setting in areas where communication is poor or where there is a great deal of radio interference.

RTS Threshold
This setting determines the packet size at which the access point issues a request to send (RTS) before sending the packet.
Default Radio Channel
The factory setting for Cisco wireless LAN systems is Radio Channel 6 transmitting at 2437 MHz. To overcome an interference problem, other channel settings are available from the drop-down menu of 11 channels ranging from 2412 to 2462 MHz. Each channel covers 22 MHz. The bandwidth for channels 1, 6, and 11 does not overlap, so you can set up multiple access points in the same vicinity without causing interference.
Figure 3-8 AP Radio Restrict Searched Channels Page
The page lists all the channels in the access point’s regulatory domain. Click the Search check boxes beside the channels to include or exclude channels in the scan for less-congested channels. All the channels are included in the scan by default.
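
The channel arithmetic behind the Default Radio Channel and Restrict Searched Channels settings above, as an added example that is not taken from this guide or from the access point firmware. The 5 MHz channel spacing is the standard 2.4 GHz channel plan; the function names, the constructed neighbour list and the scoring rule in `least_congested` are assumptions for illustration and do not describe the access point's own channel search.

```python
"""Overlap between the 11 channels (2412-2462 MHz, 22 MHz wide) in the guide.

Added illustration: names and the scoring rule are assumptions, not the
access point's own "Search for Less-Congested Radio Channel" algorithm.
"""

CHANNEL_WIDTH_MHZ = 22            # from the guide: each channel covers 22 MHz
CHANNELS = tuple(range(1, 12))    # from the guide: 11 channels


def center_mhz(channel):
    """Center frequency; 2.4 GHz channels are spaced 5 MHz apart from 2412 MHz."""
    if channel not in CHANNELS:
        raise ValueError(f"channel {channel} is outside 1-11")
    return 2407 + 5 * channel


def overlap_mhz(a, b):
    """MHz of spectrum shared by channels a and b (0 means no overlap)."""
    return max(0, CHANNEL_WIDTH_MHZ - abs(center_mhz(a) - center_mhz(b)))


def overlapping_channels(channel):
    """Every other channel whose 22 MHz band shares spectrum with `channel`."""
    return [c for c in CHANNELS if c != channel and overlap_mhz(channel, c) > 0]


def non_overlapping(plan):
    """True if no two channels in a channel plan share spectrum."""
    plan = list(plan)
    return all(overlap_mhz(a, b) == 0
               for i, a in enumerate(plan) for b in plan[i + 1:])


def interference(channel, neighbors):
    """(count of neighbouring APs sharing spectrum, total shared MHz)."""
    shared = [overlap_mhz(channel, n) for n in neighbors]
    return sum(1 for s in shared if s > 0), sum(shared)


def least_congested(neighbors, searchable=CHANNELS):
    """Pick the searchable channel that the fewest neighbouring APs overlap.

    `searchable` plays the part of the Restrict Searched Channels check boxes.
    Ties are broken by total shared MHz, then by the lower channel number.
    """
    searchable = sorted(set(searchable))
    if not searchable:
        raise ValueError("at least one channel must be left in the search")
    return min(searchable, key=lambda ch: (*interference(ch, neighbors), ch))


# Constructed sample: channels seen in use by nearby access points.
SAMPLE_NEIGHBORS = [1, 3, 6, 6, 11]

if __name__ == "__main__":
    for ch in CHANNELS:
        count, mhz = interference(ch, SAMPLE_NEIGHBORS)
        print(f"channel {ch:2d}  {center_mhz(ch)} MHz  "
              f"overlapping APs: {count}  shared MHz: {mhz}")
    print("all channels searched ->", least_congested(SAMPLE_NEIGHBORS))
    print("search restricted to 1 and 6 ->",
          least_congested(SAMPLE_NEIGHBORS, searchable=[1, 6]))
```

Restricting the searched channels changes the outcome: with every channel in the search the constructed survey selects channel 11, while a search limited to channels 1 and 6 selects channel 1.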
Entering Advanced Configuration Information
Use the AP Radio Advanced page to assign special configuration settings for the access point’s radio. Figure 3-9 shows the AP Radio Advanced page.
Follow this link path to reach the AP Radio Advanced page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Advanced in the AP Radio row under Network Ports.
Requested Status
This setting is useful for troubleshooting problems on your network. Up, the default setting, turns the radio on for normal operation. Down turns the access point’s radio off.

Current Status
The Current Status line under the setting displays the current status of the radio port. This field can also display Error, meaning the port is operating but is in an error condition.
The drop-down menus for multicast address filters contain two options:
• Allowed—The access point forwards all traffic except packets sent to the MAC addresses listed as disallowed on the Address Filters page.
• Disallowed—The access point discards all traffic except packets sent to the MAC addresses listed as allowed on the Address Filters page.
SSID for use by Infrastructure Stations (such as Repeaters)
Identifies the SSID to be used by repeaters and workgroup bridges to associate to the access point. It is also the SSID used by a non-root bridge to associate to a root bridge. This SSID should be mapped to the native VLAN ID in order to facilitate communications between infrastructure devices and a non-root access point or bridge.
Access points and bridges normally treat workgroup bridges not as client devices but as infrastructure devices, like access points or bridges. Treating a workgroup bridge as an infrastructure device means that the access point reliably delivers multicast packets, including Address Resolution Protocol (ARP) packets, to the workgroup bridge.
• 802.1H—This default setting provides optimum performance for Cisco Aironet wireless products.
• RFC1042—Use this setting to ensure interoperability with non-Cisco Aironet wireless equipment. RFC1042 does not provide the interoperability advantages of 802.1H but is used by other manufacturers of wireless equipment.
Note: When you enable MIC, only MIC-capable client devices can communicate with the access point.

Temporal Key Integrity Protocol
This setting enables the temporal key integrity protocol (TKIP, or WEP key hashing), which defends against an attack on WEP in which the intruder uses the unencrypted initialization vector (IV) in encrypted packets to calculate the WEP key.
Note: When you enable broadcast key rotation, only wireless client devices using LEAP or EAP-TLS authentication can use the access point. Client devices using static WEP (with open, shared key, or EAP-MD5 authentication) cannot use the access point when you enable broadcast key rotation.

Advanced Primary SSID Setup
Go to this link to configure 802.
Radio Preamble
The radio preamble is a section of data at the head of a packet that contains information the access point and client devices need when sending and receiving packets. The drop-down menu allows you to select a long or short radio preamble:
• Long—A long preamble ensures compatibility between the access point and all early models of Cisco Aironet Wireless LAN Adapters (PC4800 and PC4800A).
Figure 3-10 The Ethernet Identification Page
Follow this link path to reach the Ethernet Identification page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Identification in the Ethernet row under Network Ports.
• Primary Port?—The primary port determines the access point’s MAC and IP addresses. Ordinarily, the access point’s primary port is the Ethernet port, so this setting is usually set to yes. Select yes to set the Ethernet port as the primary port. Select no to set the radio port as the primary port.
• Adopt Primary Port Identity?—Select yes to adopt the primary port settings (MAC and IP addresses) for the Ethernet port.
Entering Ethernet Hardware Information
You use the Ethernet Hardware page to select the connector type, connection speed, and duplex setting used by the access point’s Ethernet port. Figure 3-11 shows the Ethernet Hardware page.
Figure 3-11 The Ethernet Hardware Page
Follow this link path to reach the Ethernet Hardware page:
1. On the Summary Status page, click Setup.
2.
Speed
The Speed drop-down menu lists five options for the type of connector, connection speed, and duplex setting used by the port. The option you select must match the actual connector type, speed, and duplex settings used to link the port with the wired network.
Loss of Backbone Connectivity Action
This setting determines what action the access point takes when a loss of backbone connectivity occurs after the time specified in the previous setting. The following actions can be taken:
• No action—nothing is done.
• Switch to repeater mode—the access point disassociates all its current clients and becomes a repeater during the period when its backbone connectivity is lost.
Entering Advanced Configuration Information
You use the Ethernet Advanced page to assign special configuration settings for the access point’s Ethernet port. Figure 3-12 shows the Ethernet Advanced page.
Figure 3-12 The Ethernet Advanced Page
Follow this link path to reach the Ethernet Advanced page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Advanced in the Ethernet row under Network Ports.
The page also displays the current status of the Ethernet port and its forwarding state. The current status displays either up or down and can also display Error if the port is in an error condition. The forwarding state displays the port’s current forwarding state. The state for normal operation is Forwarding.
blocks traffic to all MAC addresses except those you specify. Read the “MAC Address Filtering” section on page 5-6 for complete instructions on setting up MAC address filters.
Unicast packets are addressed to just one device on the network. Multicast packets are addressed to multiple devices on the network.
Always Unblock Ethernet When STP is Disabled
Use this setting to maintain a bridge link when Spanning Tree Protocol (STP) is disabled. If STP is enabled, select no.
Optimize Ethernet for
Use this setting to specify how you want the Ethernet link to perform. You have two choices: performance and statistics collection. Selecting either results in a compromise.
CHAPTER 4
Configuring VLANs
This chapter describes VLANs and provides information about configuring them on an access point. The chapter guides you through the process for configuring a typical example VLAN deployment.
Entering VLAN Information
To access the VLAN setup page (see Figure 4-1), click VLAN in the Associations section of the Setup page. You can also access the page from the AP Radio Advanced page in the Network Ports section of the Setup page.
Figure 4-1 VLAN Setup Page
Follow this link path to reach the VLAN Setup page:
1. On the Summary Status page, click Setup. The Setup page appears.
2. In the Associations section, click VLAN.
VLAN Summary Status Link
Clicking this link takes you to a page containing a listing of existing VLANs on the access point. The list provides you with configuration information for each VLAN. Figure 4-2 shows a typical VLAN Summary Status page.
Figure 4-2 VLAN Summary Status Page
VLAN (802.1Q) Tagging
Determines whether the IEEE 802.1Q protocol is used to tag VLAN packets. IEEE 802.
Optionally allow Encrypted packets on the unencrypted VLAN
Determines whether the access point passes encrypted packets on an unencrypted VLAN. This setting permits a client device to associate to the access point allowing both WEP and non-WEP associations.
VLAN ID
A unique number that identifies a VLAN. This number must match VLANs set on the switch. The setting is configured by the user.
Note With an encryption key configured, the VLAN supports standardized WEP. However, TKIP, MIC, and broadcast key rotation features can optionally be configured as noted above.
Table 4-1 lists the SSID and VLAN ID configuration parameters.
In these scenarios, Cisco recommends that you configure an infrastructure SSID for each access point. Figure 4-3 illustrates combined deployment of infrastructure devices along with noninfrastructure devices in an enterprise LAN. As the figure shows, the native VLAN of the access point is mapped to the infrastructure SSID. WEP encryption along with TKIP (at least per packet key hashing) should be turned on for the infrastructure SSID.
There are two ways to implement RADIUS-based VLAN access control on the access point:
1. RADIUS-based VLAN assignment—upon successful IEEE 802.1x authentication, the RADIUS server assigns the user to a particular VLAN ID on the wired side. Regardless of which SSID is used for WLAN access, the user is always assigned to a particular VLAN ID.
2. RADIUS-based SSID access control—Upon successful IEEE 802.
Guidelines for Deploying Wireless VLANs
You should evaluate the need for deploying wireless VLANs in your own environment. Cisco recommends that you review the VLAN deployment rules and policies before considering wireless VLAN deployment and that you use similar policies to extend wired VLANs to the wireless LAN.
A Wireless VLAN Deployment Example
This section outlines a typical use of wireless VLANs. For the example, assume your company, XYZ, determines the need for wireless LANs in its network. Following the guidelines in the previous sections, your findings are as follows:
• Five different groups are present at Company XYZ: full-time employees, part-time employees, contract employees, guests, and maintenance workers.
Figure 4-5 Wireless VLAN Deployment Example (diagram labels: SSID = Full-time, SSID = Part-time, SSID = Maintenance, SSID = Guest; AP_2; Native VLAN = 10; Management VLAN (VLAN-id 10); 802.1Q Trunk; RADIUS server)
Using the Configuration Screens
Using the example outlined above, this section describes how to use the configuration screens to configure VLANs on your access point.
Creating and Configuring VLANs on the Access Point
For this example, you will create 5 VLANs using the information in Table 3-2.
Note To avoid error messages in the event log, do not enable the VLANs until you have finished creating them and associated SSIDs to them.
Creating the Native VLAN
You must create and identify a native VLAN before the access point can connect to the trunk and communicate with the switch.
Figure 4-7 VLAN ID #1 Setup Page
Step 7 Make the following entries on this page:
a. VLAN Name: Native VLAN (should be displayed)
b. VLAN Enable: Enable
c. Default Priority: default
d. Default Policy Group: None
e. Enhanced MIC verification for WEP: None
f. Temporal Key Integrity Protocol: Cisco
g. WEP Key 1: Enter 26 hexadecimal characters.
h.
Creating the Full- and Part-Time VLANs
The full- and part-time VLANs are essentially the same except for their names and SSIDs. Follow these steps to create these VLANs.
Step 1 On the VLAN Setup page, make the following changes:
a. VLAN (802.1Q) Tagging: Disabled
b. Native VLAN ID: 0
c. Single VLAN which allows Unencrypted packets: 0
d. Optionally allow Encrypted packets on the unencrypted VLAN: yes
e. VLAN ID: 2
f.
Creating the Guest VLAN
Step 1 Create a “Guest” VLAN using the following configuration:
a. VLAN (802.1Q) Tagging: Disabled
b. Native VLAN ID: 0
c. Single VLAN ID which allows Unencrypted packets: 0
d. Optionally allow Encrypted packets on the unencrypted VLAN: yes
e. VLAN ID: 4
f. VLAN Name: Guest
Step 2 Click Add New. The VLAN ID #4 page appears.
Step 3 Make the following entries on this page:
a. VLAN Name: Guest
a.
Step 8 Make the following entries on this page:
a. VLAN Name: Maintenance
b. VLAN Enable: Enabled
c. Default Priority: default
d. Default policy group: [0] None
e. Enhanced MIC verification for WEP: None
f. Temporal Key Integrity Protocol: None
g. WEP Key Rotation Interval: 0
h. Alert?: no
i. WEP Key 1: Set a 128-bit key.
Step 9 Click OK to return to the VLAN Setup page.
Step 3 In the Existing SSIDs field, highlight the tsunami (primary) SSID and click Edit. The AP Radio Primary SSID page appears (Figure 4-9).
Figure 4-9 AP Radio Primary SSID Page
Step 4 Make the following changes to this page:
a. Rename the Primary SSID to Native VLAN.
b. Maximum number of Associations: 0
c. Default VLAN ID: [1] Native VLAN.
Step 10 In the Service Set ID (SSID) field, enter Part-Time and click Add New. The AP Radio SSID #2 page appears.
Step 11 Map the Part-Time SSID to the [3] Part-Time VLAN ID.
Step 12 Select Network-EAP authentication type and allow default unicast address filters.
Step 13 Click OK to save your settings and return to the AP Radio Service Sets page.
Step 14 Create the Guest SSID and map it to the [4] Guest Default VLAN ID.
Figure 4-10 VLAN Setup Page
Step 2 Verify that the VLANs you created appear in the Existing VLANs field.
Step 3 Click Cancel to return to the Setup page.
Step 4 Click Service Sets. The AP Radio Service Sets page appears (Figure 4-11).
Step 5 Verify that the SSIDs you created appear in the Existing SSIDs field.
Step 6 If the VLANs and SSIDs verified in Steps 2 and 5 are correct, go to Step 7. If not, review the procedures and correct the problem.
Step 7 In the VLAN (802.1Q) field, click Enable.
Step 8 In the Native VLAN ID field, enter 1.
Step 9 Click OK. The 802.1Q Encapsulation Mode setting changes from Disabled to Hybrid Trunk.
• The number of clients per SSID is controllable.
• All access points and bridges in the same ESS must use the same native VLAN ID in order to facilitate IAPP communication between them.
Wireless LAN security policies can be mapped to the wired LAN switches and routers.
CHAPTER 5
Configuring Filters and Quality of Service
This chapter provides information and configuration procedures for setting up filters. The chapter also provides information and procedures for setting up QoS using filters you create.
Filter Setup
This section describes how to set up filtering to control the flow of data through the access point. You can filter data based on protocols and MAC addresses. Each type of filtering is explained in the following sections:
• Protocol Filtering, page 5-2
• MAC Address Filtering, page 5-6
Protocol Filtering
Protocol filters prevent or allow the use of specific protocols through the access point.
Figure 5-2 Protocol Filters Page
Follow this link path to reach the AP Radio or Ethernet Protocol Filters page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Filters in the AP Radio or Ethernet row under Network Ports.
The left side of the Protocol Filters page contains links to the Ethertype Filters, the IP Protocol Filters, and the IP Port Filters pages.
Figure 5-4 Filter Set Page
Step 6 Select forward or block from the Default Disposition drop-down menu. This setting is the default action for the protocols you include in the filter set. You can override this setting for specific protocols.
Step 7 In the Default Time to Live fields, enter the number of milliseconds unicast and multicast packets should stay in the access point’s buffer before they are discarded.
Step 9 Select forward or block from the Disposition drop-down menu to forward or block the protocol traffic, or leave this setting at default to use the default disposition that you selected for the filter set in Step 6.
Step 10 Select a priority for the protocol from the Priority drop-down menu.
Step 3 Select the protocol filter set that you want to enable from the Ethertype, IP Protocol, or IP Port drop-down menu.
Step 4 Click OK. The filter set is enabled.
MAC Address Filtering
MAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific MAC addresses.
Creating a MAC Address Filter
Follow these steps to create a MAC address filter:
Step 1 Follow the link path to the Address Filters page.
Step 2 Type a destination MAC address in the New MAC Address Filter: Dest MAC Address field. You can type the address with colons separating the character pairs (00:40:96:12:34:56, for example) or without any intervening characters (004096123456, for example).
Figure 5-7 AP Radio Advanced Page
Step 7 Click Advanced Primary SSID Setup. The AP Radio Primary SSID page appears. Figure 5-8 shows the AP Radio Primary SSID page.
Figure 5-8 AP Radio Primary SSID Page
Select Open, Shared Key, or Network-EAP to set the authentications the access point recognizes. See the “Security Overview” section on page 7-2 for a description of authentication types. If you use open or shared authentication as well as EAP authentication, select Require EAP under Open or Shared to block client devices that are not using EAP from authenticating through the access point.
If clients are not filtered immediately, click WARM RESTART SYSTEM NOW on the Manage System Configuration page to restart the access point. To reach the Manage System Configuration page, click Cisco Services on the main Setup page and click Manage System Configuration on the Cisco Services Setup page.
Note The Ethernet Advanced page contains the Default Unicast and Multicast Address Filter settings for the Ethernet port.
Figure 5-9 Quality of Service Setup Page
Follow this link path to reach the Quality of Service setup page:
1. On the Summary Status page, click Setup. The Setup page appears.
2. In the Associations section, click Protocol Filters. The Protocol Filters Setup page appears.
3. Click Quality of Service. The AP Radio Quality of Service page appears.
Send IGMP General Query
Configures the access point to perform IP multicast filtering on behalf of its clients. When Internet Group Membership Protocol (IGMP) snooping is enabled on a switch, and a client roams from one access point to another, the multicast session is dropped.
The best example of this is the negotiations between the access point and a Symbol VoIP WLAN handset. A protocol has been defined by Symbol that allows the handset to be identified by the access point and given interactive voice classification. Follow these steps to enable this feature.
Step 1 Browse to the Setup screen on the access point.
Step 2 Click Protocol Filters in the Associations section.
Step 4 Click the yes radio button in the Use Symbol Extensions setting.
By VLAN
The default priority of a VLAN can be set, and the access point or bridge uses this setting for all traffic on that VLAN except when overridden by a filter setting. This filter setting is applied through the policy group on the VLAN. Follow these steps to set up a VLAN’s QoS default priority.
Step 1 From the Setup page, click VLAN in the Associations section.
By Filter
Access point and bridge filters already allow the classification of traffic based upon Ethertype, Internet Protocol, or IP Port. An example of a filter classifying traffic is shown in Figure 5-13.
Figure 5-13 Filters Priority Setting
The filters can be applied on interfaces or as a part of a VLAN policy group. The access point has a default filter to classify all Spectralink voice traffic with voice priority.
Figure 5-15 shows how the Spectralink filter is applied.
Figure 5-15 Applying the Spectralink Filter
By CoS Value
Traffic that comes to the access point or bridge over an Ethernet trunk is already classified by its Class of Service (CoS) settings. The classification is applied unless changed by one of the methods described above.
Follow these steps to access the DSCP-to-CoS Conversion page.
Step 1 From the Summary Status page, click Setup. The Setup page appears.
Step 2 In the Associations section, click Protocol Filters. The Protocol Filters Setup page appears.
Step 3 Click DSCP-to-CoS Conversion.
Figure 5-17 VLAN Setup page
Step 5 Click Add New. The VLAN ID #xx page appears.
Step 6 Set VLAN Enable setting to Enable.
Step 7 In the Default Priority Group drop-down menu, select Interactive Voice (Figure 5-18).
Note Wireless phones do not support Enhanced MIC verification for WEP or TKIP. No changes are required for these settings.
If your wireless phone has a WEP key set, go to the next section. If a WEP key is not set, go to the “WEP Not Set on the Wireless Phone” section on page 5-19.
WEP Set on the Wireless Phone
If WEP is set on your wireless phone, you must set an identical WEP key for the interactive voice VLAN.
Step 4 Click OK. You are returned to the Setup page.
Step 5 In the Associations section, click SSIDs: Int. The AP Radio: Internal Service Sets page appears.
Step 6 Enter a valid SSID in the Service Set ID (SSID) field (Figure 5-20).
Figure 5-20 AP Radio: Internal Service Sets page
Step 7 Click Add New. The AP Radio: Internal SSID #x page appears.
Step 9 Leave all other settings at the default settings and click OK. You are returned to the AP Radio: Internal Service Sets page.
Step 10 Click OK again to return to the Setup page. Your configuration is complete.
CHAPTER 6
Configuring Proxy Mobile IP
This chapter describes how to enable and configure your access point’s proxy Mobile IP feature.
Proxy Mobile IP
These sections explain how access points conduct proxy Mobile IP:
• Overview, page 6-2
• Components of a Proxy Mobile IP Network, page 6-3
• How Proxy Mobile IP Works, page 6-4
• Proxy Mobile IP Security, page 6-8
Overview
The access point’s proxy Mobile IP feature works in conjunction with the Mobile IP feature on Cisco devices on the wired network.
Note Guest client devices do not receive broadcast and multicast packets from their home networks.
Components of a Proxy Mobile IP Network
Five devices participate in proxy Mobile IP:
• A visiting client device. The visiting client device is any device such as a personal digital assistant or a laptop that can associate to a wireless access point. It does not need any special proxy Mobile IP client software.
Figure 6-1 Participating Devices in Proxy Mobile IP (diagram labels: client device at home; client device visiting foreign network; access point supporting proxy Mobile IP; authoritative access point supporting proxy Mobile IP; home agent; foreign agent; Internet)
How Proxy Mobile IP Works
The proxy Mobile IP process has four main phases.
The IRDP advertisements carry Mobile IP extensions that specify whether an agent is a home agent, foreign agent, or both; its care-of address; the types of services it provides, such as reverse tunneling and generic routing encapsulation (GRE); and the allowed registration lifetime or roaming period for visiting client devices. Rather than waiting for agent advertisements, an access point can send out an agent solicitation.
the agent discovery mechanism. It sends this information to another access point called an authoritative access point (AAP). The AAP is an access point that maintains the latest subnet map table. When the AAP receives the new information, it replies to the access point with a copy of the latest subnet map table. The new access point now has the latest subnet map table locally and it is ready to perform proxy Mobile IP for visiting clients.
the registration request to the visiting client’s home agent through the foreign agent. The foreign agent checks the validity of the registration request, which includes verifying that the requested lifetime does not exceed its limitations and that the requested tunnel encapsulation is available. If the registration request is valid, the foreign agent relays the request to the home agent.
Data packets addressed to the visiting client are routed to its home network, where the home agent intercepts and tunnels them to the care-of address toward the visiting client. Tunneling has two primary functions: encapsulation of the data packet to reach the tunnel endpoint, and decapsulation when the packet is delivered at that endpoint. The tunnel mode that the access point supports is IP Encapsulation within IP Encapsulation.
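The encapsulation and decapsulation steps described above, as an added example (not Cisco's code): a home agent wraps a packet in an outer IPv4 header (protocol 4) addressed to the care-of address, and the tunnel endpoint validates and strips it. All addresses, the payload and the function names are constructed for illustration, and the endpoint check in `decapsulate` is an assumption about how a receiver would restrict the tunnel to its registered home agent.

```python
import socket
import struct

IPPROTO_IPIP = 4    # IANA protocol number for IP-in-IP encapsulation
IPV4_HDR_LEN = 20   # this example builds headers without IP options
_HDR = "!BBHHHBBH4s4s"


def checksum(data: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (no options, no fragmentation)."""
    fields = [0x45, 0, IPV4_HDR_LEN + len(payload), 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack(_HDR, *fields))
    return struct.pack(_HDR, *fields) + payload


def parse_ipv4(packet: bytes) -> dict:
    """Validate an IPv4 packet and split it; raise ValueError if malformed."""
    if len(packet) < IPV4_HDR_LEN:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        _HDR, packet[:IPV4_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IPV4_HDR_LEN:
        raise ValueError("not a valid IPv4 header")
    if not ihl <= total_len <= len(packet):
        raise ValueError("length fields do not match packet size")
    if checksum(packet[:ihl]) != 0:   # a valid header sums to zero
        raise ValueError("bad header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner: bytes, home_agent: str, care_of: str) -> bytes:
    """Home agent side: wrap the intercepted packet for the tunnel."""
    parse_ipv4(inner)   # refuse to tunnel something that is not valid IPv4
    return build_ipv4(home_agent, care_of, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, home_agent: str, care_of: str) -> bytes:
    """Tunnel endpoint side: check the outer header, return the inner packet."""
    hdr = parse_ipv4(outer)
    if hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP")
    # Assumption: accept tunnelled traffic only between the registered
    # home agent and this care-of address.
    if (hdr["src"], hdr["dst"]) != (home_agent, care_of):
        raise ValueError("unexpected tunnel endpoints")
    parse_ipv4(hdr["payload"])   # inner packet must itself be valid IPv4
    return hdr["payload"]


if __name__ == "__main__":
    # Constructed sample: a host sends to the visiting client's home address.
    inner = build_ipv4("192.0.2.10", "10.1.30.77", 17, b"constructed payload")
    outer = encapsulate(inner, home_agent="10.1.30.1", care_of="10.1.20.1")
    print(len(inner), len(outer), parse_ipv4(outer)["proto"])
    print(parse_ipv4(decapsulate(outer, "10.1.30.1", "10.1.20.1"))["dst"])
```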
The Proxy Mobile IP Setup Page
This section describes the Proxy Mobile IP Setup page and the links it provides to other pages you use to set up proxy Mobile IP on your access point. Figure 6-2 shows the Proxy Mobile IP Setup page.
Figure 6-2 Proxy Mobile IP Setup page
Follow this link path to reach the Proxy Mobile IP Setup page:
1. On the Summary Status page, click Setup.
2.
General
Selecting the General link takes you to the Proxy Mobile IP General page (Figure 6-3), where you enable proxy Mobile IP on the access point and identify the IP addresses of the authoritative access points on your wireless network.
Figure 6-3 Proxy Mobile IP General Page
Settings on the Proxy Mobile IP General Page
Enable Proxy Mobile IP
This setting enables the proxy Mobile IP feature on the access point.
populates a subnet map for other access points. The subnet map links the access points to the home agent to contact and register a mobile client based on the client’s IP address. For example, if a mobile client appears with a “30” subnet IP address on the “20” subnet, the access point must register with the home agent that services subnet “30” mobile clients.
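The lookup described above, as an added example (not Cisco's code): given a subnet map of home agent addresses and subnet masks, decide whether an associating client is on its home subnet or is a visitor, and which home agent serves it. The addresses, the "20" and "30" subnets written as 10.1.20.0/24 and 10.1.30.0/24, and all function names are constructed for illustration.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class SubnetMapEntry(NamedTuple):
    ha_address: ipaddress.IPv4Address   # home agent serving this subnet
    network: ipaddress.IPv4Network      # subnet derived from HA address + mask


def build_subnet_map(rows) -> List[SubnetMapEntry]:
    """Build the map from (HA address, subnet mask) string pairs."""
    entries = []
    for ha, mask in rows:
        # strict=False derives the network from a host address plus mask
        net = ipaddress.IPv4Network(f"{ha}/{mask}", strict=False)
        entries.append(SubnetMapEntry(ipaddress.IPv4Address(ha), net))
    # Most specific subnet first, so overlapping entries resolve predictably
    entries.sort(key=lambda e: e.network.prefixlen, reverse=True)
    return entries


def find_home_agent(subnet_map, client_ip: str) -> Optional[SubnetMapEntry]:
    """Return the entry whose subnet contains the client's address."""
    addr = ipaddress.IPv4Address(client_ip)
    for entry in subnet_map:
        if addr in entry.network:
            return entry
    return None


def classify_client(subnet_map, ap_ip: str, ap_mask: str,
                    client_ip: str) -> Tuple[str, Optional[str]]:
    """Classify a client seen by an access point.

    Returns ("home", None) when the client belongs to the access point's
    own subnet, ("visiting", <HA address>) when another subnet's home agent
    serves it, and ("unknown", None) when no map entry covers the address,
    in which case there is no home agent to register with.
    """
    local = ipaddress.IPv4Network(f"{ap_ip}/{ap_mask}", strict=False)
    if ipaddress.IPv4Address(client_ip) in local:
        return ("home", None)
    entry = find_home_agent(subnet_map, client_ip)
    if entry is None:
        return ("unknown", None)
    return ("visiting", str(entry.ha_address))


# Constructed subnet map: one home agent on each of two subnets
SAMPLE_ROWS = [
    ("10.1.20.1", "255.255.255.0"),   # the "20" subnet
    ("10.1.30.1", "255.255.255.0"),   # the "30" subnet
]

if __name__ == "__main__":
    table = build_subnet_map(SAMPLE_ROWS)
    # Access point on the "20" subnet sees three clients
    for client in ("10.1.20.9", "10.1.30.77", "192.168.5.4"):
        print(client, classify_client(table, "10.1.20.5", "255.255.255.0", client))
```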
Settings on the Authenticator Configuration Page
802.1X Protocol Version (for EAP Authentication)
This drop-down menu allows you to select the draft of the 802.1X protocol the access point’s radio will use. EAP operates only when the radio firmware on client devices complies with the same 802.1X Protocol draft as the management firmware on the access point.
Retran Int (sec)
This field specifies the time interval in seconds that the server waits after it failed to contact the server until it tries again. The default setting is 5 seconds.
Max Retran
This field indicates how many times the server attempts to contact the server before it attempts to contact an alternate server. The setting works in conjunction with the Retran Int (sec) parameter.
Figure 6-5 Local SA Bindings Page
Settings on the Local SA Bindings Page
IP Address Range - Start
This field contains the beginning IP address of the range in which client devices must reside in order to be valid.
IP Address Range - End
This field contains the ending IP address of the range in which the client devices must reside in order to be valid.
Group Key
This field contains an authentication key, similar to a WEP key, that the group specified in the security association uses to access a foreign agent. The group key is a 128-bit key entered as 32 hexadecimal digits (0-9, a-f, or A-F).
Existing SA Bindings
This field contains a listing of previously configured security association bindings.
Settings on the Proxy Mobile IP Statistics Page
Mobile IP Status
This informational field indicates whether proxy Mobile IP is enabled or disabled.
Home Agents
This informational field provides information about home agents the access point discovers on its own subnet. If a home agent is discovered, its IP address is displayed. If no agent is discovered, the field displays Not Found.
Authentication Failures for HA
The number of times the home agent rejected registration requests because of authentication failures, such as an invalid SPI or group key. When a mobile node moves to a foreign network, the access point registers the mobile node to its home agent. This statistic indicates the number of registration failures caused by failure of the home agent or foreign agent to authenticate each other or the mobile node.
Deregister Replies Received
The number of times the access point received deregistration replies from the home agent.
Registration Requests Denied by HA
The number of times the home agent rejected registration requests.
Gratuitious ARPs sent
The number of times the access point sent gratuitous Address Resolution Protocol messages (ARPs).
Settings on the Subnet Map Table Page
HA Address
This column lists the IP addresses of the home agents.
Subnet Mask
This column lists the subnet mask addresses for the corresponding home agents.
Configuring Proxy Mobile IP
Proxy Mobile IP functions as a proxy on behalf of roaming clients that do not implement a Mobile IP software stack.
Before You Begin
Before configuring proxy Mobile IP, you should consider these guidelines:
• You can enable proxy Mobile IP only on root access points (units connected to the wired LAN). You cannot enable proxy Mobile IP on repeater access points or bridges.
• Access points participating in proxy Mobile IP should be configured with gateway addresses.
• Verified that client devices are associated to the local access point.
• Verified receipt of an appropriate DHCP address for the local LAN segment.
• Confirmed IP connectivity between all devices (ping or HTTP).
Configuring the Authoritative Access Point
Proxy Mobile IP must be enabled on the wireless SSID.
Figure 6-8 AP Radio Internal SSID #x Page
Step 4 Set the Proxy Mobile IP setting to yes.
Step 5 Click OK. You are returned to the AP Radio: Internal Service Sets page.
Step 6 Click OK again. You are returned to the Setup page.
Step 7 In the Services section, click Proxy Mobile IP. The Proxy Mobile IP Setup page appears (Figure 6-9).
Figure 6-9 Proxy Mobile IP Setup Page
Step 8 Click General.
Figure 6-10 Proxy Mobile IP General Page
Step 9 Set the Enable Proxy Mobile IP setting to yes.
Step 10 Enter the IP address of the access point in the Authoritative AP 1 field.
Step 11 Click OK. You are returned to the Proxy Mobile IP Setup page.
Step 12 Click View Subnet Map Table. The Subnet Map Table appears (Figure 6-11).
Figure 6-11 Subnet Map Table
Step 13 Check the IP addresses in the HA Address column.
There are no “standard” procedures that describe how to configure these agent access points. Configuration parameters, such as SSIDs, valid proxy Mobile IP addresses, SPI keys and group keys, and security settings must be carefully considered and coordinated with wired side router settings before any degree of success can be expected. The basic settings are the same for both access points.
Step 14 Click OK to return to the Proxy Mobile IP Setup page.
Step 15 Click Done to return to the Setup page.
CHAPTER 7
Configuring Other Settings
This chapter identifies and provides information on how to configure other settings on the access point, such as servers and association tables.
Server Setup
This section describes how to configure the server to support access point features. You use separate management system pages to enter server settings.
Settings on the Time Server Setup Page
The Time Server Setup page contains the following settings:
• Simple Network Time Protocol
• Default Time Server
• GMT Offset (hr)
• Use Daylight Savings Time
• Manually Set Date and Time
The page also shows the active time server.

Simple Network Time Protocol
Select Enabled or Disabled to turn Simple Network Time Protocol (SNTP) on or off. If your network uses SNTP, select Enabled.
Entering Boot Server Settings
You use the Boot Server Setup page to configure the access point for your network's BOOTP or DHCP servers for automatic assignment of IP addresses. Figure 7-2 shows the Boot Server Setup page:
Figure 7-2 Boot Server Setup Page
Follow this link path to reach the Boot Server Setup page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Boot Server under Services.
Configuration Server Protocol
Use the Configuration Server Protocol drop-down menu to select your network’s method of IP address assignment. The menu contains the following options:
• None—Your network does not have an automatic system for IP address assignment.
• BOOTP—Your network uses Boot Protocol, in which IP addresses are hard-coded based on MAC addresses.
DHCP Minimum Lease Duration (min)
This setting specifies the shortest amount of time the access point accepts for an IP address lease. The access point ignores leases shorter than this period. Enter the minimum number of minutes the access point should accept for a lease period.

DHCP Client Identifier Type
Use this optional setting to include a class identifier type in the DHCP request packets the access point sends to your DHCP server.
DHCP Client Identifier Value
Use this setting to include a unique identifier in the access point’s DHCP request packet. This field contains the access point’s MAC address by default. If you select Other - Non Hardware from the DHCP Client Identifier Type drop-down menu, you can enter up to 255 alphanumeric characters. If you select any other option from the DHCP Client Identifier Type drop-down menu, you can enter up to 12 hexadecimal characters.
Settings on the Web Server Setup Page
The Web Server Setup page contains the following settings:
• Allow Non-Console Browsing
• HTTP Port
• Default Help Root URL
• Extra Web Page File
• Default Web Root URL

Allow Non-Console Browsing
Select yes to allow browsing to the management system. If you select no, the management system is accessible only through the console and Telnet interfaces.
Default Web Root URL
This setting points to the access point management system’s HTML pages. If you create alternative HTML pages, you should change this setting to point to the alternative pages. The default setting is:
mfs0:/StdUI/

Entering Name Server Settings
You use the Name Server Setup page to configure the access point to work with your network’s Domain Name System (DNS) server.
Domain Name System
If your network uses a Domain Name System (DNS), select Enabled to direct the access point to use the system. If your network does not use DNS, select Disabled.

Default Domain
Enter the name of your network's IP domain in the entry field. Your entry might look like this:
mycompany.com
The Current Domain line under the entry field lists the domain that is serving the access point.
Follow this link path to reach the FTP Setup page:
• On the Summary Status page, click Setup.
• On the Setup page, click FTP under Services.

Settings on the FTP Setup Page
The FTP Setup page contains the following settings:
• File Transfer Protocol
• Default File Server
• FTP Directory
• FTP User Name
• FTP User Password

File Transfer Protocol
Use the drop-down menu to select FTP or TFTP (Trivial File Transfer Protocol).
Figure 7-6 Routing Setup Page
Follow this link path to reach the Routing Setup page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Routing under Services.

Entering Routing Settings
The Routing Setup page contains the following settings:
• Default Gateway
• New Network Route Settings
• Installed Network Routes List

Default Gateway
Enter the IP address of your network’s default gateway in this entry field.
Installed Network Routes List
The list of installed routes provides the destination network IP address, the gateway, and the subnet mask for each installed route.

Association Table Display Setup
You use the Association Table Filters and the Association Table Advanced pages to customize the display of information in the access point’s Association Table.

Association Table Filters Page
Figure 7-7 shows the Association Table Filters page.
• Restore Current Defaults—Applies the currently saved default settings to the Association Table and returns you to the Association Table page.
• Restore Factory Defaults—Applies the factory default settings to the Association Table and returns you to the Association Table page.
Packets To/From Station
Use these settings to display packet volume information in the Association Table. Select Total to display the total number of packets to and from each station on the network. Select Alert to display the number of alert packets to and from each station on the network for which you have activated alert monitoring. Select the Alert checkbox on a device’s Station page to activate alert monitoring for that device.
Association Table Advanced Page
You use the Association Table Advanced page to control the total number of devices the access point can list in the Association Table and the amount of time the access point continues to track each device class when a device is inactive. Figure 7-8 shows the Association Table Advanced page.
Figure 7-8 Association Table Advanced Page
Follow this link path to reach the Association Table Advanced page:
1.
Settings on the Association Table Advanced Page
The Association Table Advanced page contains the following settings:
• Handle Station Alerts as Severity Level
• Maximum number of bytes stored per Station Alert packet
• Maximum Number of Forwarding Table Entries
• Rogue AP Alert Timeout (minutes)
• Aironet Extended Statistics in MIB (awcTpFdbTable)
• Block ALL Inter-Client Communications (PSPF)
• Default Activity Timeout (sec
Aironet Extended Statistics in MIB (awcTpFdbTable)
Use this setting to enable or disable the storage of detailed statistics in access point memory. When you disable extended statistics you conserve memory, and the access point can include more devices in the Association Table.
Follow this link path to reach the Event Display Setup page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Display Defaults under Event Log.
Severity Level at which to display events
When an event occurs, it may be displayed immediately on the console, on the console log, or on the GUI log for read purposes only. The event may also be recorded. (You control display and recording of events through the Event Handling Setup page; see the “Event Handling Setup Page” section on page 7-21 for details.
Table 7-2 Event Display Severity Levels (continued)
Severity Level: System warning, Protocol warning, Port warning, External warning
Description: The Warning settings indicate that a failure has occurred.
Severity Level: System information, Protocol information, Port information, External information

• System refers to the access point as a whole.
• Protocol refers to a specific communications protocol in use, such as HTTP or IP.
Figure 7-10 The Event Handling Setup Page
Follow this link path to reach the Event Handling Setup page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Event Handling under Event Log.
Disposition of Events
The event settings control how events are handled by the access point: counted, displayed in the log, recorded, or announced in a notification. The settings are color coded: red for fatal errors, magenta for alerts, blue for warnings, and green for information. You select an option from each setting's drop-down menu. Each option includes and builds upon the previous option.
Event Notifications Setup Page
You use the Event Notifications Setup page to enable and configure notification of fatal, alert, warning, and information events to destinations external to the access point, such as an SNMP server or a Syslog system.
Note For event notifications to be sent to an external destination, the events must be set to Notify on the Event Handling Setup page.
Settings on the Event Notifications Setup Page
The Event Notifications Setup page contains the following settings:
• Should Notify-Disposition Events generate SNMP Traps?
• SNMP Trap Destination
• SNMP Trap Community
• Should Notify-Disposition Events generate Syslog Messages?
• Should Syslog Messages use the Cisco EMBLEM Format
• Syslog Destination Address
• Syslog Facility Number
• IEEE SNMP Traps Should Generate the Following
Example with timestamp:
192.168.85:2002 SEP 12 13:52:12 PST -08:00: %APBR-6-STA_ASSOC_OK: [AP350-12] Station [TEST-LPT]000750abcd2a Associated
The timestamp is optional and included in the message only when the wall clock time is set on the access point. The facility code for all messages is APBR.

Syslog Destination Address
Type the IP address or the host name of the server running Syslog.
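The message layout in the example with timestamp can be parsed on the Syslog server to watch for stations that should not be associating. The Python below is an added example, not code from this guide or from Cisco: it parses the %APBR-severity-mnemonic tag, extracts the station from STA_ASSOC_OK events, and reports stations missing from an allow-list. The function names, the allow-list, and every sample line except the first (which is the guide's own example) are assumptions constructed for illustration.

```python
import re

# Tag layout taken from the guide's sample message: %FACILITY-SEVERITY-MNEMONIC: text
TAG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
# Text layout of the one event the guide shows (STA_ASSOC_OK).
ASSOC_RE = re.compile(
    r"^\[(?P<ap>[^\]]+)\] Station \[(?P<station>[^\]]*)\](?P<mac>[0-9A-Fa-f]{12}) Associated$"
)

# First line is the guide's example verbatim; the others are constructed samples.
SAMPLE_LINES = [
    "192.168.85:2002 SEP 12 13:52:12 PST -08:00: %APBR-6-STA_ASSOC_OK: "
    "[AP350-12] Station [TEST-LPT]000750abcd2a Associated",
    # Constructed: no timestamp (it is optional), MAC in upper case.
    "192.0.2.10: %APBR-6-STA_ASSOC_OK: [AP350-12] Station [GUEST-PC]0007509999FF Associated",
    # Constructed: facility other than APBR, so not an access point message.
    "192.0.2.10: %OTHER-6-STA_ASSOC_OK: [AP350-12] Station [X]000750000001 Associated",
    # Constructed: line without any tag.
    "link up on port 3",
]


def parse_line(line):
    """Return a dict describing one message, or None if the line has no tag."""
    line = line.strip()
    m = TAG_RE.search(line)
    if m is None:
        return None
    event = {
        # Everything before the tag: source address and the optional timestamp.
        "prefix": line[:m.start()].strip(),
        "facility": m["facility"],
        "severity": int(m["severity"]),
        "mnemonic": m["mnemonic"],
        "text": m["text"],
    }
    assoc = ASSOC_RE.match(event["text"])
    if event["mnemonic"] == "STA_ASSOC_OK" and assoc:
        # Lower-case the MAC so comparisons do not depend on the sender's case.
        event.update(ap=assoc["ap"], station=assoc["station"], mac=assoc["mac"].lower())
    return event


def triage(lines, allowed_macs):
    """Split lines into unknown-station findings and lines that were rejected."""
    allowed = {mac.lower() for mac in allowed_macs}
    unknown_stations, rejected_lines = [], []
    for line in lines:
        event = parse_line(line)
        # The guide states that the facility code for all messages is APBR.
        if event is None or event["facility"] != "APBR":
            rejected_lines.append(line)
            continue
        mac = event.get("mac")
        if mac is not None and mac not in allowed:
            unknown_stations.append((event["ap"], event["station"], mac))
    return {"unknown_stations": unknown_stations, "rejected_lines": rejected_lines}


if __name__ == "__main__":
    report = triage(SAMPLE_LINES, ["000750ABCD2A"])
    for ap, station, mac in report["unknown_stations"]:
        print(f"station {station} ({mac}) associated to {ap} but is not on the allow-list")
    print(f"{len(report['rejected_lines'])} line(s) rejected")
```
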
CHAPTER 8 Security Setup
This chapter describes how to set up your access point’s security features.
Security Overview
This section describes the types of security features you can enable on the access point. The security features protect wireless communication between the access point and other wireless devices, control access to your network, and prevent unauthorized entry to the access point management system.

Levels of Security
Security is vital for any wireless network, and you should enable all the security features available on your network.
If you don’t enable any security features on your access point, anyone with a wireless networking device is able to join your network. If you enable open or shared-key authentication with WEP encryption, your network is safe from casual outsiders but vulnerable to intruders who use a hacking algorithm to calculate the WEP key.
each packet to make the packets tamper-proof. See the “Enabling Message Integrity Check (MIC)” section on page 8-14 for instructions on enabling MIC.
Note MIC is also known as key hashing.
• TKIP (Temporal Key Integrity Protocol, also known as WEP key hashing)—This feature defends against an attack on WEP in which the intruder uses the unencrypted initialization vector (IV) in encrypted packets to calculate the WEP key.
server sends the WEP key to the access point, which uses it for all unicast data signals that it sends to or receives from the client. The access point also encrypts its broadcast WEP key (entered in the access point’s WEP key slot 1) with the client’s unicast key and sends it to the client.
When mutual authentication is complete, the RADIUS server and the client determine a WEP key that is unique to the client and provides the client with the appropriate level of network access, thereby approximating the level of security in a wired switched segment to an individual desktop. The client loads this key and prepares to use it for the logon session.
Figure 8-3 Sequence for MAC-Based Authentication (participants: wired LAN, access point or bridge, client device, server)
1. Authentication request
2. Authentication success
3. Association request
4. Association response (block traffic from client)
5. Authentication request

• Open—Allows any device to authenticate and then attempt to communicate with the access point.
During shared key authentication, the access point sends an unencrypted challenge text string to any device attempting to communicate with the access point. The device requesting authentication encrypts the challenge text and sends it back to the access point. If the challenge text is encrypted correctly, the access point allows the requesting device to authenticate.
device to attempt EAP authentication. See the “Authenticating Client Devices Using MAC Addresses or EAP” section on page 8-34 for more information on this feature.

Protecting the Access Point Configuration with User Manager
The access point’s user manager feature prevents unauthorized entry to the access point management system. You create a list of administrators authorized to view and adjust the access point settings; unauthorized users are locked out.
Follow this link path to reach the AP Radio Data Encryption page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Security.
3. On the Security Setup page, click Radio Data Encryption (WEP).
Note Use this page to configure the radio unless you have enabled VLANs. If VLANs are enabled, you must set the radio data encryption for each enabled VLAN through the VLAN Setup page.
Step 3 Use the Key Size pull-down menu to select 40-bit or 128-bit encryption for each key. The not set option clears the key. You can disable WEP altogether by selecting not set for each key or by selecting No Encryption in Step 5.
Step 4 Select one of the keys as the transmit key. If you select Network-EAP as the authentication type, select key 1 as the transmit key.
Note You must set a WEP key before enabling WEP. The options in the Use of Data Encryption by Stations is pull-down menu do not appear until you set a key.
The three settings in the pull-down menu include:
• No Encryption (default)—The access point communicates only with client devices that are not using WEP. Use this option to disable WEP.
• Optional—Client devices can communicate with the access point either with or without WEP.
Using SNMP to Set Up WEP
You can use SNMP to set the WEP level on the access point. Consult the “Using SNMP” section on page 2-24 for details on using SNMP. Access points use the following SNMP variables to set the WEP level:
• dot11ExcludeUnencrypted.2
• awcDot11AllowEncrypted.2
Table 8-2 lists the SNMP variable settings and the corresponding WEP levels.
Note The MIC, TKIP, and broadcast key rotation features are available in firmware versions 11.10T and later, which are available on Cisco.com. You can download Cisco Aironet firmware releases at http://www.cisco.com/public/sw-center/sw-wireless.shtml.

Enabling Message Integrity Check (MIC)
MIC prevents attacks on encrypted packets called bit-flip attacks.
Figure 8-7 AP Radio Advanced Page
Follow this link path to browse to the AP Radio Advanced page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Advanced in the AP Radio row under Network Ports.
Follow these steps to enable MIC:
Step 1 Follow the steps in the “Setting Up WEP” section on page 8-9 to set up and enable WEP. You must set up and enable WEP with full encryption before MIC becomes active. If WEP is off or if you set it to optional, MIC is not enabled.
Note When you enable TKIP, all WEP-enabled client devices associated to the access point must support WEP key hashing. WEP-enabled devices that do not support key hashing cannot communicate with the access point.
Note To use TKIP, the Use Aironet Extensions setting on the AP Radio Advanced page must be set to yes (the default setting).
Tip When you enable TKIP, you might not need to enable broadcast key rotation.
Enabling Broadcast WEP Key Rotation
EAP authentication provides dynamic unicast WEP keys for client devices but uses static multicast keys. With broadcast, or multicast, WEP key rotation enabled, the access point provides a dynamic broadcast WEP key and changes it at the interval you select.
Tip Use a short rotation interval if the traffic on your wireless network contains numerous broadcast or multicast packets.
Step 4 Click OK. Broadcast key rotation is enabled.

Setting Up Open or Shared Key Authentication
Cisco recommends Open authentication as preferable to Shared Key authentication. The challenge queries and responses used in Shared Key leave the access point particularly vulnerable to intruders.
Setting Up EAP Authentication
During EAP authentication, the access point relays authentication messages between the RADIUS server on your network and the authenticating client device.
Follow this link path to reach the Authenticator Configuration page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Security.
3. On the Security Setup page, click Authentication Server.
Follow these steps to enable EAP on the access point:
Step 1 Follow the link path to the Authenticator Configuration page. You can configure up to four servers for authentication services, so you can set up backup authenticators.
Table 8-3 802.1X Protocol Drafts and Compliant Client Firmware
Firmware Version                   Draft 7   Draft 8   802.1x-2001
PC/PCI cards 4.13                  —         x         —
PC/PCI cards 4.16                  —         x         —
PC/PCI cards 4.23                  —         x         —
PC/PCI cards 4.25 and later        —         —         x
WGB34x/352 8.58                    —         x         —
WGB34x/352 8.61 or later           —         —         x
AP34x/35x 11.05 and earlier        —         x         —
AP34x/35x 11.06 and later (1)      —         x         x
BR352 11.06 and later (1)          —         x         x
1.
Step 7 Enter the number of seconds the access point should wait before authentication fails. If the server does not respond within this time, the access point tries to contact the next authentication server in the list if one is specified. Other backup servers are used in list order when the previous server times out.
Step 8 Select EAP Authentication under the server.
Table 8-4 Access Point EAP Settings for Various Client Configurations
Access Point Configuration: Network-EAP authentication
Client Devices Allowed to Authenticate:
• Client devices with LEAP enabled
• Repeater access points with LEAP enabled
Access Point Configuration: Open authentication with Require EAP checkbox selected
Client Devices Allowed to Authenticate:
• Client devices with EAP enabled
• Cisco Aironet devices with EAP-TLS or EAP-MD5 enabled through Windows XP
Note Selecting Require EAP
Step 12
Enabling EAP in Cisco Secure ACS
Cisco Secure Access Control Server for Windows NT/2000 Servers (Cisco Secure ACS) is network security software that helps authenticate users by controlling access to a network access server (NAS) device, such as an access server, PIX Firewall, router, or wireless access point or bridge.
Tip To save your changes and apply them later, click Submit. When you are ready to implement the changes, select System Configuration > Service Control and click Restart.
Note Restarting the service clears the Logged-in User Report, refreshes the Max Sessions counter, and temporarily interrupts all Cisco Secure ACS services.

Setting a Session-Based WEP Key Timeout
You can set a timeout value for the session-based WEP key.
Step 4 Scroll down to the IETF RADIUS Attributes settings.
Step 5 Select the checkbox for [027] Session-Timeout and enter the number of seconds for your timeout value in the [027] Session-Timeout entry field.
Step 6 Click Submit + Restart. The timeout value is enabled.
Figure 8-9 AP Radio Identification Page
Step 3 Enter the network username you set up for the access point in Step 1 in the LEAP User Name entry field.
Step 4 Enter the network password you set up for the access point in Step 1 in the LEAP Password entry field.
Step 5 Click OK.
Step 6 Follow the steps in the “Enabling EAP on the Access Point” section on page 8-20 to enable Network-EAP on the repeater access point.
Setting Up MAC-Based Authentication
MAC-based authentication allows only client devices with specified MAC addresses to associate and pass data through the access point. Client devices with MAC addresses not in a list of allowed MAC addresses are not allowed to associate with the access point. You can create a list of allowed MAC addresses in the access point management system and on a server used for MAC-based authentication.
Figure 8-10 Address Filters Page
Note Step 2 and Step 3 describe entering MAC addresses in the access point management system. If you will enter MAC addresses only in a list used by the authentication server, skip to Step 4.
Step 2 Type a MAC address in the Dest MAC Address field.
Step 4 If you plan to create a MAC address list that will be checked by the authentication server, select Yes for the option called Lookup MAC Address on Authentication Server if not in Existing Filter List. With this option enabled, the access point checks the authentication server’s MAC address list when a client device attempts to authenticate.
Step 5 Click Apply to save the list of MAC addresses in the access point management system.
Step 8 Enter the port number the server uses for authentication. The default setting, 1812, is the port setting for Cisco’s RADIUS server, the Cisco Secure Access Control Server (ACS), and for many other RADIUS servers. Check your server’s product documentation to find the correct port setting.
Step 9 Enter the shared secret used by the server in the Shared Secret entry field.
Figure 8-12 AP Radio Advanced Page
Step 15 Select Disallowed from the pull-down menu for Default Unicast Address Filter for each authentication type requiring MAC-based authentication. For example, if the access point is configured for both open and Network-EAP authentication, you could set Default Unicast Address Filter under Open to Disallowed but leave Default Unicast Address Filter under Network-EAP set to Allowed.
devices to authenticate using MAC addresses. To force all client devices to authenticate using MAC addresses, select Disallowed for all the enabled authentication types. When you set Default Unicast Address Filter to disallowed, the access point discards all unicast traffic except packets sent to the MAC addresses listed as allowed on the authentication server or on the access point’s Address Filters page.
Step 3 Follow this link path to reach the Address Filters page:
a. On the Summary Status page, click Setup.
b. On the Setup page, click Address Filters under Associations.
Step 4 Select yes for the option called Is MAC Authentication alone sufficient for a client to be fully authenticated?
Step 5 Click Apply.
When you enable this feature, the access point follows these steps to authenticate all clients that associate using 802.
Note The access point sends MAC address queries to the server using lower-case characters. If your server allows case-sensitive usernames and passwords, you must enter MAC addresses in the server’s database using lower-case characters.
Step 3 When the User Setup screen appears, enter the MAC address in the Cisco Secure PAP Password and Confirm Password entry fields.
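Because a case mismatch between the access point's query and the server's database makes a valid client fail authentication, it helps to normalize the address inventory before entering it on the server. The Python below is an added example, not part of this guide or of Cisco Secure ACS: it converts addresses written in common notations to lower-case hexadecimal and rejects malformed, group, and duplicate entries. It assumes the server entry is the 12-digit form without separators (the form in which the guide's Syslog example prints a station address) and that the same string is used as username and password; the function names and the sample inventory are constructed for illustration.

```python
import re

HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return the MAC as 12 lower-case hex digits, or raise ValueError."""
    # Drop the separators used by common notations (00:07:50.., 0007.50ab.., 00-07-..).
    compact = re.sub(r"[\s:.\-]", "", raw).lower()
    if HEX12.fullmatch(compact) is None:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    # The low bit of the first octet marks a group (multicast/broadcast) address,
    # which can never identify a single client device.
    if int(compact[:2], 16) & 0x01:
        raise ValueError(f"group address, not a client device: {raw!r}")
    return compact


def build_server_entries(inventory):
    """Return (entries, rejected) for a list of MAC strings in mixed notation."""
    entries, rejected, seen = [], [], set()
    for raw in inventory:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if mac in seen:
            rejected.append((raw, "duplicate of an earlier entry"))
            continue
        seen.add(mac)
        # Assumption: username and password are both the normalized MAC.
        entries.append({"username": mac, "password": mac})
    return entries, rejected


# Constructed inventory, as it might arrive from an asset spreadsheet.
SAMPLE_INVENTORY = [
    "00:07:50:AB:CD:2A",   # colon notation, upper case
    "0007.50ab.cd2a",      # same device in dotted notation
    "00-07-50-99-99-FF",   # hyphen notation
    "FF:FF:FF:FF:FF:FF",   # broadcast address
    "0007509999",          # too short
]

if __name__ == "__main__":
    entries, rejected = build_server_entries(SAMPLE_INVENTORY)
    for entry in entries:
        print("enter on server:", entry["username"])
    for raw, reason in rejected:
        print("rejected:", raw, "-", reason)
```
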
Summary of Settings for Authentication Types
Table 8-5 lists the access point settings required to enable each authentication type and combinations of authentication types.
Table 8-5 Settings for Authentication Types
Authentication Type: LEAP
Required Settings: On the Authenticator Configuration page (shown in Figure 8-13):
• Select an 802.
Table 8-5 Settings for Authentication Types (continued)
Authentication Type: EAP-TLS and EAP-MD5
Required Settings: On the Authenticator Configuration page (shown in Figure 8-13):
• Select an 802.1X protocol draft that matches the protocol draft used by client devices that associate with the access point.
• Enter the name or IP address, type, port, shared secret, and timeout value for your RADIUS server.
Table 8-5 Settings for Authentication Types (continued)
Authentication Type: MAC-based
Required Settings: On the Address Filters page (shown in Figure 8-10):
• Select yes for the “Look up MAC address on authentication server if not in existing filter list” setting.
On the Authenticator Configuration page (shown in Figure 8-13):
• Select an 802.
Setting Up Backup Authentication Servers
You can configure up to four servers for authentication services on the Authenticator Configuration page, so you can set up backup authenticators. If you set up more than one server for the same service, the server first in the list is the primary server for that service, and the other servers are used in list order when the previous server times out.
Figure 8-13 Authenticator Configuration Page with Primary and Backup Servers

Setting Up Administrator Authorization
Administrator authorization protects the access point management system from unauthorized access. Use the access point’s user management pages to define a list of users who are authorized to view and change the access point management system. Use the Security Setup page to reach the user management pages.
Figure 8-14 Security Setup Page
Follow this link path to reach the Security Setup page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Security.

Creating a List of Authorized Management System Users
Follow these steps to create a list of users authorized to view and change the access point management system:
Step 1 Follow the link path to the Security Setup page.
Step 3 Click Add New User. The User Management window appears. Figure 8-16 shows the User Management window.
Figure 8-16 User Management Window
Step 4 Enter a username and password for the new user.
Step 5 Select the capabilities you want to assign to the new user. Capabilities include:
• Write—The user can change system settings. When you assign Write capability to a user, the user also automatically receives Admin capability.
• Firmware—The user can update the access point's firmware. When you assign Firmware capability to a user, the user also automatically receives Write and Admin capabilities.
• Admin—The user can view most system screens. To allow the user to view all system screens and make changes to the system, select Write capability.
Step 6 Click Apply.
• Protect Legal Credit Page—Select yes to restrict access to the Legal Credits page to users in the user list. Select no to allow any user to view the Legal Credits page.
Step 9 Click OK. You return automatically to the Security Setup page.
Figure 8-18 Authenticator Configuration page
Step 10 Configure the server as follows:
a. Assign an IP address or name in the Server Name/IP field.
b. Select the server type your network is using, either RADIUS or TACACS.
c. Assign a port number for the server.
Note The default port settings are 1812 for RADIUS servers and 49 for TACACS servers. Check your server’s product documentation for the correct port setting.
d.
Step 11 Configure other servers as required.
CHAPTER 9 Network Management
This section describes how to browse to other devices on your network, how to use Cisco Discovery Protocol with your wireless networking equipment, how to assign a specific network port to a MAC address, and how to enable wireless network accounting.
Using the Association Table
The management system’s Association Table page lists all the devices, both wireless and wired to the root LAN, of which the access point is aware. Figure 9-1 shows an example of the Association Table page.
Figure 9-1 Association Table Page
Click the Association link at the top of any main management system page to go to the Association Table.
Setting the Display Options
You use the display options to select the device types to be listed in the table. The default selections list only the access point and any devices with which it is associated. To change the selections, click a display option and then click Apply. To modify the table further, click additional display filters, which is a link to the Association Table Filters page.
Figure 9-2 Station Page

Information on Station Pages

Station Identification and Status
The yellow table at the top of the Station page lists the following information:
• System Name—The name assigned to the device.
• Device—The type and model number of the device.
• MAC Address—A unique identifier assigned by the manufacturer.
• IP Address—The device’s IP address. When you click the IP address link, the browser attempts to display the device’s home page. Cisco Aironet access points, bridges, and workgroup bridges have browser-based interfaces, and many servers and printers have them also.
• VLAN ID—The identification number of configured VLANs.
• Policy Grp.—A group of filters specifically designed to allow or deny certain types of traffic to or from the access point.
– BootP/DHCP Client—The device is using BOOTP or DHCP protocol
– ARP Proxy Server
– IP Virtual Router
– WEP—WEP is enabled on the device.

To Station Information

Fields in the To Station column in the second table on the Station page contain the following information:
• Alert—Click this box if you want detailed packet trace information captured for the Association Table page. This option is only available to users with Administrator capability.
Rate, Signal, and Status Information

The table under the To and From Station table lists rate, signal, and status information for the device. Data rate and signal quality information appears on Station pages for client devices. On Station pages for access points, this area shows network information such as system uptime.
• Parent—Displays the system name of the device to which the client, bridge or repeater is associated.
• Hops to Infra.—The number of devices between this station and the network infrastructure.
• Activity Timeout—Total time that can elapse after the access point’s last data receipt before the access point presumes the client device has been turned off. See the “Using the Association Table” section on page 9-2 for information on setting timeouts for each device class.
Figure 9-3 Ping Window

Performing a Link Test

Follow these steps to perform a link test between the access point and the device described on the Station page:
Step 1 To customize the size and number of packets sent during the link test, enter the number of packets and size of the packets in the Number of Pkts. and Pkt. Size fields.
Step 2 Click Link Test. The link test runs using the values in the Number of Pkts. and Pkt. Size fields.
Figure 9-4 Link Test Results Window

Clearing and Updating Statistics

Use the Clear Stats and Refresh buttons to clear and update the Station page statistics.
• Clear Stats—Clears all packet, octet and error counts and resets the counters to 0.
• Refresh—Updates the counts to their latest accumulated values, and saves the Alert selections.
• Disassociate—Allows a client to break its current association, re-evaluate the currently associated access point and determine which of the surrounding access points has the best signal quality to associate with.

Using the Network Map Window

To open the Network Map window, click Map at the top of any management system page. (See the “Using the Network Map Window” section on page 9-11 for information about the Map page.
Click the name of a wireless device to open a new browser window with a Station page that shows the access point’s local information for that device. Click Go beside the device name to open a new browser window displaying that device’s home page, if available. Some devices, such as PC card clients, do not have browser-based interfaces. Click show clients to display all the wireless client devices on your network.
3. On the Cisco Services Setup page, click Cisco Discovery Protocol (CDP).

Settings on the CDP Setup Page

The CDP Setup page contains the following settings:
• Enabled/Disabled—Select Disabled to disable CDP on the access point; select Enabled to enable CDP on the access point. CDP is enabled by default.
• Packet hold time—The number of seconds other CDP-enabled devices should consider the access point’s CDP information valid.
Figure 9-7 Port Assignments Page

Follow this link path to reach the Port Assignments page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Port Assignments in the Association section near the top of the page.
Settings on the Port Assignments Page

• ifIndex—Lists the port’s designator in the Standard MIB-II (RFC1213-MIB.my) interface index.
• dot1dBasePort—Lists the port’s designator in the Bridge MIB (RFC1493; BRIDGE-MIB.my) interface index.
• AID—Lists the port’s 802.11 radio drivers association identifier.
• Station—Enter the MAC address of the device to which you want to assign the port in the port’s Station entry field.
Figure 9-8 Accounting Setup Page

Follow this link path to reach the Accounting Setup page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Accounting under Services.

Settings on the Accounting Setup Page

The Accounting Setup page contains these settings:
• Enable accounting—Select Enabled to turn on accounting for your wireless network.
• Minimum delay time to report stop (sec.)—Enter the number of seconds the access point waits before sending a stop report to the server when a client device disassociates from the access point. The delay reduces accounting activity for client devices that disassociate from the access point and then quickly reassociate.
• Server Name/IP—Enter the name or IP address of the server to which the access point sends accounting data.
• Use accounting server for—Select the authentication types for which you want to collect accounting data. When you select EAP authentication, the access point sends accounting data to the server for client devices that authenticate using Cisco Aironet LEAP, EAP-TLS, or EAP-MD5.
Table 9-1 Accounting Attributes the Access Point Sends to the Accounting Server (continued)

Attribute        Definition
NAS-Port         The port number used for the client device’s connection. The access point sends this attribute to the server with all three status types.
Acct-Authentic   The method with which the client device is authenticated to the network. This value is always 1, which represents RADIUS authentication.
Table 9-1 Accounting Attributes the Access Point Sends to the Accounting Server (continued)

Attribute              Definition
Acct-Output-Packets    The number of packets sent on the wireless network through the access point since the client device associated to the access point. The access point sends this attribute only with the ACCT_STOP and ACCT_UPDATE status types.
Acct-Terminate-Cause   How the client device’s session was terminated.
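A server-side check for the accounting records described in Table 9-1, as an added example that is not part of the Cisco guide: it verifies the Request Authenticator that RFC 2866 defines for Accounting-Request packets, then applies the rules stated in the table rows above. The shared secret, the function names and the sample packet are assumptions; `build_request` only stands in for the access point so that the example runs offline.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4                      # RFC 2866 packet code
# RFC 2865/2866 attribute numbers for the Table 9-1 attributes checked here.
NAS_PORT, ACCT_STATUS_TYPE, ACCT_AUTHENTIC = 5, 40, 45
ACCT_OUTPUT_PACKETS = 48
# The guide's names for the three Acct-Status-Type values.
STATUS = {1: "ACCT_START", 2: "ACCT_STOP", 3: "ACCT_UPDATE"}


def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_request(ident, attrs, secret):
    """Constructed sender standing in for the access point (integer attributes only)."""
    body = b"".join(struct.pack("!BBI", atype, 6, value) for atype, value in attrs)
    auth = request_authenticator(ACCOUNTING_REQUEST, ident, body, secret)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body)) + auth + body


def parse_attributes(data):
    """Walk the type-length-value list, rejecting lengths that overrun the packet."""
    attrs, pos = {}, 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length for attribute {atype}")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def check_request(packet, secret):
    """Authenticate one Accounting-Request, then apply the Table 9-1 rules.

    Returns (status_name, findings). Raises ValueError for packets the
    accounting server should drop without recording.
    """
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the datagram")
    raw = packet[20:length]
    expected = request_authenticator(code, ident, raw, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch")

    attrs = parse_attributes(raw)

    def integer(atype):
        value = attrs.get(atype)
        if value is None or len(value) != 4:
            return None
        return int.from_bytes(value, "big")

    status = STATUS.get(integer(ACCT_STATUS_TYPE))
    if status is None:
        raise ValueError("missing or unknown Acct-Status-Type")

    findings = []
    if integer(NAS_PORT) is None:           # sent with all three status types
        findings.append("NAS-Port missing")
    if ACCT_AUTHENTIC in attrs and integer(ACCT_AUTHENTIC) != 1:
        findings.append("Acct-Authentic is not 1 (RADIUS)")
    if status == "ACCT_START" and ACCT_OUTPUT_PACKETS in attrs:
        findings.append("Acct-Output-Packets present in ACCT_START")
    return status, findings


if __name__ == "__main__":
    secret = b"constructed-secret"          # constructed value, not from the guide
    stop = build_request(7, [(ACCT_STATUS_TYPE, 2), (NAS_PORT, 3),
                             (ACCT_AUTHENTIC, 1), (ACCT_OUTPUT_PACKETS, 1200)], secret)
    print(check_request(stop, secret))
```

A record whose authenticator does not verify was either altered in transit or sent by a device that does not hold the shared secret, so it is rejected before any attribute is trusted.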
Chapter 10 Managing Firmware and Configurations

This section describes how to update the firmware version on the access point, how to distribute firmware to other access points, how to distribute the access point’s configuration to other access points, and how to download, upload, and reset the access point configuration. You use the Cisco Services Setup page as a starting point for all these activities.
Updating Firmware

You use the Cisco Services Setup page to update the access point’s firmware. You can perform the update by browsing to a local drive or by using FTP to update the firmware from a file server. Figure 10-1 shows the Cisco Services Setup page.

Figure 10-1 Cisco Services Setup Page

Follow this link path in the browser interface to reach the Cisco Services Setup page:
1. On the Summary Status page, click Setup.
2.
Full Update of the Firmware Components

To update all the firmware components at the same time, click Through Browser on the Fully Update Firmware line on the Cisco Services Setup page. The Update All Firmware Through Browser page appears. Figure 10-2 shows the Update All Firmware Through Browser page.
Selective Update of the Firmware Components

To update firmware components individually, click Through Browser on the Selectively Update Firmware line on the Cisco Services Setup page. The Update Firmware Through Browser page appears. Figure 10-3 shows the Update Firmware Through Browser page.
Updating from a File Server

When you update the firmware from a file server, you load new firmware through FTP or TFTP from a file server. You can update the three firmware components—the management system firmware, the firmware web pages, and the radio firmware—individually or all at once. It is simplest to update all the components at once, but in some situations you might want to update them individually.
Figure 10-5 FTP Setup Page

Step 2 Enter the FTP settings on the FTP Setup page.
a. Select FTP or TFTP from the File Transfer Protocol pull-down menu. FTP (File Transfer Protocol) is the standard protocol that supports transfers of data between local and remote computers. TFTP (Trivial File Transfer Protocol) is a relatively slow, low-security protocol that requires no user name or password.
b.
Selective Update of the Firmware Components

To update firmware components individually, click From File Server on the Selectively Update Firmware line on the Cisco Services Setup page. The Update Firmware From File Server page appears. Figure 10-6 shows the Update Firmware From File Server page.
These files can be downloaded selectively or at one time, depending on the page from which you retrieve them. To retrieve all firmware and web page files, browse to the Update All Firmware Through Browser page and click Retrieve All Firmware Files. To selectively retrieve these files, browse to the Selectively Update Firmware Through Browser or From File Server and select the files you wish to retrieve.
Step 6 Click Close when the download is complete.

Distributing Firmware

You use the Distribute Firmware page to distribute the access point’s firmware to other Cisco Aironet access points. Figure 10-7 shows the Distribute Firmware page. The distributing access point and the access points that receive the firmware must have a Default Gateway setting other than the default setting, which is 255.255.255.
Figure 10-7 Distribute Firmware Page

Follow this link path in the browser interface to reach the Distribute Firmware page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Cisco Services Setup.
3. On the Cisco Services page, click Distribute Firmware to other Cisco Devices.

Follow these steps to distribute firmware to other access points:
Step 1 Follow the link path to reach the Distribute Firmware page.
Distributing a Configuration

You use the Distribute Configuration page to distribute the access point’s configuration to other Cisco Aironet access points. Figure 10-8 shows the Distribute Configuration page. The distributing access point and the access points that receive the configuration must have a Default Gateway setting other than the default setting, which is 255.255.255.
2. On the Setup page, click Cisco Services Setup.
3. On the Cisco Services page, click Distribute Configuration to other Cisco Devices.

Follow these steps to distribute the access point’s configuration to other access points:
Step 1 Follow the link path to reach the Distribute Configuration page.
Step 2 Click Start.
Figure 10-9 System Configuration Setup Page

Follow this link path in the browser interface to reach the System Configuration Setup page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Cisco Services Setup.
3. On the Cisco Services page, click Manage System Configuration.
• To save the current non-default configuration including the access point’s IP address, click Download Non-Default System Configuration.
• To save the current default and non-default configuration including the access point’s IP address, click Download All System Configuration.
Uploading from a File Server

Follow these steps to upload a configuration file from a file server:
Step 1 Before you load a configuration file from a server, you need to enter FTP settings for the server. If you have already entered the FTP settings, skip to Step 3. Follow this link path in the browser interface to reach the FTP Setup page:
a. On the Summary Status page, click Setup.
b.
e. In the FTP Password entry field, enter the password associated with the user name. If you selected TFTP, you can leave this field blank.
f. Click OK. You return automatically to the Setup page.
Step 3 Follow the link path in the web browser to reach the System Configuration Setup page.
Step 4 Click Read Config File From Server.
– The users in the User Manager list
– The SNMP Administrator Community name

Note To completely reset all access point settings to defaults, follow the steps in the “Resetting to the Default Configuration” section on page 13-43.

Follow these steps to reset the configuration to default settings:
Step 1 Follow the link path to reach the System Configuration Setup page.
Chapter 11 Management System Setup

This chapter explains how to set up your access point to use SNMP, Telnet, or the console port to manage the access point.
SNMP Setup

Use the SNMP Setup page to configure the access point to work with your network’s SNMP station. Figure 11-1 shows the SNMP Setup page.

Figure 11-1 SNMP Setup Page

Follow this link path to reach the SNMP Setup page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click SNMP in the Services section of the page.
• System Name—The name of the access point. The name in this field is reported to your SNMP management station as the name of the device when you use SNMP to communicate with the access point.
• System Location—Use this field to describe the physical location of the access point, such as the building or room in which it is installed.
• System Contact—Use this field to name the system administrator responsible for the access point.
Settings on the Database Query Page

The Database Query page contains the following entry fields and buttons:
• OID—Type the object identifier (OID) in the OID field. You can use the integer or ASCII version of the OID. If you use the integer version of the OID, you must type the entire OID string (1.3.7.2.13.78.5.6, for example). If you use the ASCII name, you can often use the object's name as specified in the appropriate MIB (enableSNMP, for example).
Console and Telnet Setup

Use the Console/Telnet Setup page to configure the access point to work with a terminal emulator or through Telnet. Figure 11-3 shows the Console/Telnet Setup page.

Figure 11-3 Console/Telnet Setup Page

Follow this link path to reach the Console/Telnet Setup page:
1. On the Summary Status page, click Setup.
2. On the Setup page, click Console/Telnet in the Services section of the page.
• Data Bits—The default setting is 8.
• Stop Bits—The default setting is 1.
• Flow Control—Defines the way that information is sent between pieces of equipment to prevent loss of data when too much information arrives at the same time on one device. The default setting is SW Xon/Xoff.
• Terminal Type—The preferred setting is ANSI, which offers graphic features such as reverse video buttons and underlined links.
After you have downloaded and installed the client on your computer, launch your SSH client and make the connection to the access point through it.
Chapter 12 Special Configurations

This chapter describes how to set up the access point in network roles other than as a root unit on a wired LAN. You can set up an access point as a repeater to extend the range of a wireless network, and you can use Hot Standby mode to use an access point as a backup unit in areas where you need extra reliability. Both configurations require two access points that support and rely upon each other.
Setting Up a Repeater Access Point

A repeater access point is not connected to the wired LAN; it is placed within radio range of an access point connected to the wired LAN to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication.
You can set up a chain of several repeater access points, but throughput for client devices at the end of the repeater chain will be quite low. Because each repeater must receive and then re-transmit each packet on the same channel, throughput is cut in half for each repeater you add to the chain. Omni-directional antennas, like the ones that ship with your access point, are best suited for repeater access points.
If the root access point settings have not been changed from the factory defaults, you don’t need to write them down. If you reconfigure the root access point, however, you must enter the same settings on the repeater access point.
Step 4 Place the repeater access point within radio range of the root access point.
Step 5 For a 340 series access point, plug one end of the power cord into the access point’s power connector.
Note Step 12 and Step 13 describe assigning a static IP address, subnet mask, and gateway to the repeater. However, you can rely on your DHCP server to assign these settings if you do not need them to remain fixed. If the repeater will use the DHCP server, skip to Step 14.
Step 12 On the Express Setup page, enter a fixed IP address for the repeater access point in the Default IP address field.
Using Hot Standby Mode

Hot Standby mode designates an access point as a backup for another access point. The standby access point is placed near the access point it monitors, configured exactly the same as the monitored access point. The standby access point associates with the monitored access point as a client and queries the monitored access point regularly through both the Ethernet and the radio.
Follow these steps to enable Hot Standby mode:
Step 1 Step 2 Step 3 On the standby access point, duplicate the settings that are entered on the monitored access point.
Step 7 Enter the number of seconds between each query the standby access point sends to the monitored access point.
Step 8 Enter the number of seconds the standby access point should wait for a response from the monitored access point before it assumes that the monitored access point has malfunctioned.
Step 9 Click Start Hot Standby Mode. The standby access point becomes a client device associated to the monitored access point.
Chapter 13 Diagnostics and Troubleshooting

This chapter describes the diagnostic pages in the management system and provides troubleshooting procedures for basic problems with the access point. For the most up-to-date, detailed troubleshooting information, refer to the Cisco TAC website at http://www.cisco.com/tac and select Wireless LAN under Top Issues.
Using Diagnostic Pages

The management system contains three diagnostic pages that provide detailed statistics and event records for the access point:
• The Network Diagnostics Page provides access to radio diagnostic tests and provides links to the VLAN Summary Status and SSID statistics pages for access point radios.
• The Network Ports Page lists statistics on data transmitted and received by the access point.
Follow this link path to reach the Network Diagnostics page:
1. On the Summary Status page or Setup page, click Diagnostics in the Network Ports row.
Carrier Test

The carrier test measures the amount of radio activity on each frequency available to the access point. Use the carrier test to determine the best frequency for the access point to use. When you conduct a carrier test, make sure all wireless networking devices within range of the access point are operating to make the test results reflect a realistic radio environment.
access point’s available frequencies are listed vertically across the bottom of the graph, from 2412 to 2462 GHz. The access point’s channel 1 is 2412 GHz, channel 2 is 2417 GHz, and so on up to channel 11, which is 2462 GHz. The bar graph on the right side of the window displays the amount of noise on each frequency. Noise is a measurement of the signal the radio receives when it is not receiving packets.
Clicking the Service Set Detailed Setup link at the top of the page takes you to the AP Radio Service Sets page, from which you can create, remove, or edit your SSID configuration.

Network Ports Page

The Network Ports page contains a table listing information for the access point’s Ethernet and radio ports. Figure 13-6 shows a Network Ports page example.
The Network Ports table is divided into three sections: identifying information and status, data received, and data transmitted. Each row in the table is described below.

Identifying Information and Status

• Name—Displays the name of the network interface port. An asterisk (*) next to the name identifies the port as the primary port for the access point. The port names are links to a detailed page for each port.
• Multicast pkts.—The number of packets received that were sent as a transmission to a set of nodes.
• Total bytes—The total number of bytes received.
• Errors—The number of packets determined to be in error.
• Discards—The number of packets discarded by the access point due to errors or network congestion.
• Forwardable pkts.—The number of packets received by the port that were acceptable or passable through the filters.
Ethernet Port Page

When you click Ethernet in the Network Ports table, the browser displays the Ethernet Port page. This page lists detailed statistics on the access point’s Ethernet port. Figure 13-7 shows an Ethernet Port page example.

Figure 13-7 Ethernet Port Page

Like the Network Ports page, the Ethernet Port page lists statistics in a table divided into sections.
Configuration Information

• The top row of the Configuration section of the table contains a Set Properties link that leads to the Ethernet Hardware page.
• Status of “fec0”—“Fast Ethernet Controller” is part of Motorola's naming convention for the Ethernet device used by the access point. This field displays one of the three possible operating states for the port.
• Carrier Sense Lost—The number of disconnects from the Ethernet network. Carrier sense lost events are usually caused by disconnected wiring.
• Late Collisions—Packet errors that probably were caused by over-long wiring problems. Late collisions could also indicate a failing NIC card.
• Overrun Packets—Ethernet packets that were discarded because the access point had a temporary overload of packets to handle.
AP Radio Page

When you click AP Radio in the Network Ports table, the browser displays the AP Radio Port page. This page lists detailed statistics on the access point’s radio. Figure 13-8 shows an AP Radio Port page example.

Figure 13-8 AP Radio Port Page

Like the Network Ports and Ethernet Port pages, the AP Radio Port page lists statistics in a table divided into sections. Each row in the table is explained below.
Configuration Information

• The top row of the Configuration section of the table contains a Set Properties link that leads to the AP Radio Hardware page. See the “Entering Radio Hardware Information” section on page 3-11 for details on the AP Radio Hardware page.
• Status of “awc0”—awc0 (Aironet Wireless Communications) is part of Cisco Aironet's naming convention for this radio.
• Discarded Packets—Packets discarded due to errors or network congestion.
• Forwardable Packets—Packets received by the port that were acceptable or passable through the filters.
• Filtered Packets—Packets that were stopped or screened by the filters set up on the port.
• Packet CRC Errors—Cyclic redundancy check (CRC) errors that were detected in a received packet.
• Canceled AID—Packets dropped by a repeater because it roamed to a different parent during a retransmission attempt.
• Lifetime Exceeded—Fragmented packets that were dropped because it took too long to deliver a fragment.
Event Log Page

The Event Log page lists access point events and provides links to the Event Display Setup and Event Log Summary pages. You can also open Station pages for devices listed in the event log. Figure 13-9 shows an Event Log page example.

Figure 13-9 Event Log Page

Click the Logs link at the top of any main management system page to reach the Event Log page.
• Additional Display Filters—A link to the Event Display Setup page, where you can change time and severity level settings.

Log Headings

The event log is divided into three columns:
• Time—The time the event occurred. The log records time as cumulative days, hours, and minutes since the access point was turned on, or as wall-clock time if a time server is specified or if the time has been manually set on the access point.
Event Log Summary Page

The Event Log Summary page lists the total number of events that occurred at each severity level. Figure 13-10 shows an Event Log Summary page example.

Figure 13-10 Event Log Summary Page

Click the Severity heading on the Event Log page to reach the Event Log Summary page.
Using Command-Line Diagnostics

You can view diagnostic information about your access point with diagnostic commands. Enter the commands in the command-line interface (CLI) to display the information. You can open the CLI with Telnet or with a terminal emulator through the access point’s serial port. Table 13-1 lists the access point’s diagnostic commands.
Note The :eap_diag1_on and :eap_diag2_on EAP diagnostic commands are available in firmware versions 11.08 and later. The :vxdiag_arpshow, hostshow, ipstatshow, muxshow, routeshow, tcpstatshow, and udpstatshow commands are available in firmware version 11.11T. You can download the latest access point firmware version on Cisco.com at http://www.cisco.com/public/sw-center/sw-wireless.shtml.
Diagnostic Command Results

This section describes the information displayed on the CLI for the diagnostic commands listed in Table 13-1.

:eap_diag1_on

Use the :eap_diag1_on command to display authentication progress for client devices authenticating through the access point.
:eap_diag2_on

Use the :eap_diag2_on command to display the packet contents of each authentication step for client devices authenticating through the access point. The packet contents for one authentication step might look like this example:

EAP: Sending Identity Request
00c15730: 01 00 00 28 01 21 00 28 01 00 6e 65 74 77 6f 72 *...(.!.(..
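As an added example (not part of the Cisco guide), the following Python code decodes the 16 bytes visible in the :eap_diag2_on sample above and reports how much of the frame the excerpt leaves out. Reading the bytes as a 4-byte 802.1X EAPOL header followed by an EAP header is an assumption that the two matching length fields support; the function names are hypothetical.

```python
import re
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method numbers, including the methods this guide names
# (Cisco Aironet LEAP, EAP-TLS, EAP-MD5).
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak",
             4: "MD5-Challenge", 13: "EAP-TLS", 17: "LEAP"}

# "address: hh hh hh ..." optionally followed by an ASCII column.
DUMP_LINE = re.compile(r"\s*[0-9a-fA-F]{6,}:((?:\s+[0-9a-fA-F]{2}\b)+)")

# Constructed input: the label line and the 16 bytes visible in the sample
# above. The rest of the frame is not shown on the page.
SAMPLE_TRACE = """EAP: Sending Identity Request
00c15730: 01 00 00 28 01 21 00 28 01 00 6e 65 74 77 6f 72
"""


def dump_to_bytes(trace):
    """Collect the hex columns of every dump line; other lines are skipped."""
    out = bytearray()
    for line in trace.splitlines():
        match = DUMP_LINE.match(line)
        if match:
            out += bytes.fromhex("".join(match.group(1).split()))
    return bytes(out)


def parse_eapol(frame):
    """Decode the EAPOL header and, for EAP packets, the EAP header.

    'missing' is the number of body bytes the EAPOL length field promises
    but the capture does not contain (non-zero for a truncated dump).
    """
    if len(frame) < 4:
        raise ValueError("need at least the 4-byte EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    info = {
        "eapol_version": version,
        "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
        "eapol_length": body_len,
        "missing": body_len - len(body),
    }
    if ptype != 0 or len(body) < 4:
        return info                      # not an EAP packet, or too short to decode

    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    info.update(
        eap_code=EAP_CODES.get(code, f"unknown({code})"),
        eap_id=ident,
        eap_length=eap_len,
        length_ok=(eap_len == body_len),  # the two length fields should agree
    )
    # Only Request and Response packets carry a method type and type data.
    if code in (1, 2) and len(body) >= 5:
        info["eap_type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
        info["type_data"] = body[5:eap_len]
    return info


if __name__ == "__main__":
    for key, value in parse_eapol(dump_to_bytes(SAMPLE_TRACE)).items():
        print(f"{key:14} {value!r}")
```

Because :eap_diag2_on prints whole packets, identities carried in EAP Identity responses appear in the trace, so captured output deserves the same handling as other authentication logs.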
• Flags—see Table 13-2 for a list of flags

Table 13-2 Flag Definitions

Flag Value   Definition
0x1          Route is usable.
0x2          Destination is a gateway.
0x4          Host of specific routing entry.
0x8          Host or net is unreachable.
0x10         Created dynamically (by redirect).
0x20         Modified dynamically (by redirect).
0x40         Message confirmed.
0x80         Subnet mask is present.
0x100        Generate new routes on use.
Follow the steps in the “Entering Diagnostic Commands” section on page 13-20 to open the CLI and enter the :vxdiag_arpshow command.

:vxdiag_checkstack

Use the :vxdiag_checkstack command to display a summary of the stack activity for each access point task.
:vxdiag_hostshow

Use the :vxdiag_hostshow command to display remote hosts and their IP addresses and aliases. The remote host information might look like this example:

Clock: 96470 sec hostname -------localhost 10.84.139.161 10.84.139.136 10.84.139.138 10.84.139.167 10.84.139.160 10.84.139.137 AP_North.cisco.com 10.84.139.164 10.84.139.169 10.84.139.
:vxdiag_i

Use the :vxdiag_i command to display a list of current tasks on the access point.
• Delay—delay interval in system clock-ticks (1/52 second) that must elapse before the task runs

Follow the steps in the “Entering Diagnostic Commands” section on page 13-20 to open the CLI and enter the :vxdiag_i command.

:vxdiag_ipstatshow

Use the :vxdiag_ipstatshow command to display IP statistics for the access point.
• Fragdropped—number of fragmented packets received that were dropped
• Fragtimeout—number of fragmented packets received that timed out
• Forward—number of packets forwarded
• Cantforward—number of packets received for an unreachable destination
• Redirectsent—number of packets forwarded in the same subnet
• Unknownprotocol—number of packets received with unknown protocol information
• Nobuffers—number of packets drop
• avg block—the average block size; simply put, the number in the bytes column divided by the number in the blocks column
• max block—the maximum contiguous memory block available

Follow the steps in the “Entering Diagnostic Commands” section on page 13-20 to open the CLI and enter the :vxdiag_memshow command.

:vxdiag_muxshow

Use the :vxdiag_muxshow command to display all the networking protocols installed on the access point.
:vxdiag_routeshow

Use the :vxdiag_routeshow command to display current routing information for the access point. The routing information might look like the following example:

ROUTE NET TABLE
destination gateway flags Refcnt Use Interface
---------------------------------------------------------------------
0.0.0.0 10.84.139.129 3 1 1932 emac0
10.84.139.128 10.84.139.
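The flags column in this output is a bitmask of the values in Table 13-2, and the two redirect bits are the ones worth watching when auditing a route table. The following Python is an added example, not part of the Cisco guide: it assumes the flags column is printed in hexadecimal without a prefix, the function names are hypothetical, and the second sample row is constructed.

```python
# Flag bits as listed in Table 13-2 (the table is cut off after 0x100 on the page).
ROUTE_FLAGS = {
    0x1: "Route is usable",
    0x2: "Destination is a gateway",
    0x4: "Host of specific routing entry",
    0x8: "Host or net is unreachable",
    0x10: "Created dynamically (by redirect)",
    0x20: "Modified dynamically (by redirect)",
    0x40: "Message confirmed",
    0x80: "Subnet mask is present",
    0x100: "Generate new routes on use",
}
REDIRECT_BITS = 0x10 | 0x20

# Row 1 is the complete row from the guide's example; row 2 is constructed
# (documentation address range) to show a route installed by a redirect.
SAMPLE = """\
ROUTE NET TABLE
destination gateway flags Refcnt Use Interface
---------------------------------------------------------------------
0.0.0.0 10.84.139.129 3 1 1932 emac0
192.0.2.77 192.0.2.1 17 0 12 emac0
"""


def decode_flags(value):
    """Return the Table 13-2 definitions for every bit set in value."""
    names = [name for bit, name in ROUTE_FLAGS.items() if value & bit]
    unknown = value & ~sum(ROUTE_FLAGS)
    if unknown:
        names.append(f"unknown bits 0x{unknown:x}")
    return names


def parse_routes(text):
    """Parse route rows, skipping titles, column headers and rulers."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        try:
            flags = int(fields[2], 16)  # assumption: hex without a 0x prefix
            refcnt, use = int(fields[3]), int(fields[4])
        except ValueError:
            continue  # the column-header row lands here
        routes.append({"destination": fields[0], "gateway": fields[1],
                       "flags": flags, "refcnt": refcnt, "use": use,
                       "interface": fields[5]})
    return routes


def redirect_routes(text):
    """Routes that were created or modified dynamically by a redirect."""
    return [r for r in parse_routes(text) if r["flags"] & REDIRECT_BITS]


if __name__ == "__main__":
    for route in parse_routes(SAMPLE):
        print(route["destination"], "->", "; ".join(decode_flags(route["flags"])))
    for route in redirect_routes(SAMPLE):
        print("review:", route["destination"], "via", route["gateway"])
```
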
:vxdiag_tcpstatshow

Use the :vxdiag_tcpstatshow command to display Transmission Control Protocol (TCP) statistics for the access point.
:vxdiag_udpstatshow

Use the :vxdiag_udpstatshow command to display User Datagram Protocol (UDP) statistics for the access point.
Tracing Packets

a packet trace log file. Use the instructions in the “Tracing Packets for Specific Devices” section on page 13-33 and the “Tracing Packets for Ethernet and Radio Ports” section on page 13-34 to select devices and ports to be traced.
Step 2 Find the wireless device for which you want to trace packets and click the device’s MAC address. The device’s Station page appears.

Step 3 On the device’s Station page, click the alert checkbox in the To Station header to trace packets sent to the device. Click the alert checkbox in the From Station header to trace packets the device sends.

Note Copying packets into access point memory slows the access point’s performance.

Step 4
Step 2 To trace packets sent or received through the access point’s Ethernet port, click Ethernet in the yellow header row. To trace packets sent or received through the access point’s radio port, click AP Radio in the yellow header row. The Ethernet Port or AP Radio Port page appears.

Step 3 Click the alert checkbox in the Receive header to trace packets received through the Ethernet or radio port.
Packets Stored in a Log File

Follow these steps to view traced packets stored in a log file:

Step 1 Browse to the Event Handling Setup page. Follow this link path to the Event Handling Setup page:
a. On the Summary Status page, click Setup.
b. On the Setup page, click Event Handling under Event Log.

Step 2 Click Headers Only to view only the packet headers; click All Data to view all the collected packet information.
00 4a 40 81 00 40 96 36 14 5a 00 01 64 43 ef 41 01 7f 00 04 5f 00 00 40 96 40 6f e6 00 00 00 00 00 00 00 00 00 00 0a 54 8b a4 00 00 44 57 49 4c 4c 2d 49 42 4d 2d 57 32 4b 00 00 00 00 00 00 00 00 00 |.J@..@.6.Z..dC.A..._..@.@o............T....JCOOL-IBM-W2K.........
Checking the Top Panel Indicators

[Figure 13-12 Indicator Lights on Access Point with Metal Case: Ethernet, Status, and Radio indicators]

• The Ethernet indicator signals traffic on the wired LAN, or Ethernet infrastructure. This indicator blinks green when a packet is received or transmitted over the Ethernet infrastructure.
Table 13-3 Top Panel Indicator Signals

Message type | Ethernet indicator | Status indicator | Radio indicator | Meaning
Association status | – | Steady green | – | At least one wireless client device is associated with the unit.
Association status | – | Blinking green | – | No client devices are associated; check the unit’s SSID and WEP settings.
Operational | – | Steady green | Blinking green | Transmitting/receiving radio packets.
Error/warning
Finding an Access Point by Blinking the Top Panel Indicators

If you need to find the physical location of a particular access point, you can put the top panel indicators into blinking mode. Follow these instructions to blink the access point’s top panel indicators:

Step 1 Browse to the access point’s Cisco Services Setup page:
a. On the Summary Status page, click Setup.
b. On the Setup page, click Cisco Services.
Checking Basic Settings

the transmit key, you must also set WEP Key 3 on the access point to exactly the same value. The access point does not need to use Key 3 as its transmit key, however.

Note If you use Network-EAP as the authentication type, you must select key 1 as the access point’s transmit key. The access point uses the WEP key you enter in key slot 1 to encrypt multicast data signals it sends to EAP-enabled client devices.
Table 13-4 802.1X Protocol Drafts and Compliant Client Firmware

Firmware Version | Draft 7 | Draft 8 | Draft 10
PC/PCI cards 4.13 | — | x | —
PC/PCI cards 4.16 | — | x | —
PC/PCI cards 4.23 | — | x | —
PC/PCI cards 4.25 and later | — | — | x
WGB34x/352 8.58 | — | x | —
WGB34x/352 8.61 or later | — | — | x
AP34x/35x 11.05 and earlier | — | x | —
AP34x/35x 11.06 and later | — | x | x
BR352 11.06 and later | — | x | x

1 1 1.
Step 2 Use the 802.1X Protocol Version (for EAP authentication) pull-down menu to select the draft of the 802.1X protocol the access point’s radio should use. Menu options include:

• Draft 7—No radio firmware versions compliant with Draft 7 have LEAP capability, so you should not need to select this setting.

Step 3
Resetting to the Default Configuration

Step 1 Use a straight-through cable with 9-pin male to 9-pin female connectors to connect the COM 1 or COM 2 port on your computer to the RS-232 port on the access point.

Step 2 Open a terminal-emulation program on your computer.

Note These instructions describe HyperTerminal; other programs are similar.

Step 3 In the Connection Description window, enter a name and select an icon for the connection and click OK.
Steps for Firmware Versions 11.06 or Earlier

Follow the steps in this section if your access point is running firmware version 11.06 or earlier.

Note The following steps reset all configuration settings to factory defaults, including passwords, WEP keys, the IP address, and the SSID.
Step 5 If your boot block version is 1.01 or earlier, follow the instructions in the “Reconfiguration Steps for Boot Block Version 1.01 or Earlier” section on page 13-46. If your boot block version is 1.02 or later, follow the instructions in the “Reconfiguration Steps for Boot Block Version 1.02 or Later” section on page 13-48.

Reconfiguration Steps for Boot Block Version 1.
Step 7 When the Summary Status screen appears, reboot the access point by unplugging the power connector and then plugging it back in, or by pressing Ctrl-X.

Step 8 When the message “Type within 5 seconds for menu” appears, press Esc.

Step 9 Write down the list of files for future reference.
Step 15 Run the access point firmware by pressing r to select Run, then the selection letter for the firmware file which is displayed. The message “Inflating [firmware file name]” appears while the access point starts the firmware.

Step 16 When the Express Setup screen appears, begin reconfiguring the access point using the terminal emulator or an Internet browser.

Reconfiguration Steps for Boot Block Version 1.
Step 7 When the Summary Status screen appears, reboot the access point by pressing Ctrl-X or by unplugging the power connector and then plugging it back in.

Step 8 When the memory files are listed under the heading “Memory:File,” press Ctrl-W within 5 seconds to reach the boot block menu.

Step 9 Write down the list of files for future reference.
Step 13 Copy the installation key back to the configuration memory bank by pressing c to select Copy file, then 2 to select Config, then the selection letter for the file AP Installation Key.

Step 14 If you copied a VAR installation key to DRAM in Step 11, copy it back to the configuration memory bank by pressing c to select Copy file, then 2 to select Config, then the selection letter for the file VAR Installation Key.
APPENDIX A
Menu Tree

This section provides a menu tree for the Access Point management pages. The pages are organized the same way for all interfaces. Submenus are indicated as subordinate levels. Information inside parentheses is the title of the page to which the selected menu option directs you. Figures A-1 through A-6 show the organization for the management system’s home page (Summary Status) and sub-pages.
Figure A-2 Summary Status Map Menu Tree

[Help] > (Help)
[Network Map] > (Network map)
Summary Status > (Summary Status)
Association > (Association Table)
Event Logs > (Event Log)
Network Ports > (Network Ports)
Setup > (Setup)

Figure A-3 Summary Status Network Menu Tree

Summary Status Network > (Network Ports)
Ethernet > (Ethernet Port)
Set Properties > (Ethernet Hardware)

Figure A-4 Summary Status Associations Menu Tree

Summary Status Associations > (Association Table)
Netwo
Associations Section
Display Defaults > (Association Table Filters)
Address Filters > (Address Filters)
Authentication Server > (Authenticator Configuration)
Protocol Filters > (Protocol Filters Setup)
Ethertype Filters > (Ethertype Protocol.
Current Version of Web Pages Current Version of Radio Firmware Selectively Update Firmware From File Server > (Update Firmware.
Radio Data Encryption (WEP) > (AP Radio Data Encryption)
VLAN Setup (VLAN Setup)
AP Radio Hardware > (AP Radio Hardware)
Service Set ID (SSID) more > (AP Radio Service Sets)
Restrict Searched Channels > (AP Radio Restrict Searched Channels)
VLAN Setup (VLAN Setup)
Radio Data Encryption (WEP) > (AP Radio Data Encryption)
VLAN Setup (VLAN Setup)
AP Radio Filters > (AP Radio Protocol Filters)
Ethertype > (Ethertype Protocol Filters)
IP Protocol > (IP Protocol Filters)
IP Port > (IP Port
APPENDIX B
Protocol Filter Lists

The tables in this appendix list the protocols available on the Protocol Filters pages described in the “Protocol Filtering” section on page 5-2.
Table B-1 Protocols on the Ethertype Filters Page

Protocol | Additional Identifier | ISO Designator
ARP | — | 0x0806
RARP | — | 0x8035
IP | — | 0x0800
Berkeley Trailer Negotiation | — | 0x1000
LAN Test | — | 0x0708
X.25 Level3 | X.25 | 0x0805
Banyan | — | 0x0BAD
CDP | — | 0x2000
DEC XNS | XNS | 0x6000
DEC MOP Dump/Load | — | 0x6001
DEC MOP | MOP | 0x6002
DEC LAT | LAT | 0x6004
Ethertalk | — | 0x809B
Appletalk ARP | Appletalk AARP | 0x80F3
IPX 802.2 | — | 0x00E0
IPX 802.
Table B-2 Protocols on the IP Protocol Filters Page

Protocol | Additional Identifier | ISO Designator
dummy | — | 0
Internet Control Message Protocol | ICMP | 1
Internet Group Management Protocol | IGMP | 2
Transmission Control Protocol | TCP | 6
Exterior Gateway Protocol | EGP | 8
PUP | — | 12
CHAOS | — | 16
User Datagram Protocol | UDP | 17
XNS-IDP | IDP | 22
ISO-TP4 | TP4 | 29
ISO-CNLP | CNLP | 80
Banyan VINES | VINES | 83
Encapsulation Header | encap_hdr | 98
Spectralink Voice Prot
Table B-3 Protocols on the IP Port Protocol Filters Page

Protocol | Additional Identifier | ISO Designator
TCP port service multiplexer | tcpmux | 1
echo | — | 7
discard (9) | — | 9
systat (11) | — | 11
daytime (13) | — | 13
netstat (15) | — | 15
Quote of the Day | qotd quote | 17
Message Send Protocol | msp | 18
ttytst source | chargen | 19
FTP Data | ftp-data | 20
FTP Control (21) | ftp | 21
Secure Shell (22) | ssh | 22
Telnet | — | 23
Simple Mail Transport Protocol | SMTP mail | 25
t
Table B-3 Protocols on the IP Port Protocol Filters Page (continued)

Protocol | Additional Identifier | ISO Designator
gopher | — | 70
rje | netrjs | 77
finger | — | 79
Hypertext Transport Protocol | HTTP www | 80
ttylink | link | 87
Kerberos v5 | Kerberos krb5 | 88
supdup | — | 95
hostname | hostnames | 101
TSAP | iso-tsap | 102
CSO Name Server | cso-ns csnet-ns | 105
Remote Telnet | rtelnet | 107
Postoffice v2 | POP2 POP v2 | 109
Postoffice v3 | POP3 POP v3 | 110
Sun RPC | sunrpc | 111
Table B-3 Protocols on the IP Port Protocol Filters Page (continued)

Protocol | Additional Identifier | ISO Designator
NETBIOS Name Service | netbios-ns | 137
NETBIOS Datagram Service | netbios-dgm | 138
NETBIOS Session Service | netbios-ssn | 139
Interim Mail Access Protocol v2 | Interim Mail Access Protocol IMAP2 | 143
Simple Network Management Protocol | SNMP | 161
SNMP Traps | snmp-trap | 162
ISO CMIP Management Over IP | CMIP Management Over IP cmip-man CMOT | 163
ISO CMIP Agent
Table B-3 Protocols on the IP Port Protocol Filters Page (continued)

Protocol | Additional Identifier | ISO Designator
Interactive Mail Access Protocol v3 | imap3 | 220
Unix Listserv | ulistserv | 372
syslog | — | 514
Unix spooler | spooler | 515
talk | — | 517
ntalk | — | 518
route | RIP | 520
timeserver | timed | 525
newdate | tempo | 526
courier | RPC | 530
conference | chat | 531
netnews | — | 532
netwall | wall | 533
UUCP Daemon | UUCP uucpd | 540
Kerberos rlogin | klogin | 543
Kerbe
Table B-3 Protocols on the IP Port Protocol Filters Page (continued)

Protocol | Additional Identifier | ISO Designator
Concurrent Versions System | CVS | 2401
Cisco IAPP | — | 2887
Radio Free Ethernet | RFE | 5002
APPENDIX C
Channels, Power Levels, and Antenna Gains

This appendix lists the channels supported by the world's regulatory domains as well as the maximum power levels and antenna gains allowed per domain.
Channels

The channel identifiers, channel center frequencies, and regulatory domains of each 22-MHz-wide channel are shown in Table C-1.
Maximum Power Levels and Antenna Gains

An improper combination of power level and antenna gain can result in equivalent isotropic radiated power (EIRP) above the amount allowed per regulatory domain. Table C-2 indicates the maximum power levels and antenna gains allowed for each regulatory domain.
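Table C-2 Maximum Power Levels Per Antenna Gain (continued)

Regulatory Domain | Antenna Gain (dBi) | Maximum Power Level (mW)
-I Channel Set (100 mW EIRP maximum) | 0 | 100
-I Channel Set (100 mW EIRP maximum) | 2.2 | 50
-I Channel Set (100 mW EIRP maximum) | 5.2 | 30
-I Channel Set (100 mW EIRP maximum) | 6 | 30
-I Channel Set (100 mW EIRP maximum) | 8.5 | 5
-I Channel Set (100 mW EIRP maximum) | 12 | 5
-I Channel Set (100 mW EIRP maximum) | 13.5 | 5
-I Channel Set (100 mW EIRP maximum) | 21 | 1
-C Channel Set (10 mW EIRP maximum) | 0 | 5
-C Channel Set (10 mW EIRP maximum) | 2.2 | 5
-C Channel Set (10 mW EIRP maximum) | 5.2 | n/a
-C Channel Set (10 mW EIRP maximum) | 6 | n/a
-C Channel Set (10 mW EIRP maximum) | 8.5 | n/a
-C Channel Set (10 mW EIRP maximum) | 12 | n/a
-C Channel Set (10 mW EIRP maximum) | 13.5 | n/a
-C Channel Set (10 mW EIRP maximum) | 21 | n/a
-J Channel Set (10 mW/MHz EIRP maximum) | 0 | 50
-J Channel Set (10 mW/MHz EIRP maximum) | 2.2 | 30
-J Channel Set (10 mW/MHz EIRP maximum) | 5.2 | 30
-J Channel Set (10 mW/MHz EIRP maximum) | 6 | 30
-J Channel Set (10 mW/MHz EIRP maximum) | 8.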