Cisco Wireless LAN Controller Configuration Guide
Software Release 4.2
October 2007

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Cisco Wireless LAN Controller Configuration Guide, OL-13826-01
Preface

This preface provides an overview of the Cisco Wireless LAN Controller Configuration Guide, Release 4.2, references related publications, and explains how to obtain other documentation and technical assistance, if necessary.

Audience

This guide describes Cisco Wireless LAN Controllers and Cisco Lightweight Access Points. It is for the networking professional who installs and manages these devices. To use this guide, you should be familiar with the concepts and terminology of wireless LANs.

Purpose

This guide provides the information you need to set up and configure wireless LAN controllers.

Appendix A, “Safety Considerations and Translated Safety Warnings,” lists safety considerations and translations of the safety warnings that apply to the Cisco Unified Wireless Network Solution products.

Appendix B, “Declarations of Conformity and Regulatory Information,” provides declarations of conformity and regulatory information for the products in the Cisco Unified Wireless Network Solution.

Conventions

Warning: This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. (To see translations of the warnings that appear in this publication, refer to the appendix “Translated Safety Warnings.”)

Obtaining Documentation, Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.
Chapter 1  Overview

This chapter describes the controller components and features.

Cisco Unified Wireless Network Solution Overview

The Cisco Unified Wireless Network (Cisco UWN) Solution is designed to provide 802.11 wireless networking solutions for enterprises and service providers. The Cisco UWN Solution simplifies deploying and managing large-scale wireless LANs and enables a unique best-in-class security infrastructure.

Figure 1-1  Cisco UWN Solution Components

Single-Controller Deployments

A standalone controller can support lightweight access points across multiple floors and buildings simultaneously, and supports the following features:
• Autodetecting and autoconfiguring lightweight access points as they are added to the network.
• Full control of lightweight access points.

Figure 1-2  Single-Controller Deployment

Multiple-Controller Deployments

Each controller can support lightweight access points across multiple floors and buildings simultaneously. However, full functionality of the Cisco Wireless LAN Solution is realized when it includes multiple controllers.

Figure 1-3  Typical Multi-Controller Deployment

Operating System Software

The operating system software controls Cisco Wireless LAN Controllers and Cisco 1000 Series Lightweight Access Points. It includes full operating system security and Radio Resource Management (RRM) features.

• RSN with or without pre-shared key.
• Cranite FIPS 140-2 compliant passthrough.
• Optional MAC filtering.

The WEP problem can be further solved using industry-standard Layer 3 security solutions, such as:
• Passthrough VPNs

• The Cisco Wireless LAN Solution supports local and RADIUS MAC address filtering.
• The Cisco Wireless LAN Solution supports local and RADIUS user/password authentication.

Operational Requirements

The requirement for Layer 2 LWAPP communications is that the Cisco Wireless LAN Controller and Cisco 1000 series lightweight access points must be connected to each other through Layer 2 devices on the same subnet. This is the default operational mode for the Cisco Wireless LAN Solution.

Primary, Secondary, and Tertiary Controllers

In multiple-controller networks, lightweight access points can associate with any controller on the same subnet. To ensure that each access point associates with a particular controller, the operator can assign primary, secondary, and tertiary controllers to the access point.

Cisco 2000 and 2100 Series Controllers

The Cisco 2000 and 2100 Series Wireless LAN Controllers work in conjunction with Cisco lightweight access points and the Cisco Wireless Control System (WCS) to provide system-wide wireless LAN functions. Each 2000 and 2100 series controller controls up to six lightweight access points for multi-controller architectures typical of enterprise branch deployments.

Cisco 4400 Series Controllers

The Cisco 4400 Series Wireless LAN Controller is available in two models: 4402 and 4404. The 4402 supports up to 50 lightweight access points while the 4404 supports up to 100, making it ideal for large-sized enterprises and large-density applications.
http://www.cisco.com/en/US/docs/wireless/technology/wism/installation/note/78_17121.html

Cisco 7600 Series Router Wireless Services Module

The Cisco 7600 Series Router Wireless Services Module (WiSM) is an integrated Cisco 7600 router and two Cisco 4404 controllers that supports up to 300 lightweight access points. The router has eight internal Gigabit Ethernet ports that connect the router and the controller.

You can find these documents at this URL: http://www.cisco.com/en/US/products/hw/wireless/index.html

Note: The controller network module does not support port mirroring.

Note: The Cisco 2801 Integrated Services Router does not support the controller network module.

Catalyst 3750G Integrated Wireless LAN Controller Switch

The Catalyst 3750G Integrated Wireless LAN Controller Switch is an integrated Catalyst 3750 switch and Cisco 4400 series controller that supports up to 25 or 50 lightweight access points. The switch has two internal Gigabit Ethernet ports that connect the switch and the controller. The switch and the internal controller run separate software versions, which must be upgraded separately.

Cisco UWN Solution WLANs

The Cisco UWN Solution can control up to 16 WLANs for lightweight access points. Each WLAN has a separate WLAN ID (1 through 16), a separate WLAN SSID (WLAN name), and can be assigned unique security policies. Using software release 3.2 and later, you can configure both static and dynamic WEP on the same WLAN. The lightweight access points broadcast all active Cisco UWN Solution WLAN SSIDs and enforce the policies defined for each WLAN.

Also note that the operating system only moves clients from the default Cisco UWN Solution WLAN VLAN to a different VLAN when configured for MAC filtering, 802.1X, and/or WPA Layer 2 authentication. To configure WLANs, refer to Chapter 6.

Enhanced Integration with Cisco Secure ACS

The identity-based networking feature uses authentication, authorization, and accounting (AAA) override. When the following vendor-specific attributes are present in the RADIUS access accept message, the values override those present in the wireless LAN profile:
• QoS level
• 802.

When you are using PoE, the installer runs a single CAT-5 cable from each lightweight access point to PoE-equipped network elements, such as a PoE power hub or a Cisco WLAN Solution Single-Line PoE Injector. When the PoE equipment determines that the lightweight access point is PoE-enabled, it sends 48 VDC over the unused pairs in the Ethernet cable to power the lightweight access point.

Cisco Wireless LAN Controller Memory

The controller contains two kinds of memory: volatile RAM, which holds the current, active controller configuration, and NVRAM (non-volatile RAM), which holds the reboot configuration. When you are configuring the operating system in the controller, you are modifying volatile RAM; you must save the configuration from the volatile RAM to the NVRAM to ensure that the controller reboots in the current configuration.

This means that when sufficient controllers are deployed, should one controller fail, active access point client sessions are momentarily dropped while the dropped access point associates with an unused port on another controller, allowing the client device to immediately reassociate and reauthenticate.

Network Connections to Cisco Wireless LAN Controllers

Regardless of operating mode, all controllers use the network as an 802.

Figure 1-4  Physical Network Connections to the 2000 and 2100 Series Controller

Cisco 4400 Series Wireless LAN Controllers

Cisco 4400 series controllers can communicate with the network through one or two pairs of physical data ports, and the logical management interface can be assigned to the ports.

Figure 1-5  Physical Network Connections to 4402 and 4404 Series Controllers

Rogue Access Points

Because they are inexpensive and readily available, employees sometimes plug unauthorized rogue access points into existing LANs and build ad hoc wireless networks without IT department knowledge or consent. These rogue access points can be a serious breach of network security because they can be plugged into a network port behind the corporate firewall.

• Contain rogue access points by sending their clients deauthenticate and disassociate messages from one to four lightweight access points. This containment can be done for individual rogue access points by MAC address, or can be mandated for all rogue access points connected to the enterprise subnet.
• Tag rogue access points:
  – Acknowledge rogue access points when they are outside of the LAN and do not compromise the LAN or wireless LAN security.
Chapter 2  Using the Web-Browser and CLI Interfaces

This chapter describes the web-browser and CLI interfaces that you use to configure the controller.

Using the Web-Browser Interface

The web-browser interface (hereafter called the GUI) is built into each controller. It allows up to five users to simultaneously browse into the controller HTTP or HTTPS (HTTP + SSL) management pages to configure parameters and monitor operational status for the controller and its associated access points.

Using the GUI to Enable Web and Secure Web Modes

Follow these steps to enable web mode, secure web mode, or both using the controller GUI.

Step 1  Click Management > HTTP to open the HTTP Configuration page (see Figure 2-1).

Figure 2-1  HTTP Configuration Page

Step 2  To enable web mode, which allows users to access the controller GUI using “http://ip-address,” choose Enabled from the HTTP Access drop-down box.

Using the CLI to Enable Web and Secure Web Modes

Follow these steps to enable web mode, secure web mode, or both using the controller CLI.

Step 1  To enable or disable web mode, enter this command:

    config network webmode {enable | disable}

This command allows users to access the controller GUI using “http://ip-address.” The default value is disabled. Web mode is not a secure connection.

Loading an Externally Generated SSL Certificate

You can use a TFTP server to download an externally generated SSL certificate to the controller. Follow these guidelines for using TFTP:
• If you load the certificate through the service port, the TFTP server must be on the same subnet as the controller because the service port is not routable, or you must create static routes on the controller.

Step 6  In the Certificate File Name field, enter the name of the certificate (webadmincert_name.pem).
Step 7  (Optional) In the Certificate Password field, enter a password to encrypt the certificate.
Step 8  Click Apply to commit your changes.
Step 9  Click Save Configuration to save your changes.
Step 10  To reboot the controller for your changes to take effect, click Commands > Reboot > Reboot > Save and Reboot.

Information similar to the following appears:

    Mode...........................................
    Data Type......................................
    TFTP Server IP.................................
    TFTP Path......................................
    TFTP Filename..................................
    Are you sure you want to start? (y/n) y
    TFTP Webadmin cert transfer starting.
    Certificate installed.

Follow these steps to log into the CLI through the serial port.

Step 1  Connect your computer to the controller using the DB-9 null-modem serial cable.
Step 2  Open a terminal emulator session using these settings:
• 9600 baud
• 8 data bits
• 1 stop bit
• No parity
• No hardware flow control
Step 3  At the prompt, log into the CLI. The default username is admin, and the default password is admin.

Navigating the CLI

The CLI is organized around five levels:
  Root Level
  Level 2
  Level 3
  Level 4
  Level 5

When you log into the CLI, you are at the root level. From the root level, you can enter any full command without first navigating to the correct command level. Table 2-1 lists commands you use to navigate the CLI and to perform common tasks.

Tip: To use the controller GUI to enable wireless connections, click Management > Mgmt Via Wireless to open the Mgmt Via Wireless page, and check the Enable Controller Management to be accessible from Wireless Clients check box.
Chapter 3  Configuring Ports and Interfaces

This chapter describes the controller’s physical ports and interfaces and provides instructions for configuring them.

Overview of Ports and Interfaces

Three concepts are key to understanding how controllers connect to a wireless network: ports, interfaces, and WLANs.

Ports

A port is a physical entity that is used for connections on the controller platform. Controllers have two types of ports: distribution system ports and a service port. The following figures show the ports available on each controller.

Note: Figure 3-3 shows a Cisco 4404 controller. The Cisco 4402 controller is similar but has only two distribution system ports. The utility port, which is the unlabeled port in Figure 3-3, is currently not operational.

Distribution System Ports

A distribution system port connects the controller to a neighbor switch and serves as the data path between these two devices.
• Cisco 2000 series controllers have four 10/100 copper Ethernet distribution system ports through which the controller can support up to six access points.

Note: Refer to the “Configuring a 4400 Series Controller to Support More Than 48 Access Points” section on page 3-35 if you want to configure your Cisco 4400 series controller to support more than 48 access points.

Each distribution system port is, by default, an 802.1Q VLAN trunk port. The VLAN trunking characteristics of the port are not configurable.

Each interface is mapped to at least one primary port, and some interfaces (management and dynamic) can be mapped to an optional secondary (or backup) port. If the primary port for an interface fails, the interface automatically moves to the backup port. In addition, multiple interfaces can be mapped to a single controller port.

Note: If LAG is enabled, there can be only one AP-manager interface. But when LAG is disabled, you must assign an AP-manager interface to each port on the controller.

Note: If only one distribution system port can be used, you should use distribution system port 1.

Service-Port Interface

The service-port interface controls communications through the service port and is statically mapped by the system to that port. It must have an IP address on a different supernet from the management, AP-manager, and any dynamic interfaces, and it cannot be mapped to a backup port. This configuration enables you to manage the controller directly or through a dedicated operating system network, such as 10.1.2.

Figure 3-5 illustrates the relationship between ports, interfaces, and WLANs.

Figure 3-5  Ports, Interfaces, and WLANs

As shown in Figure 3-5, each controller port connection is an 802.1Q trunk and should be configured as such on the neighbor switch. On Cisco switches, the native VLAN of an 802.1Q trunk is an untagged VLAN.

Cisco recommends that only tagged VLANs be used on the controller. You should also allow only relevant VLANs on the neighbor switch’s 802.1Q trunk connections to controller ports. All other VLANs should be disallowed or pruned in the switch port trunk configuration. This practice is extremely important for optimal performance of the controller.
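The rules in this section and the ones before it (service-port address space separate from the other interfaces, backup ports only on management and dynamic interfaces, tagged VLANs only and never the trunk's native VLAN, trunk pruned to the VLANs the controller uses, one AP-manager per port when LAG is disabled) can be checked before a layout is typed into the controller. The following Python script is an added example, not part of this guide and not Cisco code: the Interface and Plan fields are assumptions made for the illustration, and both sample plans are constructed.

```python
"""Check a planned controller port/interface/VLAN layout against the rules in
this chapter. Added example, not Cisco code: the Interface and Plan fields are
assumptions, and the two sample plans are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Interface
from typing import List, Optional, Set

# Only the management and dynamic interfaces may have a backup port.
BACKUP_ALLOWED = {"management", "dynamic"}


@dataclass
class Interface:
    name: str
    kind: str                    # management | ap-manager | dynamic | service-port
    address: IPv4Interface       # address with prefix, e.g. 10.10.10.5/24
    vlan: int = 0                # 0 means untagged
    primary_port: Optional[int] = None
    backup_port: Optional[int] = None


@dataclass
class Plan:
    interfaces: List[Interface]
    ports: List[int]             # distribution system ports on the controller
    lag_enabled: bool
    switch_native_vlan: int      # the neighbor trunk's native (untagged) VLAN
    switch_allowed_vlans: Set[int]


def validate(plan: Plan) -> List[str]:
    """Return one finding per rule violation; an empty list means the plan is clean."""
    findings: List[str] = []
    service = [i for i in plan.interfaces if i.kind == "service-port"]
    data = [i for i in plan.interfaces if i.kind != "service-port"]

    # Service-port interface: its network must not overlap any other interface.
    for s in service:
        for d in data:
            if s.address.network.overlaps(d.address.network):
                findings.append(f"{s.name}: shares {d.address.network} with {d.name}")

    # Backup ports are optional for management/dynamic interfaces only.
    for i in plan.interfaces:
        if i.backup_port is not None and i.kind not in BACKUP_ALLOWED:
            findings.append(f"{i.name}: a {i.kind} interface cannot have a backup port")

    # Use tagged VLANs only, and never the trunk's native VLAN (it is untagged).
    for d in data:
        if d.vlan == 0:
            findings.append(f"{d.name}: untagged; assign a tagged VLAN")
        elif d.vlan == plan.switch_native_vlan:
            findings.append(f"{d.name}: VLAN {d.vlan} is the trunk's native VLAN")

    # The neighbor trunk should allow exactly the VLANs the controller uses.
    needed = {d.vlan for d in data if d.vlan}
    extra = sorted(plan.switch_allowed_vlans - needed)
    missing = sorted(needed - plan.switch_allowed_vlans)
    if extra:
        findings.append(f"trunk: prune VLANs {extra} not used by the controller")
    if missing:
        findings.append(f"trunk: controller VLANs {missing} are not allowed")

    # AP-manager: at most one with LAG enabled, one per port with LAG disabled.
    ap_mgrs = [d for d in data if d.kind == "ap-manager"]
    if plan.lag_enabled:
        if len(ap_mgrs) > 1:
            findings.append("LAG enabled: only one AP-manager interface is allowed")
    else:
        covered = {a.primary_port for a in ap_mgrs}
        for p in plan.ports:
            if p not in covered:
                findings.append(f"port {p}: no AP-manager interface (LAG disabled)")
    return findings


def good_plan() -> Plan:
    """Constructed layout that follows every rule above."""
    return Plan(
        interfaces=[
            Interface("management", "management", IPv4Interface("10.10.10.5/24"), 10, 1, 2),
            Interface("ap-manager-1", "ap-manager", IPv4Interface("10.10.10.6/24"), 10, 1),
            Interface("ap-manager-2", "ap-manager", IPv4Interface("10.10.10.7/24"), 10, 2),
            Interface("guest", "dynamic", IPv4Interface("10.10.20.5/24"), 20, 1, 2),
            Interface("service-port", "service-port", IPv4Interface("192.168.100.5/24")),
        ],
        ports=[1, 2], lag_enabled=False, switch_native_vlan=999,
        switch_allowed_vlans={10, 20},
    )


def bad_plan() -> Plan:
    """Constructed layout that breaks several rules (yields six findings)."""
    return Plan(
        interfaces=[
            Interface("management", "management", IPv4Interface("10.10.10.5/24"), 10, 1, 2),
            Interface("ap-manager", "ap-manager", IPv4Interface("10.10.10.6/24"), 10, 1, 2),
            Interface("guest", "dynamic", IPv4Interface("10.10.20.5/24"), 0, 1),
            Interface("service-port", "service-port", IPv4Interface("10.10.10.200/24")),
        ],
        ports=[1, 2], lag_enabled=False, switch_native_vlan=1,
        switch_allowed_vlans={1, 10, 20, 30},
    )


if __name__ == "__main__":
    for label, plan in (("good", good_plan()), ("bad", bad_plan())):
        print(label, validate(plan) or "OK")
```

The overlap test uses the interface's network rather than a strict "different supernet" comparison, which is the stricter reading of the rule: any shared address range between the service port and a data interface is reported.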
This page shows the current controller interface settings.

Step 2  If you want to modify the settings of a particular interface, click the name of the interface. The Interfaces > Edit page for that interface appears.

Virtual Interface
• Any fictitious, unassigned, and unused gateway IP address, such as 1.1.1.1
• DNS gateway host name

Note: To ensure connectivity and web authentication, the DNS server should always point to the virtual interface. If a DNS host name is configured for the virtual interface, then the same DNS host name must be configured on the DNS server(s) used by the client.

• config interface dhcp management ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]
• config interface acl management access-control-list-name

Note: See Chapter 5 for more information on ACLs.

Step 4  Enter save config to save your changes.
Step 5  Enter show interface detailed management to verify that your changes have been saved.

Using the CLI to Configure the Virtual Interface

Follow these steps to display and configure the virtual interface parameters using the CLI.

Step 1  Enter show interface detailed virtual to view the current virtual interface settings.
Step 2  Enter config wlan disable wlan-number to disable each WLAN that uses the virtual interface for distribution system communication.

Configuring Dynamic Interfaces

This section provides instructions for configuring dynamic interfaces using either the GUI or CLI.

Using the GUI to Configure Dynamic Interfaces

Follow these steps to create new or edit existing dynamic interfaces using the GUI.

Step 1  Click Controller > Interfaces to open the Interfaces page (see Figure 3-6).
Step 2  Perform one of the following:
• To create a new dynamic interface, click New.

Figure 3-8  Interfaces > Edit Page

Step 5  Configure the following parameters:
• VLAN identifier
• Fixed IP address, IP netmask, and default gateway
• Physical port assignment
• Quarantine

Note: Check the Quarantine check box if you want to configure this VLAN as unhealthy.

• Primary and secondary DHCP servers
• Access control list (ACL) name, if required

Note: See Chapter 5 for more information on ACLs.

Note: To ensure proper operation, you must set the Port Number and Primary DHCP Server parameters.

Step 6  Click Save Configuration to save your changes.
Step 7  Repeat this procedure for each dynamic interface that you want to create or edit.

• config interface acl operator-defined-interface-name access-control-list-name

Note: See Chapter 5 for more information on ACLs.

Step 5  Enter config wlan enable wlan-id to re-enable each WLAN that uses the dynamic interface for distribution system communication.
Step 6  Enter save config to save your changes.
Chapter 3 Configuring Ports and Interfaces Configuring Ports Step 2 If you want to change the settings of any port, click the number for that specific port. The Port > Configure page appears (see Figure 3-10). Note If the management and AP-manager interfaces are mapped to the same port and are members of the same VLAN, you must disable the WLAN before making a port-mapping change to either interface.
Chapter 3 Configuring Ports and Interfaces Configuring Ports Table 3-2 interprets the current status of the port. Table 3-2 Port Status Parameter Description Port Number The number of the current port. Physical Status The data rate being used by the port. The available data rates vary based on controller type.
Table 3-3 Port Parameters (continued)
Parameter       Description
Physical Mode   Determines whether the port’s data rate is set automatically or specified by the user. The supported data rates vary based on controller type.
Configuring Port Mirroring
Mirror mode enables you to duplicate to another port all of the traffic originating from or terminating at a single client device or access point. It is useful in diagnosing specific network problems. Mirror mode should be enabled only on an unused port, because any connections to this port become unresponsive.
Configuring Spanning Tree Protocol
Spanning Tree Protocol (STP) is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two network devices. STP allows only one active path at a time between network devices but establishes redundant links as a backup if the initial link should fail.
Table 3-4 interprets the current STP status of the port.
Table 3-4 Port Spanning Tree Status
Parameter     Description
STP Port ID   The number of the port for which STP is enabled or disabled.
STP State     The port’s current STP state. It controls the action that a port takes upon receiving a frame.
Table 3-5 Port Spanning Tree Parameters
Parameter   Description
STP Mode    The STP administrative mode associated with this port.
            Options: Off, 802.1D, or Fast
            Default: Off
            STP Mode   Description
            Off        Disables STP for this port.
            802.1D     Enables this port to participate in the spanning tree and go through all of the spanning tree states when the link state transitions from down to up.
Figure 3-11 Controller Spanning Tree Configuration Page
This page allows you to enable or disable the spanning tree algorithm for the controller, modify its characteristics, and view the STP status. Table 3-6 interprets the current STP status for the controller.
Table 3-6 Controller Spanning Tree Status
Parameter                     Description
Spanning Tree Specification   The STP version being used by the controller. Currently, only an IEEE 802.
Table 3-6 Controller Spanning Tree Status (continued)
Parameter              Description
Hello Time (seconds)   The amount of time between the transmission of configuration BPDUs by this node on any port when it is the root of the spanning tree or trying to become so. This is the actual value that this bridge is currently using.
Table 3-7 Controller Spanning Tree Parameters (continued)
Parameter                 Description
Hello Time (seconds)      The length of time that the controller broadcasts hello messages to other controllers.
                          Options: 1 to 10 seconds
                          Default: 2 seconds
Forward Delay (seconds)   The length of time that each of the listening and learning states lasts before the port begins forwarding.
Step 10 After you configure STP settings for the ports, enter config spanningtree switch mode enable to enable STP for the controller. The controller automatically detects logical network loops, places redundant ports on standby, and builds a network with the most efficient pathways.
Step 11 Enter save config to save your settings.
LAG simplifies controller configuration because you no longer need to configure primary and secondary ports for each interface. If any of the controller ports fail, traffic is automatically migrated to one of the other ports. As long as at least one controller port is functioning, the system continues to operate, access points remain connected to the network, and wireless clients continue to send and receive data.
# mpls label-ip
• If the recommended load-balancing method cannot be configured on the Catalyst switch, then configure the LAG connection as a single member link or disable LAG on the controller.
Figure 3-13 Link Aggregation with Catalyst 6500 Neighbor Switch
Link Aggregation Guidelines
Keep these guidelines in mind when using LAG:
• You cannot configure the controller’s ports into separate LAG groups.
• When you enable LAG on the Cisco WiSM, you must enable port-channeling/Ether-channeling for all of the controller’s ports on the switch.
• When you enable LAG, port mirroring is not supported.
• When you enable LAG, if any single link goes down, traffic migrates to the other links.
• When you enable LAG, only one functional physical port is needed for the controller to pass client traffic.
Figure 3-14 General Page
Step 2 Set the LAG Mode on Next Reboot parameter to Enabled.
Note Choose Disabled if you want to disable LAG. LAG is disabled by default on the Cisco 4400 series controllers but enabled by default on the Cisco WiSM.
Step 3 Click Apply to commit your changes.
Step 4 Click Save Configuration to save your changes.
Step 5 Reboot the controller.
Step 6 Assign the WLAN to the appropriate VLAN.
Step 3 Reboot the controller.
Using the CLI to Verify Link Aggregation Settings
To verify your LAG settings, enter this command:
show lag summary
Information similar to the following appears:
LAG Enabled
Configuring Neighbor Devices to Support LAG
The controller’s neighbor devices must also be properly configured to support LAG.
Configuring a 4400 Series Controller to Support More Than 48 Access Points
As noted earlier, 4400 series controllers can support up to 48 access points per port.
Before an access point joins a controller, it sends out a discovery request. From the discovery response that it receives, the access point can tell the number of AP-manager interfaces on the controller and the number of access points on each AP-manager interface. The access point generally joins the AP-manager with the least number of access points.
Figure 3-16 Three AP-Manager Interfaces
Figure 3-17 illustrates the use of four AP-manager interfaces to support 100 access points.
Figure 3-17 Four AP-Manager Interfaces
This configuration has the advantage of load-balancing all 100 access points evenly across all four AP-manager interfaces. If one of the AP-manager interfaces fails, all of the access points connected to the controller would be evenly distributed among the three available AP-manager interfaces.
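The join rule described above (each access point joins the AP-manager interface with the fewest access points, and no AP-manager on a 4400 series port holds more than 48) can be modelled to check how a given number of access points spreads out and what happens when one AP-manager interface fails. The following is an added example, not code from the guide or from Cisco; the AP-manager names are constructed.

```python
# Added example, not from the Cisco guide: a model of how access points spread
# across a 4400 series controller's AP-manager interfaces.
# Rules taken from the text: an AP joins the AP-manager interface with the fewest
# APs, and each AP-manager interface (one per port) supports at most 48 APs.
# The AP-manager names used below are constructed for illustration.

MAX_APS_PER_AP_MANAGER = 48  # per-port limit stated in the guide


def choose_ap_manager(counts):
    """Return the name of the AP-manager with the fewest joined APs that still
    has room, or None when every AP-manager interface is full.
    Ties are broken by name so the result is deterministic."""
    open_managers = [(n, name) for name, n in counts.items()
                     if n < MAX_APS_PER_AP_MANAGER]
    if not open_managers:
        return None
    return min(open_managers)[1]


def distribute(num_aps, ap_managers):
    """Join num_aps access points one at a time.
    Returns (counts per AP-manager, number of APs that found no room)."""
    counts = {name: 0 for name in ap_managers}
    unjoined = 0
    for _ in range(num_aps):
        target = choose_ap_manager(counts)
        if target is None:
            # Every AP-manager is at 48 APs: the fix is another AP-manager
            # interface on another port, not a larger per-port limit.
            unjoined += 1
        else:
            counts[target] += 1
    return counts, unjoined


def fail_ap_manager(counts, failed):
    """Model the failure of one AP-manager interface: its APs rejoin the
    surviving AP-managers using the same least-loaded rule.
    Returns (counts on the survivors, number of APs that found no room)."""
    survivors = {name: n for name, n in counts.items() if name != failed}
    orphaned = counts[failed]
    unjoined = 0
    for _ in range(orphaned):
        target = choose_ap_manager(survivors)
        if target is None:
            unjoined += 1
        else:
            survivors[target] += 1
    return survivors, unjoined


if __name__ == "__main__":
    # 100 APs over four AP-managers: 25 each (the Figure 3-17 layout).
    counts, left = distribute(100, ["ap-mgr1", "ap-mgr2", "ap-mgr3", "ap-mgr4"])
    print(counts, "unjoined:", left)
    # Lose one AP-manager: its 25 APs spread over the remaining three.
    print(fail_ap_manager(counts, "ap-mgr4"))
    # Only two AP-managers cannot hold 100 APs (2 x 48 = 96).
    print(distribute(100, ["ap-mgr1", "ap-mgr2"]))
```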
Figure 3-19 Interfaces > Edit Page
Step 5 Enter the appropriate interface parameters.
Note Do not define a backup port for an AP-manager interface. Port redundancy is not supported for AP-manager interfaces.
Connecting Additional Ports
To support more than 48 access points with a 4400 series controller in Layer 2 mode, you must connect more controller ports to individual broadcast domains that are completely separated. Table 3-8 provides an example in which each controller port is connected to an individual switch.
Chapter 4 Configuring Controller Settings
This chapter describes how to configure settings on the controllers. It contains these sections:
• Using the Configuration Wizard, page 4-2
• Managing the System Time and Date, page 4-6
• Configuring 802.11 Bands, page 4-8
• Configuring 802.
Using the Configuration Wizard
This section describes how to configure basic settings on a controller for the first time or after the configuration has been reset to factory defaults. The contents of this chapter are similar to the instructions in the quick start guide that shipped with your controller. You use the configuration wizard to configure basic settings. You can run the wizard on the CLI or the GUI.
Resetting the Device to Default Settings
If you need to start over during the initial setup process, you can reset the controller to factory default settings.
Note After resetting the configuration to defaults, you need a serial connection to the controller to use the configuration wizard.
Running the Configuration Wizard on the CLI
When the controller boots at factory defaults, the bootup script runs the configuration wizard, which prompts the installer for initial configuration settings. Follow these steps to enter settings using the wizard on the CLI.
Step 11 Enter the IP address of the management interface netmask.
Step 12 Enter the IP address of the default router.
Step 13 Enter the VLAN identifier of the management interface (either a valid VLAN identifier or 0 for an untagged VLAN). The VLAN identifier should be set to match the switch interface configuration.
Step 14 Enter the network interface (distribution system) physical port number.
Step 24 Enter the code for the country in which the network is located. Enter help to view the list of available country codes.
Note You can enter more than one country code if you want to manage access points in multiple countries from a single controller. To do so, separate the country codes with a comma (for example, US,CA,MX).
2. To specify the polling interval (in seconds), enter this command:
config time ntp interval
Configuring the Time and Date Manually
Use these commands to configure the date and time manually.
Configuring 802.11 Bands
You can configure the 802.11b/g/n (2.4-GHz) and 802.11a/n (5-GHz) bands for the controller to comply with the regulatory requirements in your country. By default, both 802.11b/g/n and 802.11a/n are enabled.
Using the GUI to Configure 802.11 Bands
Using the controller GUI, follow these steps to configure 802.11 bands.
Step 1 Click Wireless > 802.11a/n or 802.
Step 6 To make access points advertise their channel and transmit power level in beacons and probe responses, check the DTPC Support check box. Otherwise, uncheck this check box. The default value is enabled. Client devices using dynamic transmit power control (DTPC) receive the channel and power level information from the access points and adjust their settings automatically.
Step 3 To specify the rate at which the SSID is broadcast by the access point, enter this command:
config {802.11a | 802.11b} beaconperiod time_unit
where time_unit is the beacon interval in time units (TU). One TU is 1024 microseconds. You can configure the access point to send a beacon every 20 to 1000 milliseconds.
Step 4 To specify the size at which packets are fragmented, enter this command:
config {802.
Step 10 To save your changes, enter this command:
save config
Step 11 To view the configuration settings for the 802.11a or 802.11b/g band, enter this command:
show {802.11a | 802.11b}
Information similar to the following appears:
802.11a Network............................... Enabled
11nSupport.................................... Enabled
802.11a Low Band........................... Enabled
802.11a Mid Band...
Figure 4-2 802.11n (2.4 GHz) High Throughput Page
Step 2 Check the 11n Mode check box to enable 802.11n support on the network. The default value is enabled.
Step 3 To specify the modulation and coding scheme (MCS) rates at which data can be transmitted between the access point and the client, check the check boxes of the desired rates.
• 13 (116 Mbps)
• 14 (130 Mbps)
• 15 (144 Mbps)
Any associated clients that support the selected rates may communicate with the access point using those rates. However, the clients are not required to be able to use these rates in order to associate. The MCS settings determine the number of spatial streams, the modulation, the coding rate, and the data rate values that are used.
Using the CLI to Configure 802.11n Parameters
Using the controller CLI, follow these steps to configure 802.11n parameters.
Step 1 To enable 802.11n support on the network, enter this command:
config {802.11a | 802.
Table 4-1 Traffic Type Priority Levels
User Priority   Traffic Type
0               Best effort
1               Background
2               Spare
3               Excellent effort
4               Controlled load
5               Video, less than 100-ms latency and jitter
6               Voice, less than 10-ms latency and jitter
7               Network control
You can configure each priority level independently, or you can use the all parameter to configure all of the priority levels at once.
e. To convert the channel bandwidth of the radio that is configured for 802.11n support from 20 MHz to 40 MHz, enter this command:
config 802.11a chan_width Cisco_AP {20 | 40_ABOVE | 40_BELOW}
where
• 20 specifies the default 20-MHz bandwidth. You can use this option to revert the channel bandwidth from 40 MHz back to 20 MHz.
Step 8 To view the configuration settings for the 802.11a/n or 802.11b/g/n band, enter this command:
show {802.11a | 802.11b}
Information similar to the following appears:
802.11a Network............................... Enabled
11nSupport.................................... Enabled
802.11a Low Band........................... Enabled
802.11a Mid Band........................... Enabled
802.11a High Band...........
RTS Threshold....................................
Short Retry Limit................................
TI Threshold.....................................
Traffic Stream Metrics Status....................
Expedited BW Request Status......................
EDCA profile type................................
Voice MAC optimization status....................
Using the CLI to Configure DHCP Proxy
Using the controller CLI, follow these steps to configure DHCP proxy.
Step 4 Enter config radius acct enable to enable accounting. Enter config radius acct disable to disable accounting. Accounting is disabled by default.
Step 5 Enter config radius auth ip-address to configure a RADIUS server for authentication.
Step 6 Enter config radius auth port to specify the UDP port for authentication.
Step 7 Enter config radius auth secret to configure the shared secret.
Step 11 Enter config snmp syslocation syslocation-name to configure the SNMP system location. Enter up to 31 alphanumeric characters for the location.
Step 12 Use the show snmpcommunity and show snmptrap commands to verify that the SNMP traps and communities are correctly configured.
Step 13 Use the show trapflags command to see the enabled and disabled trapflags.
Figure 4-4 SNMP v1 / v2c Community > New Page
Step 4 In the Community Name field, enter a unique name containing up to 16 alphanumeric characters. Do not enter “public” or “private.”
Step 5 In the next two fields, enter the IP address from which this device accepts SNMP packets with the associated community and the IP mask.
Step 5 To specify the access level for this community, enter this command, where ro is read-only mode and rw is read/write mode:
config snmp community accessmode {ro | rw} name
Step 6 To enable or disable this SNMP community, enter this command:
config snmp community mode {enable | disable} name
Step 7 To save your changes, enter save config.
Figure 4-6 SNMP V3 Users > New Page
Step 4 In the User Profile Name field, enter a unique name. Do not enter “default.”
Step 5 Choose Read Only or Read Write from the Access Mode drop-down box to specify the access level for this user. The default value is Read Only.
Step 3 To create a new SNMP v3 user, enter this command:
config snmp v3user create username {ro | rw} {none | hmacmd5 | hmacsha} {none | des | aescfb128} auth_key encrypt_key
where
• username is the SNMP v3 username;
• ro is read-only mode and rw is read-write mode;
• none, hmacmd5, and hmacsha are the authentication protocol options;
• none, des, and aescfb128 are the privacy protocol options;
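The SNMP rules on the preceding pages (community names of up to 16 alphanumeric characters that are not “public” or “private”, an SNMP v3 user that is not named “default”, and the v3 authentication and privacy options) can be checked before the commands are typed into the controller. The following is an added example, not code from the guide or from Cisco: it validates a proposed community or v3 user and emits the config snmp community accessmode, config snmp community mode and config snmp v3user create lines shown above; the names, keys and verdict wording are constructed.

```python
# Added example, not from the Cisco guide: a pre-flight check for the SNMP
# settings described in the surrounding steps, plus the matching controller
# CLI lines quoted in the guide. Limits applied: community names are 1-16
# alphanumeric characters and must not be "public" or "private"; an SNMP v3
# user must not be named "default"; auth is none|hmacmd5|hmacsha and privacy
# is none|des|aescfb128. The sample inputs at the bottom are constructed.
import re

_ALNUM = re.compile(r"^[A-Za-z0-9]+$")
WELL_KNOWN_COMMUNITIES = {"public", "private"}
V3_AUTH = ("none", "hmacmd5", "hmacsha")
V3_PRIV = ("none", "des", "aescfb128")


def check_community(name, access):
    """Return a list of problems with a proposed v1/v2c community (empty = ok)."""
    problems = []
    if not (1 <= len(name) <= 16) or not _ALNUM.match(name):
        problems.append("community name must be 1-16 alphanumeric characters")
    if name.lower() in WELL_KNOWN_COMMUNITIES:
        problems.append("well-known default community name (public/private)")
    if access not in ("ro", "rw"):
        problems.append("access mode must be ro or rw")
    elif access == "rw":
        # v1/v2c communities cross the wire in cleartext, so a read/write one
        # is a configuration-change channel protected only by the string.
        problems.append("rw v1/v2c community: use an SNMP v3 user with "
                        "authentication and privacy instead")
    return problems


def check_v3_user(username, access, auth, priv):
    """Return a list of problems with a proposed SNMP v3 user (empty = ok)."""
    problems = []
    if not username or username.lower() == "default":
        problems.append("v3 user name must be set and must not be 'default'")
    if access not in ("ro", "rw"):
        problems.append("access mode must be ro or rw")
    if auth not in V3_AUTH:
        problems.append("auth protocol must be none, hmacmd5 or hmacsha")
    if priv not in V3_PRIV:
        problems.append("privacy protocol must be none, des or aescfb128")
    if auth == "none" or priv == "none":
        problems.append("authentication and privacy both required (authPriv)")
    else:
        if auth == "hmacmd5":
            problems.append("hmacmd5 is the weaker auth option; prefer hmacsha")
        if priv == "des":
            problems.append("des is the weaker privacy option; prefer aescfb128")
    return problems


def community_commands(name, access, enabled=True):
    """CLI lines from the guide that set the access mode and enable the community."""
    mode = "enable" if enabled else "disable"
    return [f"config snmp community accessmode {access} {name}",
            f"config snmp community mode {mode} {name}"]


def v3user_command(username, access, auth, priv, auth_key, encrypt_key):
    """CLI line from the guide that creates the SNMP v3 user."""
    return (f"config snmp v3user create {username} {access} "
            f"{auth} {priv} {auth_key} {encrypt_key}")


if __name__ == "__main__":
    # Constructed samples: a default-style community and a hardened v3 user.
    print(check_community("public", "ro"))
    print(check_v3_user("default", "ro", "none", "none"))
    print(check_v3_user("nms01", "ro", "hmacsha", "aescfb128"))
    print(community_commands("MonRO7", "ro"))
    print(v3user_command("nms01", "ro", "hmacsha", "aescfb128",
                         "AUTH_KEY_PLACEHOLDER", "PRIV_KEY_PLACEHOLDER"))
```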
Using the CLI to Configure Aggressive Load Balancing
Follow these steps to configure aggressive load balancing using the CLI.
Figure 4-7 Syslog Configuration Page
Step 2 Check the Enable Syslog check box to enable system logging or uncheck it to disable system logging. The default value is unchecked.
Step 3 In the Syslog Server IP Address field, enter the IP address of the server to which to send the system log.
Step 4 Choose a logging level from the Message Log Level drop-down box.
Using the GUI to View Message Logs
To view system message logs through the GUI, click Management > Logs > Message Logs. The Message Logs page appears (see Figure 4-8).
Figure 4-8 Message Logs Page
Using the CLI to Enable System Logging
Follow these steps to enable system logging through the CLI.
Using the CLI to View Message Logs
Use these commands to view system message logs through the CLI.
1. To view the current syslog status, enter this command:
show syslog
2. To view the message logs, enter this command:
show msglog
Configuring 802.3 Bridging
The controller supports 802.3 frames and the applications that use them, such as those typically used for cash registers and cash register servers.
Figure 4-9 General Page
Step 2 From the 802.3 Bridging drop-down box, choose Enabled to enable 802.3 bridging on your controller or Disabled to disable this feature. The default value is Disabled.
Step 3 Click Apply to commit your changes.
Step 4 Click Save Configuration to save your changes.
Using the CLI to Configure 802.3 Bridging
Follow these steps to configure 802.3 bridging using the controller CLI.
Configuring Multicast Mode
If your network supports packet multicasting, you can configure the multicast method that the controller uses. The controller performs multicasting in two modes:
• Unicast mode—In this mode, the controller unicasts every multicast packet to every access point associated to the controller. This mode is inefficient but might be required on networks that do not support multicasting.
• IGMP report packets from wireless clients are consumed or absorbed by the controller, which generates a query for the clients. After the router sends the IGMP query, the controller sends the IGMP reports with its interface IP address as the listener IP address for the multicast group. As a result, the router IGMP table is updated with the controller IP address as the multicast listener.
• The controller drops multicast packets sent to UDP port numbers 12222, 12223, and 12224. Therefore, you may want to consider not using these port numbers with the multicast applications on your network.
• Cisco recommends that any multicast applications on your network not use the multicast address configured as the LWAPP multicast group address on the controller.
Step 6 If you want to enable IGMP snooping, check the Enable IGMP Snooping check box. If you want to disable IGMP snooping, leave the check box unchecked. The default value is disabled.
Step 7 To set the IGMP timeout, enter a value between 30 and 300 seconds in the IGMP Timeout field.
Note The config network broadcast {enable | disable} command allows you to enable or disable broadcasting without enabling or disabling multicasting as well. This command uses the multicast mode currently on the controller to operate.
Step 2 Perform one of the following:
a.
Layer3 MGID Mapping:
-------------------
Number of Layer3 MGIDs........................... 1

Group address     Vlan   MGID
---------------   ----   ----
239.255.255.250   0      550
• To see all the clients joined to the multicast group in a specific MGID, enter this command:
show network multicast mgid detail mgid_value
where the mgid_value parameter is a number between 550 and 4095.
Information similar to the following appears:
Mgid.
You can adjust the default RF settings (RSSI, hysteresis, scan threshold, and transition time) to fine-tune the operation of client roaming using the controller GUI or CLI.
Intra-Controller Roaming
Each controller supports same-controller client roaming across access points managed by the same controller.
The Cisco UWN Solution supports 802.11 VoIP telephone roaming across lightweight access points managed by controllers on different subnets, as long as the controllers are in the same mobility group.
The roaming enhancements mentioned above are enabled automatically, with the appropriate CCX support.
Note AP1030s in REAP mode and hybrid-REAP access points in standalone mode do not support CCX Layer 2 roaming.
Using the GUI to Configure CCX Client Roaming Parameters
Follow these steps to configure CCX client roaming parameters using the GUI.
Step 1 Click Wireless > 802.11a/n (or 802.11b/g/n) > Client Roaming.
Step 5 In the Scan Threshold field, enter the minimum RSSI that is allowed before the client should roam to a better access point. When the RSSI drops below the specified value, the client must be able to roam to a better access point within the specified transition time. This parameter also provides a power-save method to minimize the time that the client spends in active or passive scanning.
This command provides the following information:
– The number of roam reason reports received
– The number of neighbor list requests received
– The number of neighbor list reports sent
– The number of broadcast neighbor updates sent
3.
Configuring Quality of Service Profiles
You can use the controller GUI or CLI to configure the Platinum, Gold, Silver, and Bronze QoS profiles.
Using the GUI to Configure QoS Profiles
Follow these steps to configure QoS profiles using the controller GUI.
Step 1 Disable the 802.11a and 802.11b/g networks so that you can configure the QoS profiles. To disable the radio networks, click Wireless > 802.
Step 7 To define the average real-time rate for UDP traffic on a per user basis, enter the rate in Kbps in the Average Real-Time Rate field. You can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the profile.
Step 8 To define the peak real-time rate for UDP traffic on a per user basis, enter the rate in Kbps in the Burst Real-Time Rate field.
Step 3 To define the average data rate in Kbps for TCP traffic per user, enter this command:
config qos average-data-rate {bronze | silver | gold | platinum} rate
Note For the rate parameter, you can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS profile.
Step 4
Note If you choose to create an entry on the RADIUS server for a guest user and enable RADIUS authentication for the WLAN on which web authentication is performed rather than adding a guest user to the local user database from the controller, you need to assign the QoS role on the RADIUS server itself.
Figure 4-16 Edit QoS Role Data Rates Page
Note The values that you configure for the per-user bandwidth contracts affect only the amount of bandwidth going downstream (from the access point to the wireless client). They do not affect the bandwidth for upstream traffic (from the client to the access point).
Using the CLI to Configure QoS Roles
Follow these steps to configure QoS roles using the controller CLI.
Step 4 To save your changes, enter this command:
save config
Step 5 To see a list of the current QoS roles and their bandwidth parameters, enter this command:
show netuser guest-roles
Information similar to the following appears:
Role Name........................................
Average Data Rate...........................
Burst Data Rate.............................
Average Realtime Rate............
The QoS setting for a WLAN determines the level of bandwidth-based CAC support. To use bandwidth-based CAC with voice applications, the WLAN must be configured for Platinum QoS. To use bandwidth-based CAC with video applications, the WLAN must be configured for Gold QoS. Also, make sure that WMM is enabled for the WLAN. See the “Configuring 802.
Table 4-2 CAC Mode TSPEC Request Handling Examples
CAC Mode              Reserved bandwidth for voice calls (1)   Usage (2)                                                             Normal TSPEC Request   TSPEC with Expedited Bandwidth Request
Bandwidth-based CAC   75% (default setting)                    Less than 75%                                                         Admitted               Admitted
                                                               Between 75% and 90% (reserved bandwidth for voice calls exhausted)   Rejected               Admitted
                                                               More than 90%                                                         Rejected               Rejected
Load-based CAC                                                 Less than 75%                                                         Admitted               Adm
TSM can be configured through either the GUI or the CLI on a per radio-band basis (for example, all 802.11a radios). The controller saves the configuration in flash memory so that it persists across reboots. After an access point receives the configuration from the controller, it enables TSM on the specified radio band.
Note Access points support TSM in both local and hybrid-REAP modes.
Step 8 In the Reserved Roaming Bandwidth field, enter the percentage of maximum allocated bandwidth reserved for roaming voice clients. The controller reserves this much bandwidth from the maximum allocated bandwidth for roaming voice clients.
Range: 0 to 25%
Default: 6%
Step 9 To enable expedited bandwidth requests, check the Expedited Bandwidth check box. The default value is disabled.
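The admission decisions in Table 4-2 (with the default 75% reservation, a normal voice TSPEC is admitted below 75% usage and a TSPEC carrying an expedited bandwidth request is admitted up to 90%) together with the Reserved Roaming Bandwidth setting in Step 8 can be written down as a small decision function. The following is an added example, not code from the guide or from Cisco: it is a simplified model whose thresholds and request types are this example's assumptions, and it does not describe how the controller accounts usage internally.

```python
# Added example, not from the Cisco guide: a simplified model of the voice CAC
# decision described in the surrounding text. It combines Table 4-2
# (bandwidth-based CAC with the default 75% reservation: normal TSPECs admitted
# below 75%, TSPECs with an expedited bandwidth request admitted up to 90%)
# with the Reserved Roaming Bandwidth setting (0-25%, default 6%), which the
# guide says is carved out of the maximum allocated bandwidth for roaming voice
# clients. How the controller accounts usage internally is not on the page; the
# thresholds and request names below are this model's assumptions.

EXPEDITED_CEILING_PCT = 90  # upper bound for expedited requests in Table 4-2


def admit_voice_tspec(usage_pct, request, max_rf_bw=75, reserved_roaming=6,
                      expedited_enabled=True):
    """Decide whether a voice TSPEC is admitted under bandwidth-based CAC.

    usage_pct         current voice usage, percent of the radio's bandwidth
    request           "new" (normal TSPEC from a new call), "roam" (call
                      roaming in from another AP) or "expedited" (TSPEC
                      carrying an expedited bandwidth request)
    max_rf_bw         Max RF Bandwidth setting, percent (75 is the default)
    reserved_roaming  Reserved Roaming Bandwidth setting, 0-25 percent
    expedited_enabled whether Expedited Bandwidth is enabled on the band
    Returns (admitted, reason)."""
    if not 0 <= reserved_roaming <= 25:
        raise ValueError("Reserved Roaming Bandwidth must be 0-25%")
    if not 0 <= usage_pct <= 100:
        raise ValueError("usage must be a percentage")
    if request == "expedited" and not expedited_enabled:
        # Assumption of this model: with the feature disabled the request
        # gets no special treatment and is handled as a normal TSPEC.
        request = "new"
    if request == "expedited":
        if usage_pct < EXPEDITED_CEILING_PCT:
            return True, f"expedited request admitted below {EXPEDITED_CEILING_PCT}%"
        return False, f"expedited request rejected at or above {EXPEDITED_CEILING_PCT}%"
    if request == "roam":
        limit = max_rf_bw  # roaming calls may use the whole voice reservation
    elif request == "new":
        limit = max_rf_bw - reserved_roaming  # new calls leave the roaming slice free
    else:
        raise ValueError(f"unknown request type {request!r}")
    if usage_pct < limit:
        return True, f"{request} call admitted below {limit}%"
    return False, f"{request} call rejected at or above {limit}%"


if __name__ == "__main__":
    # Constructed walk-through of Table 4-2 with the default settings.
    for usage, kind in [(60, "new"), (70, "new"), (70, "roam"),
                        (80, "new"), (80, "expedited"), (92, "expedited")]:
        print(usage, kind, admit_voice_tspec(usage, kind))
```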
Figure 4-18 802.11a > Video Parameters Page
Step 5 To enable video CAC for this radio band, check the Admission Control (ACM) check box. The default value is disabled.
Step 6 In the Max RF Bandwidth field, enter the percentage of the maximum bandwidth allocated to clients for video applications on this radio band.
Using the GUI to View Voice and Video Settings
Follow these steps to view voice and video settings using the GUI.
Step 1 Click Monitor > Clients to open the Clients page (see Figure 4-19).
Figure 4-19 Clients Page
Step 2 Click the MAC address of the desired client to open the Clients > Detail page (see Figure 4-20).
Figure 4-20 Clients > Detail Page
This page shows the U-APSD status (if enabled) for this client under Quality of Service Properties.
Step 3 Click Back to return to the Clients page.
Step 4 Follow these steps to see the TSM statistics for a particular client and the access point to which this client is associated.
Note This step applies only to non-mesh access points because mesh access points do not support TSM.
a. Hover your cursor over the blue drop-down arrow for the desired client and choose 802.11aTSM or 802.11b/gTSM. The Clients > AP page appears (see Figure 4-21).
Chapter 4 Configuring Controller SettingsWireless Device Access Configuring Voice and Video Parameters Figure 4-22 Clients > AP > Traffic Stream Metrics Page This page shows the TSM statistics for this client and the access point to which it is associated. The statistics are shown in 90-second intervals. The timestamp field shows the specific interval when the statistics were collected.
Chapter 4 Configuring Controller SettingsWireless Device Access Configuring Voice and Video Parameters Figure 4-23 b. Hover your cursor over the blue drop-down arrow for the desired access point and choose 802.11aTSM or 802.11b/gTSM. The AP > Clients page appears (see Figure 4-24). Figure 4-24 c. 802.11a/n Radios Page AP > Clients Page Click the Detail link for the desired client to open the AP > Clients > Traffic Stream Metrics page (see Figure 4-25).
Chapter 4 Configuring Controller SettingsWireless Device Access Configuring Voice and Video Parameters Figure 4-25 AP > Clients > Traffic Stream Metrics Page This page shows the TSM statistics for this access point and a client associated to it. The statistics are shown in 90-second intervals. The timestamp field shows the specific interval when the statistics were collected. Using the CLI to Configure Voice Parameters Follow these steps to configure voice parameters using the CLI.
Chapter 4 Configuring Controller SettingsWireless Device Access Configuring Voice and Video Parameters Step 5 To save your settings, enter this command: save config Step 6 To enable or disable bandwidth-based voice CAC for the 802.11a or 802.11b/g network, enter this command: config {802.11a | 802.11b} cac voice acm {enable | disable} Step 7 To set the percentage of maximum bandwidth allocated to clients for voice applications on the 802.11a or 802.11b/g network, enter this command: config {802.
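The following is an added example, not code from the Cisco guide: a small Python model of how the Max RF Bandwidth and Reserved Roaming Bandwidth percentages interact under bandwidth-based voice CAC. It assumes that a new call is admitted only while voice traffic stays within (max RF bandwidth minus the reserved roaming share) and that a roaming call may also draw on the reserved share; the 75% maximum and the 7% per-call cost are constructed sample values, not figures from the guide.

```python
"""Added example (not from the Cisco guide): bandwidth-based voice CAC
with a reserved roaming share. The admission rule below is an assumption
about how the two percentages interact; the sample numbers are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class VoiceCac:
    max_rf_bandwidth: float = 75.0   # assumed sample value, percent of the channel
    reserved_roaming: float = 6.0    # guide: range 0-25 %, default 6 %
    in_use: float = 0.0
    admitted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def __post_init__(self):
        if not 0 <= self.reserved_roaming <= 25:
            raise ValueError("reserved roaming bandwidth must be 0-25 %")
        if self.reserved_roaming > self.max_rf_bandwidth:
            raise ValueError("reserved share cannot exceed max RF bandwidth")

    def ceiling(self, roaming: bool) -> float:
        """Bandwidth a call may take the radio up to (assumed semantics):
        new calls stop short of the reserved share, roaming calls may use it."""
        if roaming:
            return self.max_rf_bandwidth
        return self.max_rf_bandwidth - self.reserved_roaming

    def request(self, client: str, cost: float, roaming: bool = False) -> bool:
        """Admit the call if it fits under the applicable ceiling."""
        if cost <= 0:
            raise ValueError("call cost must be positive")
        if self.in_use + cost <= self.ceiling(roaming):
            self.in_use += cost
            self.admitted.append(client)
            return True
        self.rejected.append(client)
        return False

    def release(self, cost: float) -> None:
        """Return bandwidth when a call ends."""
        self.in_use = max(0.0, self.in_use - cost)


def demo() -> dict:
    """Fill the radio with new calls, then try roaming calls on top."""
    cac = VoiceCac(max_rf_bandwidth=75.0, reserved_roaming=6.0)
    call_cost = 7.0   # constructed per-call cost in percent
    # ceiling for new calls is 69 %: nine calls (63 %) fit, the tenth would not
    new_admitted = sum(cac.request(f"new-{i}", call_cost) for i in range(12))
    roaming_first = cac.request("roam-0", call_cost, roaming=True)    # 70 % <= 75 %
    roaming_second = cac.request("roam-1", call_cost, roaming=True)   # 77 % > 75 %
    return {
        "new_admitted": new_admitted,
        "roaming_first": roaming_first,
        "roaming_second": roaming_second,
        "in_use": cac.in_use,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is that the reserved share is not spare capacity: once new calls have filled the radio to 69%, a tenth new call is refused even though 12% of the channel is still unused, and only a roaming client can take that headroom.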
Using the CLI to Configure Video Parameters
Follow these steps to configure video parameters using the CLI.

Using the CLI to View Voice and Video Settings
Use these commands to view voice and video settings for non-mesh networks using the CLI.
Note The CLI commands used to view voice and video settings are different for mesh networks. Refer to the “Using the CLI to View Voice and Video Details for Mesh Networks” section on page 7-21 for details.
1. To see the CAC configuration for the 802.11a or 802.
Delay bet 10 - 20 ms......................................20
Delay bet 20 - 40 ms......................................20
Delay greater than 40 ms..................................20
Total packet Count.........................................80
Total packet lost count (5sec).............................10
Maximum Lost Packet count(5sec)............................5
Average Lost Packet count(5secs).......
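Because the controller prints TSM statistics (and most other show output) in a dotted-leader "Name.......value" layout, an operator who wants to alert on call quality has to parse that layout first. The following is an added example, not code from the Cisco guide: a parser for that format and a small per-interval summary. SAMPLE_TSM is a constructed excerpt in the style of the output above, and the 5% loss alert threshold is an assumption.

```python
"""Added example (not from the Cisco guide): parse the controller's
dotted-leader "Name.......value" output and summarise one TSM interval.
SAMPLE_TSM is constructed in the style of the show output above.
"""
import re

SAMPLE_TSM = """\
Delay bet 10 - 20 ms......................................20
Delay bet 20 - 40 ms......................................20
Delay greater than 40 ms..................................20
Total packet Count.........................................80
Total packet lost count (5sec).............................10
Maximum Lost Packet count(5sec)............................5
"""

# key, at least two leader dots, then the value (digits or free text)
LINE_RE = re.compile(r"^(?P<key>.+?)\.{2,}\s*(?P<value>.*?)\s*$")


def parse_dotted(text: str) -> dict:
    """Turn dotted-leader lines into a dict; purely numeric values become ints,
    values such as "1200 seconds" stay strings."""
    parsed = {}
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue   # blank lines and section titles carry no key/value
        key = match.group("key").strip()
        value = match.group("value").strip()
        if value.lstrip("-").isdigit():
            value = int(value)
        parsed[key] = value
    return parsed


def tsm_summary(text: str, loss_alert_pct: float = 5.0) -> dict:
    """Derive loss and late-packet percentages from one 90-second interval."""
    stats = parse_dotted(text)
    total = stats.get("Total packet Count", 0)
    lost = stats.get("Total packet lost count (5sec)", 0)
    late = stats.get("Delay greater than 40 ms", 0)
    loss_pct = (100.0 * lost / total) if total else 0.0
    late_pct = (100.0 * late / total) if total else 0.0
    return {
        "loss_pct": round(loss_pct, 1),
        "late_pct": round(late_pct, 1),
        "max_burst_loss": stats.get("Maximum Lost Packet count(5sec)", 0),
        "alert": loss_pct > loss_alert_pct,   # threshold is an assumption
    }


if __name__ == "__main__":
    print(parse_dotted(SAMPLE_TSM))
    print(tsm_summary(SAMPLE_TSM))
```

The same parser handles the other dotted-leader listings in this guide (show rfid config, show auth-list, show tacacs auth stats), which is why the value conversion only touches fields that are entirely numeric.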
Note The statistics are shown in 90-second intervals. The timestamp field shows the specific interval when the statistics were collected.

Configuring EDCA Parameters
Enhanced distributed channel access (EDCA) parameters are designed to provide preferential wireless channel access for voice, video, and other quality-of-service (QoS) traffic.
Step 4 If you want to enable MAC optimization for voice, check the Enable Low Latency MAC check box. Otherwise, leave this check box unchecked, which is the default value. This feature enhances voice performance by controlling packet retransmits and appropriately aging out voice packets on lightweight access points, thereby improving the number of voice calls serviced per access point.
Step 5 To enable or disable MAC optimization for voice, enter this command:
config advanced {802.11a | 802.11b} voice-mac-optimization {enable | disable}
This feature enhances voice performance by controlling packet retransmits and appropriately aging out voice packets on lightweight access points, thereby improving the number of voice calls serviced per access point. The default value is disabled.

Configuring Cisco Discovery Protocol
• Version TLV: 0x0005—The software version of the controller, the access point, or the CDP neighbor.
• Platform TLV: 0x0006—The hardware platform of the controller, the access point, or the CDP neighbor.
These TLVs are supported only by the access point:
• Full/Half Duplex TLV: 0x000b—The full- or half-duplex mode of the Ethernet link on which CDP packets are sent out.
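CDP is an unauthenticated protocol that advertises software version and platform to whoever is on the link, so the receiving side should at least parse it defensively and count what it drops. The following is an added example, not code from the Cisco guide: a bounds-checked parser for the TLVs listed above (Version 0x0005, Platform 0x0006, Full/Half Duplex 0x000b, plus the Device ID TLV 0x0001 for the neighbor name) and a neighbor table that keeps the received and invalid counters the controller's CDP traffic metrics expose. The packet bytes are constructed; the header layout (1-byte version, 1-byte TTL, 2-byte checksum, then TLVs whose length includes their own 4-byte header) and the one-byte duplex encoding (1 = full) are stated as assumptions about the wire format, and the checksum is left at zero rather than computed.

```python
"""Added example (not from the Cisco guide): defensive CDP TLV parsing with
the receive/invalid counters of the CDP traffic metrics page. Packet bytes
are constructed; header layout and duplex encoding are assumptions.
"""
import struct

TLV_DEVICE_ID = 0x0001
TLV_VERSION = 0x0005
TLV_PLATFORM = 0x0006
TLV_DUPLEX = 0x000B


class CdpError(ValueError):
    """Raised for packets that fail structural checks (counted as invalid)."""


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    # length field covers the 4-byte type/length header plus the value
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp(tlvs, version: int = 2, ttl: int = 180) -> bytes:
    """Constructed CDP frame: version, TTL, zero checksum, then the TLVs."""
    return struct.pack("!BBH", version, ttl, 0) + b"".join(build_tlv(t, v) for t, v in tlvs)


def parse_cdp(pkt: bytes) -> dict:
    if len(pkt) < 4:
        raise CdpError("truncated header")
    version, ttl, _checksum = struct.unpack("!BBH", pkt[:4])
    if version not in (1, 2):
        raise CdpError(f"unsupported CDP version {version}")
    fields = {"cdp_version": version, "ttl": ttl}
    offset = 4
    while offset < len(pkt):
        if len(pkt) - offset < 4:
            raise CdpError("truncated TLV header")
        tlv_type, length = struct.unpack("!HH", pkt[offset:offset + 4])
        # a length below 4 would never advance; one past the end would over-read
        if length < 4 or offset + length > len(pkt):
            raise CdpError(f"bad length {length} for TLV 0x{tlv_type:04x}")
        value = pkt[offset + 4:offset + length]
        if tlv_type == TLV_DEVICE_ID:
            fields["device_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_VERSION:
            fields["software_version"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_PLATFORM:
            fields["platform"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_DUPLEX:
            fields["duplex"] = "full" if value == b"\x01" else "half"   # assumed encoding
        else:
            fields.setdefault("unknown_tlvs", []).append(tlv_type)
        offset += length
    return fields


class NeighborTable:
    """Per-port neighbor entries plus the counters the metrics page reports."""

    def __init__(self):
        self.neighbors = {}
        self.received = 0
        self.invalid = 0

    def ingest(self, port: str, pkt: bytes):
        self.received += 1
        try:
            info = parse_cdp(pkt)
        except CdpError:
            self.invalid += 1
            return None
        name = info.get("device_id", "<unnamed>")
        # the entry lives for TTL seconds unless refreshed, as on the neighbors page
        self.neighbors[(port, name)] = {**info, "expires_in": info["ttl"]}
        return info


GOOD_PACKET = build_cdp([
    (TLV_DEVICE_ID, b"sw-access-01"),          # constructed neighbor name
    (TLV_VERSION, b"Constructed IOS 12.x"),    # constructed version string
    (TLV_PLATFORM, b"constructed-switch"),     # constructed platform
    (TLV_DUPLEX, b"\x01"),
])
# Same frame with the Version TLV's length field (bytes 22-23) overwritten to 0xFFFF.
BAD_PACKET = GOOD_PACKET[:22] + b"\xff\xff" + GOOD_PACKET[24:]


def demo() -> NeighborTable:
    table = NeighborTable()
    table.ingest("port-1", GOOD_PACKET)
    table.ingest("port-1", BAD_PACKET)
    return table


if __name__ == "__main__":
    t = demo()
    print(t.neighbors, "received:", t.received, "invalid:", t.invalid)
```

The two length checks are the whole point: a TLV length of zero would make a naive loop spin forever, and a length past the end of the buffer is exactly the kind of packet the "invalid packets" counter on the Traffic Metrics page exists to count.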
Using the GUI to Configure Cisco Discovery Protocol
Follow these steps to configure CDP using the controller GUI.
Step 1 Click Controller > CDP > Global Configuration to open the CDP > Global Configuration page (see Figure 4-28).
Figure 4-28 CDP > Global Configuration Page
Step 2 Check the CDP Protocol Status check box to enable CDP on the controller or uncheck it to disable this feature.
Figure 4-29 All APs > Details (Advanced) Page
d. Check the Cisco Discovery Protocol check box to enable CDP on this access point or uncheck it to disable this feature. The default value is enabled.
e. Click Apply to commit your changes.
Step 9 To enable or disable CDP on all access points currently associated to the controller, follow these steps:
a.
Figure 4-30 CDP > Interface Neighbors Page
This page shows the following information:
• The controller port on which the CDP packets were received
• The name of each CDP neighbor
• The IP address of each CDP neighbor
• The port used by each CDP neighbor for transmitting CDP packets
• The time left (in seconds) before each CDP neighbor entry expires
• The functional capability of each
This page shows the following information:
• The controller port on which the CDP packets were received
• The name of the CDP neighbor
• The IP address of the CDP neighbor
• The port used by the CDP neighbor for transmitting CDP packets
• The CDP version being advertised (v1 or v2)
• The time left (in seconds) before the CDP neighbor entry expires
• The functional capability of the CD
This page shows the following information:
• The name of each access point
• The IP address of each access point
• The name of each CDP neighbor
• The IP address of each CDP neighbor
• The port used by each CDP neighbor
• The CDP version being advertised (v1 or v2)
Step 5 To see detailed information about an access point’s CDP neighbors, click the name of the desired access point.
Figure 4-35 CDP > Traffic Metrics Page
This page shows the following information:
• The number of CDP packets received by the controller
• The number of CDP packets sent from the controller
• The number of packets that experienced a checksum error
• The number of packets dropped due to insufficient memory
• The number of invalid packets

Using the CLI to Configure Cisco Discovery Protocol
Use th
Note After you enable CDP on all access points joined to the controller, you may disable and then re-enable CDP on individual access points using the command in #6 below. After you disable CDP on all access points joined to the controller, you may not enable and then disable CDP on individual access points.
8. To see a list of all CDP neighbors for all access points connected to the controller, enter this command:
show ap cdp neighbors [detail] all
Information similar to the following appears when you enter show ap cdp neighbors all:
AP Name            AP IP
---------------    -------------
AP0013.601c.0a0    10.76.108.123
AP0013.601c.0b0    10.76.108.111
AP0013.601c.0c0    10.76.108.
Configuring RFID Tag Tracking
Table 4-3 Cisco Compatible Extensions for RFID Tags Summary (table layout not recoverable from this extraction; columns: Partners AeroScout, WhereNet, Pango (InnerWireless); Product Name Wheretag IV, V3, T2, T3; rows: Motion Detection, Number of Panic Buttons (1, 2, 0, 1), Telemetry (Temperature, Pressure, Humidity, Status, Fuel Quantity, Distance, Tampering), Battery Information, Multiple-Frequency Tags)

Table 4-4 RFID Tags Supported per Controller
Controller                                                                         Number of RFID Tags Supported
Cisco WiSM                                                                         5000
4404                                                                               2500
4402                                                                               1250
Catalyst 3750G Integrated Wireless LAN Controller Switch                           1250
2106 and 2006                                                                      500
Controller Network Module within the Cisco 28/37/38xx Series Integrated Services Routers   500

You can configure and view RFID tag tracking information through the controller CLI.

Using the CLI to View RFID Tag Tracking Information
Use these commands to view RFID tag tracking information using the controller CLI.
1. To see the current configuration for RFID tag tracking, enter this command:
show rfid config
Information similar to the following appears:
RFID Tag data Collection......................... Enabled
RFID timeout..................................... 1200 seconds
RFID mobility...
Configuring and Viewing Location Settings
This section provides instructions for configuring and viewing location settings from the controller CLI.
Note Access points in monitor mode should not be used for location purposes.

Installing the Location Appliance Certificate
A self-signed certificate (SSC) is required on the location appliance.
Step 4 To verify that the location appliance certificate is installed on the controller, enter this command:
show auth-list
Information similar to the following appears:
Authorize APs against AAA ....................... disabled
Allow APs with Self-Signed Certificate (SSC) ....
2. To see the location-based RFID statistics, enter this command:
show location statistics rfid
Information similar to the following appears:
RFID Statistics
Database Full :
Null Bufhandle:
Bad LWAPP Data:
Off Channel:
Bad AP Info :
Above Max RSSI:
Invalid RSSI:
Oldest Expired RSSI:

Configuring the Supervisor 720 to Support the WiSM

Configuring the Supervisor
Log into the switch or router CLI and, beginning in Privileged Exec mode, follow these steps to configure the supervisor to support the WiSM:
        Command               Purpose
Step 1  configure terminal    Enter global configuration mode.
Step 2  interface vlan        Create a VLAN to communicate with the data ports on the WiSM and enter interface config mode.

Using the Wireless LAN Controller Network Module
Keep these guidelines in mind when using a wireless LAN controller network module (CNM) installed in a Cisco Integrated Services Router:
• The CNM does not support IPSec. To use IPSec with the CNM, configure IPSec on the router in which the CNM is installed. Click this link to browse to IPSec configuration instructions for routers: http://www.
Cisco Wireless LAN Controller Configuration Guide 4-86 OL-13826-01
Chapter 5 Configuring Security Solutions
This chapter describes security solutions for wireless LANs.

Cisco UWN Solution Security
Cisco UWN Solution security includes the following sections:
• Security Overview, page 5-2
• Layer 1 Solutions, page 5-2
• Layer 2 Solutions, page 5-2
• Layer 3 Solutions, page 5-3
• Rogue Access Point Solutions, page 5-3
• Integrated Security Solutions, page 5-4

Security Overview
The Cisco UWN security solution bundles potentially complicated Layer 1, Layer 2, and Layer 3 802.

Layer 3 Solutions
The WEP problem can be further solved using industry-standard Layer 3 security solutions such as passthrough VPNs (virtual private networks). The Cisco UWN Solution supports local and RADIUS MAC (media access control) filtering. This filtering is best suited to smaller client groups with a known list of 802.11 access card MAC addresses.

Integrated Security Solutions
• Cisco UWN Solution operating system security is built around a robust 802.1X AAA (authorization, authentication and accounting) engine, which allows operators to rapidly configure and enforce a variety of security policies across the Cisco UWN Solution.

Configuring TACACS+
Note
• If users attempt to make changes on a controller GUI page that are not permitted for their assigned role, a message appears indicating that they do not have sufficient privilege. If users enter a controller CLI command that is not permitted for their assigned role, a message may appear indicating that the command was successfully executed although it was not.
Figure 5-1 Add AAA Client Page on CiscoSecure ACS
Step 3 In the AAA Client Hostname field, enter the name of your controller.
Step 4 In the AAA Client IP Address field, enter the IP address of your controller.
Step 5 In the Shared Secret field, enter the shared secret key to be used for authentication between the server and the controller.
Note The shared secret key must be the same on both the server and the controller.
Figure 5-2 TACACS+ (Cisco) Page on CiscoSecure ACS
Step 10 Under TACACS+ Services, check the Shell (exec) check box.
Step 11 Under New Services, check the first check box and enter ciscowlc in the Service field and common in the Protocol field.
Step 12 Under Advanced Configuration Options, check the Advanced TACACS+ Features check box.
Step 13 Click Submit to save your changes.
Step 14 Click System Configuration on the ACS main page.
Figure 5-3 Group Setup Page on CiscoSecure ACS
Step 20 Under TACACS+ Settings, check the ciscowlc common check box.
Step 21 Check the Custom Attributes check box.
Step 22 In the text box below Custom Attributes, specify the roles that you want to assign to this group. The available roles are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, COMMANDS, ALL, and LOBBY.
Note You should not combine the MONITOR role or the LOBBY role with any other roles. If you specify one of these two roles in the Custom Attributes text box, users will have MONITOR or LOBBY privileges only, even if additional roles are specified.
Step 23 Click Submit to save your changes.

Using the GUI to Configure TACACS+
Follow these steps to configure TACACS+ through the controller GUI.
Step 1 Click Security > AAA > TACACS+.
Step 3 Perform one of the following:
• To edit an existing TACACS+ server, click the server index number for that server. The TACACS+ (Authentication, Authorization, or Accounting) Servers > Edit page appears.
• To add a TACACS+ server, click New. The TACACS+ (Authentication, Authorization, or Accounting) Servers > New page appears (see Figure 5-5).
Step 10 In the Server Timeout field, enter the number of seconds between retransmissions. The valid range is 5 to 30 seconds, and the default value is 5 seconds.
Note Cisco recommends that you increase the timeout value if you experience repeated reauthentication attempts or the controller falls back to the backup server when the primary server is active and reachable.
Step 11 Click Apply to commit your changes.
• config tacacs auth {enable | disable} index—Enables or disables a TACACS+ authentication server.
• config tacacs auth server-timeout index timeout—Configures the retransmission timeout value for a TACACS+ authentication server.
Use these commands to configure a TACACS+ authorization server:
• config tacacs athr add index server_ip_address port# {ascii | hex} shared_secret—Adds a TACACS+ authorization server.
Information similar to the following appears for the show tacacs auth stats command:
Server Index.....................................
Server Address...................................
Msg Round Trip Time..............................
First Requests...................................
Retry Requests...................................
Accept Responses.................................
Reject Responses.................................
Step 3 Click the .csv file corresponding to the date of the logs you wish to view. The TACACS+ Administration .csv page appears (see Figure 5-7).
Figure 5-7 TACACS+ Administration .
Figure 5-8 TACACS+ Administration .csv Page on CiscoSecure ACS
Note You can click Refresh at any time to refresh this page.

Configuring Local Network Users
This section explains how to add local network users to the local user database on the controller. The local user database stores the credentials (username and password) of all the local network users. These credentials are then used to authenticate the users.

Using the GUI to Configure Local Network Users
Follow these steps to configure local network users using the controller GUI.
Step 1 Follow these steps to specify the maximum number of local network users that can exist on the local user database:
a. Click Security > AAA > General to open the General page (see Figure 5-9).
Figure 5-9 General Page
Step 3 Perform one of the following:
• To edit an existing local network user, click the username for that user. The Local Net Users > Edit page appears.
• To add a local network user, click New. The Local Net Users > New page appears (see Figure 5-11).
Figure 5-11 Local Net Users > New Page
Step 4 If you are adding a new user, enter a username for the local user in the User Name field.
Step 12 Click Apply to commit your changes.
Step 13 Click Save Configuration to save your changes.

Using the CLI to Configure Local Network Users
Use the commands in this section to configure local network users using the controller CLI.
Note Refer to the “Using the GUI to Configure Local Network Users” section on page 5-16 for the valid ranges and default values of the parameters used in the CLI commands.
Configuring LDAP
This section explains how to configure a Lightweight Directory Access Protocol (LDAP) server as a backend database, similar to a RADIUS or local user database. An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user. These credentials are then used to authenticate the user.
Figure 5-13 LDAP Servers > New Page
Step 3 If you are adding a new server, choose a number from the Server Index (Priority) drop-down box to specify the priority order of this server in relation to any other configured LDAP servers. You can configure up to seventeen servers. If the controller cannot reach the first server, it tries the second one in the list and so on.
Figure 5-14
b. Highlight LOCAL and click < to move it to the left User Credentials box.
c. Highlight LDAP and click > to move it to the right User Credentials box. The database that appears at the top of the right User Credentials box is used when retrieving user credentials.
d. From the LDAP Servers drop-down boxes, choose the LDAP server(s) that you want to use with this WLAN. You can choose up to three LDAP servers, which are tried in priority order.
e. Click Apply to commit your changes.
f. Click Save Configuration to save your changes.

Using the CLI to Configure LDAP
Use the commands in this section to configure LDAP using the controller CLI.
For example, information similar to the following appears for the show ldap summary command:
LDAP Servers
Idx  Host IP addr     Port  Enabled
---  ---------------  ----  -------
1    10.10.10.10      389   Yes
Information similar to the following appears for the show ldap statistics command:
LDAP Servers
Server 1........................ 10.10.10.10 389
5. To make sure the controller can reach the LDAP server, enter this command:
ping server_ip_address
Configuring Local EAP
Figure 5-16 provides an example of a remote office using local EAP.
Figure 5-16 Local EAP Example (diagram: a regional office with a wireless LAN controller and a Cisco Aironet Lightweight Access Point, connected across the WAN to a RADIUS server and an optional LDAP server)
You can configure local EAP through either the GUI or the CLI.

Using the GUI to Configure Local EAP
Follow these steps to configure local EAP using the controller GUI.
Step 4 Follow these steps to specify the order in which user credentials are retrieved from the backend database servers:
a. Click Security > Local EAP > Authentication Priority to open the Priority Order > Local-Auth page (see Figure 5-17).
Figure 5-17
b. Determine the priority order in which user credentials are to be retrieved from the local and/or LDAP databases.
Figure 5-18 Local EAP Profiles Page
This page lists any local EAP profiles that have already been configured and specifies their EAP types. You can create up to 16 local EAP profiles.
Note If you want to delete an existing profile, hover your cursor over the blue drop-down arrow for that profile and choose Remove.
b. Click New to open the Local EAP Profiles > New page.
f. If you chose EAP-FAST and want the device certificate on the controller to be used for authentication, check the Local Certificate Required check box. If you want to use EAP-FAST with PACs instead of certificates, leave this check box unchecked, which is the default setting.
Note This option applies only to EAP-FAST because device certificates are not used with LEAP and are mandatory for EAP-TLS and PEAP.
Figure 5-20
b. In the Server Key and Confirm Server Key fields, enter the key (in hexadecimal characters) used to encrypt and decrypt PACs.
c. In the Time to Live for the PAC field, enter the number of days for the PAC to remain viable. The valid range is 1 to 1000 days, and the default setting is 10 days.
d. In the Authority ID field, enter the authority identifier of the local EAP-FAST server in hexadecimal characters.
Figure 5-21 WLANs > Edit (Security > AAA Servers) Page
d. Check the Local EAP Authentication check box to enable local EAP for this WLAN.
e. From the EAP Profile Name drop-down box, choose the EAP profile that you want to use for this WLAN.
f. If desired, choose the LDAP server(s) that you want to use with local EAP on this WLAN from the LDAP Servers drop-down boxes.
g. Click Apply to commit your changes.
Step 4 To specify the order in which user credentials are retrieved from the local and/or LDAP databases, enter this command:
config local-auth user-credentials {local | ldap}
Note If you enter config local-auth user-credentials ldap local, local EAP attempts to authenticate clients using the LDAP backend database and fails over to the local user database if the LDAP servers are not reachable.
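The note above draws a distinction that matters for security: with the order "ldap local", the local database is consulted only when LDAP is unreachable, not when LDAP rejects the credential, so a user whose directory account has been disabled cannot simply fall through to a stale local entry. The following is an added example, not code from the Cisco guide, that encodes exactly that behaviour. The backends, user names and passwords are constructed stand-ins (a real controller queries the directory and its own user database), and the password hashing in the local stand-in is an implementation choice of the example, not a description of how the controller stores credentials.

```python
"""Added example (not from the Cisco guide): the "ldap local" credential
order, where failover to the local database happens only when the LDAP
servers are unreachable. Users, passwords and backends are constructed.
"""
import hashlib
import hmac
import os


class Unreachable(Exception):
    """Backend could not be contacted; distinct from a rejected credential."""


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LocalUserDb:
    """Stand-in for the controller's local net user database."""

    def __init__(self):
        self._users = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def authenticate(self, username: str, password: str) -> bool:
        if username not in self._users:
            return False
        salt, stored = self._users[username]
        # constant-time comparison so a mismatch position does not leak
        return hmac.compare_digest(_hash(password, salt), stored)


class LdapBackend:
    """Stand-in LDAP server: a reachable flag plus a constructed directory."""

    def __init__(self, directory: dict, reachable: bool = True):
        self.directory = directory
        self.reachable = reachable

    def authenticate(self, username: str, password: str) -> bool:
        if not self.reachable:
            raise Unreachable("ldap server timed out")
        return hmac.compare_digest(self.directory.get(username, ""), password)


def authenticate(order, backends, username, password):
    """Walk the configured order; move to the next backend only when the
    current one is unreachable. Returns (accepted, backend_that_decided)."""
    for name in order:
        try:
            return backends[name].authenticate(username, password), name
        except Unreachable:
            continue
    return False, None


def demo() -> dict:
    local = LocalUserDb()
    local.add_user("alice", "local-pass")                 # constructed credentials
    ldap_up = LdapBackend({"alice": "ldap-pass"}, reachable=True)
    ldap_down = LdapBackend({"alice": "ldap-pass"}, reachable=False)
    order = ["ldap", "local"]   # config local-auth user-credentials ldap local
    return {
        "ldap_ok": authenticate(order, {"ldap": ldap_up, "local": local}, "alice", "ldap-pass"),
        # a reachable LDAP server that rejects the password is final: no fallback
        "ldap_reject": authenticate(order, {"ldap": ldap_up, "local": local}, "alice", "local-pass"),
        # LDAP unreachable: the local database decides
        "ldap_down": authenticate(order, {"ldap": ldap_down, "local": local}, "alice", "local-pass"),
        # nothing reachable: the request fails closed
        "all_down": authenticate(["ldap"], {"ldap": ldap_down}, "alice", "ldap-pass"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```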
Step 8 To configure EAP-FAST parameters if you created an EAP-FAST profile, enter this command:
config local-auth method fast ?
where ? is one of the following:
• anon-prov {enable | disable}—Configures the controller to allow anonymous provisioning, which allows PACs to be sent automatically to clients that do not have one during PAC provisioning.
Step 12 To view information pertaining to local EAP, enter these commands:
• show local-auth config—Shows the local EAP configuration on the controller.
• show local-auth statistics—Shows the local EAP statistics.
• show local-auth certificates—Shows the certificates available for local EAP.
Step 13 If necessary, you can use these commands to troubleshoot local EAP sessions:
• debug aaa local-auth eap method {all | errors | events | packets | sm} {enable | disable}—Enables or disables debugging of local EAP methods.
• debug aaa local-auth eap framework {all | errors | events | packets | sm} {enable | disable}—Enables or disables debugging of the local EAP framework.

Configuring the System for SpectraLink NetLink Telephones
Step 5 Click Commands > Reboot > Reboot > Save and Reboot to reboot the controller. Click OK in response to this prompt:
Configuration will be saved and the controller will be rebooted. Click ok to confirm.
The controller reboots.
Step 6 Log back into the controller GUI to verify that the controller is properly configured.
Step 7 Click Wireless > 802.11b/g/n > Network to open the 802.

Using the CLI to Configure Enhanced Distributed Channel Access
Use this CLI command to configure 802.11 enhanced distributed channel access (EDCA) parameters to support SpectraLink phones:
config advanced edca-parameters {svp-voice | wmm-default}
where svp-voice enables SpectraLink voice priority (SVP) parameters and wmm-default enables wireless multimedia (WMM) default parameters.

Using Management over Wireless

Using the CLI to Enable Management over Wireless
Step 1 In the CLI, use the show network command to verify whether the Mgmt Via Wireless Interface is Enabled or Disabled. If Mgmt Via Wireless Interface is Disabled, continue with Step 2. Otherwise, continue with Step 3.
Step 2 To enable management over wireless, enter config network mgmt-via-wireless enable.

Configuring DHCP Option 82
Note DHCP option 82 is not supported for use with auto-anchor mobility, which is described in Chapter 11.
Use these commands to configure DHCP option 82 on the controller.
1. To configure the format of the DHCP option 82 payload, enter one of these commands:
– config dhcp opt-82 remote-id ap_mac
This command adds the MAC address of the access point to the DHCP option 82 payload.
Chapter 5 Configuring Security Solutions Configuring and Applying Access Control Lists Configuring and Applying Access Control Lists An access control list (ACL) is a set of rules used to limit access to a particular interface (for example, if you want to restrict a wireless client from pinging the management interface of the controller).
Chapter 5 Configuring Security Solutions Configuring and Applying Access Control Lists Step 2 Step 3 If you want to see if packets are hitting any of the ACLs configured on your controller, check the Enable Counters check box and click Apply. Otherwise, leave the check box unchecked, which is the default value. This feature is useful when troubleshooting your system.
Chapter 5 Configuring Security Solutions Configuring and Applying Access Control Lists Step 7 Follow these steps to configure a rule for this ACL: a. The controller supports up to 64 rules for each ACL. These rules are listed in order from 1 to 64. In the Sequence field, enter a value (between 1 and 64) to determine the order of this rule in relation to any other rules defined for this ACL. Note b. c. d. If rules 1 through 4 are already defined and you add rule 29, it is added as rule 5.
Chapter 5 Configuring Security Solutions Configuring and Applying Access Control Lists e. If you chose TCP or UDP in the previous step, two additional parameters appear: Source Port and Destination Port. These parameters enable you to choose a specific source port and destination port or port ranges. The port options are used by applications that send and receive data to and from the networking stack. Some ports are designated for certain applications such as telnet, ssh, http, and so on. f.
Chapter 5 Configuring Security Solutions Configuring and Applying Access Control Lists Note j. If you want to edit a rule, click the sequence number of the desired rule to open the Access Control Lists > Rules > Edit page. If you ever want to delete a rule, hover your cursor over the blue drop-down arrow for the desired rule and choose Remove. Repeat this procedure to add any additional rules for this ACL. Step 8 Click Save Configuration to save your changes.
Chapter 5 Configuring Security Solutions Configuring and Applying Access Control Lists Figure 5-27 Step 3 Choose the desired ACL from the ACL Name drop-down box and click Apply. None is the default value. Note Step 4 Interfaces > Edit Page See Chapter 3 for more information on configuring controller interfaces. Click Save Configuration to save your changes.
Chapter 5 Configuring Security Solutions Configuring and Applying Access Control Lists Figure 5-28 CPU Access Control Lists Page Step 2 Check the Enable CPU ACL check box to enable a designated ACL to control the traffic to the controller CPU or uncheck the check box to disable the CPU ACL feature and remove any ACL that had been applied to the CPU. The default value is unchecked. Step 3 From the ACL Name drop-down box, choose the ACL that will control the traffic to the controller CPU.
Chapter 5 Configuring Security Solutions Configuring and Applying Access Control Lists Figure 5-29 Step 4 WLANs > Edit (Advanced) Page From the Override Interface ACL drop-down box, choose the ACL that you want to apply to this WLAN. The ACL that you choose overrides any ACL that is configured for the interface. None is the default value. Note See Chapter 6 for more information on configuring WLANs. Step 5 Click Apply to commit your changes. Step 6 Click Save Configuration to save your changes.
Figure 5-30 WLANs > Edit (Security > Layer 3) Page
Step 4 Check the Web Policy check box. Step 5 From the Preauthentication ACL drop-down box, choose the desired ACL and click Apply. None is the default value. Note See Chapter 6 for more information on configuring WLANs. Step 6 Click Save Configuration to save your changes.
Information similar to the following appears:

I  Dir  Source IP Address/Netmask  Destination IP Address/Netmask  Prot  Source Port Range  Dest Port Range  DSCP  Action  Counter
-  ---  -------------------------  ------------------------------  ----  -----------------  ---------------  ----  ------  -------
1  Any  0.0.0.0/0.0.0.0            0.0.0.0/0.0.0.0                 Any   0-65535            0-65535          0     Deny    0
2  In   0.0.0.0/0.0.0.0            200.200.200.0/255.255.255.      6     80-80              0-65535          Any   Permit  0
Step 7 To save your settings, enter this command: save config Note To delete an ACL, enter config acl delete acl_name. To delete an ACL rule, enter config acl rule delete acl_name rule_index. Using the CLI to Apply Access Control Lists Follow these steps to apply ACLs using the controller CLI.
Step 2 To save your settings, enter this command: save config Configuring Management Frame Protection Management frame protection (MFP) provides security for the otherwise unprotected and unencrypted 802.11 management messages passed between access points and clients. MFP provides both infrastructure and client support. Controller software release 4.
Infrastructure MFP consists of three main components: • Management frame protection—The access point protects the management frames it transmits by adding a MIC IE to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC, causing any receiving access point configured to detect MFP frames to report the discrepancy.
Using the GUI to Configure MFP Follow these steps to configure MFP using the controller GUI. Step 1 Click Security > Wireless Protection Policies > AP Authentication/MFP. The AP Authentication Policy page appears (see Figure 5-31). Figure 5-31 AP Authentication Policy Page Step 2 To enable infrastructure MFP globally for the controller, choose Management Frame Protection from the Protection Type drop-down box.
Figure 5-32 WLANs > Edit (Advanced) Page
d. Uncheck the Infrastructure MFP Protection check box to disable MFP for this WLAN or check this check box to enable infrastructure MFP for this WLAN. The default value is enabled. If global MFP is disabled, a note appears in parentheses to the right of the check box. e. Choose Disabled, Optional, or Required from the MFP Client Protection drop-down box. Step 5 Step 6
Figure 5-33 Management Frame Protection Settings Page On this page, you can see the following MFP settings: • The Management Frame Protection field shows if infrastructure MFP is enabled globally for the controller. • The Controller Time Source Valid field indicates whether the controller time is set locally (by manually entering the time) or through an external source (such as an NTP server).
4. To enable or disable client MFP on a specific WLAN, enter this command: config wlan mfp client {enable | disable} wlan_id [required] If you enable client MFP and use the optional required parameter, clients are allowed to associate only if MFP is negotiated. Using the CLI to View MFP Settings Use these commands to view MFP settings using the controller CLI. 1.
AP Name   Infra. Validation   Radio   Operational State
--------  -----------------   -----   -----------------
mapAP     Disabled            a       Up
                              b/g     Up
rootAP2   Enabled             a       Up
                              b/g     Up
HReap     *Enabled            b/g     Up
                              a       Down
3. --Infra.
Stats Reporting Period ..........................
LED State........................................
ILP Pre Standard Switch..........................
ILP Power Injector...............................
Number Of Slots..................................
AP Model.........................................
AP Serial Number.................................
AP Certificate Type..............................
Using the CLI to Debug MFP Issues
Use these commands if you experience any problems with MFP:
• debug wps mfp ? {enable | disable}
where ? is one of the following:
client—Configures debugging for client MFP messages.
lwapp—Configures debugging for MFP messages between the controller and access points.
detail—Configures detailed debugging for MFP messages.
report—Configures debugging for MFP reporting.
Configuring Identity Networking Identity Networking Overview In most wireless LAN systems, each WLAN has a static policy that applies to all clients associated with an SSID. Although powerful, this method has limitations since it requires clients to associate with different SSIDs to inherit different QoS and security policies.
• Type – 26 for Vendor-Specific
• Length – 10
• Vendor-Id – 14179
• Vendor type – 2
• Vendor length – 4
• Value – Three octets:
  – 0 – Bronze (Background)
  – 1 – Silver (Best Effort)
  – 2 – Gold (Video)
  – 3 – Platinum (Voice)
ACL-Name This attribute indicates the ACL name to be applied to the client. A summary of the ACL-Name Attribute format is shown below. The fields are transmitted from left to right.
• Vendor type – 5
• Vendor length – >0
• Value – A string that includes the name of the interface the client is to be assigned to.
Note This attribute only works when MAC filtering is enabled or if 802.1X or WPA is used as the security policy.
VLAN-Tag This attribute indicates the group ID for a particular tunneled session, and is also known as the Tunnel-Private-Group-ID attribute.
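Added example, not code from the Cisco guide or the controller: a small Python encoder and decoder for the Airespace Vendor-Specific attributes described above, using Vendor-Id 14179 with vendor type 2 (QoS-Level) and vendor type 5 (Interface-Name); ACL-Name is left out because its vendor type is not listed in this excerpt. The decoder takes the value width from the vendor-length field and rejects truncated or out-of-range attributes instead of applying a half-parsed policy; packing integers as 4 octets and the sample user and interface names are assumptions.

```python
import struct

VENDOR_SPECIFIC = 26          # RADIUS attribute Type for Vendor-Specific
AIRESPACE_VENDOR_ID = 14179   # Vendor-Id carried by the controller's VSAs
VT_QOS_LEVEL = 2              # vendor type for QoS-Level
VT_INTERFACE_NAME = 5         # vendor type for Interface-Name

# QoS-Level values as listed for the QoS-Level attribute
QOS_NAMES = {0: "Bronze (Background)", 1: "Silver (Best Effort)",
             2: "Gold (Video)", 3: "Platinum (Voice)"}


def encode_vsa(vendor_type, value):
    """Build one Vendor-Specific attribute holding an Airespace sub-attribute.

    Integers are packed as 4-octet big-endian values (assumption: the usual
    RADIUS integer width); strings are sent as UTF-8. Vendor length covers
    vendor type, vendor length and value; Length covers the whole attribute.
    """
    payload = struct.pack("!I", value) if isinstance(value, int) else value.encode("utf-8")
    vendor_len = 2 + len(payload)
    total_len = 6 + vendor_len          # Type, Length, Vendor-Id (4) + vendor part
    if total_len > 255:
        raise ValueError("attribute too long for a one-octet Length field")
    return (struct.pack("!BBI", VENDOR_SPECIFIC, total_len, AIRESPACE_VENDOR_ID)
            + struct.pack("!BB", vendor_type, vendor_len) + payload)


def decode_airespace_vsas(attrs):
    """Return {vendor_type: value} for every Airespace VSA in a RADIUS attribute list.

    Other vendors' VSAs and non-VSA attributes are skipped. Malformed or
    truncated attributes raise ValueError rather than being partly applied.
    """
    found = {}
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("attribute Length runs past end of packet")
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != AIRESPACE_VENDOR_ID:
            continue                      # some other vendor's attribute
        vtype, vlen = body[4], body[5]
        if vlen < 2 or 4 + vlen > len(body):
            raise ValueError("vendor length runs past end of attribute")
        value = body[6:4 + vlen]          # width comes from vendor length, not hard-coded
        if vtype == VT_QOS_LEVEL:
            level = int.from_bytes(value, "big")
            if level not in QOS_NAMES:
                raise ValueError("QoS-Level %d is outside 0-3" % level)
            found[vtype] = level
        elif vtype == VT_INTERFACE_NAME:
            if not value:                 # the attribute requires a non-empty name
                raise ValueError("empty Interface-Name")
            found[vtype] = value.decode("utf-8")
        else:
            found[vtype] = bytes(value)   # unknown sub-attribute: keep raw octets
    return found


def sample_access_accept_attrs():
    """Constructed attribute list: User-Name (type 1) plus two Airespace VSAs."""
    user = b"alice"                        # constructed sample value
    user_name = struct.pack("!BB", 1, 2 + len(user)) + user
    return (user_name
            + encode_vsa(VT_QOS_LEVEL, 3)                   # Platinum (Voice)
            + encode_vsa(VT_INTERFACE_NAME, "guest-vlan"))  # constructed interface name


if __name__ == "__main__":
    parsed = decode_airespace_vsas(sample_access_accept_attrs())
    print("QoS-Level:", QOS_NAMES[parsed[VT_QOS_LEVEL]])
    print("Interface-Name:", parsed[VT_INTERFACE_NAME])
```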
The RADIUS server typically indicates the desired VLAN by including tunnel attributes within the Access-Accept. However, the IEEE 802.1X Authenticator may also provide a hint as to the VLAN to be assigned to the Supplicant by including Tunnel attributes within the Access-Request.
Updating the RADIUS Server Dictionary File for Proper QoS Values If you are using a Steel-Belted RADIUS (SBR), FreeRadius, or similar RADIUS server, clients may not obtain the correct QoS values after the AAA override feature is enabled. For these servers, which allow you to edit the dictionary file, you need to update the file to reflect the proper QoS values: Silver = 0, Gold = 1, Platinum = 2, and Bronze = 3.
Step 6 Save and close the vendor.ini file. Step 7 Start the SBR service (or other RADIUS service). Step 8 Launch the SBR Administrator (or other RADIUS Administrator). Step 9 Add a RADIUS client (if not already added). Choose Cisco WLAN Controller from the Make/Model drop-down box. Using the GUI to Configure AAA Override Follow these steps to configure AAA override using the controller GUI.
Configuring IDS The Cisco intrusion detection system/intrusion prevention system (CIDS/IPS) instructs controllers to block certain clients from accessing the wireless network when attacks involving these clients are detected at Layer 3 through Layer 7. This system offers significant network protection by helping to detect, classify, and stop threats including worms, spyware/adware, network viruses, and application abuse.
Figure 5-36 CIDS Sensor Add Page Step 3 The controller supports up to five IDS sensors. From the Index drop-down box, choose a number (between 1 and 5) to determine the sequence in which the controller consults the IDS sensors. For example, if you choose 1, the controller consults this IDS sensor first. Step 4 In the Server Address field, enter the IP address of your IDS server.
Step 10 Enter a 40-hexadecimal-character security key in the Fingerprint field. This key is used to verify the validity of the sensor and is used to prevent security attacks. Note Do not include the colons that appear between every two bytes within the key. For example, enter AABBCCDD instead of AA:BB:CC:DD. Step 11 Click Apply. Your new IDS sensor appears in the list of sensors on the CIDS Sensors List page.
Step 6 To save your settings, enter this command: save config Step 7 To view the IDS sensor configuration, enter one of these commands: • show wps cids-sensor summary • show wps cids-sensor detail index The second command provides more information than the first.
This page shows the IP address and MAC address of each shunned client, the length of time that the client's data packets should be blocked by the controller as requested by the IDS sensor, and the IP address of the IDS sensor that discovered the client. Step 2 Click Re-sync to purge and reset the list as desired.
Using the GUI to Upload or Download IDS Signatures Follow these steps to upload or download IDS signatures using the controller GUI. Step 1 If desired, create your own custom signature file. Step 2 Make sure that you have a Trivial File Transfer Protocol (TFTP) server available.
Step 9 In the File Path field, enter the path of the signature file to be downloaded or uploaded. The default value is "/." Step 10 In the File Name field, enter the name of the signature file to be downloaded or uploaded. Note When uploading signatures, the controller uses the filename you specify as a base name and then adds "_std.sig" and "_custom. Step 11
The Standard Signatures page shows the list of Cisco-supplied signatures that are currently on the controller. The Custom Signatures page shows the list of customer-supplied signatures that are currently on the controller. This page shows the following information for each signature: • The order, or precedence, in which the controller performs the signature checks. Step 2
This page shows much of the same information as the Standard Signatures and Custom Signatures pages but provides these additional details: • The measurement interval, or the number of seconds that must elapse before the controller resets the signature threshold counters • The tracking method used by the access points to perform signature analysis and report the results to the controller.
Step 2 To see more information on the attacks detected by a particular signature, click the signature type link for that signature. The Signature Events Detail page appears (see Figure 5-42).
Using the CLI to Configure IDS Signatures Follow these steps to configure IDS signatures using the controller CLI. Step 1 If desired, create your own custom signature file. Step 2 Make sure that you have a TFTP server available. See the guidelines for setting up a TFTP server in Step 2 of the "Using the GUI to Upload or Download IDS Signatures" section on page 5-69. Step 3 Copy the custom signature file (*.
Step 11 To save your changes, enter this command: save config
Using the CLI to View IDS Signature Events Use these commands to view signature events using the controller CLI.
1. To see whether IDS signature processing is enabled or disabled on the controller, enter this command: show wps summary
Information similar to the following appears:
Client Exclusion Policy
  Excessive 802.11-association failures..........
  Excessive 802.
5. To see information on attacks that are tracked by access points on a per-signature and per-channel basis, enter this command: show wps signature events {standard | custom} precedence# detailed per-signature source_mac 6.
Configuring AES Key Wrap Figure 5-44 RADIUS Authentication Servers Page Step 2 To enable RADIUS-to-controller key transport using AES key wrap protection, check the Use AES Key Wrap check box. The default value is unchecked. Step 3 Click Apply to commit your changes. Step 4 To define an AES key wrap key for a specific RADIUS server, follow these steps: a.
c. Choose ASCII or Hex from the Key Wrap Format drop-down box to specify the format of the AES key wrap keys: Key Encryption Key (KEK) and Message Authentication Code Key (MACK). d. Enter the 16-byte KEK in the Key Encryption Key (KEK) field. e. Enter the 20-byte MACK in the Message Authentication Code Key (MACK) field. f. Click Apply to commit your changes. Step 5 Click Save Configuration to save your changes.
Configuring Maximum Local Database Entries Step 2 Enter the desired maximum value (on the next controller reboot) in the Maximum Local Database Entries field. The range of possible values is 512 to 2048 (which also includes any configured MAC filter entries). The default value is 2048. The current value appears in parentheses to the right of the field. Step 3 Click Apply to commit your changes. Step 4 Click Save Configuration to save your settings.
Chapter 6 Configuring WLANs Wireless Device Access This chapter describes how to configure up to 16 WLANs for your Cisco UWN Solution.
WLAN Overview The Cisco UWN Solution can control up to 16 WLANs for lightweight access points. Each WLAN has a separate WLAN ID (1 through 16), a separate WLAN SSID (WLAN name), and can be assigned unique security policies. Lightweight access points broadcast all active Cisco UWN Solution WLAN SSIDs and enforce the policies that you define for each WLAN.
Configuring WLANs WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in beacon and probe responses. These are the available Layer 2 security policies: • None (open WLAN) • Static WEP or 802.1X Note Because static WEP and 802.1X are both advertised by the same bit in beacon and probe responses, they cannot be differentiated by clients.
Figure 6-2 WLANs > New Page
Step 3 From the Type drop-down box, choose WLAN to create a WLAN. Note If you want to create a guest LAN for wired guest users, choose Guest LAN and follow the instructions in the "Configuring Wired Guest Access" section on page 9-23. Step 4 In the Profile Name field, enter up to 32 alphanumeric characters for the profile name to be assigned to this WLAN. The profile name must be unique.
Step 9 Click Apply to commit your changes. Step 10 Click Save Configuration to save your changes. Using the CLI to Create WLANs Use these commands to create WLANs using the CLI. 1. To view the list of existing WLANs and to see whether they are enabled or disabled, enter this command: show wlan summary 2. To create a new WLAN, enter this command: config wlan create wlan_id profile_name ssid 3.
Configuring DHCP WLANs can be configured to use the same or different Dynamic Host Configuration Protocol (DHCP) servers or no DHCP server. Two types of DHCP servers are available: internal and external. Internal DHCP Server The controllers contain an internal DHCP server. This server is typically used in branch offices that do not already have a DHCP server.
Per-WLAN Assignment You can also define a DHCP server on a WLAN. This server will override the DHCP server address on the interface assigned to the WLAN. Security Considerations For enhanced security, Cisco recommends that you require all clients to obtain their IP addresses from a DHCP server. To enforce this requirement, all WLANs can be configured with a DHCP Addr.
Step 6 On the General tab, choose the interface for which you configured a primary DHCP server to be used with this WLAN from the Interface drop-down box. Step 7 Click the Advanced tab to open the WLANs > Edit (Advanced) page.
Configuring DHCP Scopes Controllers have built-in DHCP relay agents. However, when network administrators desire network segments that do not have a separate DHCP server, the controllers can have built-in DHCP scopes that assign IP addresses and subnet masks to wireless clients. Typically, one controller can have one or more DHCP scopes that each provide a range of IP addresses. DHCP scopes are needed for internal DHCP to work.
Figure 6-5 DHCP Scope > Edit Page
Step 5 In the Pool Start Address field, enter the starting IP address in the range assigned to the clients. Note This pool must be unique for each DHCP scope and must not include the static IP addresses of routers or other servers. Step 6 In the Pool End Address field, enter the ending IP address in the range assigned to the clients.
Using the CLI to Configure DHCP Scopes Follow these steps to configure DHCP scopes using the CLI. Step 1 To create a new DHCP scope, enter this command: config dhcp create-scope scope Note If you ever want to delete a DHCP scope, enter this command: config dhcp delete-scope scope. Step 2
Step 11 To see the list of configured DHCP scopes, enter this command: show dhcp summary
Information similar to the following appears:
Scope Name   Enabled   Address Range
Scope 1      No        0.0.0.0 -> 0.0.0.0
Scope 2      No        0.0.0.0 -> 0.0.0.0
Step 12 To display the DHCP information for a particular scope, enter this command: show dhcp scope
Information similar to the following appears:
Enabled.......................................
Lease Time.....
• Enter config macfilter ip-address mac_addr IP_addr to assign an IP address to an existing MAC filter entry, if one was not assigned in the config macfilter add command. • Enter show macfilter to verify that MAC addresses are assigned to the WLAN. Configuring a Timeout for Disabled Clients You can configure a timeout for disabled clients.
Figure 6-6 Peer-to-Peer Blocking Examples
(Figure: Layer 3 router/switch, controller, Layer 2 switch, lightweight access point, WLAN 1, WLAN 2, WLAN 3)
Disable: Peer-to-peer blocking is disabled, and traffic is bridged.
Drop: Packets are discarded by the controller.
Forward Up: Packets are forwarded to the upstream switch.
Figure 6-7 WLANs > Edit (Advanced) Page
Step 4 Choose one of the following options from the P2P Blocking drop-down box: • Disabled—Disables peer-to-peer blocking and bridges traffic locally within the controller whenever possible. This is the default value. Note Traffic is never bridged across VLANs in the controller. • Drop—Causes the controller to discard the packets.
Step 3 To see the status of peer-to-peer blocking for a WLAN, enter this command: show wlan wlan_id
Information similar to the following appears:
WLAN Identifier.................................. 1
Profile Name..................................... test
Network Name (SSID).............................. test
Status........................................... Enabled
...
Peer-to-Peer Blocking Action.....................
Dynamic 802.1X Keys and Authorization Controllers can control 802.1X dynamic WEP keys using Extensible Authentication Protocol (EAP) across access points and support 802.1X dynamic key settings for WLANs. Note To use LEAP with lightweight access points and wireless clients, make sure to choose Cisco-Airespace or Cisco-Aironet as the RADIUS server type when configuring the CiscoSecure Access Control Server (ACS).
Configuring a WLAN for Both Static and Dynamic WEP You can configure up to four WLANs to support static WEP keys, and you can also configure dynamic WEP on any of these static-WEP WLANs. Follow these guidelines when configuring a WLAN for both static and dynamic WEP: • The static WEP key and the dynamic WEP key must be the same length.
On a single WLAN, you can allow WPA1, WPA2, and 802.1X/PSK/CCKM/802.1X+CCKM clients to join. All of the access points on such a WLAN advertise WPA1, WPA2, and 802.1X/PSK/CCKM/802.1X+CCKM information elements in their beacons and probe responses. When you enable WPA1 and/or WPA2, you can also enable one or two ciphers, or cryptographic algorithms, designed to protect data traffic.
Step 8 If you chose PSK in Step 7, choose ASCII or HEX from the PSK Format drop-down box and then enter a pre-shared key in the blank field. WPA pre-shared keys must contain 8 to 63 ASCII text characters or 64 hexadecimal characters. Step 9 Click Apply to commit your changes. Step 10 Click Save Configuration to save your changes.
If you enabled WPA2 with 802.1X authenticated key management, the controller supports opportunistic PMKID caching but not sticky (or non-opportunistic) PMKID caching. In sticky PMKID caching, the client stores multiple PMKIDs. This approach is not practical because it requires full authentication for each new access point and is not guaranteed to work in all conditions.
Figure 6-9 WLANs > Edit (Security > Layer 2) Page Step 8 Choose CKIP from the Layer 2 Security drop-down box. Step 9 Under CKIP Parameters, choose the length of the CKIP encryption key from the Key Size drop-down box. Range: Not Set, 40 bits, or 104 bits Default: Not Set Step 10 Choose the number to be assigned to this key from the Key Index drop-down box. You can configure up to four keys.
Using the CLI to Configure CKIP Follow these steps to configure a WLAN for CKIP using the controller CLI.
Step 5 In the Session Timeout field, enter a value between 300 and 86400 seconds to specify the duration of the client session. The default value is 1800 seconds for the following Layer 2 security types: 802.1X; Static WEP+802.1X; and WPA+WPA2 with 802.1X, CCKM, or 802.1X+CCKM authentication key management; and 0 seconds for all other Layer 2 security types. A value of 0 is equivalent to no timeout.
VPN Passthrough Using the GUI to Configure VPN Passthrough Follow these steps to configure a WLAN for VPN passthrough using the controller GUI. Step 1 Click WLANs to open the WLANs page. Step 2 Click the profile name of the WLAN for which you want to configure VPN passthrough. The WLANs > Edit page appears. Step 3 Click the Security and Layer 3 tabs to open the WLANs > Edit (Security > Layer 3) page (see Figure 6-10).
Note Web authentication is not supported for use with REAP devices. Note The controller supports web authentication redirects only to HTTP (HTTP over TCP) servers. It does not support web authentication redirects to HTTPS (HTTP over SSL) servers. Note Before enabling web authentication, make sure that all proxy servers are configured for ports other than port 53.
The WLAN QoS level defines a specific 802.11e user priority (UP) for over-the-air traffic. This UP is used to derive the over-the-wire priorities for non-WMM traffic, and it also acts as the ceiling when managing WMM traffic with various levels of priorities. The access point uses this QoS-profile-specific UP in accordance with the values in Table 6-1 to derive the IP DSCP value that is visible on the wired LAN.
Step 5 From the Quality of Service (QoS) drop-down box, choose one of the following:
• Platinum (voice)
• Gold (video)
• Silver (best effort)
• Bronze (background)
Silver (best effort) is the default value.
Step 6 Click Apply to commit your changes. Step 7 Click Save Configuration to save your changes.
Configuring QoS Enhanced BSS The QoS Enhanced Basic Service Set (QBSS) information element (IE) enables the access points to communicate their channel usage to wireless devices. Because access points with high channel usage might not be able to handle real-time traffic effectively, the 7921 or 7920 phone uses the QBSS value to determine whether it should associate to another access point.
Additional Guidelines for Using 7921 and 7920 Wireless IP Phones Follow these guidelines to use Cisco 7921 and 7920 Wireless IP Phones with controllers: • Aggressive load balancing must be disabled for each controller. Otherwise, the initial roam attempt by the phone may fail, causing a disruption in the audio path. • The Dynamic Transmit Power Control (DTPC) information element (IE) must be enabled using the config 802.
In Layer 2 LWAPP mode when WMM is enabled on any WLAN, the access point sends its priority information on the 802.1q PRI field, with VLAN ID 0 based on the WMM clients' QoS control fields. In Layer 3 LWAPP mode, this information is carried in the DSCP of the LWAPP packet's IP header. Some non-Cisco access switches to which the access point is connected might handle VLAN tag ID 0 inappropriately.
Note In Layer 2 LWAPP mode when WMM is enabled on any WLAN, the access point sends its priority information on the 802.1q PRI field, with VLAN ID 0 based on the WMM clients' QoS control fields. In Layer 3 LWAPP mode, this information is carried in the DSCP of the LWAPP packet's IP header. Some non-Cisco access switches to which the access point is connected might handle VLAN tag ID 0 inappropriately. Step 4
• To enable IPv6 bridging, Layer 3 security must be set to None. • Hybrid-REAP with central switching is supported for use with IPv6 bridging. Hybrid-REAP with local switching is not supported. • Auto-anchor mobility is not supported for use with IPv6 bridging. • If symmetric mobility tunneling is enabled, all IPv4 traffic is bidirectionally tunneled to and from the client, but the IPv6 client traffic is bridged locally.
Note The Security Policy Completed field in both the controller GUI and CLI shows "No for IPv4 (bridging allowed for IPv6)" until web authentication is completed. You can view this field from the Clients > Detail page on the GUI or from the show client detail CLI command. Using the GUI to Configure IPv6 Bridging Follow these steps to configure a WLAN for IPv6 bridging using the GUI. Step 1 Click WLANs to open the WLANs page.
Configuring Cisco Client Extensions Cisco Client Extensions (CCX) software is licensed to manufacturers and vendors of third-party client devices. The CCX code resident on these clients enables them to communicate wirelessly with Cisco access points and to support Cisco features that other client devices do not, including those related to increased security, enhanced performance, fast roaming, and superior power management. The 4.
Figure 6-14 Clients > Detail Page The CCX Version field shows the CCX version supported by this client device. Not Supported appears if the client does not support CCX.
Step 3 Click Back to return to the previous screen. Step 4 Repeat this procedure to view the CCX version supported by any other client devices. Using the CLI to Configure CCX Aironet IEs To enable or disable support for Aironet IEs for a particular WLAN, enter this command: config wlan ccx aironet-ie {enable | disable} wlan_id The default value is enabled.
Step 4 If you enabled the WLAN override feature in Step 3, check the check boxes for the WLANs that you want this access point to broadcast. Step 5 Click Apply to commit your changes. Step 6 Click Save Configuration to save your changes. Using the CLI to Configure WLAN Override Use these commands to configure the WLAN override feature for a specific access point using the controller CLI. 1.
Figure 6-16 Access Point Groups In Figure 6-16, three configured dynamic interfaces are mapped to three different VLANs (VLAN 61, VLAN 62, and VLAN 63). Three access point groups are defined, and each is a member of a different VLAN, but all are members of the same SSID. A client within the wireless SSID is assigned an IP address from the VLAN subnet on which its access point is a member.
To configure access point groups, follow these top-level steps: 1. Configure the appropriate dynamic interfaces and map them to the desired VLANs. For example, to implement the network in Figure 6-16, create dynamic interfaces for VLANs 61, 62, and 63 on the controller. Refer to Chapter 3 for more information about how to configure dynamic interfaces. 2. Create the access point groups.
Note If you ever want to delete this group, hover your cursor over the blue drop-down arrow for the group and choose Remove. Step 6 To edit this new group, click the name of the group. The AP Groups VLAN page reappears with different fields (see Figure 6-18). Figure 6-18 AP Groups VLAN Page Step 7 To map the access point group to a WLAN, choose its ID from the WLAN SSID drop-down box.
Chapter 6 Configuring WLANsWireless Device Access Configuring WLANs Assigning Access Points to Access Point Groups After you have created your access point groups, use the controller GUI or CLI to assign access points to these groups. Using the GUI to Assign Access Points to Access Point Groups Follow these steps to assign an access point to an access point group using the GUI. Step 1 Click Wireless > Access Points > All APs to open the All APs page.
Chapter 6 Configuring WLANsWireless Device Access Configuring WLANs Configuring Conditional Web Redirect with 802.1X Authentication You can configure a WLAN to redirect a user to a particular web page (under certain conditions) after 802.1X authentication has completed successfully. Such conditions might include the user’s password reaching expiration or the user needing to pay his or her bill for continued usage.
Chapter 6 Configuring WLANsWireless Device Access Configuring WLANs Figure 6-20 ACS Server Configuration Step 4 Check the [009\001] cisco-av-pair check box.
Step 5 Set any additional parameters for 802.1X or WPA+WPA2.
Step 6 Click the Layer 3 tab to open the WLANs > Edit (Security > Layer 3) page (see Figure 6-21).
Figure 6-21 WLANs > Edit (Security > Layer 3) Page
Step 7 Choose None from the Layer 3 Security drop-down box.
Step 8 Check the Web Policy check box.
Step 9 Choose Conditional Web Redirect to enable this feature. The default value is disabled.
Disabling Accounting Servers per WLAN
This section provides instructions for disabling all accounting servers on a WLAN. Disabling accounting servers disables all accounting operations and prevents the controller from falling back to the default RADIUS server for the WLAN.
Follow these steps to disable all accounting servers for a RADIUS authentication server.
Step 1 Click WLANs to open the WLANs page.
Chapter 7 Controlling Lightweight Access Points
This chapter describes the Cisco lightweight access points and explains how to connect them to the controller and manage access point settings.
The Controller Discovery Process
Cisco’s lightweight access points use the Lightweight Access Point Protocol (LWAPP) to communicate between the controller and other lightweight access points on the network. In an LWAPP environment, a lightweight access point discovers a controller by using LWAPP discovery mechanisms and then sends it an LWAPP join request.
Verifying that Access Points Join the Controller
When replacing a controller, you need to make sure that access points join the new controller.
Using the GUI to Verify that Access Points Join the Controller
Follow these steps to ensure that access points join the new controller.
Step 1 Follow these steps to configure the new controller as a master controller.
a.
Cisco 1000 Series Lightweight Access Points
The Cisco 1000 series lightweight access point is a part of the innovative Cisco Unified Wireless Network (UWN) Solution. When associated with controllers as described below, the Cisco 1000 series lightweight access point provides advanced 802.11a and/or 802.11b/g access point functions in a single aesthetically pleasing plenum-rated enclosure.
Cisco 1030 Remote Edge Lightweight Access Points
The only exception to the general rule of lightweight access points being continuously controlled by Cisco Wireless LAN Controllers is the Cisco 1030 IEEE 802.11a/b/g remote edge lightweight access point (Cisco 1030 remote edge lightweight access point).
Note that the Cisco 1030 remote edge lightweight access point must have a DHCP server available on its local subnet so that it can obtain an IP address upon reboot. Also note that the Cisco 1030 remote edge lightweight access points at each remote location must be on the same subnet to allow client roaming.
Also note that the 802.11a 5-GHz left external antenna connector is separate from the internal antennas and adds diversity to the 802.11a transmit and receive path. Note that no external 802.11a antennas are certified in FCC-regulated areas, but external 802.11a antennas may be certified for use in other countries.
Cisco 1000 Series Lightweight Access Point Connectors
The AP1020 and AP1030 Cisco 1000 series lightweight access points have the following external connectors:
• One RJ-45 Ethernet jack, used for connecting the Cisco 1000 series lightweight access point to the network.
• One 48 VDC power input jack, used to plug in an optional factory-supplied external power adapter.
Cisco 1000 Series Lightweight Access Point External Power Supply
The Cisco 1000 series lightweight access point can receive power from an external 110-220 VAC-to-48 VDC power supply or from Power over Ethernet equipment. The external power supply plugs into a secure 110 through 220 VAC electrical outlet.
Cisco Aironet 1510 Series Lightweight Outdoor Mesh Access Points
It is a self-contained outdoor unit that can be configured with a wired backhaul connection to an Ethernet segment for a rooftop deployment or with a wireless backhaul for a pole-top deployment. The AP1510 can be installed anywhere power is available, without the need for a network connection.
Note
• The MAC filter lists of all controllers on a controller subnet service set must be identical and include all the RAPs and MAPs that may connect on that subnet. Failure to have uniform MAC filter lists on the service set may prevent access points from being able to communicate.
A bridge group name can be used to logically group access points into sectors.
Configuring and Deploying the AP1510
Note For information on planning and initially configuring your Cisco mesh network, refer to the Cisco Mesh Networking Solution Deployment Guide. You can find this document at this URL: http://www.cisco.com/en/US/products/ps6548/prod_technical_reference_list.
Figure 7-5 MAC Filters > New Page
Step 3 In the MAC Address field, enter the MAC address of the access point.
Step 4 From the Profile Name drop-down box, choose “Any WLAN.”
Step 5 In the Description field, enter a description of the access point. The text that you enter identifies the access point on the controller.
Configuring Mesh Parameters
This section provides instructions for configuring the access point to establish a connection with the controller. You can configure the necessary mesh parameters using either the GUI or the CLI. All parameters are applied globally.
Using the GUI to Configure Mesh Parameters
Follow these steps to configure mesh parameters using the controller GUI.
Table 7-1 Mesh Parameters (continued)
Parameter: MAC Filter List
Description: Protects your network against rogue mesh access points by preventing access points that are not defined in the MAC filter list from joining. When you check the MAC Filter List check box, the access points reboot and then rejoin the controller if defined in the MAC filter list.
Step 3 Click Apply to commit your changes.
Step 4 Click Save Configuration to save your changes.
Using the CLI to Configure Mesh Parameters
Follow these steps to configure global mesh parameters using the controller CLI.
Note Battery status appears as N/A (not applicable) in the show mesh env Cisco_AP status display because it is not provided for access points.
• show mesh neigh {detail | summary} Cisco_AP—Shows the mesh neighbors for the specified access point.
• show mesh path Cisco_AP—Shows the channel and signal-to-noise ratio (SNR) details for a link between a specified access point and its neighbor.
Figure 7-7 All APs > Details Page
On this page, the AP Mode under General is automatically set to Bridge for access points that have bridge functionality, such as the AP1510.
Step 3 Click the Mesh tab to open the All APs > Details (Mesh) page (see Figure 7-8).
This page shows the following information:
• The bridge type, which specifies whether the access point is designed for indoor or outdoor use. This field is set to Outdoor for the AP1510.
• The backhaul interface, or the radio band that this access point uses to transfer data to other AP1510s. The only possible value is 802.11a.
Step 4
Note If you upgrade to software release 4.0 or later from a previous release, your root access points default to the meshAP role. You must reconfigure them for the rootAP role.
Step 3
You can configure bandwidth-based CAC for mesh networks using the controller GUI or CLI. The instructions for configuring this feature are essentially the same for both mesh and non-mesh networks. Follow the instructions in the “Configuring Voice and Video Parameters” section on page 4-48 to configure voice and video parameters for both mesh and non-mesh access points.
• To view the mesh tree topology for the network and the bandwidth utilization (used/maximum available) of voice calls and video links for each access point and radio, enter this command:
show mesh cac bwused {voice | video} Cisco_AP
Information similar to the following appears:
AP Name          Model     Radio
---------------  --------- -----
mesh-rap1        LAP1510   11a
 | mesh-map6     LAP1510   11a
 || mesh-map11   AP150
• To view the mesh tree topology for the network and display the voice calls that are in progress, enter this command:
show mesh cac callpath Cisco_AP
Information similar to the following appears:
AP Name          Model     Radio
---------------  --------- -----
mesh-rap1        LAP1510   11a
 | mesh-map6     LAP1510   11a
 || mesh-map11   AP1505    11b/g
 ||| mesh-map12  AP1505    11b/g
 | mesh-map2     LAP1510   11a
 || mesh-map10   LAP1510   11
Using the GUI to View Mesh Statistics for an Access Point
Follow these steps to view mesh statistics for a specific access point using the controller GUI.
Step 1 Click Wireless > Access Points > All APs to open the All APs page (see Figure 7-10).
Figure 7-11 All APs > Access Point Name > Statistics Page
This page shows the role of the access point in the mesh network, the name of the bridge group to which the access point belongs, the backhaul interface on which the access point operates, and the number of the physical switch port. It also displays a variety of mesh statistics for this access point.
Table 7-2 Mesh Access Point Statistics
Statistics: Mesh Node Stats
Malformed Neighbor Packets: The number of malformed packets received from the neighbor. Examples of malformed packets include malicious floods of traffic such as malformed or short DNS packets and malformed DNS replies.
Table 7-2 Mesh Access Point Statistics (continued)
Statistics: Mesh Node Security Stats
Transmitted Packets: The number of packets transmitted during security negotiations by the selected mesh access point.
Received Packets: The number of packets received during security negotiations by the selected mesh access point.
Table 7-2 Mesh Access Point Statistics (continued)
Statistics: Mesh Node Security Stats (continued)
Unknown Reauthentication Requests: The number of unknown reauthentication requests received by the parent mesh access point node from its child. This state may occur when a child mesh access point is an unknown neighbor.
Re-Association Timeouts 0
Re-Association Successes 0
Re-Authentication Failures 0
Re-Authentication Timeouts 0
Re-Authentication Successes 0
• To view the number of packets in the queue by type, enter this command:
show mesh queue-stats Cisco_AP
Information similar to the following appears:
Queue Type  Overflows  Peak length  Average length
----------  ---------  -----------  --------------
S
Figure 7-12 All APs Page
Step 2 To view neighbor statistics for a specific access point, hover your cursor over the blue drop-down arrow for the desired access point and choose Neighbor Information. The All APs > Access Point Name > Neighbor Info page for the selected access point appears (see Figure 7-13).
Figure 7-14 Link Test Window
b. Click Submit to start the link test. The link test results appear on the Mesh > LinkTest Results page (see Figure 7-15).
Figure 7-15 Mesh > LinkTest Results Page
c. Click Back to return to the All APs > Access Point Name > Neighbor Info page.
Step 4 To view the details for any of the access points on this page, follow these steps:
a.
Figure 7-16 All APs > Access Point Name > Link Details > Neighbor Name Page
b. Click Back to return to the All APs > Access Point Name > Neighbor Info page.
Step 5 To view statistics for any of the access points on this page, follow these steps:
a. Hover your mouse over the blue drop-down arrow for the desired access point and choose Stats.
• To view the channel and signal-to-noise ratio (SNR) details for a link between an access point and its neighbor, enter this command:
show mesh path Cisco_AP
Information similar to the following appears:
AP Name/Radio Mac  Channel  Snr-Up  Snr-Down  Link-Snr  Flags  State
-----------------  -------  ------  --------  --------  -----  ------
mesh-45-rap1       165      15      18        16        0x86b  UPDATED NEIGH PARENT BEACON
mesh
Note In the EMEA regulatory domain, locating neighbors on other channels might take longer given DFS requirements.
Background Scanning Scenarios
A few scenarios are provided below to better illustrate how background scanning operates.
In Figure 7-18, when the mesh access point (MAP1) initially comes up, it is aware of both root access points (RAP1 and RAP2) as possible parents.
Figure 7-19 Background Scanning Identifies a New Parent (diagram of RAP1, RAP2, and MAP1; Channel 1 = 153, Channel 2 = 161)
Using the GUI to Enable Background Scanning
Follow these steps to enable background scanning through the GUI.
Step 1 Click Wireless > Mesh to open the Mesh page (see Figure 7-20).
Using the CLI to Enable Background Scanning
Follow these steps to enable background scanning through the CLI.
Step 1 To enable or disable background scanning on the controller, enter this command:
config mesh background-scanning {enable | disable}
The default value is enabled.
The secondary backhaul communication path is between the two 802.11b/g radios in the AP1510s, while the primary backhaul continues to operate between the 802.11a radios using the Adaptive Wireless Point Protocol (AWPP). The secondary backhaul is not for load balancing. It is solely a backup path for the primary backhaul. You can enable a secondary backhaul on a global basis using the controller CLI.
Autonomous Access Points Converted to Lightweight Mode
• In controller software release 4.2, all Cisco lightweight access points support 16 BSSIDs per radio and a total of 16 wireless LANs per access point. In previous releases, they supported only 8 BSSIDs per radio and a total of 8 wireless LANs per access point. When a converted access point associates to a controller, only wireless LANs with IDs 1 through 16 are pushed to the access point.
Using the MODE Button and a TFTP Server to Return to a Previous Release
Follow these steps to revert from lightweight mode to autonomous mode by using the access point MODE (reset) button to load a Cisco IOS release from a TFTP server:
Step 1 The PC on which your TFTP server software runs must be configured with a static IP address in the range of 10.0.0.2 to 10.0.0.30.
Authorizing Access Points Using MICs
You can configure controllers to use RADIUS servers to authorize access points using MICs. The controller uses an access point’s MAC address as both the username and password when sending the information to a RADIUS server.
Note To remove an access point from the authorization list, hover your cursor over the blue drop-down arrow for the access point and choose Remove.
Note To search for a specific access point in the authorization list, enter the MAC address of the access point in the Search by MAC field and click Search.
Table 7-3 VCI Strings For Lightweight Access Points
Access Point                 VCI String
Cisco 1000 Series            Airespace 1200
Cisco Aironet 1130 Series    Cisco AP c1130
Cisco Aironet 1200 Series    Cisco AP c1200
Cisco Aironet 1240 Series    Cisco AP c1240
This is the format of the TLV block:
• Type: 0xf1 (decimal 241)
• Length: Number of controller IP addresses * 4
• Value: List of the IP addresses of controll
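The TLV layout above is small enough to encode and check by hand, but a DHCP administrator usually wants the option value in hex and wants to be sure a value already in a server's configuration is well formed. The following Python is an added example, not code from the guide or from Cisco: it builds the Option 43 sub-option from a list of controller addresses, decodes a value back into addresses while rejecting anything that does not match the documented type and length rules, and checks an Option 60 string against the VCI strings from Table 7-3. The function names, the constructed sample addresses (10.10.10.5 and 10.10.10.6), and the one-byte length limit of a single sub-option are assumptions of this example.

```python
"""Build and validate the DHCP Option 43 TLV that points lightweight access
points at their controllers (added example, not Cisco code).  Assumes the
layout given in this section: Type 0xf1 (decimal 241), Length = 4 * number
of controller addresses, Value = the IPv4 addresses in order."""
import ipaddress
import struct

# Vendor Class Identifier (Option 60) strings from Table 7-3.  A DHCP server
# normally returns Option 43 only to clients that present one of these.
LIGHTWEIGHT_AP_VCI = {
    "Airespace 1200": "Cisco 1000 Series",
    "Cisco AP c1130": "Cisco Aironet 1130 Series",
    "Cisco AP c1200": "Cisco Aironet 1200 Series",
    "Cisco AP c1240": "Cisco Aironet 1240 Series",
}

LWAPP_CONTROLLER_TLV_TYPE = 0xF1  # decimal 241, per the guide


def is_lightweight_ap_vci(vci: str) -> bool:
    """True if the Option 60 string belongs to an access point in Table 7-3."""
    return vci in LIGHTWEIGHT_AP_VCI


def build_option43(controller_ips) -> bytes:
    """Encode the sub-option: one type byte, one length byte, packed IPv4s."""
    ips = [ipaddress.IPv4Address(ip) for ip in controller_ips]
    if not ips:
        raise ValueError("at least one controller address is required")
    value = b"".join(ip.packed for ip in ips)
    if len(value) > 255:  # assumption: a single sub-option has a one-byte length
        raise ValueError("too many controllers for a one-byte length field")
    return struct.pack("BB", LWAPP_CONTROLLER_TLV_TYPE, len(value)) + value


def option43_hex(controller_ips) -> str:
    """Hex form of the option, which is how many DHCP servers take the value."""
    return build_option43(controller_ips).hex()


def parse_option43(data: bytes):
    """Decode an Option 43 value into controller addresses (as strings).

    Every rule from the documented layout is enforced, so a truncated or
    mis-typed value raises ValueError instead of yielding garbage addresses."""
    if len(data) < 2:
        raise ValueError("option too short to hold a TLV header")
    tlv_type, length = data[0], data[1]
    if tlv_type != LWAPP_CONTROLLER_TLV_TYPE:
        raise ValueError(f"unexpected TLV type 0x{tlv_type:02x}")
    if length == 0 or length % 4 != 0:
        raise ValueError("length must be a non-zero multiple of 4")
    value = data[2:2 + length]
    if len(value) != length:
        raise ValueError("TLV value truncated")
    return [str(ipaddress.IPv4Address(value[i:i + 4]))
            for i in range(0, length, 4)]


def is_valid_option43(data: bytes) -> bool:
    """Convenience check for auditing a configured value."""
    try:
        parse_option43(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample addresses; they do not come from the guide.
    sample = ["10.10.10.5", "10.10.10.6"]
    print(option43_hex(sample))                        # f1080a0a0a050a0a0a06
    print(parse_option43(build_option43(sample)))      # ['10.10.10.5', '10.10.10.6']
    print(is_valid_option43(bytes.fromhex("f1050a0a0a05")))  # False: length not a multiple of 4
```

The parser deliberately refuses a length that is not a multiple of four and a value shorter than its declared length; both are the kinds of copy-and-paste mistakes that leave access points unable to find a controller, and catching them in a pre-deployment check is cheaper than tracing a join failure afterwards.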
You can view join-related information for the following numbers of access points:
• Up to 300 access points for 4400 series controllers, the Cisco WiSM, and the Catalyst 3750G Integrated Wireless LAN Controller Switch
• Up to three times the maximum number of access points supported by the platform for the 2000 and 2100 series controllers and the Controller Network Module within the Cisco 28/37/38xx S
Configuring the Syslog Server for Access Points
Follow these steps to configure the syslog server for access points using the controller CLI.
Use these CLI commands to view access point join information:
• To see the MAC addresses of all the access points that are joined to the controller or that have tried to join, enter this command:
show ap join stats summary all
Information similar to the following appears:
Number of APs.............................................. 3
00:0b:85:1b:7c:b0..........................................
Configuration phase statistics
- Configuration requests received..........................
- Successful configuration responses sent..................
- Unsuccessful configuration request processing............
- Reason for last unsuccessful configuration attempt.......
- Time at last successful configuration attempt............
- Time at last unsuccessful configuration attempt..........
Follow these steps to retrieve the radio core dump file using the controller CLI.
Step 1 To transfer the radio core dump file from the access point to the controller, enter this command:
config ap crash-file get-radio-core-dump slot Cisco_AP
For the slot parameter, enter the slot ID of the radio that crashed.
Disabling the Reset Button on Access Points Converted to Lightweight Mode
You can disable the reset button on access points converted to lightweight mode. The reset button is labeled MODE on the outside of the access point.
Follow these steps to perform the TFTP recovery procedure.
Step 1 Download the required recovery image from Cisco.com (c1100-rcvk9w8-mx, c1200-rcvk9w8-mx, or c1310-rcvk9w8-mx) and install it in the root directory of your TFTP server.
Step 2 Connect the TFTP server to the same subnet as the target access point and power-cycle the access point.
Cisco Workgroup Bridges
Figure 7-23 WGB in Mesh Network (diagram of WGB1 and WGB2 with their switches, MAP1, MAP2, the RAP, and the controller, joined by MESH backhaul links)
Guidelines for Using WGBs
Follow these guidelines for using WGBs on your network:
• The WGB can be any autonomous access point that supports the workgroup bridge mode and is running Cisco IOS Release 12.4(3g)JA or later (on 32-MB access points) or Cisco IOS Release 12.3(8)JEB or later (on 16-MB access points).
Note The controller supports only Cisco WGB products. Linksys and OEM WGB devices are not supported.
Although the Cisco Wireless Unified Solution does not support the Linksys WET54G and WET11B Ethernet Bridges, you can use these devices in a Wireless Unified Solution configuration if you follow these guidelines:
1. Connect only one device to the WET54G or WET11B.
2.
– Idle timeout
– Web authentication
Note If a WGB associates to a web-authentication WLAN, the WGB is added to the exclusion list, and all of the WGB wired clients are deleted.
• The WGB supports a maximum of 20 wired clients. If you have more than 20 wired clients, use a bridge or another device.
ap(config-ssid)#guest-mode
ap(config-ssid)#exit
ap(config)#interface dot11Radio 0
ap(config-if)#station-role workgroup-bridge
ap(config-if)#encryption mode wep 40
ap(config-if)#encryption key 1 size 40 0 1234567890
ap(config-if)#ssid WGB_with_static_WEP
ap(config-if)#end
To verify that the WGB is associated to an access point, enter this command on the WGB:
show dot11 associations
Information similar to the following appears:
ap#show dot11 associations
Figure 7-25 Clients > Detail Page
The Client Type field under Client Properties shows “WGB” if this client is a workgroup bridge, and the Number of Wired Client(s) field shows the number of wired clients that are connected to this WGB.
Step 3 To see the details of any wired clients that are connected to a particular WGB, follow these steps:
a. Click Back on the Clients > Detail page to return to the Clients page.
b.
Figure 7-27 Clients > Detail Page
The Client Type field under Client Properties shows “WGB Client,” and the rest of the fields on this page provide additional information for this client.
Using the CLI to View the Status of Workgroup Bridges
Follow these steps to view the status of WGBs on your network using the controller CLI.
Using the CLI to Debug WGB Issues
Use the commands in this section if you experience any problems with the WGB.
1. To enable debugging for IAPP messages, errors, and packets, enter these commands:
• debug iapp all enable—Enables debugging for IAPP messages.
• debug iapp error enable—Enables debugging for IAPP error events.
• debug iapp packet enable—Enables debugging for IAPP packets.
2.
Configuring Backup Controllers
Note The controller_ip_address parameter in this command and the next two commands is optional. If the backup controller is outside the mobility group to which the access point is connected (the primary controller), then you need to provide the IP address of the primary, secondary, or tertiary controller, respectively.
Step 2
Configuring Country Codes
Generally, you configure one country code per controller, the one matching the physical location of the controller and its access points. However, controller software release 4.1 or later allows you to configure up to 20 country codes per controller. This multiple-country support enables you to manage access points in various countries from a single controller.
c. Click Apply to commit your changes.
d. Click Wireless > 802.11b/g/n > Network.
e. Uncheck the 802.11b/g Network Status check box.
f. Click Apply to commit your changes.
Step 2 Click Wireless > Country to open the Country page (see Figure 7-28).
Figure 7-28 Country Page
Step 3 Check the check box for each country where your access points are installed.
b. Click Wireless > Access Points > All APs to open the All APs page.
c. Click the link for the desired access point.
d. When the All APs > Details page appears, click the Advanced tab to open the All APs > Details (Advanced) page (see Figure 7-29).
Figure 7-29 All APs > Details (Advanced) Page
e. The default country for this access point appears in the Country Code drop-down box.
If you are entering more than one country code, separate each by a comma (for example, config country US,CA,MX).
Information similar to the following appears:
Changing country code could reset channel configuration.
If running in RFM One-Time mode, reassign channels after this command.
Check customized APs for valid channel values after this command.
802.11BG Channels   :                   1 1 1 1 1
                    : 1 2 3 4 5 6 7 8 9 0 1 2 3 4
------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+
US (-AB)    : A * * * * A * * * * A . . .
CA (-AB)    : A * * * * A * * * * A . . .
MX (-NA)    : A * * * * A * * * * A . . .
Auto-RF     : C x x x x C x x x x C . . .
------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
802.
Chapter 7 Controlling Lightweight Access Points Migrating Access Points from the -J Regulatory Domain to the -U Regulatory Domain For example, if you enter config ap country mx all, information similar to the following appears: To change country code: first disable target AP(s) (or disable all networks). Changing the country may reset any customized channel assignments. Changing the country will reboot disabled target AP(s). Are you sure you want to continue? (y/n) y AP Name --------ap2 ap1 c.
Chapter 7 Controlling Lightweight Access Points Migrating Access Points from the -J Regulatory Domain to the -U Regulatory Domain The Japanese regulations allow the regulatory domain that is programmed into an access point’s radio to be migrated from the -J domain to the -U domain. New access points for the Japanese market contain radios that are configured for the -P regulatory domain. -J radios are no longer being sold.
Chapter 7 Controlling Lightweight Access Points Migrating Access Points from the -J Regulatory Domain to the -U Regulatory Domain Migrating Access Points to the -U Regulatory Domain Follow these steps to migrate your access points from the -J regulatory domain to the -U regulatory domain using the controller CLI. This process cannot be performed using the controller GUI.
Chapter 7 Controlling Lightweight Access Points Dynamic Frequency Selection Step 9 Enter these commands to re-enable the 802.11a and 802.11b/g networks: config 802.11a enable network config 802.11b enable network Step 10 Send an email with your company name and the list of access points that have been migrated to this email address: migrateapj52w52@cisco.com. Cisco recommends that you cut and paste the output from the show ap migrate command in Step 8 into the email.
Chapter 7 Controlling Lightweight Access Points Retrieving the Unique Device Identifier on Controllers and Access Points Using DFS, the controller monitors operating frequencies for radar signals. If it detects radar signals on a channel, the controller takes these steps: • It changes the access point channel to a channel that has not shown radar activity within the last 30 minutes. (The radar event is cleared after 30 minutes.) The controller selects the channel at random.
Chapter 7 Controlling Lightweight Access Points Retrieving the Unique Device Identifier on Controllers and Access Points Figure 7-30 Inventory Page This page shows the five data elements of the controller UDI. Step 2 Click Wireless to open the All APs page. Step 3 Click the name of the desired access point. Step 4 When the All APs > Details page appears, click the Inventory tab to open the All APs > Details Inventory) page (see Figure 7-31).
Chapter 7 Controlling Lightweight Access Points Performing a Link Test Using the CLI to Retrieve the Unique Device Identifier on Controllers and Access Points Enter these commands to retrieve the UDI on controllers and access points using the CLI: • show inventory—Shows the UDI string of the controller.
Chapter 7 Controlling Lightweight Access Points Performing a Link Test Note CCX is not supported on the AP1030. Follow the instructions in this section to perform a link test using either the GUI or the CLI. Using the GUI to Perform a Link Test Follow these steps to run a link test using the GUI. Step 1 Click Monitor > Clients to open the Clients page (see Figure 7-32). Figure 7-32 Step 2 Clients Page Hover your cursor over the blue drop-down arrow for the desired client and choose LinkTest.
Figure 7-33 Link Test Page
This page shows the results of the CCX link test.
Note: If the client and/or controller does not support CCX v4 or later, the controller performs a ping link test on the client instead, and a much more limited link test page appears.
Step 3 Click OK to exit the link test page.
Using the CLI to Perform a Link Test
Use these commands to run a link test using the CLI.
1.
When CCX v4 or later is not enabled on either the controller or the client being tested, fewer details appear:
Ping Link Test to 00:0d:88:c5:8a:d1.
Link Test Packets Sent..........................
Link Test Packets Received......................
Local Signal Strength...........................
Local Signal to Noise Ratio.....................
2.
Step 3 Perform one of the following:
• Check the Pre-Standard State check box if the access point is being powered by a high-power Cisco switch. These switches provide more than the traditional 6 Watts of power but do not support the intelligent power management (IPM) feature.
Using the CLI to Configure Power over Ethernet
Use these commands to configure PoE using the controller CLI.
1. config ap power injector enable ap installed
This command is recommended if your network contains any older Cisco 6-Watt switches that could be accidentally overloaded if connected directly to a 12-Watt access point. The access point remembers that a power injector is connected to this particular switch port.
Viewing Clients
You can use the controller GUI or CLI to view information about the clients that are associated to the controller’s access points.
Using the GUI to View Clients
Using the GUI, follow these steps to view client information.
Step 1 Click Monitor > Clients to open the Clients page (see Figure 7-35).
Figure 7-35 Clients Page
This page lists all of the clients that are associated to the controller’s access points.
If you want to remove or disable a client, hover your cursor over the blue drop-down arrow for that client and choose Remove or Disable, respectively. If you want to test the connection between the client and the access point, hover your cursor over the blue drop-down arrow for that client and choose Link Test.
Step 3 To view detailed information for a specific client, click the MAC address of the client. The Clients > Detail page appears (see Figure 7-37).
This page shows the following information:
• The general properties of the client
• The security settings of the client
• The QoS properties of the client
• Client statistics
• The properties of the access point to which the client is associated
Using the CLI to View Clients
Use these CLI commands to view client information.
• To see the clients associated to a specific access point, enter this command: show client ap {802.
QoS Level........................................
Diff Serv Code Point (DSCP)......................
802.1P Priority Tag..............................
WMM Support......................................
Mobility State...................................
Internal Mobility State..........................
Mobility Move Count..............................
Security Policy Completed........................
Policy Manager State..........................
Chapter 8 Managing Controller Software and Configurations
This chapter describes how to manage configurations and software versions on the controllers.
Upgrading Controller Software
When you upgrade the controller’s software, the software on the controller’s associated access points is also automatically upgraded. When an access point is loading software, each of its LEDs blinks in succession. Up to 10 access points can be concurrently upgraded from the controller.
Table 8-1 Upgrade Path to Controller Software Release 4.2
Current Software Release | Upgrade Path to 4.2 Software
3.2.78.0 or later 3.2 release | Upgrade to 4.0.206.0 (or a later 4.0 release) before upgrading to 4.2.
4.0.155.5 | Upgrade to 4.0.206.0 (or a later 4.0 release) before upgrading to 4.2.
4.0.179.11 | Upgrade to 4.0.206.0 (or a later 4.0 release) before upgrading to 4.2.
4.0.206.0 or later 4.0 release | You can upgrade directly to 4.2.
4.1.171.0 or later 4.
Using the GUI to Upgrade Controller Software
Follow these steps to upgrade the controller software using the GUI.
Step 1 Upload your controller configuration files to a server to back them up.
Note: Cisco highly recommends that you back up your controller’s configuration files prior to upgrading the controller software. Otherwise, you must manually reconfigure the controller.
Step 2 Disable the controller 802.
Figure 8-1 Download File to Controller Page
Step 7 From the File Type drop-down box, choose Code.
Step 8 In the IP Address field, enter the IP address of the TFTP server.
Step 9 The default values of 10 retries and 6 seconds for the Maximum Retries and Timeout fields should work fine without any adjustment. However, you can change these values if desired.
Using the CLI to Upgrade Controller Software
Follow these steps to upgrade the controller software using the CLI.
Step 1 Upload your controller configuration files to a server to back them up.
Note: Cisco highly recommends that you back up your controller’s configuration files prior to upgrading the controller software. Otherwise, you must manually reconfigure the controller.
Step 2 Disable the controller 802.
Step 9 Enter these commands to change the download settings, if necessary:
transfer download mode tftp
transfer download datatype code
transfer download serverip tftp-server-ip-address
transfer download filename filename
transfer download path tftp-server-path-to-file
Note: Pathnames on a TFTP server are relative to the server’s default or root directory.
Step 10
Transferring Files to and from a Controller
Controllers have built-in utilities for uploading and downloading various files.
Figure 8-2 Download File to Controller Page
Step 3 From the File Type drop-down box, choose Vendor Device Certificate.
Step 4 In the Certificate Password field, enter the password that was used to protect the certificate.
Step 5 In the IP Address field, enter the IP address of the TFTP server.
Step 6 Enter transfer download start to view the updated settings; then answer y when prompted to confirm the current settings and start the download process. This example shows the download command output:
Mode........................................... TFTP
Data Type...................................... Vendor Dev Cert
TFTP Server IP................................. 10.10.10.4
TFTP Packet Timeout..........
Using the GUI to Download CA Certificates
Follow these steps to download a CA certificate to the controller using the controller GUI.
Step 1 Copy the CA certificate to the default directory on your TFTP server.
Step 2 Click Commands > Download File to open the Download File to Controller page (see Figure 8-3).
Step 5 Enter transfer download start to view the updated settings; then answer y when prompted to confirm the current settings and start the download process. This example shows the download command output:
Mode........................................... TFTP
Data Type...................................... Vendor CA Cert
TFTP Server IP................................. 10.10.10.4
TFTP Packet Timeout...........
Using the GUI to Upload PACs
Follow these steps to upload a PAC from the controller using the controller GUI.
Step 1 Click Commands > Upload File to open the Upload File from Controller page (see Figure 8-4).
Figure 8-4 Upload File from Controller Page
Step 2 From the File Type drop-down box, choose PAC (Protected Access Credential).
Step 6 Enter transfer upload start to view the updated settings; then answer y when prompted to confirm the current settings and start the upload process. This example shows the upload command output:
Mode........................................... TFTP
TFTP Server IP................................. 10.10.10.4
TFTP Path...................................... /tftpboot/username/
TFTP Filename............
Figure 8-5 Upload File from Controller Page
Step 2 From the File Type drop-down box, choose Configuration.
Step 3 To enable encryption, check the Configuration File Encryption check box and enter the encryption key. File encryption ensures that the configuration file is encrypted while it is being uploaded through a TFTP server. TFTP itself provides no confidentiality or authentication, so this key is the only protection the file contents have in transit and while they sit on the TFTP server.
Step 7 Enter transfer upload start to view the updated settings; then answer y when prompted to confirm the current settings and start the upload process. This example shows the upload command output:
Mode.............................................
TFTP Server IP...................................
TFTP Path........................................
TFTP Filename....................................
Step 5 The default values of 10 retries and 6 seconds for the Maximum Retries and Timeout fields should work fine without any adjustment. However, you can change these values if desired.
Saving Configurations
Controllers contain two kinds of memory: volatile RAM and NVRAM. At any time, you can save the configuration changes from active volatile RAM to non-volatile RAM (NVRAM) using one of these commands:
• Use the save config command. This command saves the configuration from volatile RAM to NVRAM without resetting the controller.
• Use the reset system command.
Resetting the Controller
You can reset the controller and view the reboot process on the CLI console using one of the following two methods:
• Turn the controller off and then turn it back on.
• On the CLI, enter reset system. At the confirmation prompt, enter y to save configuration changes to NVRAM. The controller reboots.
Chapter 9 Managing User Accounts
This chapter explains how to create and manage guest user accounts, describes the web authentication process, and provides instructions for customizing the web authentication login window.
Creating Guest User Accounts
The controller can provide guest user access on WLANs. The first step in creating guest user accounts is to create a lobby administrator account, also known as a lobby ambassador account. Once this account has been created, a lobby ambassador can create and manage guest user accounts on the controller.
Step 2 To create a lobby ambassador account, click New. The Local Management Users > New page appears (see Figure 9-2).
Figure 9-2
Step 3 In the User Name field, enter a username for the lobby ambassador account.
Note: Management usernames must be unique because they are stored in a single database.
Step 4 In the Password and Confirm Password fields, enter a password for the lobby ambassador account.
Creating Guest User Accounts as a Lobby Ambassador
A lobby ambassador would follow these steps to create guest user accounts.
Note: A lobby ambassador cannot access the controller CLI interface and therefore can create guest user accounts only from the controller GUI.
Step 1 Log into the controller as the lobby ambassador, using the username and password specified in the “Creating a Lobby Ambassador Account” section above.
Step 4 Perform one of the following:
• If you want to generate an automatic password for this guest user, check the Generate Password check box. The generated password is entered automatically in the Password and Confirm Password fields.
• If you want to create a password for this guest user, leave the Generate Password check box unchecked and enter a password in both the Password and Confirm Password fields.
Figure 9-5 Lobby Ambassador Guest Management > Guest Users List Page
From this page, you can see all of the guest user accounts, their WLAN SSID, and their lifetime. You can also edit or remove a guest user account. When you remove a guest user account, all of the clients that are using the guest WLAN and are logged in using that account’s username are deleted.
Step 9 Repeat this procedure to create any additional guest user accounts.
Using the CLI to View Guest Accounts
To view all of the local net user accounts (including guest user accounts) using the controller CLI, enter this command:
show netuser summary
Web Authentication Process
Web authentication is a Layer 3 security feature: the controller blocks all IP traffic from a client, except DHCP-related packets, until that client has supplied a valid username and password.
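The guest-account lifecycle from the lobby ambassador procedure above (generated passwords, a lifetime per account, and removal deleting every client logged in with that username) together with the web-authentication gate just described, as an added Python example. It is a model written for this page, not controller code. The password generator, the method names and the sample MAC addresses are assumptions; the behaviour it models (DHCP only before login, full access after, sessions dropped when the account is removed or expires) is what the guide states.

```python
import secrets
import string
from dataclasses import dataclass

# The guide says DHCP-related packets are the only IP traffic allowed before
# web authentication completes (DHCP server/client ports 67 and 68).
DHCP_PORTS = {67, 68}


@dataclass
class GuestAccount:
    username: str
    password: str
    wlan_ssid: str
    expires_at: float          # creation time plus the account lifetime, in seconds


class GuestAccessController:
    """Model of guest accounts and the web-auth traffic gate.

    Times are caller-supplied seconds so expiry can be tested without waiting.
    """

    def __init__(self):
        self.accounts = {}     # username -> GuestAccount
        self.sessions = {}     # client MAC -> username the client authenticated with

    @staticmethod
    def generate_password(length=12):
        # Assumption: stands in for the GUI's "Generate Password" check box; the
        # guide does not describe the controller's own generator.
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def create_guest(self, username, lifetime_seconds, now, wlan_ssid="GUEST", password=None):
        if username in self.accounts:
            raise ValueError(f"username {username!r} already exists")
        password = password or self.generate_password()
        self.accounts[username] = GuestAccount(username, password, wlan_ssid,
                                               now + lifetime_seconds)
        return password

    def remove_guest(self, username):
        """Remove the account and, as the guide states, every client logged in with it."""
        self.accounts.pop(username, None)
        for mac in [m for m, u in self.sessions.items() if u == username]:
            del self.sessions[mac]

    def expire_accounts(self, now):
        """Apply account lifetimes: expired accounts are removed like a manual removal."""
        for username in [u for u, a in self.accounts.items() if a.expires_at <= now]:
            self.remove_guest(username)

    def web_login(self, mac, username, password, now):
        """Web authentication: succeeds only for a live account with a matching password."""
        self.expire_accounts(now)
        account = self.accounts.get(username)
        if account is None:
            return False
        if not secrets.compare_digest(account.password.encode(), password.encode()):
            return False
        self.sessions[mac] = username
        return True

    def permit(self, mac, proto, dst_port):
        """Layer 3 gate: authenticated clients pass; everyone else gets DHCP only."""
        if mac in self.sessions:
            return True
        return proto == "udp" and dst_port in DHCP_PORTS


if __name__ == "__main__":
    ctl = GuestAccessController()
    pw = ctl.create_guest("visitor1", lifetime_seconds=3600, now=0.0)
    mac = "00:11:22:33:44:55"      # constructed sample client
    print("before login, HTTP allowed:", ctl.permit(mac, "tcp", 80))
    print("login ok:", ctl.web_login(mac, "visitor1", pw, now=5.0))
    print("after login, HTTP allowed:", ctl.permit(mac, "tcp", 80))
```

The login path calls expire_accounts first, so an account whose lifetime ran out cannot be used even if nothing else has swept it; the same removal routine serves both the lobby ambassador's Remove action and lifetime expiry, which is why both drop the logged-in clients.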
Step 6 Expand the Trusted Root Certification Authorities folder and choose Local Computer.
Step 7 Click OK.
Step 8 Click Next > Finish.
Step 9 When the “The import was successful” message appears, click OK.
Figure 9-9 Successful Login Window
The default successful login window contains a pointer to a virtual gateway address URL: https://1.1.1.1/logout.html. The IP address that you set for the controller virtual interface serves as the redirect address for the login window (see Chapter 3 for more information on the virtual interface).
Figure 9-10 Web Login Page
Step 2 From the Web Authentication Type drop-down box, choose Internal (Default).
Step 3 If you want to use the default web authentication login window as is, go to Step 8. If you want to modify the default login window, go to Step 4.
Step 4 If you want to hide the Cisco logo that appears in the top right corner of the default window, choose the Cisco Logo Hide option.
Using the CLI to Choose the Default Web Authentication Login Window
Step 1 To specify the default web authentication type, enter this command:
config custom-web webauth_type internal
Step 2 If you want to use the default web authentication login window as is, go to Step 7. If you want to modify the default login window, go to Step 3.
f. To specify the IP address of the TFTP server, enter transfer download serverip tftp-server-ip-address.
Note: Some TFTP servers require only a forward slash (/) as the TFTP server IP address, and the TFTP server automatically determines the path to the correct directory.
g. To specify the download path, enter transfer download path absolute-tftp-server-path-to-file.
h.
Modified Default Web Authentication Login Window Example
Figure 9-11 shows an example of a modified default web authentication login window.
Creating a Customized Web Authentication Login Window
This section provides information on creating a customized web authentication login window, which can then be accessed from an external web server. Here is a web authentication login window template. It can be used as a model when creating your own customized window.
else if(args.statusCode == 3){
  alert("The username specified cannot be used at this time. Perhaps the username is already logged into the system?");
}
else if(args.statusCode == 4){
  alert("The User has been excluded. Please contact the administrator.");
}
else if(args.statusCode == 5){
  alert("Invalid username and password. Please try again.
These are the available status codes:
• Status Code 1: “You are already logged in. No further action is required on your part.”
• Status Code 2: “You are not configured to authenticate against web portal. No further action is required on your part.”
• Status Code 3: “The username specified cannot be used at this time.
Step 2 From the Web Authentication Type drop-down box, choose External (Redirect to external server).
Step 3 In the URL field, enter the URL of the customized web authentication login window on your web server. You can enter up to 252 characters.
Step 4 In the Web Server IP Address field, enter the IP address of your web server. Your web server should be on a different network from the controller service port network.
Follow these guidelines when preparing the customized login window:
• Name the login page “login.html.” The controller prepares the web authentication URL based on this name. If the controller does not find this file after the webauth bundle has been untarred, the bundle is discarded, and an error message appears.
• Include input fields for both a username and password.
Step 7 In the Timeout field, enter the amount of time in seconds before the controller times out while attempting to download the *.tar file. Range: 1 to 254 seconds. Default: 6 seconds.
Step 8 In the File Path field, enter the path of the .tar file to be downloaded. The default value is “/.”
Step 9 In the File Name field, enter the name of the .tar file to be downloaded.
Step 10 Click Download to download the .
Customized Web Authentication Login Window Example
Figure 9-14 shows an example of a customized web authentication login window.
Figure 9-14 Customized Web Authentication Login Window Example
Using the CLI to Verify the Web Authentication Login Window Settings
Enter show custom-web to verify your changes to the web authentication login window.
Assigning Login Pages per WLAN
If you want to display different web login pages when clients associate to different WLANs, you can override the Web Authentication Type setting on the Web Login page and then choose a specific login page for each WLAN. This feature is useful if different departments within an organization want to display login pages with their own logo, message, and so on.
Using the CLI to Assign Login Pages per WLAN
Using the controller CLI, follow these steps to assign a web login page to a WLAN.
Configuring Wired Guest Access
Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Wired guest access ports might be available in a guest office or through specific ports in a conference room. Like wireless guest user accounts, wired guest access ports are added to the network using the lobby ambassador feature.
Figure 9-16 Wired Guest Access Example with Two Controllers
(Figure elements: wired guest client, wired guest ports, access switch, Internet; anchor controller acting as mobility anchor (export-anchor); foreign controller (export-foreign); wireless guest client; SSIDs Internal and GUEST.)
Note: Although wired guest access is managed by anchor and foreign controllers when two controllers are deployed, mobility is not supported for wired guest access clients.
Configuration Guidelines
Follow these guidelines before using wired guest access on your network:
• Wired guest access is supported only on the following controllers: 4400 series controllers, the Cisco WiSM, and the Catalyst 3750G Integrated Wireless LAN Controller Switch.
• Wired guest access interfaces must be tagged.
• Wired guest access ports must be in the same Layer 2 network as the foreign controller.
Figure 9-17 Interfaces > Edit Page
Step 6 In the Port Number field, enter a valid port number. You can enter a number between 0 and 25 (inclusive).
Step 7 Check the Guest LAN check box.
Step 8 Enter an IP address for the primary DHCP server.
Step 9 Click Apply to commit your changes.
Step 10 To create a wired LAN for guest user access, click WLANs.
Step 11 On the WLANs page, click New.
Step 13 In the Profile Name field, enter a name that identifies the guest LAN. Do not use any spaces.
Step 14 In the WLAN SSID field, enter an SSID that identifies the guest LAN. Do not use any spaces.
Step 15 Click Apply to commit your changes. The WLANs > Edit page appears (see Figure 9-19).
Figure 9-19 WLANs > Edit Page
Step 16 Check the Enabled check box for the Status parameter.
Step 21 From the Layer 3 Security drop-down box, choose one of the following:
• None—Layer 3 security is disabled.
• Web Authentication—Causes users to be prompted for a username and password when connecting to the network. This is the default value.
• Web Passthrough—Allows users to access the network without entering a username and password.
Step 4 To create a wired LAN for wired client traffic and associate it to an interface, enter this command:
config guest-lan create guest_lan_id interface_name
The guest LAN ID must be a value between 1 and 5 (inclusive).
Step 12 To use a guest-LAN specific custom web configuration rather than a global custom web configuration, enter this command:
config guest-lan custom-web global disable guest_lan_id
Note: If you enter the config guest-lan custom-web global enable guest_lan_id command, the custom web authentication configuration at the global level is used.
Step 13
Step 16 To display the configuration of a specific wired guest LAN, enter this command:
show guest-lan guest_lan_id
Information similar to the following appears:
Guest LAN Identifier............................. 1
Profile Name..................................... guestlan
Network Name (SSID).............................. guestlan
Status........................................... Enabled
AAA Policy Override..............................
Interface........................................
VLAN.............................................
Client Statistics:
Number of Bytes Received.....................
Number of Bytes Sent.........................
Number of Packets Received...................
Number of Packets Sent....................
Chapter 10 Configuring Radio Resource Management
This chapter describes radio resource management (RRM) and explains how to configure it on the controllers.
Overview of Radio Resource Management
The radio resource management (RRM) software embedded in the controller acts as a built-in RF engineer to consistently provide real-time RF management of your wireless network.
Dynamic Channel Assignment
Two adjacent access points on the same channel can cause either signal contention or signal collision. In the case of a collision, data is simply not received by the access point. This can become a problem, for example, when someone reading e-mail in a café affects the performance of the access point in a neighboring business.
The controller combines this RF characteristic information with RRM algorithms to make system-wide decisions. Conflicting demands are resolved using soft-decision metrics that guarantee the best choice for minimizing network interference.
RRM Benefits
RRM produces a network with optimal capacity, performance, and reliability while enabling you to avoid the cost of laborious historical data interpretation and individual lightweight access point reconfiguration. It also frees you from having to continually monitor the network for noise and interference problems, which can be transient and difficult to troubleshoot.
RF Group Leader
The members of an RF group elect an RF group leader to maintain a “master” power and channel scheme for the group. The RF group leader is dynamically chosen and cannot be selected by the user. In addition, the RF group leader can change at any time, depending on the RRM algorithm calculations.
Using the GUI to Configure an RF Group
Follow these steps to create an RF group using the GUI.
Step 1 Click Controller > General to open the General page (see Figure 10-1).
Figure 10-1 General Page
Step 2 Enter a name for the RF group in the RF-Network Name field. The name can contain up to 19 ASCII characters.
Step 3 Click Apply to commit your changes.
Using the CLI to Configure RF Groups
Follow these steps to configure an RF group using the CLI.
Step 1 Enter config network rf-network-name name to create an RF group.
Note: Enter up to 19 ASCII characters for the group name.
Step 2 Enter show network to view the RF group.
Step 3 Enter save config to save your settings.
Figure 10-2 802.
The top of this page shows the details of the RF group, specifically how often the group information is updated (600 seconds by default), the MAC address of the RF group leader, whether this particular controller is the group leader, the last time the group information was updated, and the MAC addresses of all group members.
Enabling Rogue Access Point Detection
After you have created an RF group of controllers, you need to configure the access points connected to the controllers to detect rogue access points. The access points will then check the beacon/probe-response frames in neighboring access point messages to see if they contain an authentication information element (IE) that matches that of the RF group.
Figure 10-4 All APs > Details Page
Step 4 Choose either local or monitor from the AP Mode drop-down box and click Apply to commit your changes.
Step 5 Click Save Configuration to save your changes.
Step 6 Repeat Step 2 through Step 5 for every access point connected to the controller.
Figure 10-5 AP Authentication Policy Page
The name of the RF group to which this controller belongs appears at the top of the page.
Step 8 Choose AP Authentication from the Protection Type drop-down box to enable rogue access point detection.
Step 9 Enter a number in the Alarm Trigger Threshold edit box to specify when a rogue access point alarm is generated.
Using the CLI to Enable Rogue Access Point Detection
Follow these steps to enable rogue access point detection using the CLI.
Step 1 Make sure that each controller in the RF group has been configured with the same RF group name.
Note: The name is used to verify the authentication IE in all beacon frames. If the controllers have different names, false alarms will occur.
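The beacon check and the Alarm Trigger Threshold from the GUI and CLI procedures above, as an added Python example (not controller code): each neighbouring AP's beacon or probe response either carries an authentication IE that matches the local RF group or it does not, and a BSSID that keeps failing the check for the threshold number of consecutive frames raises one alarm. How the controller derives the IE from the RF group name is not stated in the guide, so a SHA-256 of the name stands in for it; the BSSIDs and frames are constructed. The sample also reproduces the false-alarm case from the note: a controller configured with a slightly different RF group name has its access points flagged as rogue.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import List, Optional, Tuple


def rf_group_auth_ie(rf_group_name: str) -> bytes:
    """Authentication IE value an AP of this RF group advertises.

    Assumption: the guide only says the IE is verified against the RF group
    name; a truncated SHA-256 of the name stands in for the real derivation.
    """
    return hashlib.sha256(rf_group_name.encode("utf-8")).digest()[:8]


class RogueApDetector:
    """Per-controller check of neighbouring APs' beacons/probe responses."""

    def __init__(self, rf_group_name: str, alarm_trigger_threshold: int):
        if alarm_trigger_threshold < 1:
            raise ValueError("threshold must be at least 1")
        self.expected_ie = rf_group_auth_ie(rf_group_name)
        self.threshold = alarm_trigger_threshold
        self.mismatches = defaultdict(int)   # BSSID -> consecutive frames without a valid IE
        self.alarms: List[str] = []          # BSSIDs that have raised an alarm, in order

    def observe(self, bssid: str, auth_ie: Optional[bytes]) -> bool:
        """Process one beacon/probe response. Returns True only when a new alarm fires.

        Assumption: the guide says the threshold sets "when a rogue access point
        alarm is generated"; counting consecutive frames without a matching IE
        per BSSID and alarming at the threshold is one reading of that.
        """
        if auth_ie is not None and hmac.compare_digest(auth_ie, self.expected_ie):
            self.mismatches[bssid] = 0       # a valid frame resets the count
            return False
        self.mismatches[bssid] += 1
        if self.mismatches[bssid] >= self.threshold and bssid not in self.alarms:
            self.alarms.append(bssid)
            return True
        return False


def run_sample() -> List[str]:
    """Constructed sample: three neighbours observed over three scan rounds."""
    detector = RogueApDetector("corp-rf", alarm_trigger_threshold=3)
    member_ie = rf_group_auth_ie("corp-rf")
    # A second controller that was given a different RF group name by mistake
    # (trailing space): its APs carry an IE that never matches, which is exactly
    # the false-alarm case the note above warns about.
    misnamed_ie = rf_group_auth_ie("corp-rf ")
    frames: List[Tuple[str, Optional[bytes]]] = []
    for _ in range(3):
        frames.append(("00:1a:2b:00:00:01", member_ie))    # AP on a correctly named controller
        frames.append(("00:1a:2b:00:00:02", None))         # unmanaged AP: no authentication IE
        frames.append(("00:1a:2b:00:00:03", misnamed_ie))  # AP on the misnamed controller
    for bssid, ie in frames:
        detector.observe(bssid, ie)
    return detector.alarms


if __name__ == "__main__":
    print("rogue alarms raised for:", run_sample())
```

Note how the member AP never accumulates mismatches while the misnamed controller's AP is indistinguishable from an unmanaged one: the check is purely on the IE value, which is why every controller in the RF group must carry the identical name.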
Using the GUI to Configure Dynamic RRM
Follow these steps to configure dynamic RRM parameters using the GUI.
Step 1 Click Wireless > 802.11a/n or 802.11b/g/n > RRM > Auto RF to open the 802.11a (or 802.11b/g) Global Parameters > Auto RF page.
Note: Click Set to Factory Default at the bottom of the page if you want to return all of the controller’s RRM parameters to their factory default values.
Step 2
Table 10-1 RRM Parameters
Parameter | Description
Dynamic Channel Assignment Algorithm
Channel Assignment Method | The controller’s dynamic channel assignment mode. Options: Automatic, On Demand, or Off. Default: Automatic.
Channel Assignment Method values:
Automatic | Causes the controller to periodically evaluate and, if necessary, update the channel assignment for all joined access points.
Avoid Cisco AP Load | Causes the controller’s RRM algorithms to consider 802.11 traffic from Cisco lightweight access points in your wireless network when assigning channels. For example, RRM can assign better reuse patterns to access points that carry a heavier traffic load. Options: Enabled or Disabled. Default: Disabled.
Avoid Non-802.11a (802.
Table 10-1 RRM Parameters (continued)

Tx Power Level Assignment Algorithm

Power Level Assignment Method: The controller’s dynamic power assignment mode.
Options: Automatic, On Demand, or Fixed
Default: Automatic

Power Level Assignment Method / Description
Automatic: Causes the controller to periodically evaluate and, if necessary, update the transmit power for all joined access points.
Table 10-1 RRM Parameters (continued)

The following non-configurable transmit power level parameter settings are also shown:
• Power Threshold—The cutoff signal level used by RRM when determining whether to reduce an access point’s power.
Table 10-1 RRM Parameters (continued)

Coverage Exception Level (0 to 100%): The percentage of clients on an access point that are experiencing a low signal level but cannot roam to another access point. This value is based on the Coverage threshold and the Client Min Exception Level threshold.
Table 10-1 RRM Parameters (continued)

Neighbor Packet Frequency: How frequently the access point measures signal strength and how frequently neighbor packets (messages) are sent, which eventually builds the neighbor list.
Range: 60 to 3600 seconds
Default: 60 seconds

Note In controller software release 4.1.185.

Channel Scan Duration
Figure 10-6 802.11a > RRM > DCA Page

The DCA Channels field shows the channels that are currently selected.

b. To select a channel, check its check box in the Select column. To exclude a channel, uncheck its check box.
Range: 802.11a—36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 132, 136, 140, 149, 153, 157, 161, 165, 190, 196; 802.11b/g—1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
Default: 802.
• To specify the channel set used for dynamic channel allocation (DCA), enter this command:
config advanced {802.11a | 802.11b} channel {add | delete} channel_number
You can enter only one channel number per command. This command is helpful when you know that the clients do not support certain channels because they are legacy devices or they have certain regulatory restrictions.
Overriding Dynamic RRM

• detail—Enables debugging for RRM detail logs.
• error—Enables debugging for RRM error logs.
• group—Enables debugging for the RRM grouping protocol.
• manager—Enables debugging for the RRM manager.
• message—Enables debugging for RRM messages.
• packet—Enables debugging for RRM packets.
• power—Enables debugging for the RRM power assignment protocol.
Statically Assigning Channel and Transmit Power Settings to Access Point Radios

This section provides instructions for statically assigning channel and power settings using the GUI or CLI.

Note Cisco recommends that you assign different nonoverlapping channels to access points that are within close proximity to each other. The nonoverlapping channels in the U.S.
Figure 10-8 802.11a/n Cisco APs > Configure Page

Step 3 To assign an RF channel to the access point radio, choose Custom for the Assignment Method under RF Channel Assignment and choose a channel from the drop-down box.

Note Changing the operating channel causes the access point radio to reset.

Step 4
Using the CLI to Statically Assign Channel and Transmit Power Settings

Follow these steps to statically assign channel and/or power settings on a per access point radio basis using the CLI.

Step 1 Enter this command to disable the 802.11a or 802.11b/g network:
config {802.11a | 802.11b} disable

Step 2 To specify the channel that a particular access point is to use, enter this command:
config {802.11a | 802.
Disabling Dynamic Channel and Power Assignment Globally for a Controller

This section provides instructions for disabling dynamic channel and power assignment using the GUI or CLI.

Using the GUI to Disable Dynamic Channel and Power Assignment

Follow these steps to disable dynamic channel and power assignment using the GUI.

Step 1 Click Wireless > 802.11a/n or 802.
Viewing Additional RRM Settings Using the CLI

Use these commands to view additional 802.11a and 802.11b/g RRM settings:
• show advanced 802.11a ?
• show advanced 802.11b ?
where ? is one of the following:
ccx—Shows the Cisco Compatible Extensions (CCX) RRM configuration.
channel—Shows the channel assignment configuration and statistics.
logging—Shows the RF event and performance logging.
Configuring CCX Radio Management Features

Radio Measurement Requests

When this feature is enabled, lightweight access points issue broadcast radio measurement request messages to clients running CCXv2 or higher. The access points transmit these messages for every SSID over each enabled radio interface at a configured interval. In the process of performing 802.11 radio measurements, CCX clients send 802.
Figure 10-9 802.11a Global Parameters Page

Step 2 Under CCX Location Measurement, check the Mode check box to globally enable CCX radio management. This parameter causes the access points connected to this controller to issue broadcast radio measurement requests to clients running CCX v2 or higher. The default value is disabled (or unchecked).
Using the CLI to Configure CCX Radio Management

Follow these steps to enable CCX radio management using the controller CLI.

Step 1 To globally enable CCX radio management, enter this command:
config advanced {802.11a | 802.11b} ccx location-meas global enable interval_seconds
The range for the interval_seconds parameter is 60 to 32400 seconds, and the default value is 60 seconds.
3. To see the status of radio measurement requests for a particular access point, enter this command:
show ap ccx rm Cisco_AP status
Information similar to the following appears:
A Radio
Beacon Request.................................
Channel Load Request...........................
Frame Request..................................
Noise Histogram Request........................
Using the CLI to Debug CCX Radio Management Issues

Use these commands if you experience any CCX radio management problems.

1. To debug CCX broadcast measurement request activity, enter this command:
debug airewave-director message {enable | disable}

2. To debug client location calibration activity, enter this command:
debug ccxrm [all | error | warning | message | packet | detail {enable | disable}]

3.
Configuring Pico Cell Mode

Figure 10-10 High-Density Network Example

Guidelines for Using Pico Cell Mode

Follow these guidelines for using pico cell mode:
• You can configure pico cell mode only for 802.11a networks.
• High-density networking is supported on all Cisco lightweight access points (except the wireless mesh access points) and on notebooks using the Intel PRO/Wireless 3945ABG and Intel Wireless WiFi Link 4965AG clients.
Figure 10-11 802.11a > Pico Cell Page

Step 3 Choose one of these options from the Pico Cell Mode drop-down box:
• Disable—Disables pico cell mode. This is the default value.
• V1—Enables pico cell mode version 1. This option is designed for use with legacy Airespace products (those released prior to Cisco’s acquisition of Airespace).

Step 4
Note The default values for these parameters should be appropriate for most applications. Therefore, Cisco recommends that you use the default values.

Table 10-2 Pico Cell Mode V2 Parameters

Rx Sensitivity Threshold: Specifies the current, minimum, and maximum values (in dBm) for the receiver sensitivity of the 802.11a radio.
Using the CLI to Configure Pico Cell Mode

Note Refer to the “Using the GUI to Configure Pico Cell Mode” section on page 10-35 for descriptions and default values of the parameters used in the CLI commands.

Step 1 To disable the 802.11a network before changing pico cell mode parameters, enter this command:
config 802.
3. To see the noise and interference information, coverage information, client signal-to-noise ratios, and nearby access points, enter this command:
show ap auto-rf 802.
Chapter 11 Configuring Mobility Groups

This chapter describes mobility groups and explains how to configure them on the controllers.
Overview of Mobility

Mobility, or roaming, is a wireless LAN client’s ability to maintain its association seamlessly from one access point to another securely and with as little latency as possible. This section explains how mobility works when controllers are included in a wireless network.
The process becomes more complicated, however, when a client roams from an access point joined to one controller to an access point joined to a different controller. It also varies based on whether the controllers are operating on the same subnet. Figure 11-2 illustrates inter-controller roaming, which occurs when the controllers’ wireless LAN interfaces are on the same IP subnet.
Figure 11-3 Inter-Subnet Roaming

Inter-subnet roaming is similar to inter-controller roaming in that the controllers exchange mobility messages on the client roam. However, instead of moving the client database entry to the new controller, the original controller marks the client with an “Anchor” entry in its own client database.
Note Both inter-controller roaming and inter-subnet roaming require the controllers to be in the same mobility group. See the next two sections for a description of mobility groups and instructions for configuring them.

Overview of Mobility Groups

A set of controllers can be configured as a mobility group to allow seamless client roaming within a group of controllers.
As shown above, each controller is configured with a list of the other members of the mobility group. Whenever a new client joins a controller, the controller sends out a unicast message to all of the controllers in the mobility group. The controller to which the client was previously connected passes on the status of the client.
Note Clients may roam between access points in different mobility groups, provided they can hear them. However, their session information is not carried between controllers in different mobility groups.
Configuring Mobility Groups

Figure 11-6 Mobility Group Configuration with One NAT Device (foreign controller 10.x.x.1 reached through NAT as 10.x.x.2; anchor controller 9.x.x.1 reached through NAT as 9.x.x.2)

Figure 11-7 Mobility Group Configuration with Two NAT Devices (foreign controller 10.x.x.1 and anchor controller behind separate NAT devices across the Internet backbone)
Prerequisites

Before you add controllers to a mobility group, you must verify that the following requirements have been met for all controllers that are to be included in the group:
• All controllers must be configured for the same LWAPP transport mode (Layer 2 or Layer 3).
• IP connectivity must exist between the management interfaces of all controllers.
• When you configure mobility groups using a third-party firewall, Cisco PIX, or Cisco ASA, you need to open ports 16666, 16667, 12222, and 12223; IP protocols 50 and 97; and UDP port 500 if you are not using secure mobility groups.
Step 2 Perform one of the following to add controllers to a mobility group:
• If you are adding only one controller or want to individually add multiple controllers, click New and go to Step 3.
• If you are adding multiple controllers and want to add them in bulk, click EditAll and go to Step 4.
Step 4 The Mobility Group Members > Edit All page (see Figure 11-10) lists the MAC address, IP address, and mobility group name (optional) of all the controllers currently in the mobility group. The controllers are listed one per line with the local controller at the top of the list.

Note If desired, you can edit or delete any of the controllers in the list.
Using the CLI to Configure Mobility Groups

Follow these steps to configure mobility groups using the CLI.

Step 1 Enter show mobility summary to check the current mobility settings.

Step 2 Enter config mobility group domain domain_name to create a mobility group.

Note Enter up to 31 case-sensitive ASCII characters for the group name. Spaces are not allowed in mobility group names.

Step 3
Viewing Mobility Group Statistics

Figure 11-11 Mobility Statistics Page

Step 2 Refer to Table 11-1 for a description of each statistic.

Table 11-1 Mobility Statistics

Group Mobility Statistics
Rx Errors: Generic protocol packet receive errors, such as packet too short or format incorrect.
Tx Errors: Generic protocol packet transmit errors, such as packet transmission fail.
Table 11-1 Mobility Statistics (continued)

Handoff Requests Received: The total number of handoff requests received, ignored, or responded to.
Handoff End Requests Received: The total number of handoff end requests received. These requests are sent by the anchor or foreign controller to notify the other about the close of a client session.
Table 11-1 Mobility Statistics (continued)

Mobility Responder Statistics
Handoff Requests Ignored: The number of handoff requests or client announcements that were ignored because the controller had no knowledge of that client.
Ping Pong Handoff Requests Dropped: The number of handoff requests that were denied because the handoff period was too short (3 seconds).
Configuring Auto-Anchor Mobility

You can use auto-anchor mobility (also called guest tunneling) to improve load balancing and security for roaming clients on your wireless LANs. Under normal roaming conditions, client devices join a wireless LAN and are anchored to the first controller that they contact.
Note The IPSec and L2TP Layer 3 security policies are unavailable for WLANs configured with a mobility anchor.

Guidelines for Using Auto-Anchor Mobility

Keep these guidelines in mind when you configure auto-anchor mobility:
• Controllers must be added to the mobility group member list before you can designate them as mobility anchors for a WLAN.
Figure 11-12

Step 2
b. In the Keep Alive Count field, enter the number of times a ping request is sent to an anchor controller before the anchor is considered to be unreachable. The valid range is 3 to 20, and the default value is 3.
c. In the Keep Alive Interval field, enter the amount of time (in seconds) between each ping request sent to an anchor controller.
This page lists the controllers that have already been configured as mobility anchors and shows the current state of their data and control paths. Controllers within a mobility group communicate control information among themselves over a well-known UDP port and exchange data traffic through an Ethernet-over-IP (EoIP) tunnel.
Configuring Symmetric Mobility Tunneling

The Status field shows one of these values:
• UP—The controller is reachable and able to pass data.
• CNTRL_PATH_DOWN—The mpings failed. The controller cannot be reached through the control path and is considered failed.
• DATA_PATH_DOWN—The epings failed. The controller cannot be reached and is considered failed.
• CNTRL_DATA_PATH_DOWN—Both the mpings and epings failed.
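The Keep Alive Count rule and the four anchor Status values described above, modelled as an added Python example (constructed for this guide, not Cisco code). The control path is probed by mpings and the data path by epings; a path is declared down only after Keep Alive Count consecutive failures, so a single lost ping over the unreliable UDP/EoIP transport does not fail the anchor. The 10-second Keep Alive Interval is an assumed value for the example.

```python
"""Mobility anchor reachability tracker (added example, not Cisco code).

Tracks consecutive mping (control path) and eping (data path) failures toward
one anchor controller and reports the Status value the guide describes.
"""
from dataclasses import dataclass


@dataclass
class AnchorMonitor:
    keep_alive_count: int = 3       # guide default; valid range 3 to 20
    keep_alive_interval: int = 10   # seconds between pings; ASSUMED value
    ctrl_failures: int = 0          # consecutive failed mpings (control path)
    data_failures: int = 0          # consecutive failed epings (data path)

    def __post_init__(self):
        # Enforce the valid range the guide gives for the Keep Alive Count field.
        if not 3 <= self.keep_alive_count <= 20:
            raise ValueError("Keep Alive Count must be between 3 and 20")

    def record_mping(self, ok: bool) -> None:
        """A successful mping resets the control-path failure streak."""
        self.ctrl_failures = 0 if ok else self.ctrl_failures + 1

    def record_eping(self, ok: bool) -> None:
        """A successful eping resets the data-path failure streak."""
        self.data_failures = 0 if ok else self.data_failures + 1

    @property
    def control_path_down(self) -> bool:
        return self.ctrl_failures >= self.keep_alive_count

    @property
    def data_path_down(self) -> bool:
        return self.data_failures >= self.keep_alive_count

    def status(self) -> str:
        """Return UP, CNTRL_PATH_DOWN, DATA_PATH_DOWN or CNTRL_DATA_PATH_DOWN."""
        if self.control_path_down and self.data_path_down:
            return "CNTRL_DATA_PATH_DOWN"
        if self.control_path_down:
            return "CNTRL_PATH_DOWN"
        if self.data_path_down:
            return "DATA_PATH_DOWN"
        return "UP"

    def seconds_to_declare_down(self) -> int:
        """Worst-case time before a silent anchor is reported as failed."""
        return self.keep_alive_count * self.keep_alive_interval

    def replay(self, results):
        """Feed a sequence of ('mping' | 'eping', ok) tuples; return final status."""
        for path, ok in results:
            if path == "mping":
                self.record_mping(ok)
            elif path == "eping":
                self.record_eping(ok)
            else:
                raise ValueError(f"unknown ping type: {path}")
        return self.status()


if __name__ == "__main__":
    # Constructed probe history: one lost mping is tolerated, three in a row are not.
    history = [("mping", True), ("eping", True), ("mping", False), ("mping", True),
               ("mping", False), ("mping", False), ("mping", False)]
    mon = AnchorMonitor()
    print(mon.replay(history))                 # CNTRL_PATH_DOWN
    print(mon.seconds_to_declare_down())       # 30
```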
Figure 11-15 Asymmetric Tunneling or Uni-Directional Tunneling (server, router, foreign controller, anchor controller and mobile client)

This mechanism breaks when an upstream router has reverse path filtering (RPF) enabled. In this case, the client traffic is dropped at the router because the RPF check ensures that the path back to the source address matches the path from which the packet is coming.
Note Although a 2000 or 2100 series controller cannot be designated as an anchor for a WLAN when using auto-anchor mobility, it can serve as an anchor in symmetric mobility tunneling to process and forward the upstream client data traffic tunneled from the foreign controller.
Step 6 Click Yes when you are prompted to confirm your decision to save the configuration.

Step 7 If you want to reboot the controller now, click Commands > Reboot and then Reboot.

Step 8 Make sure that every controller in the mobility group shares the same configuration for symmetric mobility tunneling.
Running Mobility Ping Tests

Controllers belonging to the same mobility group communicate with each other by exchanging control information over a well-known UDP port and data traffic through an Ethernet-over-IP (EoIP) tunnel. Because UDP and EoIP are not reliable transport mechanisms, there is no guarantee that a mobility control packet or data packet will be delivered to a mobility peer.
Chapter 12 Configuring Hybrid REAP

This chapter describes hybrid REAP and explains how to configure this feature on controllers and access points.
Overview of Hybrid REAP

Hybrid REAP is a wireless solution for branch office and remote office deployments. It enables customers to configure and control access points in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a controller in each office.
Note
• If the access point has been assigned a static IP address, it can discover a controller through any of the LWAPP discovery process methods except DHCP option 43. If the access point cannot discover a controller through Layer 3 broadcast or OTAP, Cisco recommends DNS resolution. With DNS, any access point with a static IP address that knows of a DNS server can find at least one controller.
require that an external RADIUS server be configured. Other WLANs enter either the “authentication down, switching down” state (if the WLAN was configured for central switching) or the “authentication down, local switching” state (if the WLAN was configured for local switching).
Configuring Hybrid REAP

• To use CCKM fast roaming with hybrid-REAP access points, you need to configure hybrid-REAP groups. See the “Configuring Hybrid-REAP Groups” section on page 12-16 for more information.
• VPN, PPTP, Fortress authentication, and Cranite authentication are supported for locally switched traffic, provided that these security types are accessible locally at the access point.
Note The addresses in this sample configuration are for illustration purposes only. The addresses that you use must fit into your upstream network.

Sample local switch configuration:
ip dhcp pool NATIVE
 network 10.10.100.0 255.255.255.0
 default-router 10.10.100.1
!
ip dhcp pool LOCAL-SWITCH
 network 10.10.101.0 255.255.255.0
 default-router 10.10.101.
WLAN            Security            Switching   Interface Mapping (VLAN)
employee-local  WPA1+WPA2 (PSK)     Local       101 (locally switched VLAN)
guest-central   Web authentication  Central     management (centrally switched VLAN)

Note See the “Using the CLI to Configure the Controller for Hybrid REAP” section on page 12-11 if you would prefer to configure the controller for hybrid REAP using the CLI.
Step 1 Follow these steps to create a centrally switched WLAN. In our example, this is the first WLAN (employee).
a. Click WLANs to open the WLANs page.
b. Click New to open the WLANs > New page (see Figure 12-2).

Figure 12-2 WLANs > New Page

c. From the Type drop-down box, choose WLAN.
d. Enter a unique profile name for the WLAN in the Profile Name field.
e. Enter a name for the WLAN in the WLAN SSID field.
f.
Note If NAC is enabled and you created a quarantined VLAN and want to use it for this WLAN, make sure to select it from the Interface drop-down box on the General tab. Also, check the Allow AAA Override check box on the Advanced tab to ensure that the controller checks for a quarantine VLAN assignment.

h. Click Apply to commit your changes.
i. Click Save Configuration to save your changes.

Step 2

Step 3
Note If you are using an external web server, you must configure a preauthentication access control list (ACL) on the WLAN for the server and then choose this ACL as the WLAN preauthentication ACL on the Layer 3 tab. See Chapter 5 for more information on ACLs.

Note Make sure to enable this WLAN by checking the Status check box on the General tab.

c. Click Apply to commit your changes.
d.
o. In the Description field, enter a descriptive title for the local user (such as “Guest user”).
p. Click Apply to commit your changes.
q. Click Save Configuration to save your changes.

Step 4 Go to the “Configuring an Access Point for Hybrid REAP” section on page 12-11 to configure up to six access points for hybrid REAP.
Figure 12-5 All APs Page

Step 3 Click the name of the desired access point. The All APs > Details (General) page appears (see Figure 12-6).
Step 4 Choose H-REAP from the AP Mode drop-down box to enable hybrid REAP for this access point.

Note The last parameter on the Inventory tab indicates whether this access point can be configured for hybrid REAP. Only the 1130AG, 1240AG, and 1250 access points support hybrid REAP.

Step 5 Click Apply to commit your changes and to cause the access point to reboot.
Figure 12-8 All APs > Access Point Name > VLAN Mappings Page

Step 11 Enter the number of the VLAN from which the clients will get an IP address when doing local switching (VLAN 101, in this example) in the VLAN ID field.

Step 12 Click Apply to commit your changes.

Step 13 Click Save Configuration to save your changes.
• config ap h-reap vlan native vlan-id Cisco_AP—Enables you to configure a native VLAN for this hybrid-REAP access point. By default, no VLAN is set as the native VLAN. One native VLAN must be configured per hybrid-REAP access point (when VLAN tagging is enabled). Make sure the switchport to which the access point is connected has a corresponding native VLAN configured as well.
Configuring Hybrid-REAP Groups

In order to better organize and manage your hybrid-REAP access points, you can create hybrid-REAP groups and assign specific access points to them. All of the hybrid-REAP access points in a group share the same CCKM, WLAN, and backup RADIUS server configuration information.
Using the GUI to Configure Hybrid-REAP Groups

Follow these steps to configure hybrid-REAP groups using the controller GUI.

Step 1 Click Wireless > HREAP Groups to open the HREAP Groups page (see Figure 12-10).

Figure 12-10 HREAP Groups Page

This page lists any hybrid-REAP groups that have already been created.
Step 8 To add an access point to the group, click Add AP. Additional fields appear on the page under “Add AP” (see Figure 12-12).

Figure 12-12

Step 9 Perform one of the following:
• To choose an access point that is connected to this controller, check the Select APs from Current Controller check box and choose the name of the access point from the AP Name drop-down box.
Note To see if an individual access point belongs to a hybrid-REAP group, you can click Wireless > Access Points > All APs > the name of the desired access point > the H-REAP tab. If the access point belongs to a hybrid-REAP group, the name of the group appears in the HREAP Group Name field.

Using the CLI to Configure Hybrid-REAP Groups

Follow these steps to configure hybrid-REAP groups using the controller CLI.
Appendix A Safety Considerations and Translated Safety Warnings

This appendix lists safety considerations and translations of the safety warnings that apply to the Cisco UWN Solution products.
Safety Considerations

Keep these guidelines in mind when installing Cisco UWN Solution products:
• The Cisco 1000 Series lightweight access points with or without external antenna ports are only intended for installation in Environment A as defined in IEEE 802.3af. All interconnected equipment must be contained within the same building including the interconnected equipment's associated LAN connections.
Warning Definition

Varoitus (Finnish) IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. The situation could cause bodily injury. Before you work on the equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.
Aviso (Portuguese) IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. You are in a situation that could cause bodily injury. Before working on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.
Class 1 Laser Product Warning

Note The 1000BASE-SX and 1000BASE-LX SFP modules contain Class 1 Lasers (Laser Klasse 1) according to EN 60825-1+A1+A2.

Warning Class 1 laser product. Statement 1008
Waarschuwing (Dutch) Class 1 laser product.
Varoitus (Finnish) Class 1 laser product.
Attention (French) Class 1 laser product.
Warnung (German) Class 1 laser product.
Avvertenza (Italian) Class 1 laser product.
Aviso (Portuguese) Class 1 laser product.
Advarsel (Norwegian) Class 1 laser product.
Ground Conductor Warning

Warning This equipment must be grounded. Never defeat the ground conductor or operate the equipment in the absence of a suitably installed ground conductor. Contact the appropriate electrical inspection authority or an electrician if you are uncertain that suitable grounding is available. Statement 1024

Waarschuwing (Dutch) This equipment must be grounded.
Warnung (German) This device must be grounded. Never defeat the ground conductor or operate the device without a properly installed ground conductor. If you are not sure whether proper grounding is available, contact the responsible inspection authority or an electrician.

Avvertenza (Italian) This equipment must be grounded.
Chassis Warning for Rack-Mounting and Servicing

Warning To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety:
• This unit should be mounted at the bottom of the rack if it is the only unit in the rack.
Appendix A Safety Considerations and Translated Safety Warnings Chassis Warning for Rack-Mounting and Servicing Varoitus Attention Warnung Avvertenza Advarsel Kun laite asetetaan telineeseen tai huolletaan sen ollessa telineessä, on noudatettava erityisiä varotoimia järjestelmän vakavuuden säilyttämiseksi, jotta vältytään loukkaantumiselta. Noudata seuraavia turvallisuusohjeita: • Jos telineessä ei ole muita laitteita, aseta laite telineen alaosaan.
Appendix A Safety Considerations and Translated Safety Warnings Chassis Warning for Rack-Mounting and Servicing Aviso ¡Advertencia! Varning! Para se prevenir contra danos corporais ao montar ou reparar esta unidade numa estante, deverá tomar precauções especiais para se certificar de que o sistema possui um suporte estável.
Appendix A Safety Considerations and Translated Safety Warnings Chassis Warning for Rack-Mounting and Servicing • • • Aviso Advarsel Para evitar lesões corporais ao montar ou dar manutenção a esta unidade em um rack, é necessário tomar todas as precauções para garantir a estabilidade do sistema. As seguintes orientações são fornecidas para garantir a sua segurança: • Se esta for a única unidade, ela deverá ser montada na parte inferior do rack.
Battery Handling Warning for 4400 Series Controllers

Warning There is the danger of explosion if the Cisco 4400 Series Wireless LAN Controller battery is replaced incorrectly. Replace the battery only with the same or equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer's instructions.

Warnung There is a danger of explosion if the wrong battery is inserted. Replace the battery only with the same type or a type recommended by the manufacturer. Dispose of used batteries according to the manufacturer's instructions.

Avvertenza Danger of explosion if the battery is not installed correctly.
Equipment Installation Warning

Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030

Waarschuwing This equipment may only be installed, replaced, or repaired by authorized, trained personnel.

Varoitus Only trained personnel who are familiar with the equipment may install, replace, or service this equipment.

¡Advertencia! Only qualified personnel should install, replace, or use this equipment.

Varning! Only trained and qualified personnel should be allowed to install, replace, or repair this equipment.

Aviso Only a trained and qualified team is permitted to install, replace, or service this equipment.
More Than One Power Supply Warning for 4400 Series Controllers

Warning The Cisco 4400 Series Wireless LAN Controller might have more than one power supply connection. All connections must be removed to de-energize the unit. Statement 1028

Waarschuwing This unit may have more than one power supply connection.

Aviso This unit may have more than one power supply connection. All connections must be removed to de-energize the unit.

Advarsel This unit may have more than one power supply connection. All connections must be removed to de-energize the unit.
Appendix B Declarations of Conformity and Regulatory Information

This appendix provides declarations of conformity and regulatory information for the products in the Cisco UWN Solution.

Regulatory Information for 1000 Series Access Points

This section contains regulatory information for 1000 series access points.
occur. If this equipment does cause interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to correct the interference by one of the following measures:
• Reorient or relocate the receiving antenna.
• Increase separation between the equipment and receiver.

European Community, Switzerland, Norway, Iceland, and Liechtenstein

Model: AIR-AP1010-E-K9, AIR-AP1020-E-K9, AIR-AP1030-E-K9

Declaration of Conformity with Regard to the R&TTE Directive 1999/5/EC

English: This equipment is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.

Note This equipment is intended to be used in all EU and EFTA countries. Outdoor use may be restricted to certain frequencies and/or may require a license for operation. For more details, contact Cisco Corporate Compliance.

For 54 Mbps, 5 GHz access points, the following standards were applied:
• Radio: EN 301.893
• EMC: EN 301.489-1, EN 301.
Guidelines for Operating Cisco Aironet Access Points in Japan

This section provides guidelines for avoiding interference when operating Cisco Aironet access points in Japan. These guidelines are provided in both Japanese and English.

Administrative Rules for Cisco Aironet Access Points in Taiwan

This section provides administrative rules for operating Cisco Aironet access points in Taiwan. The rules are provided in both Chinese and English.

Access Points with IEEE 802.11a Radios

English Translation: This equipment is limited to indoor use.

English Translation: Administrative Rules for Low-power Radio-Frequency Devices

Article 12 For those low-power radio-frequency devices that have already received a type approval, companies, business units, or users should not change their frequencies, increase their power, or change their original features and functions.
FCC Statement for Cisco 4400 Series Wireless LAN Controllers

The Cisco 4400 Series Wireless LAN Controller equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
Appendix C End User License and Warranty

This appendix describes the end user license and warranty that apply to the Cisco UWN Solution products:
• Cisco 1000 Series Lightweight Access Points
• Cisco 2000 Series Wireless LAN Controllers
• Cisco 2100 Series Wireless LAN Controllers
• Cisco 4400 Series Wireless LAN Controllers
• Cisco Wireless Services Modules

This appendix contains these sections:
• End User License Agreement, page C-2
• Limited Warranty, page C-4
• General Terms Appl

End User License Agreement

IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. DOWNLOADING, INSTALLING OR USING CISCO OR CISCO-SUPPLIED SOFTWARE CONSTITUTES ACCEPTANCE OF THIS AGREEMENT. CISCO IS WILLING TO LICENSE THE SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT.
(ii) make error corrections to or otherwise modify or adapt the Software or create derivative works based upon the Software, or permit third parties to do the same; (iii) reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software to human-readable form, except to the extent otherwise expressly permitted under applicable law notwithstanding this restriction; (iv) use or permit the Software to be used to perform se

Term and Termination. This Agreement and the license granted herein shall remain effective until terminated. Customer may terminate this Agreement and the license at any time by destroying all copies of Software and any Documentation. Customer's rights under this Agreement will terminate immediately without notice from Cisco if Customer fails to comply with any provision of this Agreement.

Limited Warranty

replacement parts used in Hardware replacement may be new or equivalent to new. Cisco's obligations hereunder are conditioned upon the return of affected Hardware in accordance with Cisco's or its service center's then-current Return Material Authorization (RMA) procedures.

General Terms Applicable to the Limited Warranty Statement and End User License Agreement

Disclaimer of Warranty

DISCLAIMER OF WARRANTY EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, SATISFACTORY QUALITY, NON-INTERFERENCE, ACCURACY OF INFORMATIONAL CONTENT, OR ARISING FRO

the parties with respect to the license of the Software and Documentation and supersedes any conflicting or additional terms contained in any purchase order or elsewhere, all of which terms are excluded. This Agreement has been written in the English language, and the parties agree that the English version will govern.
Appendix D Troubleshooting

This appendix lists system messages that can appear on the Cisco UWN Solution interfaces, describes the LED patterns on controllers and lightweight access points, and provides CLI commands that can be used to troubleshoot problems on the controller.

Interpreting LEDs

Interpreting Controller LEDs

Refer to the quick start guide for your specific controller for a description of the LED patterns. You can find the guides at this URL: http://www.cisco.com/en/US/products/hw/wireless/index.html

Interpreting Lightweight Access Point LEDs

Refer to the hardware installation guide for your specific access point for a description of the LED patterns. You can find the guides at this URL: http://www.cisco.
System Messages

Table D-1 System Messages and Descriptions (continued)

Error Message: Description
STATION_ASSOCIATE_FAIL: Check load on the Cisco Radio or signal quality issues.
LRAD_ASSOCIATED: The associated Cisco 1000 Series lightweight access point is now managed by this Cisco Wireless LAN Controller.
ROGUE_AP_REMOVED: Detected rogue access point has timed out. The unit might have shut down or moved out of the coverage area.
AP_MAX_ROGUE_COUNT_EXCEEDED: The current number of active rogue access points has exceeded the system threshold.
LINK_UP: Positive confirmation message.
LINK_DOWN: Port may have a problem or is administratively disabled.
RADIUS_SERVERS_FAILED: Check network connectivity between RADIUS and the controller.
CONFIG_SAVED: Running configuration has been saved to flash and will be active after reboot.
MULTIPLE_USERS: Another user with the same username has logged in.
FAN_FAILURE: Monitor Cisco Wireless LAN Controller temperature to avoid overheating.

Using the CLI to Troubleshoot Problems

2. show process memory—Shows the allocation and deallocation of memory from various processes in the system at that instant in time.
radius auth network 1 disable
radius auth management 1 disable
radius auth ipsec enable

Note If you want to see the passwords in clear text, enter config passwd-cleartext enable. To execute this command, you must enter an admin password. This command is valid only for this particular session. It is not saved following a reboot.

Note You cannot use TFTP to upload the output of this command.
Configuring the Syslog Facility and Log Level

Step 3 (continued)
• local7 = Local use. Facility level = 23.
• lpr = Line printer system. Facility level = 6.
• mail = Mail system. Facility level = 2.
• news = USENET news. Facility level = 7.
• sys12 = System use. Facility level = 12.
• sys13 = System use. Facility level = 13.
• sys14 = System use. Facility level = 14.
• sys15 = System use. Facility level = 15.
• syslog = The syslog itself. Facility level = 5.
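The facility numbers above, together with the log level, end up in the PRI field that leads every syslog message the controller emits (PRI = facility * 8 + severity), which is what a syslog receiver uses to route and filter. The following added example (not from the Cisco guide) shows how a receiver would decode that field and apply a level filter; the facility codes not listed on this page (kern, user, daemon, and so on) are the standard RFC 3164 values, and the sample messages are constructed, not captured from a controller.

```python
"""Encode and decode syslog PRI values (PRI = facility * 8 + severity).

Added example, not part of the Cisco guide. The facilities listed in this
section (local7 = 23, lpr = 6, mail = 2, news = 7, sys12..sys15 = 12..15,
syslog = 5) are the standard RFC 3164 codes; the rest are filled in from
that RFC.
"""
import re
from typing import Dict, List, Tuple

FACILITIES: Dict[str, int] = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "sys12": 12, "sys13": 13, "sys14": 14, "sys15": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}

# Severity levels, 0 is the most severe. Names follow the controller CLI keywords.
SEVERITIES: Dict[str, int] = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
SEVERITY_NAMES = {code: name for name, code in SEVERITIES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def pri(facility: str, severity: str) -> int:
    """Return the PRI value a sender writes as <N> for this facility and level."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value: int) -> Tuple[str, str]:
    """Split a PRI value back into (facility name, severity name)."""
    if not 0 <= value <= 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {value}")
    return FACILITY_NAMES[value // 8], SEVERITY_NAMES[value % 8]


def parse_message(line: str) -> Dict[str, str]:
    """Parse one raw syslog line into facility, severity and the remaining text."""
    match = PRI_RE.match(line)
    if not match:
        raise ValueError(f"no PRI field in {line!r}")
    facility, severity = decode_pri(int(match.group(1)))
    return {"facility": facility, "severity": severity, "body": match.group(2)}


def passes_level(message_severity: str, configured_level: str) -> bool:
    """A log level admits messages at that severity or more severe (lower number)."""
    return SEVERITIES[message_severity] <= SEVERITIES[configured_level]


def select_messages(lines: List[str], configured_level: str) -> List[Dict[str, str]]:
    """Return the parsed messages a receiver keeps when filtering at configured_level."""
    parsed = [parse_message(line) for line in lines]
    return [m for m in parsed if passes_level(m["severity"], configured_level)]


# Constructed sample messages (not captured from a real controller).
SAMPLE_LINES = [
    "<187>Jun 26 18:28:48 wlc: RADIUS_SERVERS_FAILED check connectivity",  # local7, errors
    "<189>Jun 26 18:28:49 wlc: LRAD_ASSOCIATED AP now managed",           # local7, notifications
    "<191>Jun 26 18:28:50 wlc: dot1x state machine trace",                # local7, debugging
    "<99>Jun 26 18:28:51 wlc: FAN_FAILURE monitor temperature",           # sys12, errors
]

if __name__ == "__main__":
    for message in select_messages(SAMPLE_LINES, "errors"):
        print(message["facility"], message["severity"], message["body"])
```

Filtering at "errors" keeps only the two error-level messages; at "debugging" everything passes, which is why a permanent debugging level on a busy controller floods the collector.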
Step 5 To see the logging parameters and buffer contents, enter this command:
show logging

Information similar to the following appears:
Logging to buffer :
- Logging filter level...........................
- Number of lines logged.........................
- Number of lines dropped........................
Logging to console :
- Logging filter level...........................
- Number of lines logged.........................

Uploading Core Dumps from the Controller

Step 3 To specify the username and password for FTP login, enter this command:
config coredump username ftp_username password ftp_password

Step 4 To save your changes, enter this command:
save config

Step 5 To see a summary of the controller's core dump file, enter this command:
show coredump summary

Monitoring Memory Leaks

This section provides instructions for troubleshooting hard-to-solve or hard-to-reproduce memory problems.
Step 4 To view a summary of any discovered memory issues, enter this command:
show memory monitor

Information similar to the following appears:
Memory Leak Monitor Status:
low_threshold(10000), high_threshold(30000), current status(disabled)
------------------------------------------
Memory Error Monitor Status:
Crash-on-error flag currently set to (disabled)
No memory error detected.

Troubleshooting CCXv5 Client Devices

Diagnostic Channel

The diagnostic channel feature enables you to troubleshoot problems regarding client communication with a WLAN. The client and access points can be put through a defined set of tests in an attempt to identify the cause of communication difficulties the client is experiencing and then allow corrective measures to be taken to make the client operational on the network.
Using the GUI to Configure the Diagnostic Channel

Follow these steps to configure the diagnostic channel using the controller GUI.

Step 1 Click WLANs to open the WLANs page.

Step 2 Create a new WLAN or click the profile name of an existing WLAN.

Note Cisco recommends that you create a new WLAN on which to run the diagnostic tests.

Step 3

Using the CLI to Configure the Diagnostic Channel

Using the controller CLI, follow these steps to configure the diagnostic channel.

Step 1 To enable diagnostic channel troubleshooting on a particular WLAN, enter this command:
config wlan diag-channel {enable | disable} wlan_id

Step 2 To verify that your change has been made, enter this command:
show wlan wlan_id

Information similar to the following appears:
WLAN Identifier................

Step 6 To send a request to the client to perform the DNS name resolution test to the specified host name, enter this command:
config client ccx dns-resolve client_mac_address host_name

Note This test does not require the client to use the diagnostic channel.

Step 7 To send a request to the client to perform the association test, enter this command:
config client ccx test-association client_mac_address ssid bssid {802.11a | 802.11b | 802.

Step 12 (continued)
• 13 = Retrieval complete.
• 14 = Beginning association test.
• 15 = Beginning DHCP test.
• 16 = Beginning network connectivity test.
• 17 = Beginning DNS ping test.
• 18 = Beginning name resolution test.
• 19 = Beginning 802.1X authentication test.
• 20 = Redirecting client to a specific profile.
• 21 = Test complete.
• 22 = Test passed.
• 23 = Test failed.

Step 14 To see the results from the last successful diagnostics test, enter this command:
show client ccx results client_mac_address

Information similar to the following appears for the 802.1X authentication test:
dot1x Complete................................... Success
EAP Method....................................... *1,Host OS Login Credentials
dot1x Status..................................
Frame Data: [hex dump of the captured frame, offsets 00000000 through 000000b0; the byte values did not survive extraction]
Figure D-2 Clients > Detail Page

Step 3 To send a report request to the client, click the CCXv5 Req button.

Step 4 To view the parameters from the client, click Display. The Client Reporting page appears (see Figure D-3).

Figure D-3 Client Reporting Page

This page lists the client profiles and indicates if they are currently in use. It also provides information on the client's operating parameters, manufacturer, and capabilities.

Step 5 Click the link for the desired client profile. The Profile Details page appears (see Figure D-4).

Figure D-4 Profile Details Page

This page shows the client profile details, including the SSID, power save mode, radio channel, data rates, and 802.11 security settings.

Using the CLI to Configure Client Reporting

Using the controller CLI, follow these steps to configure client reporting.
Step 6 To see the client profiles, enter this command:
show client ccx profiles client_mac_address

Information similar to the following appears:
Number of Profiles............................... 1
Current Profile.................................. 1
Profile ID.......................................
Profile Name.....................................
SSID.............................................
Security Parameters[EAP Method,Credential]...

Step 7 To see the client operating parameters, enter this command:
show client ccx operating-parameters client_mac_address

Information similar to the following appears:
Client Mac....................................... 00:40:96:b2:8d:5e
Radio Type....................................... OFDM(802.11a)

Step 8
Radio Type.......................................
Radio Channels.................................

Radio Type....................................... ERP(802.11g)
Rx Sensitivity .................................. Rate:6.0 Mbps, MinRssi:-95, MaxRssi:-30
Rx Sensitivity .................................. Rate:9.0 Mbps, MinRssi:-95, MaxRssi:-30
Rx Sensitivity .................................. Rate:12.0 Mbps, MinRssi:-95, MaxRssi:-30
Rx Sensitivity .................................. Rate:18.

Step 9
Information similar to the following appears for a log response with a log_type of roam:

Tue Jun 26 18:28:48 2007 Roaming Response LogID=133: Status=Successful
Event Timestamp=0d 00h 00m 13s 322396us
Source BSSID=00:0b:85:81:06:c2, Target BSSID=00:0b:85:81:06:c2, Transition Time=3125(ms)
Transition Reason: Normal roam, poor link
Transition Result: Success
Tue Jun 26 18:28:48 2007 Roaming Response LogID=133: Status=Successful
Event Timesta

Tue Jun 26 18:24:09 2007 RSNA Response LogID=132: Status=Successful
Event Timestamp=0d 00h 00m 01s 624375us
Target BSSID=00:14:1b:58:86:cd
RSNA Version=1
Group Cipher Suite=00-0f-ac-02
Pairwise Cipher Suite Count = 1
Pairwise Cipher Suite 0 = 00-0f-ac-04
AKM Suite Count = 1
AKM Suite 0 = 00-0f-ac-01
RSN Capability = 0x0
RSNA Result: Success

Information similar to the following appears for a log response with a log_type of syslog:
Tue Jun 2
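The RSNA response prints its cipher and key-management suites as raw selectors (an OUI followed by a one-byte suite type), so reading it means knowing that 00-0f-ac-02 is TKIP, 00-0f-ac-04 is CCMP and 00-0f-ac-01 is 802.1X key management. The following added example (not from the Cisco guide) decodes those selectors and the RSN Capability bits from a log block like the one above; the suite names are the standard IEEE 802.11 assignments for OUI 00-0f-ac, CCKM is Cisco's AKM under OUI 00-40-96, and the sample text is a copy of the response shown above.

```python
"""Decode the RSN suite selectors in a CCXv5 RSNA log response.

Added example, not part of the Cisco guide. Each selector is 'oui-type':
the IEEE OUI 00-0f-ac with the standard suite types, or Cisco's 00-40-96
for CCKM. RSN Capability bit 6 is MFPR (MFP required), bit 7 is MFPC.
"""
import re
from typing import Dict, List, Tuple

IEEE_OUI = "00-0f-ac"
CISCO_OUI = "00-40-96"

CIPHER_SUITES: Dict[Tuple[str, int], str] = {
    (IEEE_OUI, 0): "Use group cipher",
    (IEEE_OUI, 1): "WEP-40",
    (IEEE_OUI, 2): "TKIP",
    (IEEE_OUI, 4): "CCMP-128",
    (IEEE_OUI, 5): "WEP-104",
    (IEEE_OUI, 8): "GCMP-128",
    (IEEE_OUI, 9): "GCMP-256",
    (IEEE_OUI, 10): "CCMP-256",
}

AKM_SUITES: Dict[Tuple[str, int], str] = {
    (IEEE_OUI, 1): "802.1X",
    (IEEE_OUI, 2): "PSK",
    (IEEE_OUI, 3): "FT over 802.1X",
    (IEEE_OUI, 4): "FT over PSK",
    (IEEE_OUI, 5): "802.1X with SHA-256",
    (IEEE_OUI, 6): "PSK with SHA-256",
    (IEEE_OUI, 8): "SAE",
    (CISCO_OUI, 0): "CCKM",
}

# Ciphers that later 802.11 revisions deprecated; flag them when they appear in a log.
DEPRECATED_CIPHERS = {"WEP-40", "WEP-104", "TKIP"}

MFP_REQUIRED_BIT = 0x40
MFP_CAPABLE_BIT = 0x80


def parse_selector(text: str) -> Tuple[str, int]:
    """Split 'xx-xx-xx-tt' into (oui, suite type)."""
    parts = text.strip().lower().split("-")
    if len(parts) != 4:
        raise ValueError(f"bad suite selector: {text!r}")
    return "-".join(parts[:3]), int(parts[3], 16)


def cipher_name(selector: str) -> str:
    return CIPHER_SUITES.get(parse_selector(selector), f"unknown cipher {selector}")


def akm_name(selector: str) -> str:
    return AKM_SUITES.get(parse_selector(selector), f"unknown AKM {selector}")


def decode_rsna_log(text: str) -> Dict[str, object]:
    """Extract and name the RSN parameters from an RSNA log response block."""
    group = re.search(r"Group Cipher Suite\s*=\s*([0-9a-fA-F-]+)", text)
    pairwise = re.findall(r"Pairwise Cipher Suite \d+\s*=\s*([0-9a-fA-F-]+)", text)
    akms = re.findall(r"AKM Suite \d+\s*=\s*([0-9a-fA-F-]+)", text)
    cap = re.search(r"RSN Capability\s*=\s*(0x[0-9a-fA-F]+)", text)
    capability = int(cap.group(1), 16) if cap else 0

    result: Dict[str, object] = {
        "group_cipher": cipher_name(group.group(1)) if group else None,
        "pairwise_ciphers": [cipher_name(p) for p in pairwise],
        "akm_suites": [akm_name(a) for a in akms],
        "mfp_capable": bool(capability & MFP_CAPABLE_BIT),
        "mfp_required": bool(capability & MFP_REQUIRED_BIT),
    }
    findings: List[str] = []
    if result["group_cipher"] in DEPRECATED_CIPHERS:
        findings.append(f"group cipher {result['group_cipher']} is deprecated")
    for name in result["pairwise_ciphers"]:
        if name in DEPRECATED_CIPHERS:
            findings.append(f"pairwise cipher {name} is deprecated")
    if not result["mfp_capable"]:
        findings.append("RSN capabilities do not advertise management frame protection")
    result["findings"] = findings
    return result


# Copy of the RSNA response shown in this section, used as sample input.
SAMPLE_RSNA_LOG = """Tue Jun 26 18:24:09 2007 RSNA Response LogID=132: Status=Successful
Event Timestamp=0d 00h 00m 01s 624375us
Target BSSID=00:14:1b:58:86:cd
RSNA Version=1
Group Cipher Suite=00-0f-ac-02
Pairwise Cipher Suite Count = 1
Pairwise Cipher Suite 0 = 00-0f-ac-04
AKM Suite Count = 1
AKM Suite 0 = 00-0f-ac-01
RSN Capability = 0x0
RSNA Result: Success"""

if __name__ == "__main__":
    for key, value in decode_rsna_log(SAMPLE_RSNA_LOG).items():
        print(f"{key}: {value}")
```

For the sample block the decoder reports a CCMP pairwise key under 802.1X key management but a TKIP group cipher, which is the mixed-mode configuration that a WLAN allowing both WPA and WPA2 clients produces; the findings list is where a reviewer sees that at a glance rather than by memorizing selector values.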
dot11ReceivedFragmentCount = 10
dot11MulticastReceivedFrameCount = 11
dot11FCSErrorCount = 12
dot11TransmittedFrameCount = 13

Using the Debug Facility

The debug facility enables you to display all packets going to and from the controller CPU. You can enable it for received packets, transmitted packets, or both. By default, all packets received by the debug facility are displayed.

• LWAPP payload 802.11 header ACL
  – Destination address
  – Source address
  – BSSID
  – SNAP header type
• LWAPP payload IP header ACL
  – Source address
  – Destination address
  – Protocol
  – Source port (if applicable)
  – Destination port (if applicable)

At each level, you can define multiple ACLs. The first ACL that matches the packet is the one that is selected. Follow these steps to use the debug facility.
• debug packet logging acl eth rule_index action dst src type vlan
  where
  – rule_index is a value between 1 and 6 (inclusive).
  – action is permit, deny, or disable.
  – dst is the destination MAC address.
  – src is the source MAC address.
  – type is the two-byte type code (such as 0x800 for IP, 0x806 for ARP). This parameter also accepts a few common string values such as "ip" (for 0x800) or "arp" (for 0x806).
  – vlan is the two-byte VLAN ID.
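Because the first matching ACL wins, the order of the eth rules decides what the debug facility shows, and a broad deny placed before a narrow permit silently hides the traffic you meant to see. The following added example (not the controller's own code) models the eth rule form and first-match semantics described above so that a rule set can be checked against sample frames before it is typed into a production controller. The page does not describe wildcards or the default when no rule matches, so this model assumes the token "any" as a wildcard, ascending rule_index evaluation order, that a rule with action "disable" is skipped, and that an unmatched frame is displayed; the rules and frames below are constructed.

```python
"""First-match evaluation of Ethernet-level debug packet logging ACLs.

Added example, not the controller's own code. It models the rule form
    debug packet logging acl eth rule_index action dst src type vlan
and the rule that the first matching ACL is the one selected.
Assumptions not taken from the page: rules are evaluated in ascending
rule_index order, "any" is a wildcard for dst, src, type or vlan, a rule
whose action is "disable" is skipped, and a frame that matches no rule is
displayed (reported here as "permit").
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TYPE_ALIASES = {"ip": 0x800, "arp": 0x806}  # string values the page mentions
ACTIONS = ("permit", "deny", "disable")
MAX_RULES = 6
PREFIX = ["debug", "packet", "logging", "acl", "eth"]


@dataclass(frozen=True)
class EthRule:
    index: int
    action: str
    dst: Optional[str]       # None means any
    src: Optional[str]
    eth_type: Optional[int]
    vlan: Optional[int]


def parse_type(token: str) -> Optional[int]:
    """Accept 'any', an alias such as 'ip', or a two-byte code such as 0x800."""
    if token == "any":
        return None
    if token in TYPE_ALIASES:
        return TYPE_ALIASES[token]
    value = int(token, 0)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"type code must fit in two bytes: {token}")
    return value


def parse_eth_rule(command: str) -> EthRule:
    """Turn one 'debug packet logging acl eth ...' command line into an EthRule."""
    parts = command.split()
    if parts[:5] != PREFIX or len(parts) != 11:
        raise ValueError("expected: debug packet logging acl eth rule_index action dst src type vlan")
    index = int(parts[5])
    if not 1 <= index <= MAX_RULES:
        raise ValueError(f"rule_index must be 1..{MAX_RULES}: {index}")
    action = parts[6]
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}: {action}")
    dst = None if parts[7] == "any" else parts[7].lower()
    src = None if parts[8] == "any" else parts[8].lower()
    eth_type = parse_type(parts[9])
    vlan = None if parts[10] == "any" else int(parts[10], 0)
    if vlan is not None and not 0 <= vlan <= 0xFFFF:
        raise ValueError(f"vlan must fit in two bytes: {vlan}")
    return EthRule(index, action, dst, src, eth_type, vlan)


def matches(rule: EthRule, frame: Dict[str, object]) -> bool:
    """A field matches when the rule leaves it as any or the values are equal."""
    return (
        (rule.dst is None or rule.dst == str(frame["dst"]).lower())
        and (rule.src is None or rule.src == str(frame["src"]).lower())
        and (rule.eth_type is None or rule.eth_type == frame["type"])
        and (rule.vlan is None or rule.vlan == frame["vlan"])
    )


def first_match(rules: List[EthRule], frame: Dict[str, object]) -> Tuple[Optional[int], str]:
    """Return (rule_index, action) of the first enabled matching rule, else (None, 'permit')."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.action == "disable":
            continue
        if matches(rule, frame):
            return rule.index, rule.action
    return None, "permit"


# Constructed rule set: hide ARP, show IP traffic on VLAN 100, hide everything else.
SAMPLE_RULES = [parse_eth_rule(cmd) for cmd in (
    "debug packet logging acl eth 1 deny any any arp any",
    "debug packet logging acl eth 2 permit any any ip 100",
    "debug packet logging acl eth 3 deny any any any any",
)]

# Constructed frames (header fields only); the addresses are the ones shown earlier in this appendix.
ARP_FRAME = {"dst": "ff:ff:ff:ff:ff:ff", "src": "00:40:96:b2:8d:5e", "type": 0x806, "vlan": 100}
IP_FRAME_V100 = {"dst": "00:0b:85:81:06:c2", "src": "00:40:96:b2:8d:5e", "type": 0x800, "vlan": 100}
IP_FRAME_V200 = {"dst": "00:0b:85:81:06:c2", "src": "00:40:96:b2:8d:5e", "type": 0x800, "vlan": 200}

if __name__ == "__main__":
    for label, frame in (("arp", ARP_FRAME), ("ip vlan 100", IP_FRAME_V100), ("ip vlan 200", IP_FRAME_V200)):
        print(label, first_match(SAMPLE_RULES, frame))
```

Swapping rules 2 and 3 in the sample set makes the catch-all deny match first and the VLAN 100 permit never fires, which is the ordering mistake the model is meant to catch before it reaches the controller.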
Figure D-5 Sample Hex2pcap Output

Figure D-6 Sample Text2pcap Output

Step 4 To determine why packets might not be displayed, enter this command:
debug packet error {enable | disable}

Step 5 To display the status of packet debugging, enter this command:
show debug packet

Information similar to the following appears:
Status...........................................
Number of packets to display.....................
Bytes/packet to display..........................
Packet display format............................
Appendix E Logical Connectivity Diagrams

This appendix provides logical connectivity diagrams and related software commands for integrated controllers.

Cisco WiSM

Figure E-1 Logical Connectivity Diagram for the Cisco WiSM
[Diagram; the labels that survive extraction are: Catalyst 6500 WiSM or Cisco 7600 Series Router WiSM; various switch or router blades providing 100M/Gig/PoE/SFP ports; 2 SFP ports; RS-232 serial at 9600 baud; Supervisor 720 console; switch or router motherboard, memory, boot flash, flash file system, flash file system on CF card, disk 0, disk 1; Ethernet, 4 Gig E ports; 4404 Controller-A, hidden port 9, memory, boot flash, Controller Moth]
The commands used for communication between the Cisco WiSM, the Supervisor 720, and the 4404 controllers are documented in Configuring a Cisco Wireless Services Module and Wireless Control System at this URL: http://www.cisco.com/en/US/docs/wireless/technology/wism/technical/reference/appnote.

Cisco 28/37/38xx Integrated Services Router

• test HW-module integrated-service-engine slot/unit reset {enable | disable}
• service-module integrated-service engine slot/port {reload | reset | session [clear] | shutdown | status}

Refer to the Cisco Wireless LAN Controller Network Module Feature Guide for more information. You can find this document at this URL: http://www.cisco.

Catalyst 3750G Integrated Wireless LAN Controller Switch

Because there can be several switches in a stack, the switch_number parameter is used to indicate to which controller in the stack this session should be directed. Once a session is established, the user interacts with the controller CLI. Entering exit terminates the session and returns the user to the switch CLI.

Show Commands

These commands are used to view the status of the internal controller.

This command is initiated from the switch.
• debug platform wireless-controller switch_number ?
  where ? is one of the following:
  – all—All
  – errors—Errors
  – packets—WCP packets
  – sm—State machine
  – wcp—WCP protocol

Reset Commands

These two commands (in this order) are used to reset the controller from the switch. They are not yet available but will be supported in a future release.
Index types configuring 1-18 mesh described described illustrated 6-21 MMH Mode parameter 7-10 to 7-12 high-speed roaming 6-22, 6-23 4-36, 4-39, 4-40 mobility, overview 6-22 11-2 to 11-5 Mobility Anchor Config page 7-11 network example Mobility Anchor Create button 7-21 parameters 7-16 See auto-anchor mobility configuring using the GUI 7-14 to 7-16 viewing statistics 11-20 Mobility Anchors option viewing for an access point using the CLI 7-28 to 7-29 Mobility Anchors page view
Index mode button network address translation (NAT) devices, using in mobility groups 11-7 to 11-8 See reset button Mode parameter monitor mode, described mpings Network Mobility Services Protocol (NMSP) 4-39, 10-31 Network parameter 7-9 Multicast Appliance Mode parameter Noise threshold parameter 3-21 note, defined multicast groups 4-35 viewing using the GUI 4-34 Multicast Groups page Number of Hits parameter configuring using the GUI Multicast page 1-23 setting in the configuration wi
Index pico cell mode configuring using the CLI 10-38 using the GUI 10-35 to 10-37 versions 1-16, 7-72 10-36 7-69 PMK cache lifetime timer using the CLI 5-48 using the GUI 5-45 to 5-46 for external web server 6-20 9-16, 12-10 Preauthentication ACL parameter 6-21 Pool End Address parameter Port > Configure page Pre-Standard State parameter 6-10 Pool Start Address parameter priming access points Port Number parameter Priority parameter 5-65 ports Profile Details page 3-3 connecting
Index on the GUI Q overview QBSS 10-31 10-30 viewing status using the CLI 10-33 configuring using the CLI 6-31 radio preamble, described configuring using the GUI 6-30 to 6-31 radio resource management (RRM) described 6-29 guidelines benefits 6-29 5-33 10-5 CCX features information elements 6-29 See CCX radio management QoS configuring and identity networking levels 5-58 to 5-59 using the CLI 4-41, 6-26 settings using the configuration wizard 7-20 with CAC 10-22 to 10-23
Index disabling on LWAPP-enabled access points using to revert LWAPP-enabled access points to autonomous mode 7-39 resetting the controller Re-sync button described 7-48 8-19 viewing roam reason report, described 10-28 RF domain 10-13 enabling using the CLI 10-14 enabling using the GUI 10-11 to 10-13 rogue access points See RF groups challenges RF exposure declaration of conformity B-5 described 1-21 tagging, location, and containment 10-6 Role Name parameter 10-10 Role parameter R
Index described Short Preamble Enabled parameter 2-2 enabling using the CLI 2-4 short preambles, described 5-33 enabling using the GUI 2-3 Show Wired Clients option 7-54 security 5-33 shunned clients guidelines described 1-26 overview 5-2 solutions 5-2 to 5-4 5-67 viewing Security Mode parameter 7-15 Security Policy Completed parameter 5-68 using the GUI 5-67 Signal Strength Contribution parameter 6-34 Select APs from Current Controller parameter using the CLI 12-18 Signat
Index spanning-tree root Switch IP Address (Anchor) parameter 3-23 Spanning Tree Specification parameter SX/LC/T small form-factor plug-in (SFP) modules 3-26 SpectraLink NetLink phones 5-34 enabling long preambles using the GUI 5-33 configuring using the CLI Spectralink Voice Priority parameter SSC key-hash, on Cisco WiSM using the GUI 4-64 illustrated 7-38 SSID configuring 11-24 to 11-25 11-22 to 11-24 Symmetric Mobility Tunneling Mode parameter 6-5 using the GUI 6-4 described logs 6
Index TACACS+ (Authentication, Authorization, or Accounting) Servers page 5-9 TACACS+ (Cisco) page (on CiscoSecure ACS) Transmit Power parameter transmit power threshold, decreasing 5-7 telemetry access point join process CCXv5 clients 1-26 problems 4-75 terminal emulator, settings text2pcap, sample output 7-42 to 7-46 D-11 to D-27 D-5 to D-7 tunnel attributes, and identity networking 2-8 Tx Power Level Assignment parameter D-30 TFTP server, guidelines 10-23 troubleshooting TACACS+ Admin
Index Voice Optimized parameter V 4-64 voice-over-IP (VoIP) telephone roaming, described Validity parameter VCI strings 8-13 4-37 voice parameters 7-41 Verify Certificate CN Identity parameter 5-27 video information, viewing for mesh networks using the CLI 7-21 to 7-23 4-61 configuring using the GUI 4-52 to 4-53 4-59 to 4-60 configuring using the GUI 4-51 to 4-52 voice settings video parameters configuring using the CLI configuring using the CLI viewing using the CLI 4-62 to 4-64 viewi
Index using the GUI WLANs 9-18 to 9-19 checking security settings guidelines for downloading customized login window 9-17 to 9-18 modified default example previewing configuring both static and dynamic WEP 9-13 connecting clients to 9-10, 9-19 Web Authentication option 9-20 9-28 Web Authentication Type parameter Web Auth Type parameter 9-10, 9-17, 9-19 web-browser security alert 6-25 9-7 using the CLI 6-5 using the GUI 6-3 to 6-5 using the CLI 6-5 using the GUI 6-3 described 9-10,
Index sample configuration 7-52 viewing status using the CLI 7-55 using the GUI 7-53 to 7-55 world mode 4-9, 4-10 WPA1+WPA2 configuring using the CLI 6-20 using the GUI 6-19 to 6-20 described 6-18 WPA2 Policy parameter WPA Policy parameter 6-19 6-19 Cisco Wireless LAN Controller Configuration Guide OL-13826-01 IN-25
Index Cisco Wireless LAN Controller Configuration Guide IN-26 OL-13826-01