User Manual Stratix 5100 Wireless Access Point/Workgroup Bridge Catalog Numbers 1783-WAPAK9, 1783-WAPEK9, 1783-WAPCK9, 1783-WAPZK9
Important User Information Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.
Table of Contents
Preface: Audience; Purpose; Organization; Conventions
Deploying the Access Point on the Wireless Network 47; Access Point Status Indicators 48; Checking Power 49; Configure the Access Point 50
Chapter 3 Stratix 5100 Device Manager Configuration Startup: Using Device Manager
Association Page; Wireless Page; AP; WDS; Security Page
Chapter 5 Configure the Stratix 5100 WAP Using the Command-Line Interface: Cisco IOS Command Modes 175; Getting Help 176; Abbreviating Commands 177; Using No and Default Forms of Commands
Configuring RADIUS Login Authentication 209; Defining AAA Server Groups 211; Configuring RADIUS Authorization for User Privileged Access and Network Services 213; Displaying the RADIUS Configuration 214; Controlling Access Point Access with TACACS+
Chapter 7 Configuring Radio Settings: Enabling the Radio Interface; Configuring the Role in Radio Network; Universal Workgroup Bridge Mode; Configuring Dual-radio Fallback; Radio Tracking
Chapter 8 Configuring Multiple SSIDs: Understanding Multiple SSIDs; Effect of Software Versions on SSIDs; Configuring Multiple SSIDs; Default SSID Configuration; Creating an SSID Globally
Chapter 10 Configure an Access Point as a Local Authenticator: Understanding Local Authentication; Configuring a Local Authenticator; Configuration Overview; Configuring/Enabling Local MAC Authentication; Configuring the SSID
Using WPA Key Management 357; Software and Firmware Requirements for WPA, CCKM, CKIP, and WPA-TKIP 358; Configuring Authentication Types 359; Assigning Authentication Types to an SSID 359; Configuring WPA Migration Mode
Configuring Client MFP; Configuring Radio Management; CLI Configuration Example; Configuring Access Points to Participate in WIDS; Configuring the Access Point for Scanner Mode
Chapter 15 Configuring VLANs: Understanding VLANs; Related Documents; Incorporating Wireless Devices into VLANs; Configuring VLANs; Assigning SSIDs to VLANs
Chapter 18 Configuring CDP: Understanding CDP; Configuring CDP; Default CDP Configuration; Configuring the CDP Characteristics; Disabling and Enabling CDP
Configuring a Workgroup Bridge for Roaming; Configuring a Workgroup Bridge for Limited Channel Scanning; Configuring the Limited Channel Set; Ignoring the CCX Neighbor List; Configuring a Client VLAN; Workgroup Bridge VLAN Tagging
Appendix A Protocol Filters: Ethertype Protocols 573; IP Protocols 574; IP Port Protocols 574
Appendix B Supported MIBs: MIB List
Preface Audience This user manual is for the networking professional who installs and manages Stratix 5100™ Wireless Access Points and Workgroup Bridges. To use this guide, you must have some experience working with the Cisco IOS software and be familiar with the concepts and terminology of wireless local area networks. This user manual covers Cisco IOS Releases 12.4(25d)JA and later including 15.2(2)JA and later that support the Stratix 5100 WAP, 32 Mb platform.
Preface Organization This user manual is organized into these sections. Chapter 1 Getting Started with the Stratix 5100 WAP: Provides an overview of the Stratix 5100 Wireless Access Point/Workgroup Bridge, including its features and network configuration. Chapter 2 Install the Stratix 5100 Wireless Access Point/Workgroup Bridge: Provides details on how to install the access point.
Preface Conventions The Stratix 5100 Wireless Access Point/Workgroup Bridge is referred to as the Stratix 5100 WAP, WAP, access point, or workgroup bridge in this document. This publication uses these conventions to convey instructions and information. Command descriptions use these conventions: • Square brackets ([ ]) mean optional elements. • Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
Preface Rockwell Automation Support Rockwell Automation provides technical information on the Web to assist you in using its products. At http://www.rockwellautomation.com/support you can find technical and application notes, sample code, and links to software service packs. You can also visit our Support Center at https://rockwellautomation.custhelp.com/ for software updates, support chats and forums, technical information, FAQs, and to sign up for product notification updates.
Chapter 1 Getting Started with the Stratix 5100 WAP This chapter provides an overview of the Stratix 5100 Wireless Access Point/Workgroup Bridge, including its features and network configuration. The Stratix 5100 Wireless Access Point/Workgroup Bridge is referred to as the Stratix 5100 WAP, WAP, unit, or the access point in this document.
The Stratix 5100 WAP supports high-performing Spectrum Intelligence that sustains three spatial stream rates over a deployable distance with high reliability when serving clients. The access point provides high reliability and overall wireless performance. The access point operates in a standalone (autonomous) configuration. The Stratix 5100 WAP contains simultaneous dual-band radios (2.4 GHz and 5 GHz) with integrated and external antenna options.
Regulatory Domains The Stratix 5100 supports the following regulatory domains: • 1783-WAPAK9 (North America) • 1783-WAPZK9 (Australia/New Zealand) • 1783-WAPEK9 (European Union) • 1783-WAPCK9 (China) Configuring the Access Point You can configure and monitor the wireless device by using the following: • Command-line interface (CLI) • Stratix 5100 WAP Device Manager, a browser-based (web) management system • Simple Network Management Protocol (SNMP)
Roaming Client Devices If you have more than one wireless device in your wireless LAN, wireless client devices can roam from one wireless device to another. The roaming functionality is based on signal quality, not proximity. When a client's signal quality drops, it roams to another access point. Wireless LAN users are sometimes concerned when a client device stays associated to a distant access point instead of roaming to a closer access point.
This section describes the role of an access point in common wireless network configurations. The access point default configuration is as a root unit connected to a wired LAN or as the central unit in a wireless network. You can configure access points as repeater access points, bridges, and workgroup bridges. These roles require specific configurations.
Repeater Access Point An access point can be configured as a stand-alone repeater to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication. The repeater forwards traffic between wireless users and the wired LAN by sending packets to either another repeater or to an access point connected to the wired LAN. The data is sent through the route that provides the best performance for the client.
Figure 3 - Access Point as a Root Bridge with Clients (root bridge, non-root bridge). Figure 4 - Access Points as Root and Non-root Bridges with Clients (root bridge, non-root bridge). Workgroup Bridge You can configure access points as workgroup bridges. In workgroup bridge mode, the unit associates to another access point as a client and provides a network connection for the devices connected to its Ethernet port.
This graphic shows an access point configured as a workgroup bridge. See Understanding Workgroup Bridge Mode on page 535 and Configuring Workgroup Bridge Mode on page 540 for information on configuring your access point as a workgroup bridge. Figure 5 - Access Point as a Workgroup Bridge (access point, workgroup bridge). Central Unit in a Wireless Network In a wireless network, an access point acts as a stand-alone root unit.
Items Shipped with the WAP The following items are included with the WAP: • Power adapter • 4 Wi-Fi antennas • Console cable If any item is missing or damaged, contact Rockwell Automation; see Rockwell Automation Support on the back cover of this manual.
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Chapter 2 Install the Stratix 5100 Wireless Access Point/ Workgroup Bridge This chapter provides basic instructions on how to install and configure your Stratix 5100 Wireless Access Point/Workgroup Bridge.
Ports and Connections The ports and connections are on the bottom of the access point: 1 Security hasp; 2 Power connection; 3 Gigabit Ethernet port; 4 Console port; 5 Mounting bracket pins. Stratix 5100 WAP Specifications This table lists the technical specifications for the Stratix 5100 Wireless Access Point/Workgroup Bridge.
External Antennas The Stratix 5100 Wireless Access Point/Workgroup Bridge has external antenna connectors and a status indicator on the top. The antennas are rugged and designed for industrial use in locations such as hospitals, factories, warehouses, and other locations where there is a need for extended operating temperatures.
Figure 8 - Access Point Antenna Connections: 1 Antenna connector A; 2 Antenna connector B; 3 Antenna connector C; 4 Antenna connector D; 5 Status Indicator. The Stratix 5100 WAP is configured with up to four external dual-band dipole antennas, and 2.4 GHz/5 GHz dual-band radios in a 3 x 4 MIMO configuration with three spatial streams.
Table 2 - Dual-band Dipole Antenna (AIR-ANT2524DG-R) Specifications: Antenna type: Dual-band dipole; Operating frequency range: 2400…2500 MHz; Nominal input impedance: 50 Ω; VSWR: Less than 2:1; Peak Gain @ 2.4 GHz: 2 dBi; Peak Gain @ 5 GHz: 4 dBi; Elevation plane 3 dB beam width @ 2.4 GHz: 63°; Elevation plane 3 dB beam width @ 5 GHz: 39°; Connector type: RP-TNC plug; Antenna length: 168.5 mm (6.63 in.)
Preparing the Access Point Before you mount and deploy your access point, perform a site survey (or use a site planning tool) to determine the best location to install your access point. For more information about site surveys, see Cisco's Wireless Site Survey Frequently Asked Questions.
Install the WAP Install the Stratix 5100 WAP on a flat surface. 1. Unpack and remove the access point and the accessory kit from the shipping box. 2. Return any packing material to the shipping container and save it for future use. 3. Verify that you have received the items listed below.
Very High Altitudes While not defined in the specification sheet for the Stratix 5100 WAP, it has passed functional checks after a non-operational altitude test of 25 °C @ 4572 m (77 °F @ 15,000 ft) was performed. Additionally, it fully passed a functional test during an operational altitude test of 40 °C @ 3000 m (104 °F @ 9843 ft).
Grounding the Access Point Grounding is not always required for indoor installations because the access point is classified as a low-voltage device and does not contain an internal power supply. However, check your local and national electrical codes to see if grounding is a requirement. IMPORTANT Make sure to ground the mounting plate before you attach the WAP to a flat surface.
Securing the Access Point There are two ways to secure your access point: • Attach it to an immovable object with a security cable. • Lock it to the mounting plate with a padlock. Securing the Access Point to the Mounting Plate Use the security hasp on the adapter cable access cover and a padlock (that you provide) to secure your access point to the mounting plate.
Using a Security Cable You can secure the access point by installing a standard security cable (such as the Kensington Notebook MicroSaver, model number 64068) into the access point security cable slot. The security cable can be used with any of the mounting methods described in this document. Follow these steps to install the security cable. 1. Loop the security cable around a nearby immovable object. 2.
Figure 13 - WAP Mounting Bracket. Table 3 - Mounting Bracket Description: 1 Wall mount locations; 2 Grounding post; 3 Access point attachment slots; 4 Cable access cover; 5 Security hasp. Mark all four locations of the wall mounts. Make sure you have a secure installation. Use adequate fasteners to mount the access point and use no fewer than four fasteners.
Figure 14 - Routing the Ethernet and Power Cables 7. (Optional) Use the ground screw to attach the building ground wire to the mounting bracket. See Grounding the Access Point on page 39 for general grounding instructions. 8. Position the mounting bracket mounting holes (with indents down) over the pilot holes. 9. Insert a fastener into each mounting hole and tighten. 10. Connect the Ethernet and power cables to the access point.
Access Point Spacing Recommendation If you have a Wi-Fi device such as a WAP and want to use another WAP in the vicinity on a different channel, space the WAPs approximately six feet (two meters) apart. This recommended distance is based on the assumption that both devices operate in the unlicensed band and do not transmit RF energy more than 23 dB, that is, 200 mW. If higher power is used, space farther apart.
Follow these steps to mount the access point on a solid ceiling or wall. 1. Use the mounting bracket as a template to mark the locations of the mounting holes on the bracket. Figure 15 - Details of the Mounting Bracket: 1 Wall mount locations; 2 Grounding post; 3 Access point attachment slots; 4 Cable access cover; 5 Security hasp. TIP Mark all four locations of the wall mounts.
4. Pull approximately 9 in. of cable through the hole. Route the Ethernet and power cables through the bracket before you attach the bracket to the ceiling or wall. Route the cables through the main cable access hole and then through the smaller access hole as shown in this figure. Figure 16 - Routing the Ethernet and Power Cables 5. (Optional) Use the ground screw to attach the building ground wire to the mounting bracket.
3. Pull approximately 9 in. of Ethernet and power cable through the hole. Route the cables through the bracket before you attach the bracket to the ceiling. Route the cables through the main cable access hole and then through the smaller access hole as shown in Figure 16 on page 46. 4. (Optional) Use the ground screw to attach the building ground wire to the mounting bracket.
Access Point Status Indicators It is expected that there are small variations in color intensity and hue from unit to unit. This is within the normal range of the status indicator manufacturer's specifications and is not a defect. Figure 17 - Access Point Status Indicator. The status indicators communicate various WAP conditions.
Table 4 - Status Indicator Descriptions (Continued) Message Type: Operating status. Status Indicator / Description: Blinking blue: Software upgrade in progress; Cycling through green, red, and off: Discovery/join process in progress; Rapidly cycling through blue, green, and red: Access point location command invoked; Blinking red: Ethernet link not operational; Blinking blue: Configuration recovery in progress (MODE button pushed for
Configure the Access Point The configuration process takes place on the WAP using the Stratix 5100 Device Manager. For instructions on how to configure the Wireless Access Point/Workgroup Bridge by using Stratix 5100 Device Manager software, see Stratix 5100 Device Manager Configuration Startup on page 51. TIP Remember that you must do the initial configuration using the CLI and the console cable.
Chapter 3 Stratix 5100 Device Manager Configuration Startup This chapter describes the Stratix 5100 Device Manager and startup configurations. Device Manager is a web browser interface that you use to configure the wireless access point/workgroup bridge.
Using Device Manager Device Manager contains management pages that you use to change the access point settings, upgrade firmware, monitor, and configure wireless devices on the network. The access point radio interfaces are disabled by default. As you work with the management pages, error messages appear when you have missed a configuration parameter required by what you have already set.
Before You Start Before you configure the Stratix 5100 WAP, make sure you are using a computer connected to the same network as the access point, and obtain the following information from your network administrator: • A system name for the access point • The case-sensitive wireless service set identifier (SSID) for your radio network. • If not connected to a DHCP server, a unique IP address for the access point (such as 172.17.255.115).
Obtain and Assign an IP Address To browse to the Stratix 5100 WAP Device Manager Easy access point setup page, you must either obtain or assign the access point IP address. Provide your network administrator with the access point Media Access Control (MAC) address. Your network administrator queries the DHCP server by using the MAC address to identify the IP address.
Reset the WAP to Default Settings If you need to start over during the initial setup process, you can reset the access point to factory default settings. Reset to WAP Default Settings by Using MODE Follow these steps to reset the access point to factory default settings by using the access point MODE button: 1. Disconnect power (the power jack for external power or the Ethernet cable for PoE power) from the access point. 2.
The Summary Status page appears. 5. From the top menu, click Software. The System Software screen appears. 6. Click System Configuration. The System Configuration screen appears. 7. Click Reset to Defaults to reset all settings, including the IP address, to factory defaults. To reset all settings except the IP address to defaults, click Reset to Defaults (Except IP).
Logging into the Access Point A user can log in to the access point by using one of the following methods: • graphical user interface (GUI) • Telnet (if the AP is configured with an IP address) • console port For information on logging into the access point through the: • GUI, see Login to the Stratix 5100 WAP on page 53. • CLI, see Accessing CLI on page 182. • Console port, see Connect to the Stratix 5100 WAP Access Point Locally on page 54.
The Summary Status page appears. Your page can be different depending on the access point model you are using. Figure 18 - Summary Status Page 6. Click Easy Setup. 7. Open Easy Setup and click Network Configuration.
8. Enter the network configuration settings. This table describes the network configuration settings on the Easy Setup page. For more information about the parameters, see Easy Setup Network Configuration Page on page 80. Table 5 - Network Configuration Settings: Host Name: The host name, while not an essential setting, helps identify the wireless device on your network.
9. Enter the radio configuration settings. Figure 19 - Radio Configuration Settings on the Network Configuration Page Table 6 - Radio Configuration Settings: SSID: Identifies the SSID that client devices must use to associate with a device. Broadcast SSID in Beacon: This setting is active when the device is in the Root AP mode.
Table 6 - Radio Configuration Settings (Continued): Aironet Extensions: Choose Enable if there are only Rockwell Automation WAPs or Cisco Aironet devices on your wireless LAN and the unit is operating as an access point or workgroup bridge, or if the unit is operating as a repeater. Channel: Channel 1-24xx or Least Congested. When you choose Least Congested, the WAP determines on its own which channel is best.
The Network Interfaces Summary page appears. 4. Click the radio you want to configure. The Radio Status page appears. 5. Click the Settings tab.
The radio settings page appears. 6. Check Enable. 7. Click Apply. Your access point is now running but requires additional configuration to conform to your network operational and security requirements. Using VLANs If you use VLANs on your wireless LAN and assign SSIDs to VLANs, you can create multiple SSIDs by using any of the four security settings on the Express Security page.
Configuring Security After you assign the basic settings to the WAP, you must configure security settings to prevent unauthorized access to your network. Because it is a radio device, the access point can communicate beyond the physical boundaries of your work site. Just as you use the Easy Setup page to assign basic settings, you can use the Easy Security page to create unique SSIDs and assign one of four security types to them.
Easy Set-up Page Security Types This table describes the four security types that you can assign to an SSID on the Easy Setup Network Configuration page. Table 7 - Security Types on Easy Set-up Security Setup Page (Security Type / Description / Security Features Enabled): No Security: This is the least secure option. Use this option for SSIDs used only in a public space and assign it to a VLAN that restricts access to your network. Security features enabled: None.
Easy Setup Network Configuration Security Limitations Because the Easy Setup page is designed for simple configuration of basic network configurations and security, the options available are a subset of the access point security capabilities. If the No VLAN option is chosen, the static WEP key can be configured once. If you choose Enable VLAN, disable the static WEP key.
3. Click NEW and type the SSID in the SSID entry field. • The SSID can contain up to 32 alphanumeric characters. • See SSID Manager Page on page 116 for details on naming conventions. 4. To broadcast the SSID in the access point beacon, check the Broadcast SSID in Beacon check box. This setting is active only when the device is in the Root AP mode.
5. (Optional) Assign the SSID to a VLAN. a. Click Define VLANS. b. Select NEW. c. Enter a VLAN number (1…4094). d. Choose a radio and click Apply. You cannot assign an SSID to an existing VLAN. 6. (Optional) Check the Native VLAN check box to mark the VLAN as the native VLAN. 7. Choose the method of client authentication. 8. Choose the server priorities.
9. If needed, choose the MAC Authentication Servers. 10. Define the key management. TIP If you don't use VLANs on your wireless LAN, the security options that you can assign to multiple SSIDs are limited. For detailed information, see Configuring VLANs on page 441. 11. Click Apply. The SSID appears in the SSID table at the top of the page.
Figure 21 - DNS Page 2. Choose Enable for Domain Name System. 3. In the Domain Name field, enter your company domain name. At Rockwell Automation, for example, the domain name is rockwellautomation.com. 4. Enter at least one IP address for your DNS server in Name Server IP Addresses. 5. Click Apply. The access point FQDN is a combination of the system name and the domain name.
Stratix 5100 Device Manager Configuration Startup Chapter 3 Figure 22 - Services: HTTP Web Server Page 8. Click the Enable Secure (HTTPS) Browsing check box and click Apply. 9. Enter a domain name and click Apply. TIP Although you can enable both standard HTTP and HTTPS, We recommend that you enable one or the other. A warning page appears stating that you need to use HTTPS to browse to the access point.
Chapter 3 Stratix 5100 Device Manager Configuration Startup The address in your browser address line changes from: http://ip-address to https://ip-address. Another warning page appears stating that the access point security certificate is valid but is not from a known source. However, you can accept the certificate with confidence because the site in question is your own access point. Figure 24 - Certificate Warning page 11. Accept the certificate before proceeding, click View Certificate.
Stratix 5100 Device Manager Configuration Startup Chapter 3 The Microsoft pages Certificate Import Wizard appears. Figure 26 - Certificate Import Wizard page 13. Click Next. The Certificate Storage Area dialog box appears and asks where do you want to store the certificate. We recommend that you use the default storage area on your system. Figure 27 - Certificate Storage Area page 14. Click Next to accept the default storage area.
A final security warning appears.
Figure 29 - Certificate Security Warning
16. Click Yes.
Another page appears stating that the installation is successful.
Figure 30 - Import Successful page
17. Click OK.
The access point login dialog box appears and you must log into the access point again.
CLI Configuration Example
This example shows the CLI commands that are equivalent to the steps listed in Enabling HTTPS for Secure Browsing on page 69.
Deleting an HTTPS Certificate
The access point generates a certificate automatically when you enable HTTPS. However, if you need to change the fully qualified domain name (FQDN) for an access point, or you need to add an FQDN after enabling HTTPS, you can delete the certificate. Follow these steps to delete the certificate.
1. Browse to the Services>HTTP page.
2. Uncheck the Enable Secure (HTTPS) Browsing check box to disable HTTPS.
3.
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Chapter 4 Stratix 5100 Device Manager Parameter Definitions
This chapter defines the parameter settings for each page in Device Manager.
Topic (Continued) / Page
QoS Policies Page: 149
Stream Page: 154
SNMP Page: 155
SNTP Page: 158
ARP Caching Page: 161
Band Select Page: 162
Management Page: 164
Software Page: 166
Software Upgrade HTTP Page: 167
Software Upgrade TFTP Page: 168
System Configuration Page: 169
Event Log Page: 171
Device Manager System Management Tabs
After you have initially configured the access point with an IP address and have logged on, the Home page appears. The Home page provides a summary of associated stations, system events, and port status. It also provides many links to pages with detailed information. The System Management tabs provide a consistent way to view and save configuration information.
Table 9 - Stratix 5100 Device Manager System Management Tab Descriptions (Continued)
Item / Description
Services: Provides access to the other services available, for example, HTTP and QoS. See Services Page on page 135 for details.
Management: Location where you manage a guest user account and WebAuth. WebAuth is where you can customize the appearance of the Login page.
Network Configuration Settings on the Easy Setup Page
This is the Network configuration page under Easy Setup. Easy Setup contains an abbreviated version of the parameters from the Network page.
Figure 32 - Network Configuration Easy Setup
Table 10 - Network Configuration Parameter Descriptions
Parameter / Description
Host Name: The host name, while not an essential setting, helps identify the wireless device on your network.
Table 10 - Network Configuration Parameter Descriptions (Continued)
Parameter / Description
IP Subnet Mask: Enter the IP subnet mask provided by your network administrator so the IP address can be recognized on the LAN.
• If DHCP is not enabled, this field is the subnet mask.
• If DHCP is enabled, this field provides the subnet mask only if a server responds to the DHCP request; otherwise, leave it blank.
Radio Configuration Settings on the Easy Setup Page
This page contains information about the status of the GigabitEthernet and Radio-802.11b, Radio-802.11a, or Radio-802.11g interfaces, depending on the radio that is installed on the access point. It is an abbreviated set of the parameters from the radio settings tab in Network>Network Interface.
Table 11 - Radio Configuration Parameter Descriptions (Continued)
Parameter / Description
Repeater: Choose Repeater (Non-root) if the access point is not connected to the wired LAN. A non-root device accepts associations from clients and bridges wireless traffic from the clients to a root access point that is connected to the wired LAN. This setting can be applied to any access point.
Security Configuration Settings on the Easy Setup Page
You can configure a limited number of security parameters for the Stratix 5100 WAP. There are four choices:
• No Security
• WEP Key
• EAP Authentication
• WPA
Use the Security page to review and configure the security settings for the access point. You can also configure security by using the CLI; see Security CLI Configuration Examples on page 184.
Network Page
The Network page contains information about the network map and adjacent nodes. The Network Interface page provides the status of the GigabitEthernet and Radio-802.11b, Radio-802.11a, or Radio-802.11g interfaces, depending on the radio you have installed on the access point. Use the Network Map page to display information for any device on your wireless network.
Table 13 - Stratix 5100 Network Map Parameter Descriptions (Continued)
Item / Description
Device: The type of device (client, access point, bridge, and so on).
Name: The name given to this device.
Software Version: The software version currently running on your device.
Radio: Specifies whether the radio is 802.11a or 802.11b.
Channel: Specifies what channel the radio is using.
Table 14 - System Setting Parameter Descriptions
System Settings / Description
IP Address (DHCP) / IP Address (Static): The IP address for the access point. The IP address can be assigned dynamically with DHCP or assigned statically.
IP Subnet Mask: The IP subnet mask identifies the subnetwork so the IP address can be recognized on the LAN.
Default Gateway: The IP address of your default internet gateway is displayed here.
Table 14 - System Setting Parameter Descriptions (Continued)
System Settings / Description
Last Output Hang: The number of hours, minutes, and seconds (or never) since the interface was last reset because of a transmission that took too long. When the number of hours in the Time Since Last Input, Time Since Last Output, or Last Output Hang fields exceeds 24 hours, the number of days and hours is printed.
Network Interface IP Address Page
Use this page to identify the configuration server protocol and to identify the IP Address, IP Subnet Mask, and Default Gateway IP Address.
Figure 36 - Network Interfaces IP Address
Table 15 - IP Address Parameter Description
Parameter / Description
Configuration Server Protocol: Set this parameter to match the network's method of IP address assignment.
Network Interface GigabitEthernet Status Page
Use this page to review the status for the GigabitEthernet interface.
Figure 37 - Network Interface GigabitEthernet Status Page
Table 16 - GigabitEthernet Status Parameter Descriptions
Parameter / Description
Configuration Software Status: Indicates whether the interface has been enabled or disabled by the operator.
Table 16 - GigabitEthernet Status Parameter Descriptions (Continued)
Parameter / Description
Receive Statistics
5 min Input Rate (bits/sec): The average number of bits per second received in the last 5 minutes.
5 min Input Rate (packets/sec): The average number of packets per second received in the last 5 minutes.
Table 16 - GigabitEthernet Status Parameter Descriptions (Continued)
Parameter / Description
Babbles: The number of times the transmit jabber timer expired.
Collisions: The number of packets retransmitted because of an Ethernet collision (only applicable in half duplex).
Late Collisions: The number of late collisions.
Network Interface: GigabitEthernet Settings
You can use the settings page to define physical settings and AP authentication.
Table 17 - GigabitEthernet Parameter Descriptions
Parameter / Description
Physical Settings
Enable Ethernet: Enable / Disable
Current Status: Enabled, Up
Requested Duplex: Duplex setting for the Ethernet interface: Auto, Half, or Full. Important: Do not modify Requested Duplex while using inline power.
Network Interface: Radio0-802.11n 2 GHz and Radio1-802.11n 5 GHz Status
The Radio Status and the Detailed Status pages provide a summary of the current radio interface configuration and statistics.
Table 18 - Radio Interface Configuration and Statistics Parameter Descriptions
Parameter / Description
Configuration Software Status: Indicates whether the interface has been enabled or disabled by the operator.
Table 18 - Radio Interface Configuration and Statistics Parameter Descriptions (Continued)
Parameter / Description
Role in Network: The access point can operate as an Access Point (Root) or as a Repeater (Non-root). When operating as an Access Point (Root), it bridges wireless traffic to the wired LAN. When operating as a Repeater (Non-root), it bridges wireless traffic to an access point that is connected to the wired LAN.
Detailed Status
This page shows status details for the interface.
Figure 38 - Interface Detailed Status
Table 19 - Network Interfaces: Radio0-802.11N 2.4 GHz and 5 GHz Detailed Status
Parameter / Description
Radio
Radio Type: Lists the interface and serial number.
Radio Firmware Version: Current firmware version installed on the WAP.
Receive/Transmit Statistics
Host Kilobytes Received/Sent: Number of kilobytes sent and received by the server.
Table 19 - Network Interfaces: Radio0-802.11N 2.4 GHz and 5 GHz Detailed Status (Continued)
Parameter / Description
Multicasts Received/Sent By Host: Number of multicast packets received/sent by the server.
Mgmt Packets Received/Sent: Number of management packets received/sent by the access point.
RTS Received/Transmitted: Number of CTS frames received by the access point in response to an RTS frame.
Network Interface Radio Settings Page
The Settings page provides detailed parameter settings for the interface you need to configure. Some of these parameters overlap with the Easy Setup page.
Figure 39 - Interface Settings Page
Table 20 - Radio0-802.11n 2 GHz and Radio1-802.11n 5 GHz Settings Description
Parameter / Description
Operating Mode: This value indicates whether or not the radio supports multiple protocols, as in 802.
Table 20 - Radio0-802.11n 2 GHz and Radio1-802.11n 5 GHz Settings Description (Continued)
Parameter / Description
Current Status: This value comes from the radio buttons just above it. If you set the radio to Enabled, this value changes.
• Software and Hardware
• Disabled
• Down
Role in Radio Network: This is where you choose a role in the radio network.
Figure 40 - Interface Settings Page (continued)
Table 21 - Radio0-802.11n 2 GHz and Radio1-802.11n 5 GHz Settings Description
Parameter / Description
Data Rates:
• Best Range
• Best Throughput
• 1.0, 2.0, 5.5, 11.0, 6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, and 54
MCS Rates 0…23: Enable / Disable
Transmitter Power (dBm): 23, 20, 17, 14, 11, 8, 5, Max, Default
Table 21 - Radio0-802.11n 2 GHz and Radio1-802.11n 5 GHz Settings Description (Continued)
Parameter / Description
Client Power (dBm): Local, 23, 20, 17, 14, 11, 8, 5, Max, Default
Radio Channel: Least Congested Channel Search (Use Only Selected Channels)
Channel Width: 20 MHz
Figure 41 - Interface Settings Page (Continued)
Table 22 - Radio0-802.11n 2 GHz and Radio1-802.
Figure 42 - Interface Settings Page (Continued)
Table 23 - Radio0-802.11n 2 GHz and Radio1-802.11n 5 GHz Settings Description (Continued)
Parameter / Description
Traffic Stream Metric: Enable / Disable
Aironet Extension: Enable / Disable
Ethernet Encapsulation Transform: RFC1042, 802.
Carrier Busy Test
The Carrier Busy Test determines if the carrier is busy. The Carrier indicates the regulatory domain that the access point is operating in. The carrier set constrains the frequencies and power levels available.
Association Page
The Association page is where you can view the clients and infrastructure clients that are associated with the access point.
Table 24 - Association Page Parameter Descriptions (Continued)
Parameter / Description
MAC Address: The Media Access Control (MAC) address is a unique identifier assigned to the network interface by the manufacturer. If you click the MAC Address link, it takes you to the Association: Station View - Client screen. The MAC addresses that appear have been enabled on the SSID Manager page.
Wireless Page
Figure 44 - Wireless AP Services Summary
Table 25 - Wireless AP Page Parameter Descriptions
Parameter / Description
Participate in SWAN Infrastructure: Enable / Disable
WDS Discovery: Auto Discovery / Specified Discovery (IP Address)
Username: Participate username
Password: Participate password
Authentication Methods Profile: The Define Authentication Methods Profile link takes you to Security>AP Authentication.
WDS
When you configure Wireless Domain Services on your network, access points on your wireless LAN use the WDS device (either an access point, an Integrated Services Router, or a switch configured as the WDS device) to provide fast, secure roaming for client devices and to participate in radio management. Use these parameters to specify whether this access point is to be used as the Wireless Domain Services (WDS) device.
Table 26 - Wireless WDS/WNM General Setup Page Parameter Descriptions (Continued)
Parameter / Description
State: Displays the state of the access point as either Registered or not.
AP Information
MAC Address: The Media Access Control (MAC) address is a unique identifier assigned to the network interface by the manufacturer.
IP Address: IP address of the client/repeater.
Figure 46 - WDS and WNM General Set-up Page
Table 27 - Wireless WDS/WNM General Setup Page Parameter Descriptions
Parameter / Description
WDS - Wireless Domain Services - Global Properties
Use this AP as Wireless Domain Services: Check the box if you want to use the AP as the Wireless Domain Services device.
Figure 47 - WDS Server Groups Page
This page lets you set up authentication servers that can be used by the WDS access point. If you want an access point to serve as the WDS or as a WDS candidate, you need to configure it as such. You must configure at least one server on the Security>Server Manager tab before setting up server groups here.
Security Page
Use the Security page to configure security settings to prevent unauthorized access to your network. Because the WAP is a radio device, the wireless device can communicate beyond the physical boundaries of your work site. The Security Summary page provides a snapshot of the security settings and links to other security pages.
Table 29 - Security Summary Parameter Descriptions
Parameter / Description
Username: The username of the active user.
Read-Only: Specifies whether the user has read-only capabilities.
Read-Write: Specifies whether the user has read/write capabilities.
SSID: Specifies the unique identifier the client devices use to associate with the access point.
VLAN: Specifies the VLANs that are currently assigned.
Admin Access Page
The Admin Access page provides the administrator with information pertaining to security, authentication, and user lists.
Encryption Manager Page
You use Wired Equivalent Privacy (WEP) to encrypt radio signals sent by the bridge and decrypt radio signals received by the bridge. This page enables you to select authentication types for the access point.
Table 31 - Security Encryption Manager Parameter Descriptions
Parameter / Description
Encryption Modes: Indicate whether clients should use data encryption when communicating with the bridge.
None: The bridge communicates only with client devices that are not using WEP.
WEP Encryption: Choose Optional or Mandatory. If Optional, client devices can communicate with this access point or bridge with or without WEP.
SSID Manager Page
Use the SSID Manager page to assign SSIDs to specific radio interfaces. The SSIDs that you create are enabled on all radio interfaces.
Table 32 - SSID Manager Parameter Descriptions
Parameter / Description
Current SSID List: Enter the unique identifier that client devices use to associate with the access point. The SSID helps client devices distinguish between multiple wireless networks in the same vicinity.
Table 32 - SSID Manager Parameter Descriptions (Continued)
Parameter / Description
Client Authentication Settings
Methods Accepted: Specifies the Layer 3 mobility network identification number for the SSID.
Open Authentication: Choose Open Authentication by checking the check box. This enables any device to authenticate and then attempt to communicate with the access point.
Table 32 - SSID Manager Parameter Descriptions (Continued)
Parameter / Description
IDS Client: Enable Client MFP on this SSID
AP Authentication: Credentials are used to authenticate the access point to the network.
Credentials: Use the pull-down menu to specify a credentials profile for an SSID.
Table 32 - SSID Manager Parameter Descriptions (Continued)
Parameter / Description
Set DataBeacon Rate (DTIM): These commands let you set the DataBeacon:
ap> enable
ap# configure terminal
ap(config)# interface ________
ap(config-if)# beacon dtim-period
Set Infrastructure SSID: When the access point is in repeater mode, this SSID is used to associate with a parent access point.
Server Manager Page
The Server Manager page is where you enter the authentication settings. The RADIUS/TACACS+ server on your network uses EAP to provide authentication service for wireless client devices.
Table 33 - Security: Server Manager Parameter Descriptions
Parameter / Description
Backup RADIUS Server: Enter the host name or IP address of the access point acting as a local RADIUS server. Other access points on your wireless LAN use this backup authenticator when the main RADIUS server does not respond.
Shared Secret: Enter the shared secret used by your Local/Backup RADIUS server.
Server Manager Global Properties
The Server Manager Global Properties page provides more information about the servers you are using and the global locations of those servers.
Table 34 - Server Manager Global Properties Parameter Descriptions
Parameter / Description
RADIUS Calling/Called Station ID Format:
• Default. Example: 0000.4096.3e4a
• IETF. Example: 00-00-40-96-3e-4a
• Unformatted. Example: 000040963e4a
RADIUS Service-Type Attributes: Login / Framed
RADIUS WISPr Attributes (optional):
• ISO Country Code: 2 letters
• E.164 Country Code: 1…999
• E.
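As an added illustration (not from the manual or the device firmware), this Python helper renders a MAC address in each of the three Station ID formats listed above, names the format of a received Calling/Called-Station-Id, and compares station IDs independently of format, which is what a RADIUS policy keyed on client MAC needs when the access point's setting and the server's stored entries differ. Function names are assumptions of this example; the MAC 0000.4096.3e4a is the page's own example value.

```python
import re

# The three Calling/Called-Station-Id formats offered on the Server Manager
# Global Properties page (Table 34), keyed by the name shown in Device Manager.
# Patterns are anchored and case-insensitive: the page's examples are lowercase,
# but RADIUS servers commonly log the attribute in either case.
STATION_ID_PATTERNS = {
    "Default":     re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I),
    "IETF":        re.compile(r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$", re.I),
    "Unformatted": re.compile(r"^[0-9a-f]{12}$", re.I),
}


def normalize_mac(mac: str) -> str:
    """Reduce a MAC written in any of the three formats (or with colons) to
    12 lowercase hex digits. Raises ValueError for anything that is not a
    48-bit address, so a malformed attribute is never silently matched."""
    bare = re.sub(r"[.\-:\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", bare):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bare


def format_station_id(mac: str, fmt: str) -> str:
    """Render mac the way the access point sends it when the
    Calling/Called Station ID Format parameter is set to fmt."""
    bare = normalize_mac(mac)
    if fmt == "Default":        # Cisco dotted style, 3 groups of 4 hex digits
        return ".".join(bare[i:i + 4] for i in range(0, 12, 4))
    if fmt == "IETF":           # 6 groups of 2 hex digits, hyphen separated
        return "-".join(bare[i:i + 2] for i in range(0, 12, 2))
    if fmt == "Unformatted":    # bare 12 hex digits
        return bare
    raise ValueError(f"unknown station ID format: {fmt!r}")


def detect_format(attr_value: str):
    """Name the format a received Calling/Called-Station-Id is in, or None
    if it is in none of the three. Useful when a server's MAC entries do not
    match and you need to see what the access point actually sends."""
    for name, pattern in STATION_ID_PATTERNS.items():
        if pattern.match(attr_value):
            return name
    return None


def station_ids_match(attr_value: str, expected_mac: str) -> bool:
    """Format-independent comparison, for server-side policy that should keep
    working regardless of which format the access point is configured with."""
    try:
        return normalize_mac(attr_value) == normalize_mac(expected_mac)
    except ValueError:
        return False
```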
AP Authentication
Traditionally, the dot1x authenticator/client relationship has always been a network device and a PC client respectively, as it was the personal computer user that had to authenticate to gain access to the network. However, wireless networks introduce unique challenges to the traditional authenticator/client relationship.
Table 35 - AP Authentication General Set-up Page Parameter Descriptions
Parameter / Description
Current Credentials: Choose if you want to add a dot1x credentials profile.
Credentials Name: Enter a name for the dot1x credentials profile if you are adding a new profile. You can change the name if you have chosen an existing profile.
Username: Enter the authentication user ID.
Password: Enter the authentication password.
AP Authentication Certificates
This page lists the current certificates and public keys available. You can also configure the parameters for the trustpoint.
Table 36 - Certificates Page Properties Parameter Descriptions
Parameter / Description
Authentication Methods Profile: Credential profiles are applied to an interface or an SSID in the same way. When an access point connects to the network, the access point and the network authentication device negotiate to agree upon an authentication method supported by both devices to complete authentication.
Figure 52 - MFP Statistics
Table 37 - Intrusion Detection Page Parameter Descriptions
Parameter / Description
Transmit MFP Frames: When enabled, the access point protects the management frames it transmits by adding a message integrity check information element (MIC IE) to each frame.
Local RADIUS Server
Usually an external RADIUS server is used to authenticate users. In some cases, this is not a feasible solution. In these situations, an access point can be made to act as a RADIUS server. Here, users are authenticated against the local database configured in the access point. This is called the Local RADIUS Server feature.
Figure 54 - Local RADIUS Server General Set-up Page
Table 39 - Local RADIUS Server General Set-up Page Parameter Descriptions
Parameter / Description
Enable Authentication Protocols: EAP Fast / LEAP / MAC
Network Access Server (AAA Clients): Current Network Access Servers; Network Access Server (IP Address); Shared Secret
Individual Users: Current Users; Username; Password (Text or NT Hash); Group name; MAC Authentication Only
User Groups: Current
Figure 55 - Local RADIUS Server EAP-Fast Set-up Page
Table 40 - Local RADIUS Server EAP-Fast Set-up Page Parameter Descriptions
Parameter / Description
PAC Encryption Keys:
• Primary Key (optional): 32 Hex characters; Generate Random
• Secondary Key (optional): 32 Hex characters; Copy from primary
PAC Content:
• Authority Info (optional)
• Authority ID (optional): 32 Hex characters
Automatic PAC Provisioning (optional)
Current User Groups:
• PA
Advanced Security
You can set up the access point to authenticate client devices using a combination of MAC-based and EAP authentication; see SSID Manager Page on page 116. When you enable this feature, client devices that associate to the access point using 802.11 open authentication first attempt MAC authentication.
• If MAC authentication succeeds, the client device joins the network.
Figure 57 - Timers Page
Table 42 - Timers Page Parameter Descriptions
Parameter / Description
Global Client Properties
Client Holdoff Time: Disable Holdoff / Enable Holdoff with Interval: 1…65555 s
EAP or MAC Reauthentication Interval: Disable Reauthentication / Enable Reauthentication with Interval: 1…65555 s / Enable Reauthentication with Interval given by Authentication Server
Radio0-802.11N2.
Figure 58 - Association Access List Page
Table 43 - Association Access List Page Parameter Descriptions
Parameter / Description
Filter client association with MAC address access list: Select a filter.
Define Filter: This link takes you to Service>Filter where you can configure filters.
Services Page
The summary provides a list of the main services that are currently enabled or disabled. You can click any of the links to go to that page and change the configurations.
Table 44 - Telnet/SSH Page Parameter Descriptions
Parameter / Description
Telnet/SSH…
Telnet: Enable or Disable
• Select Enabled to let Telnet access the management system.
Terminal Type: Teletype or ANSI
• The preferred setting is ANSI, which offers graphic features such as reverse video buttons and underlined links. Not all terminal emulators support ANSI, so the default setting is Teletype.
Hot Standby Page
Clients associated to the standby access point lose their connection during the hot standby setup process.
Figure 61 - Hot Standby Page
Table 45 - Hot Standby Page Parameter Descriptions
Parameter / Description
Hot Standby Mode: Enabling hot standby designates this device as a backup for another access point. The standby device is placed near the access point it monitors and is configured exactly the same as the monitored device.
CDP Page
Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices. Information in CDP packets is used in network management software such as CiscoWorks2000. Use the CDP page to adjust the device's CDP settings.
Table 46 - CDP Page Parameter Descriptions (Continued)
Parameter / Description
Packets Sent Every (optional): The number of seconds between each CDP packet that the device sends. The default value is 60. This value must be less than the packet hold time.
Individual Port Enable
• Ethernet: When selected, the device sends CDP packets through its Ethernet port and monitors the Ethernet for CDP packets from other devices.
DNS Page
This page is where you decide whether you want DNS (Domain Name System) enabled or disabled. DNS is a name service that lets you connect to a device by a given name without knowing its IP address. So after you give the WAP a name and assign the DNS server to use, you need to make sure that the DNS server has a record of the WAP.
Filters Page
Protocol filters prevent or allow the use of specific protocols through the interface. You can set up individual protocol filters or sets of filters. This base page enables you to apply the filters for incoming and outgoing Ethernet and 802.11b Radio interfaces. Filters must be created before they can be applied.
MAC Address Filters Page
Use this page to allow or disallow the forwarding of unicast or multicast packets sent from or addressed to specific MAC addresses. You can create a filter that passes traffic to all MAC addresses except those you specify, or you can create a filter that blocks traffic to all MAC addresses except those you specify.
Table 49 - MAC Address Filters Page Parameter Descriptions (Continued)
Parameter / Description
Action: Select Forward or Block. Click Add. The MAC address appears in the Filters Classes field.
Default Action: Packets that do not match any of the Filters Classes are handled according to the Default Action. Select Forward All or Block All. The filter's default action must be the opposite of the action for at least one of the addresses in the filter.
IP Filters Page
Use this page to create or edit protocol filters. IP filters prevent or allow the use of IP address(es), IP protocols, and TCP/UDP ports through the access point's Ethernet and radio ports. You can create a filter that passes traffic to all addresses except those you specify, or you can create a filter that blocks traffic to all addresses except those you specify.
Table 50 - IP Filters Page Parameter Descriptions (Continued)
Parameter / Description
Default Action: Packets that do not match any of the Filters Classes are handled according to the Default Action. Select Forward All or Block All as the filter's default action. The filter's default action must be the opposite of the action for at least one of the addresses in the filter.
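To make the Default Action rule shared by the MAC Address Filters page (Table 49) and the IP Filters page (Table 50) concrete, here is an added Python model, not the access point's own code: validate() enforces the rule that the default action must be the opposite of at least one class's action, and decide() shows what happens to a packet that matches no class. The sample filters and packets are constructed for this example; that classes are tried in the order added with the first match winning is an assumption the page does not state.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable

FORWARD = "Forward"   # class action Forward, or default action "Forward All"
BLOCK = "Block"       # class action Block, or default action "Block All"


def _bare_mac(mac: str) -> str:
    """Accept dotted, hyphenated or colon MACs; compare as 12 lowercase hex digits."""
    return mac.replace(".", "").replace("-", "").replace(":", "").lower()


@dataclass
class FilterClass:
    """One entry in the Filters Classes field: what it matches and its action."""
    name: str
    match: Callable[[dict], bool]   # packet (dict of header fields) -> bool
    action: str                     # FORWARD or BLOCK


@dataclass
class PacketFilter:
    """A filter as built on the MAC Address Filters or IP Filters page: filter
    classes with individual Forward/Block actions plus a Default Action for
    packets that match no class. Assumption: first matching class wins."""
    default_action: str
    classes: list = field(default_factory=list)

    def validate(self) -> list:
        """Return the configuration problems the page's rules would reject."""
        problems = []
        if self.default_action not in (FORWARD, BLOCK):
            problems.append(f"default action must be Forward All or Block All, "
                            f"got {self.default_action!r}")
        if not self.classes:
            problems.append("filter has no classes")
        elif all(c.action == self.default_action for c in self.classes):
            # Every class repeats the default, so the filter changes nothing.
            problems.append(f"all classes use {self.default_action}; the default "
                            f"action must be the opposite of at least one class")
        return problems

    def decide(self, packet: dict) -> tuple:
        """Return (action, reason) for one packet."""
        for c in self.classes:
            if c.match(packet):
                return c.action, c.name
        return self.default_action, "Default Action"


# Class constructors for the two pages ------------------------------------

def mac_class(mac: str, action: str) -> FilterClass:
    """MAC Address Filters page: packets sent from or addressed to mac."""
    want = _bare_mac(mac)
    return FilterClass(f"mac {mac}", lambda p: want in (
        _bare_mac(p.get("src_mac", "")), _bare_mac(p.get("dst_mac", ""))), action)


def ip_address_class(cidr: str, action: str) -> FilterClass:
    """IP Filters page, address class: source or destination inside cidr."""
    net = ip_network(cidr, strict=False)
    return FilterClass(f"ip {cidr}", lambda p: any(
        k in p and ip_address(p[k]) in net for k in ("src_ip", "dst_ip")), action)


def port_class(proto: str, port: int, action: str) -> FilterClass:
    """IP Filters page, TCP/UDP port class: either port of a proto packet."""
    return FilterClass(f"{proto}/{port}", lambda p: p.get("proto") == proto
                       and port in (p.get("src_port"), p.get("dst_port")), action)


def example_decisions() -> dict:
    """Constructed sample filters and packets (not from the manual)."""
    # MAC filter: allow-list one station, block every other MAC.
    mac_filter = PacketFilter(BLOCK, [mac_class("0000.4096.3e4a", FORWARD)])
    # IP filter: management subnet is always forwarded; SNMP (UDP/161) from
    # anywhere else is blocked; everything else falls through to Forward All.
    ip_filter = PacketFilter(FORWARD, [ip_address_class("10.0.0.0/24", FORWARD),
                                       port_class("udp", 161, BLOCK)])
    assert mac_filter.validate() == [] and ip_filter.validate() == []
    packets = {
        "known_mac":   {"src_mac": "00-00-40-96-3E-4A", "dst_mac": "ff:ff:ff:ff:ff:ff"},
        "unknown_mac": {"src_mac": "0000.1111.2222", "dst_mac": "0000.4096.3e4b"},
        "snmp_from_mgmt":  {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.20",
                            "proto": "udp", "src_port": 50000, "dst_port": 161},
        "snmp_from_other": {"src_ip": "192.0.2.9", "dst_ip": "10.0.1.20",
                            "proto": "udp", "src_port": 50001, "dst_port": 161},
        "http_from_other": {"src_ip": "192.0.2.9", "dst_ip": "10.0.1.20",
                            "proto": "tcp", "src_port": 50002, "dst_port": 80},
    }
    results = {}
    for name in ("known_mac", "unknown_mac"):
        results[name] = mac_filter.decide(packets[name])[0]
    for name in ("snmp_from_mgmt", "snmp_from_other", "http_from_other"):
        results[name] = ip_filter.decide(packets[name])[0]
    return results
```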
Ethertype Filters Page
Ethertype filters prevent or allow the use of specific L3 protocols through the access point's Ethernet and radio ports. You can apply the filters you create to either or both the Ethernet and radio ports and to either or both incoming and outgoing packets.
HTTP Page
Use the Web Server page to enable browsing to the web-based management system files and enter settings for a custom-tailored web system for management.
Figure 68 - HTTP Page
Table 52 - HTTP Page Parameter Descriptions
Parameter / Description
Web-based Configuration Management: Check Enable Standard (HTTP) Browsing to allow non-secure browsing of the management system.
Table 52 - HTTP Page Parameter Descriptions (Continued)
Parameter / Description
HTTP Port: This setting determines the port on which your device provides non-secure web access. Use the port setting provided by your system administrator. The default is 80.
HTTPS Port: This setting determines the port on which your device provides secure (SSL) web access. Use the port setting provided by your system administrator. The default is 443.
QoS Policies Page
This page lets you configure the quality of service (QoS) on your access point. With this feature, you can provide preferential treatment to certain traffic. Without QoS, the access point offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Table 53 - QoS Policies Page Parameter Descriptions (Continued)
Parameter / Description
Match Classifications: All switches and routers that access the Internet rely on the class information to provide the same forwarding treatment to packets with the same class information and different treatment to packets with different class information.
IP Precedence: Eight IP precedence values are defined in RFC 791.
QoS: Radio Page
This page lets you define the Carrier Sense Multiple Access (CSMA) parameters for each traffic access category. These parameters affect how packets are delivered for the different classes of service. See QoS Policies Page on page 149 to determine the level of service you want. Modify these parameters with caution, because they affect radio behavior.
Table 54 - Access Category Definition Page Parameter Description (Continued)
Transmit Opportunity: Enter the number of microseconds that qualified transmitters can transmit through the normal back-off procedure with a set of pending packets.
Table 55 - QoS Policies Advanced Page Parameter Description
IP Phone QoS Element for Wireless Phones: If you enable this feature, dynamic voice classifiers are created for some wireless phone vendor clients, which give top priority to all voice packets. Additionally, the QoS Basic Service Set (QBSS) is enabled to advertise channel load information in the beacon and probe response frames.

Stream Page
Figure 71 - Stream Page
Table 56 - Stream Page Parameter Descriptions
Packet Handling per User Priority: Select the user priority to use for stream services. For each user priority listed, use the pull-down menu to choose either Reliable or Low Latency as the packet handling descriptor. Then set the maximum number of retries before a packet is discarded.
SNMP Page
SNMP is an application-layer protocol that supports message-oriented communication between SNMP management stations and agents. This page configures the access point to work with your network administrator's Simple Network Management Protocol (SNMP) station. In addition to enabling SNMP, you must enter an SNMP community.
Table 57 - SNMP Page Parameter Description (Continued)
SNMP Request Communities: This section is not enabled until you select Enabled in the Simple Network Management Protocol (SNMP) field at the top of the page and click Apply.
Current Community String: If you want to add a new community string, make sure (the default) is highlighted in the list.
Table 58 - SNMP Trap Community Parameter Descriptions (Continued)
SNMP Trap Community: The SNMP community string identifies the sender to the trap destination. This string is required by the trap destination before it records traps sent by the device.
Enable All Trap Notifications: Select this option to enable all the notifications available on the access point.
SNTP Page
Simple Network Time Protocol (SNTP) is an adaptation of the Network Time Protocol (NTP) used to synchronize computer clocks on the Internet. On this page, you can specify certain settings to ensure accurate and reliable operation.
Figure 74 - SNTP Page
Table 59 - SNTP Page Parameter Descriptions
Simple Network Time Protocol (SNTP): Select Enable if your network uses SNTP.
VLAN Page
A VLAN is a switched network that is logically segmented by function, project team, or application rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup can be connected to the same VLAN, regardless of their physical connections to the network or the fact that they can be intermingled with other teams.
Table 60 - VLAN Page Parameter Descriptions
Global VLAN Properties: Current Native VLAN specifies the VLAN that is designated as the native VLAN. Check the box under the VLAN ID field that denotes Native VLAN.
Assigned VLANs, Current VLAN List: By choosing a VLAN from this list, the VLAN ID and SSID for this VLAN are displayed.
ARP Caching Page
ARP caching on the access point reduces the traffic on your wireless LAN by stopping ARP requests for client devices at the access point. Instead of forwarding ARP requests to client devices, the access point responds to requests on behalf of associated client devices.

Band Select Page
Band selection enables client radios that are capable of dual-band (2.4 and 5 GHz) operation to move to a less congested 5 GHz access point. The 2.4 GHz band is often congested. Clients on this band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones, as well as co-channel interference from other access points because of the 802.11b/g limit of three non-overlapping channels.
Table 62 - Band Select Page Parameter Descriptions (Continued)
Cycle-Threshold: 1…1000 ms
Expire-Dual-Band: 10…300 s. Sets the expiration time for pruning previously known dual-band clients. The default value is 60 seconds. After this time elapses, clients become new and are subject to probe response suppression.
Expire-Suppression: 10…2000 s. Sets the expiration time for pruning previously known 802.11b/g clients.
Management Page
The Management page is where you manage guest user accounts. Here your business can create guest wireless access by creating a web authentication page. For example, when a guest logs in to a network that allows guest access, they are brought to a web page that states the terms and conditions of using the Wi-Fi. Once the guests accept the terms and enter the password (if necessary), they are able to access the web.

Webauth Login
This page lets you customize the appearance of the Login page. The Login page is presented to web users the first time they access the wireless network if 'Web Authentication' is turned on for the SSID.
Software Page
The Software page provides version information for the Cisco IOS software.
Figure 80 - Software Page
Table 65 - Software Page Parameter Descriptions
Product/Model Number: The model number of the access point.
Top Assembly Serial Number: The serial number of the access point.
System Software Filename: The software that was installed on the system.

Software Upgrade HTTP Page
An HTTP upgrade requires you to load the image into the access point memory. If there is not enough system memory for an HTTP upgrade, the upgrade fails. If it fails, try using a TFTP upgrade, or try the HTTP upgrade again after disabling the radio interfaces, shutting off high-memory-usage features (such as WDS), and rebooting.

Software Upgrade TFTP Page
Use the Software Upgrade TFTP page to upgrade the wireless AP via a TFTP server (you need to supply the TFTP server). This lets the WAP connect to the user-supplied TFTP server to download a new version of software and upgrade to it. You need to enter the TFTP server IP address or DNS name, and then the path/filename of the upgrade version of software that you want to install.
System Configuration Page
This is where the system configuration information can be found. On this page, you can load new configuration files, pull your show-tech information, reset the device, and adjust PoE settings.
Figure 83 - System Configuration Page
Table 68 - Software System Configuration Parameter Descriptions
Current Startup Configuration File: Right-click this link to save the config.
Reset to Factory Defaults (Except IP Address): Returns all access point settings to their defaults, except for a fixed IP address, which remains the same if it is configured. Click Reset to Defaults (Except IP) to cause the access point to restart. The default password for the access point is wirelessap.
Event Log Page
This is the page where you can view the event log. In the CLI, the equivalent command is show logging.
Table 69 - Event Log Page Parameter Descriptions
Start Display at Index: Enter the event where you want the event log to begin.
Max Number of Events to Display: Enter the number of events you want displayed on the event log.
Index: Sequentially numbers the events in the event log from the oldest to the newest.
Time: Displays the time stamp that was recorded with the event. The displayed format is chosen on the Event Log: Configuration Options page. The time stamp format displayed depends on the time stamp format that was selected at the time the event occurred.

Configuration Options Page
These settings let you decide how you want to be notified of the different events that are logged and the level of logging that is to take place.
Figure 84 - Configuration Options Page
Table 70 - Event Log Configuration Parameter Descriptions
Disposition of Events (by Severity Level): When a severity level is selected, all higher-priority severity levels are also selected.
Time Stamp Format for Future Events: Choose the time format in which you want the event time stamp information saved. The three supported time stamp formats are as follows:
• System Uptime: The length of time the system had been operational when the event occurred. Initially, this time is displayed as a number of seconds, growing to minutes, days, and weeks.
Chapter 5 Configure the Stratix 5100 WAP Using the Command-Line Interface
This chapter describes the Cisco IOS command-line interface (CLI) that you can use to configure the wireless device.
You can make changes to the running configuration by using the configuration modes: global, interface, and line. If you save the configuration, these commands are stored and used when the wireless device restarts. To access the various configuration modes, you must start at global configuration mode. From global configuration mode, you can enter interface configuration mode and line configuration mode.
Table 72 - Help Summary (Continued)
?: Lists all commands available for a particular command mode. For example: ap> ?
command ?: Lists the associated keywords for a command. For example: ap> show ?
command keyword ?: Lists the associated arguments for a keyword.

Understanding CLI Messages
This table lists some error messages that you can encounter while using the CLI to configure the wireless device.
Table 73 - CLI Error Messages
Error message: % Ambiguous command: show con
Meaning: You did not enter enough characters for the wireless device to recognize the command.
How to get help: Enter the command followed by a question mark (?), with a space between the command and the question mark.
Recalling Commands
To recall commands from the history buffer, perform one of the actions listed in this table.
Table 74 - Recall Command Actions and Results
Action(1): Press Ctrl-P or the up arrow key. Result: Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Action: Press Ctrl-N or the down arrow key.

Editing Commands through Keystrokes
This table shows the keystrokes that you need to edit command lines.
Table 75 - Editing Commands Through Keystrokes
Capability: Move around the command line to make changes or corrections.
Keystroke(1): Ctrl-B or the left arrow key. Purpose: Move the cursor back one character.
Keystroke: Ctrl-F or the right arrow key. Purpose: Move the cursor forward one character.
Editing Command Lines that Wrap
You can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command.

Searching and Filtering Output of show and more Commands
You can search and filter the output of show and more commands. This is useful when you need to sort through large amounts of output or want to exclude output that you don't need to see.

Opening CLI with Secure Shell
Secure Shell (SSH) is a protocol that provides a secure, remote connection to networking devices. The SSH software package provides secure login sessions by encrypting the entire session. SSH features strong cryptographic authentication, strong encryption, and integrity protection. For detailed information on SSH, visit the homepage of SSH Communications Security, Ltd.
5. Enter Y when the following CLI message appears: Proceed with reload? [confirm]
ATTENTION: To avoid damaging the configuration, don't interrupt the startup process. Wait until the access point/bridge Install Mode status indicator begins to blink green before continuing with CLI configuration changes.
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1/1
no ip address
no ip route-cache
!
ssid no_security_ssid
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
rts threshold 2312
station-role root
!
interface Dot11Radio1/1.
Example 2: Static WEP
This example shows part of the configuration that results from using the Security page to create an SSID called static_wep_ssid, excluding the SSID from the beacon, assigning the SSID to VLAN 20, choosing 3 as the key slot, and entering a 128-bit key:
ssid static_wep_ssid
vlan 20
authentication open
!
interface Dot11Radio0/1
no ip address
no ip route-cache
!
encryption vlan 20 key 3 size 128bit 7 FFD518A2165368

bridge-group 20 spanning-disabled
!
interface Dot11Radio1/1
no ip address
no ip route-cache
!
encryption vlan 20 key 3 size 128bit 7 741F07447BA1D4382450CB68F37A transmit-key
encryption vlan 20 mode wep mandatory
!
ssid static_wep_ssid
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.
Example 3: EAP Authentication
This example shows part of the configuration that results from using the Security page to create an SSID called eap_ssid, excluding the SSID from the beacon, and assigning the SSID to VLAN 30:
IMPORTANT: The following warning message appears if your radio clients are using EAP-FAST and you don't include open authentication with EAP as part of the configuration:
SSID CONFIG WARNING: [SSID]: If radio clien

bridge-group 30 subscriber-loop-control
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
bridge-group 30 spanning-disabled
!
interface Dot11Radio0/1
no ip address
no ip route-cache
!
encryption vlan 30 mode wep mandatory
!
ssid eap_ssid
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.

no ip address
ip mtu 1564
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.30
mtu 1500
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
no bridge-group 30 source-learning
bridge-group 30 spanning-disabled
!
interface BVI1
ip address 10.91.104.91 255.255.255.192
no ip route-cache
!
ip http server
ip http help-path http://www.
Example 4: WPA
This example shows part of the configuration that results from using the Security page to create an SSID called wpa_ssid, excluding the SSID from the beacon, and assigning the SSID to VLAN 40:
ssid wpa_ssid
vlan 40
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.91.104.

bridge irb
!
!
interface Dot11Radio0/1
no ip address
no ip route-cache
!
encryption vlan 40 mode ciphers tkip
!
ssid wpa_ssid
!
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
rts threshold 2312
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0/1.

speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.
Using a Terminal Application Session to Access CLI
Follow these steps to access the CLI by using a terminal application. These steps are for a computer running Microsoft Windows with a Telnet terminal application. Check your computer operating instructions for detailed instructions for your operating system.
1. Click Start > Programs > Accessories > Telnet.
Creating a Credentials Profile
Beginning in privileged EXEC mode, follow these steps to create an 802.1X credentials profile. For information on doing this in Device Manager, see AP Authentication on page 124.
1. Enter global configuration mode.
configure terminal
2. Create a dot1x credentials profile and enter the dot1x credentials configuration submode.
dot1x credentials profile
3.
ap1240AG(config-dot1x-creden)#username Rockwell
ap1240AG(config-dot1x-creden)#password wirelessap
ap1240AG(config-dot1x-creden)#exit
ap1240AG(config)#

Applying the Credentials to an Interface or SSID
Credential profiles are applied to an interface or an SSID in the same way.

Applying the Credentials Profile to an SSID Used for the Uplink
If you have a repeater access point in your wireless network and are using the 802.1X supplicant on the root access point, you must apply the 802.1X supplicant credentials to the SSID the repeater uses to associate with and authenticate to the root access point.
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Chapter 6 Administering the WAP Access
This chapter describes how to administer the wireless device.

Disabling the Mode Button
You can disable the mode button on access points that have a console port by using the [no] boot mode-button command. This command prevents password recovery and is used to prevent unauthorized users from gaining access to the access point CLI.
IMPORTANT: This command disables password recovery.

Preventing Unauthorized Access to Your Access Point
You can prevent unauthorized users from reconfiguring the wireless device and viewing configuration information. Typically, you want network administrators to have access to the wireless device while you restrict access to users who connect through a terminal or workstation from within the local network.
Default Password and Privilege Level Configuration
This table shows the default password and privilege level configuration.
Table 76 - Default Password and Privilege Levels
Username and password: Default username is blank and the default password is wirelessap.
Enable password and privilege level: Default password is wirelessap. The default is level 15 (privileged EXEC level).

Setting or Changing a Static Enable Password
When the system prompts you to enter the enable password, you need not precede the question mark with Ctrl-V; you can simply enter abc?123 at the password prompt.
TIP: The characters TAB, ?, $, +, and [ are invalid in passwords.
4. Return to privileged EXEC mode.
end
5. Verify your entries.
show running-config
6. (Optional) Save your entries in the configuration file.
Protecting Enable and Enable Secret Passwords with Encryption
To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration command.
Encryption prevents the password from being readable in the configuration file.
4. Return to privileged EXEC mode.
end
5. (Optional) Save your entries in the configuration file.
copy running-config startup-config
If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level.
username name [privilege level] {password encryption-type password}
• For name, specify the user ID as one word. Spaces and quotation marks are not allowed.
• (Optional) For level, specify the privilege level the user has after gaining access. The range is 0…15. Level 15 gives privileged EXEC mode access. Level 1 gives user EXEC mode access.
• For encryption-type, enter 0 to specify that an unencrypted password follows.
Configuring Multiple Privilege Levels
By default, Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
show running-config or show privilege
6. (Optional) Save your entries in the configuration file.
copy running-config startup-config
When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip route command to level 15, the show and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
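The subset rule above has a least-privilege side effect that is easy to miss: raising show ip route to level 15 also raises the bare show keyword, so level 1 users lose every show command until show is set back individually. The following Python model, added here as an illustration and not part of the manual or of Cisco IOS, reproduces the rule; the assumption that a user needs the level of every prefix of a command, not only of the full command, is a modelling choice, and the demo commands are constructed.

```python
USER_EXEC, PRIV_EXEC = 1, 15   # the two default modes named in the manual


class PrivilegeTable:
    """Tracks EXEC command privilege levels the way the manual describes.

    Modelling assumption (added here, not a statement of the manual): a user
    may run a command only if their level is at least the level of the command
    and of every prefix of it, since the parser accepts one keyword at a time.
    """

    def __init__(self):
        self.levels = {}        # command -> level; absent means default (1)
        self.explicit = set()   # commands that were set individually

    def set_level(self, level, command):
        """Emulate 'privilege exec level <level> <command>'."""
        self.levels[command] = level
        self.explicit.add(command)
        words = command.split()
        # Every prefix ("show", "show ip") is a syntactic subset and follows,
        # unless it was already set individually to its own level.
        for n in range(1, len(words)):
            prefix = " ".join(words[:n])
            if prefix not in self.explicit:
                self.levels[prefix] = level

    def required_level(self, command):
        """Highest level among the command and all of its prefixes."""
        words = command.split()
        return max(self.levels.get(" ".join(words[:n]), USER_EXEC)
                   for n in range(1, len(words) + 1))

    def can_run(self, user_level, command):
        return user_level >= self.required_level(command)


def demo():
    """Walk through the manual's example with constructed commands."""
    table = PrivilegeTable()
    table.set_level(PRIV_EXEC, "show ip route")
    before = table.can_run(USER_EXEC, "show version")   # False: 'show' is now 15
    table.set_level(USER_EXEC, "show")                   # give 'show' back to level 1
    after = table.can_run(USER_EXEC, "show version")     # True
    still_locked = not table.can_run(USER_EXEC, "show ip route")  # True: 'show ip' stays 15
    return before, after, still_locked


if __name__ == "__main__":
    print(demo())
```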
Default RADIUS Configuration
RADIUS and AAA are disabled by default. To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the wireless device through the CLI.

Configuring RADIUS Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces.
• For list-name, specify a character string to name the list you are creating.
• For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails. Choose one of these methods:
• local: Use the local username database for authentication. You must enter username information in the database. Use the username password global configuration command.
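The error-versus-failure distinction above decides whether a fallback method is ever consulted: a rejected password stops the list, while an unreachable server moves on. The following Python simulation, added here as an example and not code from the manual or from Cisco, walks a constructed radius-then-local method list through a rejection, an unreachable server, and a double failure; the user databases and outcomes are constructed.

```python
from enum import Enum


class Outcome(Enum):
    PASS = "pass"     # method answered and accepted the credentials
    FAIL = "fail"     # method answered and rejected the credentials
    ERROR = "error"   # method could not answer (server unreachable, etc.)


def authenticate(method_list, credentials, methods):
    """Evaluate a login method list as the manual describes: the next method is
    consulted only when the previous one returns ERROR, never on FAIL.
    `methods` maps a method name to callable(credentials) -> Outcome.
    Returns (outcome, name_of_last_method_consulted); if every method errors,
    the result is ERROR and the caller should deny access."""
    used = None
    for name in method_list:
        used = name
        outcome = methods[name](credentials)
        if outcome is not Outcome.ERROR:
            return outcome, used
    return Outcome.ERROR, used


# Constructed local username database (like 'username ... password ...').
LOCAL_USERS = {"admin": "s3cret"}


def local_method(creds):
    user, pw = creds
    if user not in LOCAL_USERS:
        return Outcome.FAIL
    return Outcome.PASS if LOCAL_USERS[user] == pw else Outcome.FAIL


def make_radius_method(reachable, users):
    """Simulated RADIUS server: ERROR when unreachable, otherwise PASS/FAIL."""
    def radius(creds):
        if not reachable:
            return Outcome.ERROR
        user, pw = creds
        return Outcome.PASS if users.get(user) == pw else Outcome.FAIL
    return radius


def scenarios():
    radius_users = {"admin": "radius-pw"}   # constructed; differs from local
    up = {"radius": make_radius_method(True, radius_users), "local": local_method}
    down = {"radius": make_radius_method(False, radius_users), "local": local_method}
    method_list = ["radius", "local"]   # e.g. 'aaa authentication login default group radius local'
    return {
        # RADIUS rejects the password: FAIL ends the list, local is never tried
        # even though the local database would have accepted these credentials.
        "radius_rejects": authenticate(method_list, ("admin", "s3cret"), up),
        # RADIUS unreachable: ERROR falls through to the local database.
        "radius_down": authenticate(method_list, ("admin", "s3cret"), down),
        # RADIUS unreachable and the local database also rejects.
        "both_bad": authenticate(method_list, ("admin", "nope"), down),
    }


if __name__ == "__main__":
    for name, (outcome, method) in scenarios().items():
        print(f"{name:15} -> {outcome.value} (decided by {method})")
```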
Defining AAA Server Groups
You can configure the wireless device to use AAA server groups to group existing server hosts for authentication. You choose a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
• (Optional) For key string, specify the authentication and encryption key used between the wireless device and the RADIUS daemon running on the RADIUS server.
TIP: The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used.
In this example, the wireless device is configured to recognize two different RADIUS server groups (group1 and group2). Group1 has two different host entries on the same RADIUS server configured for the same services. The second host entry acts as a fail-over backup to the first entry.
AP(config)# aaa new-model
AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
AP(config)# radius-server host 172.10.0.
Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:
1. Enter global configuration mode.
configure terminal
2. Configure the wireless device for user RADIUS authorization for all network-related service requests.
aaa authorization network radius
3. Configure the wireless device for user RADIUS authorization to determine if the user has privileged EXEC access.

Controlling Access Point Access with TACACS+
This section describes how to control administrator access to the wireless device by using Terminal Access Controller Access Control System Plus (TACACS+). For complete instructions on configuring the wireless device to support TACACS+, see Configuring RADIUS and TACACS+ Servers on page 407.
Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.
1. Enter global configuration mode.
configure terminal
2. Enable AAA.
aaa new-model
3. Create a login authentication method list.
aaa authentication login {default | list-name} method1 [method2...
7. Verify your entries.
show running-config
8. (Optional) Save your entries in the configuration file.
copy running-config startup-config
• To disable AAA, use the no aaa new-model global configuration command.
• To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command.
3. Configure the wireless device for user TACACS+ authorization to determine if the user has privileged EXEC access. The exec keyword can return user profile information (such as autocommand information).
aaa authorization exec tacacs+
4. Return to privileged EXEC mode.
end
5. Verify your entries.
show running-config
6. (Optional) Save your entries in the configuration file.
The Ethernet speed and duplex are set to auto by default. Beginning in privileged EXEC mode, follow these steps to configure Ethernet speed and duplex:
1. Enter global configuration mode.
configure terminal
2. Enter interface configuration mode.
interface fastethernet0
3. Configure the Ethernet speed. We recommend that you use auto, the default setting.
speed {10 | 100 | auto}
4. Configure the duplex setting. We recommend that you use auto, the default setting.

Configuring the Access Point for Local Authentication and Authorization
You can configure AAA to operate without a server by configuring the wireless device to implement AAA in local mode. The wireless device then handles authentication and authorization. No accounting is available in this configuration.
TIP: You can configure the wireless device as a local authenticator for 802.
• For password, specify the password the user must enter to gain access to the wireless device. The password must be from 1…25 characters, can contain embedded spaces, and must be the last option specified in the username command.
TIP: The characters TAB, ?, $, +, and [ are invalid in passwords.
username name [privilege level] {password encryption-type password}
7. Return to privileged EXEC mode.
end
8. Verify your entries.
show running-config
9.
The following is a configuration example from an access point configured for admin authentication by using TACACS+ with the auth cache enabled. While this example is based on a TACACS+ server, the access point can also be configured for admin authentication by using RADIUS:
version 12.

aaa authentication login mac_methods local
aaa authorization exec default local cache tac_admin group tac_admin
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache all
!
aaa session-id common
!
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.

!
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
tacacs-server host 192.168.133.231 key 7 105E080A16001D1908
tacacs-server directed-request
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.134.
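As an added illustration, not code from the manual or from Rockwell or Cisco, the following Python script audits a running-config excerpt like the one above for the settings this chapter and the HTTP, SNMP and Security pages of Chapter 4 discuss: an enable password with no enable secret, type 0 (clear) and type 7 (reversible) passwords and server keys, HTTP-only management, SNMP community strings, the factory default password, and static WEP. SAMPLE_CONFIG is constructed; its addresses, keys and passwords are dummy values.

```python
import re

# Constructed sample resembling this manual's config excerpts; every address,
# key and password is a dummy value, not taken from a real device.
SAMPLE_CONFIG = """\
version 12.3
enable password 7 0822455D0A16
username admin privilege 15 password 0 wirelessap
!
ip http server
no ip http secure-server
snmp-server community public RO
snmp-server community private RW
!
tacacs-server host 192.0.2.10 key 7 105E080A16001D1908
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key 0 sharedsecret
!
interface Dot11Radio0
 encryption vlan 20 mode wep mandatory
"""

DEFAULT_PASSWORD = "wirelessap"   # factory default stated in the manual
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}


def audit_config(text):
    """Return (severity, finding) tuples for an IOS-style config, worst first."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings = []
    has_enable_secret = any(ln.startswith("enable secret ") for ln in lines)

    # Web management reachable only over clear-text HTTP (port 80 by default).
    if "ip http server" in lines and "no ip http secure-server" in lines:
        findings.append(("high", "web management is HTTP only; enable HTTPS and disable HTTP"))

    for ln in lines:
        # 'enable password' stores the password as type 0 (clear) or type 7
        # (reversible). The manual says the enable secret is what users must
        # enter when both exist, so a config without one is unprotected.
        if re.match(r"enable password (?:\d+ )?\S+$", ln) and not has_enable_secret:
            findings.append(("high", "enable password configured without enable secret"))

        m = re.match(r"username (\S+)(?: privilege (\d+))? password (\d+) (\S+)$", ln)
        if m:
            user, priv, etype, pw = m.groups()
            if etype == "0":
                findings.append(("high", f"user {user}: clear-text (type 0) password"))
                if pw == DEFAULT_PASSWORD:
                    findings.append(("critical", f"user {user}: factory default password in use"))
            elif etype == "7":
                findings.append(("high", f"user {user}: type 7 password is reversible obfuscation"))
            if priv == "15":
                findings.append(("info", f"user {user}: privilege 15 (full privileged EXEC)"))

        m = re.match(r"snmp-server community (\S+) (RO|RW)", ln)
        if m:
            community, mode = m.groups()
            findings.append(("high" if mode == "RW" else "medium",
                             f"SNMP community '{community}' with {mode} access; "
                             "the community string is the only authentication"))

        m = re.match(r"(tacacs|radius)-server host \S+.* key (\d+) \S+", ln)
        if m and m.group(2) in ("0", "7"):
            findings.append(("medium", f"{m.group(1)}-server key stored as type {m.group(2)} "
                                       "(clear or reversible) in the config file"))

        if re.match(r"encryption(?: vlan \d+)? mode wep", ln):
            findings.append(("high", "static WEP configured; use WPA (see Example 4: WPA)"))

    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for severity, finding in audit_config(SAMPLE_CONFIG):
        print(f"[{severity:8}] {finding}")
```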
Configuring the Access Point to Provide DHCP Service
By default, access points are configured to receive IP settings from a DHCP server on your network. You can also configure an access point to act as a DHCP server to assign IP settings to devices on both your wired and wireless LANs.
TIP: When you configure the access point as a DHCP server, it assigns IP addresses to devices on its subnet.
5. Configure the duration of the lease for IP addresses assigned by the wireless device.
• days: configure the lease duration in number of days
• (optional) hours: configure the lease duration in number of hours
• (optional) minutes: configure the lease duration in number of minutes
• infinite: set the lease duration to infinite
lease {days [hours] [minutes] | infinite}
6. Specify the IP address of the default router for DHCP clients on the subnet.

Monitoring and Maintaining the DHCP Server Access Point
You can use show and clear commands to monitor and maintain the DHCP server access point.
Show Commands
In EXEC mode, enter the commands in this table to display information about the wireless device as a DHCP server.
Table 77 - Show Commands for DHCP Server
show ip dhcp conflict [address]: Provides a list of all address conflicts recorded by a specific DHCP server.
Configuring the Access Point for Secure Shell This section describes how to configure the Secure Shell (SSH) feature. For complete syntax and usage information for the commands used in this section, see Secure Shell Commands in Cisco IOS Security Command Reference for Release 12.3. Understanding SSH SSH is a protocol that provides a secure, remote connection to a Layer 2 or a Layer 3 device. There are two versions of SSH: SSH version 1 and SSH version 2. SSH version 1 has known protocol weaknesses, so configure version 2 wherever your management clients support it.
Administering the WAP Access Configuring Client ARP Caching Chapter 6 You can configure the wireless device to maintain an ARP cache for associated client devices. Maintaining an ARP cache on the wireless device reduces the traffic load on your wireless LAN. ARP caching is disabled by default. ARP caching on the wireless device reduces the traffic on your wireless LAN by stopping ARP requests for client devices at the wireless device.
Chapter 6 Administering the WAP Access 5. (Optional) Save your entries in the configuration file. copy running-config startup-config This example shows how to configure ARP caching on an access point: AP# configure terminal AP(config)# dot11 arp-cache AP(config)# end Managing the System Time and Date You can manage the system time and date on the wireless device automatically, by using the Simple Network Time Protocol (SNTP), or manually, by setting the time and date on the wireless device.
Administering the WAP Access Chapter 6 Enter the sntp server command once for each NTP server. The NTP servers must be configured to respond to the SNTP messages from the access point. If you enter both the sntp server command and the sntp broadcast client command, the access point accepts time from a broadcast server but prefers time from a configured server, assuming the strata are equal. To display information about SNTP, use the show sntp EXEC command.
Chapter 6 Administering the WAP Access 2. Verify your entries. show running-config 3. (Optional) Save your entries in the configuration file. copy running-config startup-config This example shows how to manually set the system clock to 1:32 p.m. on July 23, 2001. AP# clock set 13:32:00 23 July 2001 Displaying the Time and Date Configuration To display the time and date configuration, use the show clock [detail] privileged EXEC command.
Administering the WAP Access Chapter 6 3. Return to privileged EXEC mode. end 4. Verify your entries. show running-config 5. (Optional) Save your entries in the configuration file. copy running-config startup-config The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC. For example, the time zone for some sections of Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours .
Chapter 6 Administering the WAP Access 4. Verify your entries. show running-config 5. (Optional) Save your entries in the configuration file. copy running-config startup-config The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time.
Chapter 6 Administering the WAP Access Default System Name and Prompt Configuration The default access point system name and prompt is ap. Configuring a System Name Beginning in privileged EXEC mode, follow these steps to manually configure a system name: 1. Enter global configuration mode. configure terminal 2. Manually configure a system name. The default setting is ap.
Administering the WAP Access Understanding DNS Chapter 6 The DNS protocol controls the Domain Name System (DNS), a distributed database where you can map host names to IP addresses. When you configure DNS on the wireless device, you can substitute the host name for the IP address with all IP commands, such as ping, telnet, connect, and related Telnet support operations. IP defines a hierarchical naming scheme that lets a device be identified by its location or domain.
Chapter 6 Administering the WAP Access 3. Specify the address of one or more name servers to use for name and address resolution. You can specify up to six name servers. Separate each server address with a space. The first server specified is the primary server. The wireless device sends DNS queries to the primary server first. If that query fails, the backup servers are queried. ip name-server server-address1 [server-address2 ...
Displaying the DNS Configuration To display the DNS configuration information, use the show running-config privileged EXEC command. When DNS is configured on the wireless device, the show running-config output sometimes shows a server IP address instead of its name.
Chapter 6 Administering the WAP Access Notes: 240 Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Chapter 7 Configuring Radio Settings This chapter describes how to configure radio settings for the wireless access point.
Enabling the Radio Interface The wireless access point radios are disabled by default. IMPORTANT Beginning with Cisco IOS Release 12.3(8)JA there is no default SSID. You must create an SSID before you can enable the radio interface. Beginning in privileged EXEC mode, follow these steps to enable the access point radio: 1. Enter global configuration mode. configure terminal 2. Enter the SSID. The SSID can consist of up to 32 alphanumeric characters.
When configuring a universal workgroup bridge by using AES-CCM TKIP, the non-root device must use TKIP or AES-CCM TKIP as ciphers to associate to the root device. The non-root device does not associate with the root if it is configured with AES-CCM only, because that results in a mismatch in the multicast cipher between the root and non-root devices. You can also configure a fallback role for root access points.
• A universal workgroup bridge configures the access point in workgroup bridge mode and lets it interoperate with other access points. You must enter the Ethernet client MAC address. The workgroup bridge associates with the configured MAC address only if it is present in the bridge table and is not a static entry. If validation fails, the workgroup bridge associates with its BVI MAC address.
Universal Workgroup Bridge Mode When configuring the universal workgroup bridge role, you must include the client MAC address. The workgroup bridge associates only with this MAC address if it is present in the bridge table and is not a static entry. If validation fails, the workgroup bridge associates with its BVI MAC address.
Radio Tracking You can configure the access point to track or monitor the status of one of its radios. If the tracked radio goes down or is disabled, the access point shuts down the other radio. If the tracked radio comes up, the access point enables the other radio.
Configuring Radio Settings Chapter 7 You can configure the radio whose role is root access point to go up or down by tracking a client access point, using its MAC address, on another radio. If the client disassociates from the access point, the root access point radio goes down. If the client reassociates to the access point, the root access point radio comes back up.
Chapter 7 Configuring Radio Settings • To set the 2.4 GHz, 802.11g radio to serve only 802.11g client devices, set any Orthogonal Frequency Division Multiplexing (OFDM) data rate (6, 9, 12, 18, 24, 36, 48, 54) to Basic. • To set only the 5 GHz radio for 54 Mbps service, set the 54 Mbps rate to Basic and set the other data rates to Disabled. You can configure the wireless access point to set the data rates automatically to optimize either the range or the throughput.
Access Points Send Multicast and Management Frames at Highest Basic Rate Access points running recent Cisco IOS versions transmit multicast and management frames at the highest configured basic rate, which can cause reliability problems. Access points running LWAPP or autonomous IOS can transmit multicast and management frames at the lowest configured basic rate.
3. Refer to Speed Command and Purpose descriptions.
Table 81 - Speed Command and Purpose Descriptions

Command
speed {[1.0] [11.0] [2.0] [5.5] [basic-1.0] [basic-11.0] [basic-2.0] [basic-5.5] | range | throughput}

Purpose
Set each data rate to basic or enabled, or enter range to optimize range or throughput to optimize throughput.
802.11b, 2.4 GHz radio:
• (Optional) Enter 1.0, 2.0, 5.5, and 11.0 to set these data rates to enabled on the 802.11b, 2.4 GHz radio.
• Enter 1.0, 2.0, 5.5, 6.
Configuring Radio Settings Chapter 7 Use the no form of the speed command to remove one or more data rates from the configuration. This example shows how to remove data rates basic-2.0 and basic-5.5 from the configuration: ap1200# configure terminal ap1200(config)# interface dot11radio 0 ap1200(config-if)# no speed basic-2.0 basic-5.
Table 82 - Data Rates Based on MCS Settings, Guard Interval, and Channel Width (Continued)

Data rates in Mbps.

MCS Index   Guard Interval = 800 ns      Guard Interval = 400 ns
            20 MHz      40 MHz           20 MHz      40 MHz
11          52          108              57 7/9      120
12          78          162              86 2/3      180
13          104         216              115 5/9     240
14          117         243              130         270
15          130         270              144 4/9     300

The legacy rates are:
5 GHz: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps
2.4 GHz: 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, and 54 Mbps
MCS rates are configured by using the speed command.
Radio transmit power is based on the type of radio or radios installed in your access point and the regulatory domain where it operates. Configuring Radio Transmit Power Use this table to determine the available transmit power settings and the relationship between mW and dBm.
power levels. CCK modulation is supported by 802.11b and 802.11g devices. OFDM modulation is supported by 802.11g and 802.11a devices. TIP Make sure the power settings are within the limits allowed for your regulatory domain. TIP The 802.11g radio transmits at up to 100 mW for the 1, 2, 5.5, and 11 Mbps data rates. However, for the 6, 9, 12, 18, 24, 36, 48, and 54 Mbps data rates, the maximum transmit power for the 802.11g radio is 30 mW.
Configuring Radio Settings Chapter 7 • Setting the power level to local sets the client power level to that of the access point. • Setting the power level to maximum sets the client power to the allowed maximum. TIP The settings allowed in your regulatory domain can differ from the settings listed here. power client These options are available for 802.11b, 2.4 GHz clients (in mW): {local | 1 | 5 | 20 | 30 | 50 | 100 | maximum} These options are available for 802.11g, 2.
Chapter 7 Configuring Radio Settings Each 2.4 GHz channel covers 22 MHz. The bandwidth for channels 1, 6, and 11 does not overlap, so you can set up multiple access points in the same vicinity without causing interference. Both 802.11b and 802.11g 2.4 GHz radios use the same channels and frequencies. The 5 GHz radio operates on eight channels from 5180…5320 MHz. Each channel covers 20 MHz, and the bandwidth for the channels overlaps slightly.
40 MHz with the extension channel above the control channel. Choosing 40-below sets the channel width to 40 MHz with the extension channel below the control channel. TIP The channel command is disabled for 5 GHz radios that comply with European Union regulations on dynamic frequency selection (DFS). See Setting the 802.11n Guard Interval on page 262 for more information. channel {frequency | least-congested | width [20 | 40-above | 40-below] | dfs} 4.
• If participating in WDS, sends a DFS notification of its new operating frequency to the active WDS device. You cannot manually select a channel for DFS-enabled 5 GHz radios in some regions, depending on the regulatory requirements. In that case the access point selects a channel randomly. TIP This table lists the channels and the frequencies that require DFS.
*Mar 6 12:35:09.750: %DOT11-6-DFS_TRIGGERED: DFS: triggered on frequency 5500 MHz When radar is detected on a channel, that channel cannot be used for 30 minutes. The access point maintains a flag in nonvolatile storage for each channel on which it has detected radar in the last 30 minutes. After 30 minutes, the flag is cleared for the corresponding channel.
Chapter 7 Configuring Radio Settings Radio AIR-RM1251A, Base Address 011.9290ec0, BBlock version 0.00, Software version 6.00.
configure terminal 2. Enter the configuration interface for the 802.11a radio. interface dot11radio1 dfs 3. For number, enter one of the following channels: 36, 40, 44, 48, 149, 153, 157, 161, 5180, 5200, 5220, 5240, 5745, 5765, 5785, or 5805. Enter dfs and one of the following frequency bands to use dynamic frequency selection on the selected channel: 1 - 5.150…5.250 GHz 2 - 5.250…5.350 GHz 3 - 5.470…5.725 GHz 4 - 5.725…5.
Chapter 7 Configuring Radio Settings The 1, 2, 3, and 4 options designate blocks of channels: • 1 - Specifies frequencies 5.150…5.250 GHz. This group of frequencies is also known as the UNII-1 band. • 2 - Specifies frequencies 5.250…5.350 GHz. This group of frequencies is also known as the UNII-2 band. • 3 - Specifies frequencies 5.470…5.725 GHz. • 4 - Specifies frequencies 5.725…5.825 GHz. This group of frequencies is also known as the UNII-3 band.
Configuring Radio Settings Chapter 7 5. (Optional) Save your entries in the configuration file. copy running-config startup-config This section describes how to configure location-based services by using the access point CLI. As with other access point features, you can use a WLSE on your network to configure LBS on multiple access points. LBS settings don’t appear on the access point GUI in this release.
Chapter 7 Configuring Radio Settings Configuring LBS on Access Points Use CLI to configure LBS on your access point. Beginning in privileged EXEC mode, follow these steps to configure LBS: 1. Enter global configuration mode. configure terminal 2. Create an LBS profile for the access point and enter LBS configuration mode. dot11 lbs profile-name 3. Enter the IP address of the location server and the port on the server where the access point sends UDP packets that contain location information.
Configuring Radio Settings Chapter 7 9. Return to global configuration mode. exit In this example, the profile southside is enabled on the access point 802.11g radio: ap# configure terminal ap(config)# dot11 lbs southside ap(dot11-lbs)# server-address 10.91.105.
Chapter 7 Configuring Radio Settings 5. (Optional) Save your entries in the configuration file. copy running-config startup-config Short preambles are enabled by default. Use the preamble-short command to enable short preambles if they are disabled. Configuring Transmit and Receive Antennas You can select the antenna the wireless access point uses to receive and transmit data.
For best performance with two antennas, leave the receive antenna setting at the default setting, diversity. For one antenna, attach the antenna on the right and set the antenna for right. antenna receive {diversity | left | middle | right} 5. Set the transmit antenna to diversity, left, or right. For best performance with two antennas, leave the transmit antenna setting at the default setting, diversity.
probe-response gratuitous {period | speed}
4. (Optional) Enter a value from 10 to 255. The default value is 10.
period Kusec
5. (Optional) Set the response speed in Mbps. The default value is 6.0.
speed {[6.0] [9.0] [12.0] [18.0] [24.0] [36.0] [48.0] [54.0]}
6. Return to privileged EXEC mode.
end
7. (Optional) Save your entries in the configuration file.
Configuring Radio Settings Chapter 7 Cisco's WEP key permutation technique based on an early algorithm presented by the IEEE 802.11i security task group. The standards-based algorithm, TKIP, does not require Aironet extensions to be enabled. • Repeater mode You must enable the Aironet extensions on repeater access points and on the associated root access points.
Chapter 7 Configuring Radio Settings Configuring the Ethernet Encapsulation Transformation Method When the wireless access point receives data packets that are not 802.3 packets, the wireless access point must format the packets to 802.3 by using an encapsulation transformation method. These are the two transformation methods: • 802.1H—This method provides good performance for Cisco Aironet wireless products.
The performance cost of reliable multicast delivery, that is, a duplication of each multicast packet sent to each workgroup bridge, limits the number of infrastructure devices, including workgroup bridges, that can associate to the wireless access point. To increase beyond 20 the number of workgroup bridges that can maintain a radio link to the wireless access point, the wireless access point must reduce the delivery reliability of multicast packets to workgroup bridges.
Chapter 7 Configuring Radio Settings Enabling and Disabling Public Secure Packet Forwarding Public Secure Packet Forwarding (PSPF) prevents client devices associated to an access point from inadvertently sharing files or communicating with other client devices associated to the access point. It provides Internet access to client devices without providing other capabilities of a LAN. This feature is useful for public wireless networks like those installed in airports or on college campuses.
Configuring Radio Settings Configuring Protected Ports Chapter 7 To prevent communication between client devices associated to different access points on your wireless LAN, you must set up protected ports on the switch where the wireless access points are connected. Beginning in privileged EXEC mode, follow these steps to define a port on your switch as a protected port: 1. Enter global configuration mode. configure terminal 2.
Chapter 7 Configuring Radio Settings The default beacon period is 100, and the default DTIM is 2. Beginning in privileged EXEC mode, follow these steps to configure the beacon period and the DTIM: 1. Enter global configuration mode. configure terminal 2. Enter interface configuration mode for the radio interface. • The 2.4 GHz radio and the 802.11n 2.4 GHz radio is 0. • The 5 GHz radio and the 802.11n 5 GHz radio is 1. interface dot11radio {0 | 1} 3. Set the beacon period.
Configuring Radio Settings Chapter 7 4. Set the maximum RTS retries. Enter a setting from 1…128. rts retries value 5. Return to privileged EXEC mode. end 6. (Optional) Save your entries in the configuration file. copy running-config startup-config Use the no form of the command to reset the RTS settings to defaults.
Chapter 7 Configuring Radio Settings • The 2.4 GHz radio and the 2.4 GHz 802.11n radio is 0. • The 5 GHz radio and the 5 GHz 802.11n radio is 1. interface dot11radio {0 | 1} 3. Set the fragmentation threshold. • Enter a setting from 256…2346 bytes for the 2.4 GHz radio. • Enter a setting from 256…2346 bytes for the 5 GHz radio. fragment-threshold value 4. Return to privileged EXEC mode. end 5. (Optional) Save your entries in the configuration file.
Configuring Radio Settings Performing a Carrier Busy Test Chapter 7 You can perform a carrier busy test to check the radio activity on wireless channels. During the carrier busy test, the wireless access point drops all associations with wireless networking devices for 4 seconds while it conducts the carrier test and then the test results appear.
Chapter 7 Configuring Radio Settings Debugging Radio Functions Use the debug dot11 privileged EXEC command to begin debugging of radio functions. Use the no form of this command to stop the debug operation.
Chapter 8 Configuring Multiple SSIDs This chapter describes how to configure and manage multiple service set identifiers (SSIDs) on the access point.
For information on how to configure a guest-mode SSID and disable a guest-mode SSID, see Creating an SSID Globally on page 281. If your access point is a repeater or is a root access point that acts as a parent for a repeater, you can set up an SSID for use in repeater mode. You can assign an authentication username and password to the repeater-mode SSID to let the repeater authenticate to your network like a client device.
Configuring Multiple SSIDs Chapter 8 This table shows an example SSID configuration on an access point running Cisco IOS Release 12.2(15)JA and the configuration as it appears after upgrading to Cisco IOS Release 12.3(7)JA. Table 87 - Example: SSID Configuration Converted to Global Mode after Upgrade SSID Configuration in 12.2(15)JA SSID Configuration after Upgrade to 12.
Chapter 8 Configuring Multiple SSIDs When an SSID has been created in global configuration mode, the ssid configuration interface command attaches the SSID to the interface but does not enter ssid configuration mode. However, if the SSID has not been created in global configuration mode, the ssid command puts CLI into SSID configuration mode for the new SSID. IMPORTANT SSIDs created in Cisco IOS Releases 12.3(7)JA and later become invalid if you downgrade the software version to an earlier release.
7. (Optional) Designate the SSID as your access point guest-mode SSID. The access point includes the SSID in its beacon and allows associations from client devices that don't specify an SSID. guest-mode 8. This command controls the SSID that access points and bridges use when associating with one another. A root access point lets a repeater access point associate only by using the infrastructure SSID.
Chapter 8 Configuring Multiple SSIDs Use the no form of the command to disable the SSID or to disable SSID features. This example shows how to: • Name an SSID. • Configure the SSID for RADIUS accounting. • Set the maximum number of client devices that can associate by using this SSID to 15. • Assign the SSID to a VLAN. • Assign the SSID to a radio interface.
For example, this sample output from a show configuration privileged EXEC command does not show spaces in SSIDs:

ssid buffalo
vlan 77
authentication open
ssid buffalo
vlan 17
authentication open
ssid buffalo
vlan 7
authentication open

However, this sample output from a show dot11 associations privileged EXEC command shows the spaces in the SSIDs:

SSID [buffalo] :
SSID [buffalo ] :
SSID [buffalo  ] :

IMPORTANT This command shows only the first 15 characters of the
Chapter 8 Configuring Multiple SSIDs b. If the access point does not find a match for the client in the allowed list of SSIDs, the access point disassociates the client. c. If the RADIUS server does not return any SSIDs (no list) for the client, then the administrator has not configured the list, and the client is allowed to associate and attempt to authenticate. You must use the list of SSIDs from the RADIUS server in the form of Cisco VSAs.
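Both notes above, the SSID spellings that show configuration collapses and the SSID list that RADIUS returns, are easier to check with a script than by eye. The Python below is an added example, not code from this manual or from Cisco or Rockwell. It parses constructed show dot11 associations lines modelled on the sample above, groups SSIDs that differ only in surrounding whitespace or only beyond the 15-character display width, and applies the three-way RADIUS decision exactly as the manual states it (no list returned means the client is allowed). The association output and the SSID names IndustrialFloorA and IndustrialFloorB are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample modelled on the manual's "show dot11 associations" excerpt:
# three SSIDs that differ only in trailing spaces, plus one unrelated SSID.
# Not captured from a real access point.
SAMPLE_ASSOCIATIONS = """\
SSID [buffalo] :
SSID [buffalo ] :
SSID [buffalo  ] :
SSID [atlantic] :
"""

# One SSID line of that output; keeps whatever sits inside the brackets,
# whitespace included.
SSID_LINE = re.compile(r"^SSID \[(.*?)\] :", re.MULTILINE)


def parse_ssids(output: str) -> List[str]:
    """Return the SSIDs exactly as bracketed, in order of appearance."""
    return SSID_LINE.findall(output)


def whitespace_collisions(ssids: List[str]) -> Dict[str, List[str]]:
    """Group SSIDs that become identical once surrounding whitespace is removed,
    which is how show configuration prints them. Only groups with more than one
    distinct raw spelling are returned, shortest spelling first."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for ssid in ssids:
        groups[ssid.strip()].add(ssid)
    return {k: sorted(v, key=len) for k, v in groups.items() if len(v) > 1}


def prefix_collisions(ssids: List[str], width: int = 15) -> Dict[str, List[str]]:
    """Group configured SSIDs that share their first `width` characters and so
    look identical in output that truncates at that width (the manual gives 15
    for show dot11 associations)."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for ssid in ssids:
        groups[ssid[:width]].add(ssid)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def client_may_associate(ssid: str, allowed: Optional[List[str]]) -> bool:
    """The decision the manual describes for a RADIUS-returned SSID list:
    no list -> the administrator never configured one, allow;
    list present -> allow only an exact, byte-for-byte match."""
    if allowed is None:
        return True
    return ssid in allowed


def report(output: str) -> List[str]:
    """Human-readable findings; repr() keeps trailing spaces visible."""
    lines = []
    for base, spellings in whitespace_collisions(parse_ssids(output)).items():
        detail = ", ".join(f"{s!r} ({len(s)} chars)" for s in spellings)
        lines.append(f"{base!r}: {len(spellings)} spellings: {detail}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ASSOCIATIONS):
        print(line)
```

Run it directly to print the collisions. The RADIUS comparison is byte-exact, so an allowed list containing buffalo does not admit a client on buffalo followed by a space, and an empty return from RADIUS is fail-open, as the manual describes.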
Configuring Multiple SSIDs Chapter 8 Requirements for Configuring Multiple BSSIDs To configure multiple BSSIDs, your access points must meet these minimum requirements: • VLANs must be configured • Access points must run Cisco IOS Release 12.3(4)JA or later • Access points must contain an 802.11a or 802.11g radio that supports multiple BSSIDs. To determine whether a radio supports multiple basic SSIDs, enter the show controllers radio_interface command.
Chapter 8 Configuring Multiple SSIDs Configuring Multiple BSSIDs Follow these steps to configure multiple BSSIDs: 1. Click Security. The Security summary page appears. If you use CLI instead of the GUI, refer to CLI commands listed in the CLI Configuration Example on page 290. 2. From the left menu, click SSID Manager. The SSID Manager page appears.
Configuring Multiple SSIDs Chapter 8 3. Enter the SSID name in the SSID field. 4. From the VLAN pull-down menu, choose the VLAN that is assigned to the SSID. 5. Select the radio interfaces where the SSID is enabled. The SSID remains inactive until you enable it for a radio interface. 6. Enter a Network ID for the SSID in the Network ID field. 7.
Chapter 8 Configuring Multiple SSIDs 10. Enter a beacon rate between 1…100. TIP Increasing the DTIM period count delays the delivery of multicast packets. Because multicast packets are buffered, large DTIM period counts can cause a buffer overflow. 11. In the Guest Mode/Infrastructure SSID Settings section, select Multiple BSSID. 12. Click Apply.
Dot11Radio1 0011.2161.b7c0 Yes atlantic
Dot11Radio0 0005.9a3e.7c0f Yes WPA2-TLS-g

Assigning IP Redirection for an SSID When you configure IP redirection for an SSID, the access point redirects all packets sent from client devices associated to that SSID to a specific IP address. IP redirection is used mainly on wireless LANs serving handheld devices that use a central software application and are statically configured to communicate with a specific IP address.
Chapter 8 Configuring Multiple SSIDs Guidelines for Using IP Redirection Keep these guidelines in mind when using IP redirection: • The access point does not redirect broadcast, unicast, or multicast BOOTP/DHCP packets received from client devices. • Existing ACL filters for incoming packets take precedence over IP redirection. Configuring IP Redirection Beginning in privileged EXEC mode, follow these steps to configure IP redirection for an SSID: 1. Enter global configuration mode.
Configuring Multiple SSIDs IMPORTANT Chapter 8 ACL logging is not supported on the bridging interfaces of access point platforms. When applied on a bridging interface, it works as if the interface were configured without the log option, and logging does not take effect. However ACL logging does work for the BVI interfaces as long as a separate ACL is used for the BVI interface. This example shows how to configure IP redirection for an SSID without applying an ACL.
Chapter 8 Configuring Multiple SSIDs Beginning in privileged EXEC mode, follow these steps to include an SSID in an SSIDL IE: 1. Enter global configuration mode. configure terminal 2. Enter interface configuration mode for the radio interface. • The 2.4 GHz radio and the 2.4 GHz 802.11n radio is 0. • The 5 GHz radio and the 5 GHz 802.11n radio is 1. interface dot11radio { 0 | 1 } 3. Enter configuration mode for a specific SSID. ssid ssid-string 4.
Configuring Multiple SSIDs Chapter 8 WLANs need to be protected from security threats such as viruses, worms, and spyware. Both the NAC Appliance and the NAC Framework provide security threat protection for WLANs by enforcing device security policy compliance when WLAN clients attempt to access the network. These solutions quarantine non-compliant WLAN clients and provide remediation services to verify compliance.
Chapter 8 Configuring Multiple SSIDs When a client associates and the RADIUS server determines that it is unhealthy, the server returns one of the quarantine NAC VLANs in its RADIUS authentication response for dot1x authentication. This VLAN must be one of the configured back-up VLANs under the client SSID. If the VLAN is not one of the configured back-up VLANs, the client is disassociated.
Configuring Multiple SSIDs This feature supports only Layer 2 mobility within VLANs. Layer 3 mobility by using a network ID is not supported in this feature. Before you attempt to enable NAC for MBSSID on your access points, you must first have NAC working properly. This figure shows a typical network setup.
Chapter 8 Configuring Multiple SSIDs vlan mktg-normal backup mktg-infected1, mktginfected2, mktg-infected3 authentication open authentication network-eap eap_methods ! interface Dot11Radio0 ! encryption vlan engg-normal key 1 size 40bit 7 482CC74122FD transmit-key encryption vlan engg-normal mode ciphers wep40 ! encryption vlan mktg-normal key 1 size 40bit 7 9C3A6F2CBFBC transmit-key encryption vlan mktg-normal mode ciphers wep40 ! ssid engg ! ssid mktg ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9.
Configuring Multiple SSIDs Chapter 8 interface FastEthernet0.100 encapsulation dot1Q 100 native no ip route-cache bridge-group 1 no bridge-group 1 source-learning bridge-group 1 spanning-disabled ! interface FastEthernet0.
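The example configurations in this NAC section and in Chapter 6 carry three settings a reviewer should flag: ip http server together with no ip http secure-server, secrets stored as type 7 strings, and wep40 ciphers. A type 7 string is a fixed-key XOR encoding, not encryption, so anyone who can read the configuration can recover the secret. The Python below is an added example, not part of this manual or of any Cisco or Rockwell tooling; it assembles a constructed configuration fragment from the lines shown on these pages, decodes the type 7 strings and lists the findings. The decoder accepts only strings that start with two decimal digits, which is the shape IOS produces, and reports anything else as malformed; the second WEP key in the NAC example above starts with 9C and is reported that way.

```python
import re
from typing import List, Tuple

# Key used by IOS type 7 "encryption". It is published and fixed, so a type 7
# string is an encoding, not protection: whoever can read the config can
# recover the secret.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample assembled from lines in this manual's example configs
# (TACACS+ key and HTTP settings from Chapter 6, WEP keys from the NAC example
# above). Not a complete device configuration.
SAMPLE_CONFIG = """\
ip http server
ip http authentication aaa
no ip http secure-server
tacacs-server host 192.168.133.231 key 7 105E080A16001D1908
encryption vlan engg-normal key 1 size 40bit 7 482CC74122FD transmit-key
encryption vlan engg-normal mode ciphers wep40
encryption vlan mktg-normal key 1 size 40bit 7 9C3A6F2CBFBC transmit-key
encryption vlan mktg-normal mode ciphers wep40
"""

# "7 <hex>" wherever it appears as a keyword/value pair on a line.
TYPE7_RE = re.compile(r"\s7 ([0-9A-Fa-f]{4,})(?=\s|$)")
WEP_RE = re.compile(r"\bciphers\s+wep")


def decode_type7(encoded: str) -> bytes:
    """Reverse a type 7 string: two decimal seed digits, then hex bytes, each
    XORed with TYPE7_KEY starting at the seed offset. Raises ValueError for
    strings that do not have that shape."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    if seed >= len(TYPE7_KEY):
        raise ValueError(f"seed out of range in {encoded!r}")
    try:
        body = bytes.fromhex(encoded[2:])
    except ValueError:
        raise ValueError(f"non-hex body in {encoded!r}") from None
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(body))


def audit_config(text: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for the weak settings visible in the
    manual's example configurations."""
    findings: List[Tuple[str, str]] = []
    lines = [line.strip() for line in text.splitlines()]
    if "ip http server" in lines and "no ip http secure-server" in lines:
        findings.append(("cleartext-http",
                         "web management enabled over HTTP with HTTPS disabled"))
    for line in lines:
        m = TYPE7_RE.search(line)
        if m:
            try:
                secret = decode_type7(m.group(1))
                findings.append(("type7-reversible",
                                 f"{line.split()[0]}: recovered {secret!r}"))
            except ValueError as exc:
                findings.append(("type7-malformed", str(exc)))
        if WEP_RE.search(line):
            findings.append(("wep-cipher", line))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_config(SAMPLE_CONFIG):
        print(f"{kind:18} {detail}")
```

Running it shows that the TACACS+ key in the Chapter 6 example decodes to the word password and the first 40-bit WEP key to five raw bytes. Treat any type 7 string that has left the device as disclosed, and keep the web interface on HTTPS (ip http secure-server) if it has to be enabled at all.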
Chapter 9 Configuring Spanning Tree Protocol This chapter describes how to configure Spanning Tree Protocol (STP) on your access point.
Chapter 9 Configuring Spanning Tree Protocol STP defines a tree with a root bridge and a loop-free path from the root to all infrastructure devices in the Layer 2 network. TIP STP discussions use the term root to describe two concepts: the bridge on the network that serves as a central point in the spanning tree is called the root bridge, and the port on each bridge that provides the most efficient path to the root bridge is called the root port.
When the access points in a network are powered up, each access point functions as the STP root. The access points send configuration BPDUs through the Ethernet and radio ports. The BPDUs communicate and compute the spanning-tree topology.
Election of the Spanning-tree Root All access points in the Layer 2 network participating in STP gather information about other access points in the network through an exchange of BPDU data messages.
Configuring Spanning Tree Protocol In this figure, bridge 4 is elected as the spanning-tree root because the priority of all the access points is set to the default (32768) and bridge 4 has the lowest MAC address. However, because of traffic patterns, number of forwarding interfaces, or link types, bridge 4 might not be the ideal spanning-tree root.
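To make the election rule concrete, the Python below is an added example, not from this manual or from Cisco or Rockwell. It orders bridges by (priority, MAC address) as the text describes and shows that bridge 4 wins at default priorities, that lowering bridge 1's priority (the bridge priority command in the configuration steps later in this chapter) makes it root, and that any bridge advertising a still lower priority takes the role regardless of its MAC address. Two of the MAC addresses are taken from the show output earlier in the manual; the other addresses, the bridge names and the topology itself are constructed.

```python
from dataclasses import dataclass, replace
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                 # Cisco dotted-hex notation, e.g. "0011.2161.b7c0"
    priority: int = 32768    # default from the manual's STP settings

    def bridge_id(self) -> Tuple[int, int]:
        """Ordering used by the election: lower priority wins, ties broken by
        the lower MAC address treated as a 48-bit integer."""
        return (self.priority, int(self.mac.replace(".", ""), 16))


def elect_root(bridges: Iterable[Bridge]) -> Bridge:
    """Return the bridge every participant agrees on after BPDU exchange."""
    return min(bridges, key=Bridge.bridge_id)


def with_priority(bridges: List[Bridge], name: str, priority: int) -> List[Bridge]:
    """Copy of the topology with one bridge's priority changed, as the
    `bridge <number> priority` command does on that bridge."""
    return [replace(b, priority=priority) if b.name == name else b for b in bridges]


# Constructed topology. Two MAC addresses are the BSSIDs shown earlier in this
# manual; the other two are made up. All start at the default priority, and
# bridge 4 has the numerically lowest MAC.
TOPOLOGY = [
    Bridge("bridge1", "0011.2161.b7c0"),
    Bridge("bridge2", "0011.2161.b7d4"),
    Bridge("bridge3", "0011.2161.b801"),
    Bridge("bridge4", "0005.9a3e.7c0f"),
]

if __name__ == "__main__":
    print("default priorities:", elect_root(TOPOLOGY).name)
    pinned = with_priority(TOPOLOGY, "bridge1", 4096)
    print("bridge1 at 4096:   ", elect_root(pinned).name)
    # Any participant advertising a lower priority displaces the current root,
    # which is why the root should be chosen deliberately rather than left to
    # the default election.
    newcomer = pinned + [Bridge("unknown", "ffff.ffff.ffff", 0)]
    print("newcomer at 0:     ", elect_root(newcomer).name)
```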
Chapter 9 Configuring Spanning Tree Protocol An interface moves through these states: • From initialization to blocking • From blocking to listening or to disabled • From listening to learning or to disabled • From learning to forwarding or to disabled • From forwarding to disabled This figure illustrates how an interface moves through the states.
Blocking State An interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to the access point's Ethernet and radio ports. An access point initially functions as the spanning-tree root until it exchanges BPDUs with other access points. This exchange establishes which access point in the network is the spanning-tree root.
Chapter 9 Configuring Spanning Tree Protocol Forwarding State An interface in the forwarding state forwards frames. The interface enters the forwarding state from the learning state. An interface in the forwarding state performs as follows: • Receives and forwards frames received on the port • Learns addresses • Receives BPDUs Disabled State An interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational.
Default STP Configuration
STP is disabled by default. This table lists the default STP settings when you enable STP.
5. Return to global configuration mode.
   exit
6. Enable STP for the bridge group. You must enable STP on each bridge group that you create with bridge-group commands.
   bridge number protocol ieee
7. (Optional) Assign a priority to a bridge group. The lower the priority, the more likely it is that the bridge becomes the spanning-tree root.
   bridge number priority priority
8. Return to privileged EXEC mode.
   end
9. Verify your entries.
    guest-mode
 !
 speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 2312
 station-role root
 no cdp enable
 infrastructure-client
 bridge-group 1
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
!
interface BVI1
 ip address 1.4.64.23 255.255.0.0
 no ip route-cache
!
ip default-gateway 1.4.0.
Non-root Bridge without VLANs
This example shows the configuration of a non-root bridge with no VLANs configured with STP enabled:
hostname client-bridge-north
ip subnet-zero
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid tsunami
    authentication open
    guest-mode
 !
 speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end

Root Bridge with VLANs
This example shows the configuration of a root bridge with VLANs configured with STP enabled:
hostname master-bridge-hq
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid vlan1
    vlan 1
    infrastructure-ssid
    authentication open
 !
 speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.
 infrastructure-client
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 path-cost 500
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
!
interface BVI1
 ip address 1.4.64.23 255.255.0.0
 no ip route-cache
!
ip default-gateway 1.4.0.
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid vlan1
    vlan 1
    authentication open
    infrastructure-ssid
 !
 speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 2312
 station-role non-root
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
!
interface Dot11Radio0.
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 path-cost 400
!
interface BVI1
 ip address 1.4.64.24 255.255.0.
Displaying Spanning-tree Status
To display the spanning-tree status, use one or more of the privileged EXEC commands in this table.
Table 91 - Commands for Displaying Spanning-tree Status
Command | Description
show spanning-tree | Information on your network’s spanning tree.
show spanning-tree blocked-ports | List of blocked ports on this bridge.
show spanning-tree bridge | Status and configuration of this bridge.
Chapter 10 Configure an Access Point as a Local Authenticator
This chapter describes how to configure the access point as a local authenticator to serve as a stand-alone authenticator for a small wireless LAN or to provide backup authentication service. As a local authenticator, the access point performs LEAP, EAP-FAST, and MAC-based authentication for up to 50 client devices.
You can configure your access points to use the local authenticator when they cannot reach the main servers, or you can configure your access points to use the local authenticator as the main authenticator if you don’t have a RADIUS server.
If your local authenticator access point also serves client devices, you must enter the local authenticator as a RADIUS server in the local authenticator’s configuration. When a client associates to the local authenticator access point, the access point uses itself to authenticate the client.
Configuring/Enabling Local MAC Authentication
Two modes of MAC authentication are used.
Creating Local MAC Address Lists
Now that the SSID is configured, you can create the local MAC address list.
1. Click Security.
2. From the Security menu, click Advanced Security.
3. Click the MAC Address Authentication tab to move to the MAC Address Authentication page.
4. Select Local List Only for the MAC Address Authenticated by parameter.
5. Click Apply on that MAC Address Authentication portion of the page.
6.
Creating and Enabling MAC Authentication by Using RADIUS Server
You must first configure the SSID. Complete the following steps to configure the SSID.
1. Click Security.
2. From the Security menu, click SSID Manager.
3. In the Current SSID list, select the SSID for the MAC authentication. If you need to create a new SSID, continue to step 4. Otherwise, skip to step 7.
4. Select from the Current SSID List.
5.
If you click to enable the use of the defaults, click the Define Defaults link to go to the Server Manager page. This is where you can configure the RADIUS server.
10. Click Apply.
Add the RADIUS Server
Now that the SSID is configured, you can add the RADIUS or TACACS+ server. Complete these steps to add the RADIUS server.
1. Click Security.
2. From the Security menu, click Server Manager.
3.
9. From Default Server Priorities, determine the level of priority you want to assign to each server.
10. Select Priority 1, 2, or 3 for this server.
11. Click Apply to add the server.
Steps 12 through 16 are optional tasks and can be skipped to expedite setup.
12. Click the Global Properties tab.
13. In the Accounting Updates Interval field, specify the interval at which you want the accounting updates to be performed.
14.
Setting the MAC Authentication Method
After the RADIUS server is added, you can set the MAC authentication method. Complete these steps to set the MAC authentication method.
1. Click Security.
2. From the Security menu, click Advanced Security.
3. Click the MAC Address Authentication tab.
4. Select Authentication Server if not found in Local List if you want to use the RADIUS server in conjunction with a local list.
5.
Configuring Network EAP
A device uses the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server on your network to provide authentication for wireless client devices. To configure Network EAP, you must first configure the SSID. Follow these steps to configure the SSID.
1. Click Security.
2. From the Security menu, click SSID Manager.
3.
4. Under the Encryption Mode section, click WEP Encryption to enable encryption. You can choose either Optional or Mandatory from the pull-down menu.
5. This step is optional and can be skipped to expedite setup. If you want to set the broadcast key rotation interval, continue with this step. Otherwise, skip to step 6. At the Broadcast Key Rotation Interval parameter, select Enable Rotation with Interval to enable this feature.
9. Enter the port number your RADIUS server uses for accounting. The port setting for Cisco's RADIUS server (the Access Control Server [ACS]) is 1646, and the port setting for many RADIUS servers is 1813. Check your server's product documentation to find the correct accounting port setting.
10. Use the pull-down menus to determine the level of priority you want to assign to each server.
11. Click Apply to add the server.
Configuring Advanced EAP Parameters
Now that the RADIUS server is added, you can configure advanced EAP parameters. These steps are optional and can be skipped to expedite setup.
1. Click Security.
2. From the Security menu, click Advanced Security.
3. Click the Timers tab to go to the page where EAP authentication is specified.
4. Choose one of the options that enable reauthentication.
Configuring the Local Authenticator Access Point by Using CLI
Beginning in privileged EXEC mode, follow these steps to configure the access point as a local authenticator:
1. Enter global configuration mode.
   configure terminal
2. Enable AAA.
   aaa new-model
3. Enable the access point as a local authenticator and enter configuration mode for the authenticator.
   radius-server local
4.
The reauthentication provides users with a new encryption key. The default setting is 0, which means that group members are never required to reauthenticate.
   reauthentication time seconds
9. (Optional) To help protect against password guessing attacks, you can lock out members of a user group for a length of time after a set number of incorrect passwords.
• count—The number of failed passwords that triggers a lockout of the username.
12. Return to privileged EXEC mode.
    end
13. (Optional) Save your entries in the configuration file.
    copy running-config startup-config
This example shows how to set up a local authenticator used by three access points with three user groups and several users:
AP# configure terminal
AP(config)# radius-server local
AP(config-radsrv)# nas 10.91.6.159 key 110337
AP(config-radsrv)# nas 10.91.6.162 key 110337
AP(config-radsrv)# nas 10.91.6.
AP(config-radsrv)# user 00095125d02b password 00095125d02b group clerks mac-auth-only
AP(config-radsrv)# user 00095125d02b password 00095125d02b group cashiers
AP(config-radsrv)# user 00079431f04a password 00079431f04a group cashiers
AP(config-radsrv)# user carl password 272165 group managers
AP(config-radsrv)# user vic password lid178 group managers
AP(config-radsrv)# end

Configuring Other Access Points to Use the Local Authenticator
You add
This example shows how to set up two main servers and a local authenticator with a server deadtime of 10 minutes:
AP(config)# aaa new-model
AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 key 77654
AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 key 77654
AP(config)# radius-server host 10.91.6.
Configuring EAP-FAST Settings
The default settings for EAP-FAST authentication are suitable for most wireless LANs. However, you can customize the credential timeout values, authority ID, and server keys to match your network requirements.
Configuring PAC Settings
This section describes how to configure Protected Access Credential (PAC) settings.
Use this command to generate a PAC manually:
AP# radius local-server pac-generate filename username [password password] [expiry days]
When you enter the PAC filename, enter the full path to where the local authenticator writes the PAC file (such as tftp://172.1.1.1/test/user.pac). The password is optional and, if not specified, a default password understood by the CCX client is used.
attempts to decrypt the PAC with the secondary key if one is configured. If decryption fails, the authenticator rejects the PAC as invalid. Use these commands to configure server keys:
AP(config-radsrv)# [no] eapfast server-key primary {[auto-generate] | [ [0 | 7] key]}
AP(config-radsrv)# [no] eapfast server-key secondary [0 | 7] key
Keys can contain up to 32 hexadecimal digits.
• Enter 0 before the key to enter an unencrypted key.
Limiting the Local Authenticator to One Authentication Type
By default, a local authenticator access point performs LEAP, EAP-FAST, and MAC-based authentication for client devices. However, you can limit the local authenticator to perform only one or two authentication types.
PAC refresh          : 0
Invalid PAC received : 0

Username    Successes  Failures  Blocks
nicky       0          0         0
jones       0          0         0
jsmith      0          0         0

Router#sh radius local-server statistics
Successes              : 1    Unknown usernames      : 0
Client blocks          : 0    Invalid passwords      : 0
Unknown NAS            : 0    Invalid packet from NAS: 0
The first section of statistics lists cumulative statistics from the local authenticator.
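An added example, not code from the manual, that parses the per-user and per-server counters in the show radius local-server statistics output above and lists the users who were blocked or accumulated repeated failures; the sample output is constructed to match the layout shown, with non-zero counters so there is something to flag.

```python
"""Parser for the counters shown by 'show radius local-server statistics' on
the local authenticator, used to spot password guessing against LEAP/EAP-FAST
users: the lockout described in the configuration steps shows up as a
non-zero Blocks counter, repeated bad passwords as Failures. Added example,
not code from the manual; the sample output below is constructed."""

import re

SAMPLE_OUTPUT = """\
Successes              : 1    Unknown usernames      : 0
Client blocks          : 2    Invalid passwords      : 9
Unknown NAS            : 0    Invalid packet from NAS: 0

Username    Successes  Failures  Blocks
nicky       0          0         0
jones       1          0         0
jsmith      0          9         2
"""

# Two "name : value" pairs share one line in the server section.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)")
# One user row: username, successes, failures, blocks.
USER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_statistics(text):
    """Return (server_counters, per_user). server_counters maps a counter
    name to its value; per_user maps a username to its successes, failures
    and blocks. Everything after the 'Username' header is the user table."""
    counters, users = {}, {}
    in_user_table = False
    for line in text.splitlines():
        if line.startswith("Username"):
            in_user_table = True
            continue
        if in_user_table:
            m = USER_RE.match(line)
            if m:
                users[m.group(1)] = {
                    "successes": int(m.group(2)),
                    "failures": int(m.group(3)),
                    "blocks": int(m.group(4)),
                }
            continue
        for name, value in COUNTER_RE.findall(line):
            counters[name.strip()] = int(value)
    return counters, users


def suspicious_users(per_user, failure_threshold=3):
    """Usernames that hit the lockout or accumulated repeated failures;
    a sorted list so the result is stable for alerting or diffing."""
    return sorted(u for u, s in per_user.items()
                  if s["blocks"] > 0 or s["failures"] >= failure_threshold)


if __name__ == "__main__":
    counters, users = parse_statistics(SAMPLE_OUTPUT)
    print(counters["Invalid passwords"], suspicious_users(users))
```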
Using Debug Messages
In privileged EXEC mode, enter this command to control the display of debug messages for the local authenticator:
AP# debug radius local-server { client | eapfast | error | packets}
Use the command options to display this debug information:
• Use the client option to display error messages related to failed client authentications.
• Use the eapfast option to display error messages related to EAP-FAST authentication.
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Chapter 11 Configuring Cipher Suites and WEP
This chapter describes how to configure the cipher suites required to use Wi-Fi Protected Access (WPA) and Cisco Centralized Key Management (CCKM) authenticated key management, Wired Equivalent Privacy (WEP), WEP features including AES, Message Integrity Check (MIC), Temporal Key Integrity Protocol (TKIP), and broadcast key rotation.
Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication on your wireless LAN. You must use a cipher suite to enable WPA or CCKM. Because cipher suites provide the protection of WEP while also allowing use of authenticated key management, we recommend that you enable WEP by using the encryption mode cipher command in CLI or by using the cipher pull-down menu in the web browser interface.
Configuring Cipher Suites and WEP
These sections describe how to configure cipher suites, WEP and additional WEP features such as MIC, TKIP, and broadcast key rotation.
TIP: WEP, TKIP, MIC, and broadcast key rotation are disabled by default.
Creating WEP Keys
You need to configure only static WEP keys if your access point needs to support client devices that use static WEP.
   [ 0 | 7 ] [transmit-key]
4. Return to privileged EXEC mode.
   end
5. (Optional) Save your entries in the configuration file.
Example WEP Key Setup
This table shows an example WEP key setup that works for the access point and an associated device:
Table 93 - WEP Key Setup Example
Key Slot | Access Point: Transmit? | Access Point: Key Contents | Associated Device: Transmit? | Associated Device: Key Contents
1 | x | 12345678901234567890abcdef | – | 12345678901234567890abcdef
2 | – | 09876543210987654321fedcba | x | 09876543210987654321fedcba
3 | – | not set | – | not set
4 | – | not set | – | FEDCBA09876543211234567890
Because the acce
• If you enable a cipher suite with two elements (such as TKIP and 128-bit WEP), the second cipher becomes the group cipher.
• If you configure ckip you must also enable Aironet extensions. The command to enable Aironet extensions is dot11 extension aironet.
You can use the encryption mode wep command to set up static WEP. However, use encryption mode wep only if no clients that associate to the access point are capable of key management.
key management type. This table lists the cipher suites that are compatible with WPA and CCKM.
3. Enable broadcast key rotation.
4. Enter the number of seconds between each rotation of the broadcast key.
5. (Optional) Enter a VLAN that you want to enable for broadcast key rotation.
6. (Optional) If you enable WPA authenticated key management, you can enable additional circumstances where the access point changes and distributes the WPA group key.
Chapter 12 Configuring Authentication Types
This chapter describes how to configure authentication types on the access point.
Topic | Page
Understanding Authentication Types | 351
Using WPA Key Management | 357
Configuring Authentication Types | 359
Configuring Additional WPA Settings | 364
Configuring Authentication Hold-off, Timeout, and Interval | 368
Creating and Applying EAP Method Profiles for the 802.
Open Authentication to the Access Point
Open authentication allows any device to authenticate and then attempt to communicate with the access point. By using open authentication, any wireless device can authenticate with the access point, but the device can communicate only if its WEP keys match the access point’s. Devices not using WEP don’t attempt to authenticate with an access point that is using WEP.
Figure 92 - Sequence for Shared Key Authentication (figure: wired LAN, access point or bridge, client device, server; 1. Authentication request, 2. Unencrypted challenge text, 3. Encrypted challenge text, 4. Authentication success)
EAP Authentication to the Network
This authentication type provides the highest level of security for your wireless network.
The client uses a one-way encryption of the user-supplied password to generate a response to the challenge and sends that response to the RADIUS server. By using information from its user database, the RADIUS server creates its own response and compares that to the response from the client. When the RADIUS server authenticates the client, the process repeats in reverse, and the client authenticates the RADIUS server.
TIP: If MAC-authenticated clients on your wireless LAN roam frequently, you can enable a MAC authentication cache on your access points. MAC authentication caching reduces overhead because the access point authenticates devices in its MAC-address cache without sending the request to your authentication server. See Configuring MAC Authentication Caching on page 366 for instructions on enabling this feature.
Using CCKM for Authenticated Clients
By using Cisco Centralized Key Management (CCKM), authenticated client devices can roam from one access point to another without any perceptible delay during reassociation. An access point on your network provides Wireless Domain Services (WDS) and creates a cache of security credentials for CCKM-enabled client devices on the subnet.
Using WPA Key Management
Wi-Fi Protected Access (WPA) is a standards-based, interoperable security enhancement that strongly increases the level of data protection and access control for existing and future wireless LAN systems. It is derived from and can be forward-compatible with the upcoming IEEE 802.11i standard. WPA leverages TKIP (Temporal Key Integrity Protocol) for data protection and 802.1X for authenticated key management.
This figure shows the WPA key management process.
Figure 96 - WPA Key Management Process (figure: wired LAN, client device, access point, authentication server)
Client and server authenticate to each other, generating an EAP master key. Server uses the EAP master key to generate a pairwise master key (PMK) to protect communication between the client and the access point. (However, if the client is using 802.
Table 95 - Firmware and Software Requirements
Key Management and Encryption Protocol | Third Party Host Supplicant(1) Required | Supported Platform Operating Systems
LEAP with CKIP (This security combination requires 12.2(11)JA or later.) | No | Windows 95/98, Me, NT, 2000, XP, Windows CE, Mac OS X, Linux, DOS
LEAP with CCKM and CKIP (This security combination requires 12.2(11)JA or later.) |
The SSID can consist of up to 32 alphanumeric, case-sensitive characters. The first character cannot be any of the following:
• Exclamation point (!)
• Pound sign (#)
• Semicolon (;)
The following characters are invalid and cannot be used anywhere in an SSID:
• Plus sign (+)
• Right bracket (])
• Front slash (/)
• Quotation mark (")
• Tab
• Trailing spaces
3. (Optional) Set the authentication type to open for this SSID.
Use the optional keyword to allow client devices using either open or EAP authentication to associate and become authenticated. This setting is used mainly by service providers that require special client accessibility. An access point configured for EAP authentication forces all client devices that associate to perform EAP authentication. Client devices that don’t use EAP cannot use the access point.
TIP
4.
• To enable CCKM for an SSID, you must also enable Network-EAP authentication. When CCKM and Network EAP are enabled for an SSID, client devices using LEAP, EAP-FAST, PEAP/GTC, MSPEAP, EAP-TLS, and EAP-FAST can authenticate by using the SSID.
• To enable WPA for an SSID, you must also enable Open authentication or Network-EAP or both. When you enable both WPA and CCKM for an SSID, you must enter wpa first and cckm second.
Use the no form of the SSID commands to disable the SSID or to disable SSID features. This example sets the authentication type for the SSID batman to Network-EAP with CCKM authenticated key management. Client devices using the batman SSID authenticate by using the adam server list. After they are authenticated, CCKM-enabled clients can perform fast reassociations by using CCKM.
This example sets the SSID migrate for WPA migration mode:
ap1200# configure terminal
ap1200(config-if)# ssid migrate
ap1200(config-if)# encryption mode cipher tkip wep128
ap1200(config-if)# encryption key 3 size 128 12345678901234567890123456 transmit-key
ap1200(config-ssid)# authentication open
ap1200(config-ssid)# authentication network-eap adam
ap1200(config-ssid)# authentication key-management wpa optional
ap1200(config-ssid)# wpa-psk ascii batmobile65
ap12
Configuring Group Key Updates
In the last step in the WPA process, the access point distributes a group key to the authenticated client device. You can use these optional settings to configure the access point to change and distribute the group key based on client association and disassociation:
• Membership termination: the access point generates and distributes a new group key when any authenticated device disassociates from the access point.
2. Enter the ssid defined in Step 2 to assign the ssid to the selected radio interface.
   ssid ssid-string
3. Return to privileged EXEC mode.
   exit
4. Use the broadcast key rotation command to configure additional updates of the WPA group key.
   broadcast-key [ vlan vlan-id ] { change seconds } [ membership-termination ] [ capability-change ]
5. (Optional) Save your entries in the configuration file.
Use the timeout option to configure a timeout value for MAC addresses in the cache. Enter a value from 30…65555 seconds. The default value is 1800 (30 minutes). When you enter a timeout value, MAC-authentication caching is enabled automatically.
3. Return to privileged EXEC mode.
   exit
4. Show entries in the MAC-authentication cache. Include client MAC addresses to show entries for specific clients.
   show dot11 aaa mac-authen filter-cache [address]
5.
Configuring Authentication Hold-off, Timeout, and Interval
Beginning in privileged EXEC mode, follow these steps to configure hold-off times, reauthentication periods, and authentication timeouts for client devices authenticating through your access point:
1. Enter global configuration mode.
   configure terminal
2. Enter the number of seconds a client device must wait before it can reattempt to authenticate following a failed authentication.
TIP: If you configure both MAC address authentication and EAP authentication for an SSID, the server sends the Session-Timeout attribute for both MAC and EAP authentications for a client device. The access point uses the Session-Timeout attribute for the last authentication that the client performs.
Creating and Applying EAP Method Profiles for the 802.1X Supplicant
This section describes the optional configuration of an EAP method list for the 802.1X supplicant. Configuring EAP method profiles lets the supplicant decline some EAP methods even though they are available on the supplicant.
Applying an EAP Profile to the Fast Ethernet Interface
This operation normally applies to root access points. Beginning in privileged EXEC mode, follow these steps to apply an EAP profile to the Fast Ethernet interface:
1. Enter the global configuration mode.
   configure terminal
2. Enter the interface configuration mode for the access point’s Fast Ethernet port.
Matching Access Point and Client Device Authentication Types
To use the authentication types described in this section, the access point authentication settings must match the authentication settings on the client adapters that associate to the access point. See the Cisco Aironet Wireless LAN Client Adapters Installation and Configuration Guide for instructions on setting authentication types on wireless client adapters.
This table lists the client and access point settings required for each authentication type.
Table 96 - Client and Access Point Settings Required for Each Authentication Type (Continued)
Security Feature | Client Setting | Access Point Setting
(continued) | If using ACU to configure card: Enable Host Based EAP and Use Dynamic WEP Keys in ACU and choose Enable network access control by using IEEE 802.1X and PEAP as the EAP Type in Windows 2000 (with Service Pack 3) or Windows XP | Set up and enable WEP and enable EAP and Open authentication for the SSID.
Chapter 13 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services
This chapter describes how to configure your access points for wireless domain services (WDS), fast, secure roaming of client devices, radio management, and wireless intrusion detection services (WIDS).
Access points participating in radio management forward information about the radio environment (such as possible rogue access points and client associations and disassociations) to the WDS device. The WDS device aggregates the information and forwards it to a wireless LAN solution engine (WLSE) device on your network.
Role of Access Points by Using the WDS Device
The access points on your wireless LAN interact with the WDS device in these activities:
• Discover and track the current WDS device and relay WDS advertisements to the wireless LAN.
• Authenticate with the WDS device and establish a secure communication channel to the WDS device.
• Register associated client devices with the WDS device.
When you configure your wireless LAN for fast, secure roaming, however, LEAP-enabled client devices roam from one access point to another without involving the main RADIUS server.
Understanding Radio Management
Access points participating in radio management scan the radio environment and send reports to the WDS device on such radio information as potential rogue access points, associated clients, client signal strengths, and the radio signals from other access points. The WDS device forwards the aggregated radio data to the WLSE device on your network.
This figure shows the components that interact to perform Layer 3 mobility.
Understanding Wireless Intrusion Detection Services
When you implement Wireless Intrusion Detection Services (WIDS) on your wireless LAN, your access points, WLSE, and an optional (non-Cisco) WIDS engine work together to detect and prevent attacks on your wireless LAN infrastructure and associated client devices.
Configuring WDS
This section describes how to configure WDS on your network.
Configuration Overview
You must complete three major steps to set up WDS and fast, secure roaming:
1. Configure access points, ISRs, or switches as potential WDS devices. This chapter provides instructions for configuring an access point as a WDS device.
Configuring Access Points as Potential WDS Devices
For the main WDS candidate, configure an access point that does not serve a large number of client devices. If client devices associate to the WDS access point when it starts up, the clients can wait several minutes to be authenticated. Repeater access points don’t support WDS.
2. Click WDS to go to the WDS/WNM Summary page.
3. On the WDS/WNM Summary page, click General Setup to go to the WDS/WNM General Setup page. The WDS/WNM General Setup page appears.
Figure 102 - WDS/WNM General Setup Page
4. Check the Use this AP as Wireless Domain Services check box.
5.
The WDS access point candidate with the highest number in the priority field becomes the acting WDS access point. For example, if one WDS candidate is assigned priority 255 and one candidate is assigned priority 100, the candidate with priority 255 becomes the acting WDS access point.
6. (Optional) Check Use Local MAC List for Client Authentication.
The WDS Server Groups page appears.
Figure 103 - WDS Server Groups Page
Configure a Group of Servers
Follow these instructions to create a group of servers to be used for 802.1x authentication for the infrastructure devices (access points) that use the WDS access point.
1. Enter a group name in the Server Group Name field.
2. From the Priority 1 pull-down menu, choose the primary server.
5. Configure the list of servers to be used for 802.1x authentication for client devices. You can specify a separate list for clients that use a certain type of authentication, such as EAP, LEAP, PEAP, or MAC-based, or specify one list for client devices that use any type of authentication.
6. Enter a group name for the server or servers in the Server Group Name field.
7.
CLI Configuration Example
This example shows the CLI commands that are equivalent to the steps listed in Configuring Access Points as Potential WDS Devices on page 384:
AP# configure terminal
AP(config)# aaa new-model
AP(config)# wlccp wds priority 200 interface bvi1
AP(config)# wlccp authentication-server infrastructure infra_devices
AP(config)# wlccp authentication-server client any client_de
Configuring Access Points to Use the WDS Device
To participate in WDS, infrastructure access points must run the same Cisco IOS release as the WDS device. Follow these steps to configure an access point to authenticate through the WDS device and participate in WDS.
1. Browse to the Wireless Services Summary page.
2. Click AP to browse to the Wireless Services AP page.
This password must match the password that you create for the access point on your authentication server.
7. Click Apply.
The access points that you configure to interact with the WDS automatically perform these steps:
• Discover and track the current WDS device and relay WDS advertisements to the wireless LAN.
• To set the WDS access point to operate in both AP and WDS modes, use the no wlccp wds mode wds-only command and use the write erase command to reload the access point immediately. Be aware that write erase clears the startup configuration in NVRAM; to restart the access point while keeping its saved configuration, use copy running-config startup-config followed by reload instead. After the access point reloads, the dot11 radio subsystems initialize, and the access point and WDS associate directly to wireless clients.
Using Debug Messages
In privileged EXEC mode, use these debug commands to control the display of debug messages for devices interacting with the WDS device:
Table 98 - Debug Commands
Command Description
debug wlccp ap {mn | wds-discovery | state} Use this command to turn on display of debug messages related to client devices (mn), the WDS discovery process, and access point authentication to the
Configuring Access Points to Support Fast Secure Roaming
To support fast, secure roaming, the access points on your wireless LAN must be configured to participate in WDS and they must allow CCKM authenticated key management for at least one SSID. Follow these steps to configure CCKM for an SSID:
1. Browse to the Encryption Manager page on the access point GUI.
5. Go to the SSID Manager page.
Figure 106 - SSID Manager Page
6. On the SSID that supports CCKM, choose these settings:
a. If your access point contains multiple radio interfaces, select the interfaces that the SSID applies to.
b. Under Authentication Settings, choose Network EAP. When you enable CCKM, you must enable Network EAP as the authentication type.
c.
d. Check the CCKM check box.
7. Click Apply.
Management Frame Protection
Management Frame Protection (MFP) provides security features for the management messages passed between access point and client stations. MFP consists of two functional components: Infrastructure MFP and Client MFP. Infrastructure MFP provides infrastructure support.
Protection of Broadcast Management Frames
To prevent attacks that use broadcast frames, access points supporting CCXv5 don’t emit any broadcast class 3 management frames. An access point in workgroup bridge, repeater, or non-root bridge mode discards broadcast class 3 management frames if Client MFP is enabled.
This ssid configuration command enables Client MFP as optional on a particular SSID. The Dot11Radio interface is reset when the command is executed if the SSID is bound to the Dot11Radio interface. Client MFP is enabled for this particular SSID if the SSID is WPAv2 capable; otherwise Client MFP is disabled.
Beginning in privileged EXEC mode, follow these steps to configure the WDS:
1. Enter global configuration mode.
configure terminal
2. Configure the WDS as an MFP distributor. When enabled, the WDS manages the signature keys used to create the MIC IEs and securely transfers them between generators and detectors.
dot11 ids mfp distributor
3. Return to privileged EXEC mode.
end
4.
2. Click WDS.
3. Check Use this AP as Wireless Domain Services and Configure Wireless Network Manager.
4. In the Wireless Network Manager IP Address field, enter the IP address of the WLSE device on your network.
5. Click Apply.
The WDS access point is configured to interact with your WLSE device.
CLI Configuration Example
This example shows the CLI commands that are equivalent to the steps listed in Configuring Radio Management on page 400:
AP# configure terminal
AP(config)# wlccp wnm ip address 192.250.0.5
AP(config)# end
In this example, the WDS access point is enabled to interact with a WLSE device with the IP address 192.250.0.5.
Configuring the Access Point for Monitor Mode
When an access point is configured as a scanner it can also capture frames in monitor mode. In monitor mode, the access point captures 802.11 frames and forwards them to the WIDS engine on your network. The access point adds a 28-byte capture header to every 802.
Displaying Monitor Mode Statistics
Use this privileged EXEC command to display statistics on captured frames:
show wlccp ap rm monitor statistics
This example shows output from the command:
ap# show wlccp ap rm monitor statistics
Dot11Radio 0
====================
WLAN Monitoring : Enabled
Endpoint IP address : 10.91.107.
Configuring Monitor Mode Limits
You can configure threshold values that the access point uses in monitor mode. When a threshold value is exceeded, the access point logs the information or sends an alert.
Configuring an Authentication Failure Limit
Setting an authentication failure limit protects your network against a denial-of-service attack called EAPOL flooding. The 802.
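The authentication failure limit above is a per-client threshold over a time window. The following is an added example (not code from this manual or from Cisco IOS) that implements that detection logic over a few constructed log lines: it counts 802.1X/EAP authentication failures per client MAC in a sliding window and raises one alert when a client exceeds the limit. The log format, the default limit of 5 failures and the 60-second window are assumptions made for the example.

```python
"""Sliding-window authentication-failure counter (added example).

Demonstrates the kind of threshold the access point's authentication
failure limit applies: count EAP/802.1X failures per client MAC and alert
when a client exceeds `limit` failures within `window_seconds`.
The log line format, the limit and the window are assumptions for this
example; the sample lines are constructed, not captured from a real AP.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

# Constructed sample log lines (not real access point output).
SAMPLE_LOG = """\
2014-05-01 10:00:00 dot11 auth fail client 0040.9612.3456 ssid plant
2014-05-01 10:00:01 dot11 auth fail client 0040.9612.3456 ssid plant
2014-05-01 10:00:02 dot11 auth fail client 0040.9612.3456 ssid plant
2014-05-01 10:00:03 dot11 auth fail client 0040.9612.3456 ssid plant
2014-05-01 10:00:04 dot11 auth fail client 0040.9612.3456 ssid plant
2014-05-01 10:00:05 dot11 auth fail client 0040.9612.3456 ssid plant
2014-05-01 10:00:07 dot11 auth ok client 0040.9612.aaaa ssid plant
2014-05-01 10:00:09 dot11 auth fail client 0040.9612.aaaa ssid plant
2014-05-01 10:05:00 dot11 auth fail client 0040.9612.aaaa ssid plant
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) dot11 auth "
    r"(?P<result>fail|ok) client "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
)


def detect_eapol_flood(log_text, limit=5, window_seconds=60):
    """Return a list of (mac, timestamp) alerts.

    One alert is raised the moment a client's failure count inside the
    window exceeds `limit`; the client is re-armed once the window has
    slid past enough failures to bring it back under the limit.
    """
    failures = defaultdict(deque)   # mac -> timestamps of recent failures
    alerts = []
    alerted = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # unrelated or malformed line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        mac = m["mac"]
        q = failures[mac]
        # Slide the window: forget failures older than window_seconds.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if m["result"] == "ok":
            continue                # a success neither counts nor resets
        q.append(ts)
        if len(q) > limit and mac not in alerted:
            alerts.append((mac, m["ts"]))
            alerted.add(mac)
        elif len(q) <= limit:
            alerted.discard(mac)
    return alerts


if __name__ == "__main__":
    for mac, when in detect_eapol_flood(SAMPLE_LOG):
        print(f"EAPOL flood suspected from {mac} at {when}")
```

The first client produces six failures in six seconds and trips the default limit on the sixth; the second client's two failures are almost five minutes apart, so the window discards the first before the second arrives and no alert is raised. Tune the limit and window to the reassociation behaviour of your own clients before acting on alerts.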
Configuring WLSM Failover
To ensure near hot standby in cases of WLSM failure, the WLSM Version 2.13 Release supports resilient tunnel recovery and active and standby WLSMs.
Chapter 14 Configuring RADIUS and TACACS+ Servers
This chapter describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+), which provide detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS and TACACS+ are facilitated through AAA and can be enabled only through AAA commands.
• Turnkey network security environments in which applications support the RADIUS protocol, such as an access environment that uses a smart card access control system. In one case, RADIUS has been used with Enigma’s security cards to validate users and to grant access to network resources.
• Networks already using RADIUS. You can add an access point containing a RADIUS client to the network.
• Networks that require resource accounting.
RADIUS Operation
When a wireless user attempts to log in and authenticate to an access point whose access is controlled by a RADIUS server, authentication to the network occurs in the steps shown in this figure.
Figure 109 - Sequence for EAP Authentication (client device, access point or bridge, and RADIUS server on the wired LAN; legible steps: 1. Authentication request; 3. Username, relayed to the server; 4. Authentication challenge, relayed to the client)
There is more than one type of EAP authentication, but the access point behaves the same way for each type: it relays authentication messages from the wireless client device to the RADIUS server and from the RADIUS server to the wireless client device. See Assigning Authentication Types to an SSID on page 359 for instructions on setting up client authentication by using a RADIUS server.
You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.
1. Enter global configuration mode.
configure terminal
2. Enable AAA.
aaa new-model
3. Specify the IP address or host name of the remote RADIUS server host.
• (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.
dot11 ssid ssid-string
5. Enable RADIUS accounting for this SSID. For list-name, specify the accounting method list. See http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfacct.htm#xtocid2 for more information on method lists.
TIP To enable accounting for an SSID, you must include the accounting command in the SSID configuration.
You also need to configure some settings on the RADIUS server. These settings include the IP address of the access point and the key string to be shared by both the server and the access point.
Configuring RADIUS Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication and the sequence in which they are performed. The access point moves on to the next method in the list only when the previous method returns an error (for example, no RADIUS server responds); an explicit reject from a method ends the attempt and is not retried against the next method.
Use the line password for authentication. You must define a line password before you can use this authentication method. Use the password password line configuration command.
• Local
Use the local username database for authentication. You must enter username information in the database. Use the username name password password global configuration command.
• Radius
Use RADIUS authentication.
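The ordering rule behind a method list such as aaa authentication login default group radius local is easy to get wrong: the next method is consulted only when the previous one returns an error (no server reachable), never when it rejects the user. The following added example (not code from this manual or from Cisco IOS) models that rule with constructed stand-ins for a RADIUS server group and the local username database so the fail-over and the no-fall-through-on-reject cases can be checked side by side. The class names, user names and passwords are invented for the example.

```python
"""IOS-style AAA login method list fall-through (added example).

Models the rule that a method list is walked in order and the next method
is tried only on ERROR (server unreachable), not on FAIL (explicit
reject).  RadiusGroup and Local are constructed stand-ins for
'group radius' and 'local'; they are not an IOS or RADIUS library API.
"""
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


class RadiusGroup:
    """Stand-in for 'group radius': servers tried in order; the group
    returns ERROR only when every server is unreachable, and the first
    server that answers decides (PASS or FAIL)."""

    def __init__(self, servers):
        # list of (reachable: bool, users: {name: password})
        self.servers = servers

    def __call__(self, user, password):
        for reachable, users in self.servers:
            if not reachable:
                continue            # dead server: fail over to the next
            return PASS if users.get(user) == password else FAIL
        return ERROR                # no server answered at all


class Local:
    """Stand-in for 'local': the username database on the access point."""

    def __init__(self, users):
        self.users = users

    def __call__(self, user, password):
        return PASS if self.users.get(user) == password else FAIL


def authenticate(method_list, user, password):
    """Walk the method list; return (decision, index of deciding method).

    A method that returns ERROR is skipped; the first PASS or FAIL is
    final.  If every method errors out the login is denied (IOS only
    admits in that case when 'none' is the last method)."""
    for i, method in enumerate(method_list):
        result = method(user, password)
        if result != ERROR:
            return result, i
    return FAIL, None


# Constructed fixtures for the scenarios below.
RADIUS_USERS = {"operator": "r4dius-pw"}
LOCAL_USERS = {"operator": "l0cal-pw", "admin": "s3cret"}


def scenario(radius_reachable, user, password):
    """'aaa authentication login default group radius local' with one
    RADIUS server that is either reachable or not."""
    radius = RadiusGroup([(radius_reachable, RADIUS_USERS)])
    return authenticate([radius, Local(LOCAL_USERS)], user, password)


if __name__ == "__main__":
    print(scenario(True, "operator", "r4dius-pw"))   # RADIUS accepts
    print(scenario(True, "operator", "l0cal-pw"))    # RADIUS rejects: local NOT tried
    print(scenario(False, "operator", "l0cal-pw"))   # RADIUS down: local decides
    print(scenario(True, "admin", "s3cret"))         # unknown to RADIUS: rejected
```

Two consequences follow for the access point. A local-only account (admin above) cannot log in while the RADIUS server is reachable, which is the intended behaviour; and when the server is unreachable the local password is the only thing protecting the CLI, so it must be as strong as the RADIUS credentials it stands in for.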
Defining AAA Server Groups
You can configure the access point to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list. The list contains the IP addresses of the selected server hosts.
• (Optional) For key string, specify the authentication and encryption key used between the access point and the RADIUS daemon running on the RADIUS server.
TIP The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. Choose a long, random key: it is the only secret protecting the hidden User-Password and the Message-Authenticator in RADIUS packets, and anyone who can capture the traffic can test guesses for a short key offline.
entries on the same RADIUS server configured for the same services. The second host entry acts as a fail-over backup to the first entry.
AP(config)# aaa new-model
AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
AP(config)# aaa group server radius group1
AP(config-sg-radius)# server 172.20.0.
Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:
1. Enter global configuration mode.
configure terminal
2. Configure the access point for user RADIUS authorization for all network-related service requests.
aaa authorization network radius
3. Configure the access point for user RADIUS authorization to determine if the user has privileged EXEC access.
When a session is terminated, the RADIUS server sends a disconnect message to the Network Access Server (NAS), which is an access point or WDS. For 802.11 sessions, the Calling-Station-ID [31] RADIUS attribute (the MAC address of the client) must be supplied in the POD (Packet of Disconnect) request. The access point or WDS attempts to disassociate the relevant session and then sends a disconnect response message back to the RADIUS server.
string—The shared-secret text string that is shared between the network access server (the access point) and the RADIUS server that sends the disconnect request. This shared secret must be the same on both systems; the access point uses it to verify that a disconnect request is genuine before it tears down a session, so a forged request from a host that does not know the secret is ignored.
TIP Any data entered after this parameter is treated as the shared secret string.
aaa pod server [port port-number] [auth-type {any | all | session-key}] [clients client1 ...] [ignore {server-key | session-key}] server-key string
3. Return to privileged EXEC mode.
end
4.
6. Verify your entries.
show running-config
7. (Optional) Save your entries in the configuration file.
copy running-config startup-config
To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1... global configuration command.
Selecting the CSID Format
You can choose the format for MAC addresses in Called-Station-ID (CSID) and Calling-Station-ID attributes in RADIUS packets.
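The shared key configured with radius-server host, the Packet of Disconnect key configured with aaa pod server, and the Calling-Station-ID format above all show up on the wire in a few specific places. The following added example (not code from this manual or from Cisco IOS, standard library only) builds the packets the access point and server exchange so those places are visible: User-Password hiding and the Message-Authenticator (attribute 80) of an Access-Request as specified in RFC 2865 and RFC 2869, the authenticator of a Disconnect-Request (code 40, RFC 5176) that a NAS must check before disassociating a client, and a helper that renders a client MAC in the three CSID styles. The three style names (default, ietf, unformatted) and their output shapes are assumptions about the IOS csid options; the secret, addresses and MACs are constructed values. MD5 appears because the RADIUS protocol mandates it, not as a recommendation.

```python
"""RADIUS Access-Request / Packet-of-Disconnect construction (added example).

Shows where the shared secret is used on the wire: hiding User-Password
(RFC 2865 5.2), computing Message-Authenticator (RFC 2869 5.14) and
authenticating a Disconnect-Request (RFC 5176 3.1).  Not Cisco code; the
CSID format names and the sample values are assumptions for this example.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, DISCONNECT_REQUEST = 1, 40
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31
NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 61, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19


def attr(atype, value):
    """Encode one Type-Length-Value attribute; Length counts all 3 fields."""
    assert 1 <= len(value) <= 253
    return bytes([atype, len(value) + 2]) + value


def format_csid(mac_hex, style="default"):
    """Render a 12-hex-digit MAC in the assumed CSID styles:
    default -> 0040.9612.3456, ietf -> 00-40-96-12-34-56,
    unformatted -> 004096123456."""
    h = mac_hex.lower()
    if style == "default":
        return ".".join(h[i:i + 4] for i in range(0, 12, 4))
    if style == "ietf":
        return "-".join(h[i:i + 2] for i in range(0, 12, 2))
    if style == "unformatted":
        return h
    raise ValueError(style)


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block),
    the first block keyed on the Request Authenticator."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\0")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def build_access_request(secret, ident, user, password, nas_ip, client_mac):
    """Access-Request carrying the attributes the page's tables list."""
    ra = os.urandom(16)                       # Request Authenticator
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, ra))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + attr(CALLING_STATION_ID, format_csid(client_mac).encode()))
    # Attribute 80 is HMAC-MD5(secret) over the whole packet with its own
    # value zeroed; reserve it, compute, then fill it in.
    length = 20 + len(attrs) + 18
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + ra
    zeroed = head + attrs + attr(MESSAGE_AUTHENTICATOR, b"\0" * 16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return head + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Server-side check: recompute attribute 80 with its value zeroed."""
    pos = 20
    while pos + 2 <= len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2:
            return False                      # malformed attribute
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = packet[:pos + 2] + b"\0" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += l
    return False                              # attribute absent


def build_disconnect_request(secret, ident, client_mac):
    """RFC 5176: Authenticator = MD5(Code+ID+Length+16 zeros+Attrs+Secret)."""
    attrs = attr(CALLING_STATION_ID, format_csid(client_mac).encode())
    head = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(head + b"\0" * 16 + attrs + secret).digest()
    return head + auth + attrs


def verify_disconnect_request(packet, secret):
    """What the NAS does before tearing a session down: check the POD key."""
    head, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + b"\0" * 16 + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)
```

Note that only Access-Request packets carry a random Request Authenticator; a Disconnect-Request's authenticator is a keyed digest of the packet, which is why a NAS that skips the check in verify_disconnect_request would let anyone who can reach its UDP port disconnect clients by sending a Calling-Station-ID.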
4. Specify the number of seconds an access point waits for a reply to a RADIUS request before resending the request. The default is 5 seconds; the range is 1…1000.
radius-server timeout seconds
5. Use this command to cause the Cisco IOS software to mark as “dead” any RADIUS servers that fail to respond to authentication requests, thus avoiding the wait for the request to time out before trying the next configured server.
Configuring the Access Point to Use Vendor-specific RADIUS Attributes
The IETF RADIUS standard (RFC 2865) specifies a method for communicating vendor-specific information between the access point and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use.
If you enter this command without keywords, both accounting and authentication vendor-specific attributes are used.
radius-server vsa send [accounting | authentication]
3. Return to privileged EXEC mode.
end
4. Verify your settings.
show running-config
5. (Optional) Save your entries in the configuration file.
The access point and the RADIUS server use this text string to encrypt passwords and exchange responses.
TIP The key is a text string that must match the encryption key used on the RADIUS server. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, don’t enclose the key in quotation marks unless the quotation marks are part of the key.
radius-server key string
4. Return to privileged EXEC mode.
You can find a list of ISO and ITU country and area codes at the ISO and ITU websites. Cisco IOS software does not check the validity of the country and area codes that you configure on the access point.
Beginning in privileged EXEC mode, follow these steps to specify WISPr RADIUS attributes on the access point:
1. Enter global configuration mode.
configure terminal
2. Specify the WISPr location-name attribute.
This example shows how to configure the WISPr location-name attribute (snmp-server location is a global configuration command, so it is entered from config mode):
ap(config)# snmp-server location ACMEWISP,Gate_14_Terminal_C_of_Newark_Airport
This example shows how to configure the ISO and ITU location codes on the access point:
ap(config)# dot11 location isocc us cc 1 ac 408
This example shows how the access point adds the SSID used by the client device and formats the location-ID string:
isocc=us,cc=1,ac=408,network=ACMEWISP_NewarkAirport
Displaying the RADI
Table 99 - Attributes Sent in Access-Request Packets (Continued)
Attribute ID Description
61 NAS-Port-Type
79 EAP-Message
80 Message-Authenticator
(1) The access point sends the NAS-Identifier if attribute 32 (include-in-access-req) is configured.
Table 102 - Attributes Sent in Accounting-Request (update) Packets
Attribute ID Description
1 User-Name
4 NAS-IP-Address
5 NAS-Port
6 Service-Type
25 Class
41 Acct-Delay-Time
42 Acct-Input-Octets
43 Acct-Output-Octets
44 Acct-Session-Id
46 Acct-Session-Time
47 Acct-Input-Packets
48 Acct-Output-Packets
61 NAS-Port-Type
VSA (attribute 26) SSID
VSA (attribute 26) NAS-Location
VSA (attribute 26) VLAN-ID
VSA (attribute 26) Con
Table 103 - Attributes Sent in Accounting-Request (stop) Packets (Continued)
Attribute ID Description
VSA (attribute 26) NAS-Location
VSA (attribute 26) Disc-Cause-Ext
VSA (attribute 26) VLAN-ID
VSA (attribute 26) Connect-Progress
VSA (attribute 26) Cisco-NAS-Port
VSA (attribute 26) Interface
VSA (attribute 26) Auth-Algo-Type
By default, the access point sends reauthentication requests to the authentication server with the service-type attr
Authentication
Provides complete control of authentication of administrators through login and password dialog, challenge and response, and messaging support. The authentication facility can conduct a dialog with the administrator (for example, after a username and password are provided, it can challenge the user with several questions, such as home address, mother’s maiden name, service type, and social security number).
TACACS+ allows a conversation to be held between the daemon and the administrator until the daemon receives enough information to authenticate the administrator. The daemon prompts for a username and password combination, but can include other items, such as the user’s mother’s maiden name.
4. The access point eventually receives one of these responses from the TACACS+ daemon.
Default TACACS+ Configuration
TACACS+ and AAA are disabled by default. To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate administrators accessing the access point through the CLI.
aaa group server tacacs+ group-name
5. (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group. Each server in the group must be previously defined in Step 2.
server ip-address
6. Return to privileged EXEC mode.
end
7. Verify your entries.
show tacacs
8. (Optional) Save your entries in the configuration file.
Beginning in privileged EXEC mode, follow these steps to configure login authentication:
1. Enter global configuration mode.
configure terminal
2. Enable AAA.
aaa new-model
3. Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations.
• For list-name, specify the list created with the aaa authentication login command.
login authentication {default | list-name}
9. Return to privileged EXEC mode.
end
10. Verify your entries.
show running-config
11. (Optional) Save your entries in the configuration file.
copy running-config startup-config
• To disable AAA, use the no aaa new-model global configuration command.
Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for privileged EXEC access and network services:
1. Enter global configuration mode.
configure terminal
2. Configure the access point for administrator TACACS+ authorization for all network-related service requests.
aaa authorization network tacacs+
3.
3. Enable TACACS+ accounting to send a start-record accounting notice at the beginning of a privileged EXEC process and a stop-record at the end.
aaa accounting exec start-stop tacacs+
4. Return to privileged EXEC mode.
end
5. Verify your entries.
show running-config
6. (Optional) Save your entries in the configuration file.
copy running-config startup-config
To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1...
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Chapter 15 Configuring VLANs
This chapter describes how to configure your access point to operate with the VLANs set up on your wired LAN in the following sections:
Topic Page
Understanding VLANs 441
Configuring VLANs 445
VLAN Configuration Example 450
Understanding VLANs
A VLAN is a switched network that is logically segmented by functions, project teams, or applications rather than on a physical or geographical basis.
You extend VLANs into a wireless LAN by adding IEEE 802.1Q tag awareness to the access point. Frames destined for different VLANs are transmitted by the wireless access point/workgroup bridge on different SSIDs with different WEP keys. Only the clients associated with that VLAN receive those packets. Conversely, packets coming from a client associated with a certain VLAN are 802.1Q tagged before they are forwarded onto the wired network. If 802.
This figure shows the difference between traditional physical LAN segmentation and logical VLAN segmentation with wireless devices connected.
Incorporating Wireless Devices into VLANs
The basic wireless components of a VLAN consist of an access point and a client associated to it by using wireless technology. The access point is physically connected through a trunk port to the network VLAN switch where the VLAN is configured. The physical connection to the VLAN switch is through the access point’s Ethernet port.
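The tagging the access point performs on its trunk port is a 4-byte IEEE 802.1Q header inserted after the source MAC address. The following added example (not code from this manual or from Cisco IOS) inserts, parses and strips that header on a constructed Ethernet frame, treats an untagged frame as native-VLAN traffic the way a trunk does, and decodes the 3-bit priority field (PCP) into the 802.1p class-of-service names the QoS chapter lists (class 4 is Controlled Load). The frame contents, MAC addresses and VLAN IDs are constructed test data.

```python
"""IEEE 802.1Q tag insertion and parsing (added example).

Shows the 4-byte tag a trunk port carries between the source MAC and the
EtherType: TPID 0x8100, then a 16-bit TCI holding PCP (3 bits, the
802.1p class of service), DEI (1 bit) and VID (12 bits).  Untagged frames
belong to the native VLAN, which this manual requires to be VLAN 1.
Not Cisco code; the sample frame below is constructed test data.
"""
import struct

TPID_8021Q = 0x8100
NATIVE_VLAN = 1
# 802.1p class-of-service names as listed in the QoS chapter of this manual.
COS_NAMES = ["Best Effort", "Background", "Spare", "Excellent",
             "Controlled Load", "Video <100 ms Latency",
             "Voice <100 ms Latency", "Network Control"]


def tag_frame(frame, vid, pcp=0, dei=0):
    """Insert a VLAN tag after the 12-byte dst/src MAC pair."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("vid 1..4094, pcp 0..7, dei 0..1")
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame):
    """Decode the Ethernet header and any 802.1Q tag.

    Returns a dict with the VLAN the frame belongs to (an untagged frame is
    placed in the native VLAN), its PCP and CoS name, the inner EtherType
    and the payload."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp = tci >> 13
        return {"dst": dst, "src": src, "vlan": tci & 0x0FFF,
                "native": False, "pcp": pcp, "cos": COS_NAMES[pcp],
                "ethertype": struct.unpack("!H", frame[16:18])[0],
                "payload": frame[18:]}
    return {"dst": dst, "src": src, "vlan": NATIVE_VLAN, "native": True,
            "pcp": 0, "cos": COS_NAMES[0], "ethertype": ethertype,
            "payload": frame[14:]}


def untag_frame(frame):
    """Remove the 802.1Q tag, as the access point does before sending a
    frame to a wireless client on the matching SSID."""
    if frame[12:14] == struct.pack("!H", TPID_8021Q):
        return frame[:12] + frame[16:]
    return frame


# Constructed frame: broadcast destination, locally administered source,
# IPv4 EtherType, 20 bytes of dummy payload.  Not captured traffic.
UNTAGGED = (b"\xff" * 6 + bytes.fromhex("024096123456")
            + struct.pack("!H", 0x0800) + b"\x45" + b"\0" * 19)


if __name__ == "__main__":
    tagged = tag_frame(UNTAGGED, vid=2, pcp=5)
    print(parse_frame(tagged)["vlan"], parse_frame(tagged)["cos"])
    print(parse_frame(UNTAGGED)["native"])
```

Because an untagged frame is silently assigned to the native VLAN, a frame that arrives on the trunk without a tag is treated as VLAN 1 traffic; that is the mechanism behind the manual's warning that another switch port configured as VLAN 1 causes errors, and the reason management traffic on the native VLAN deserves the same scrutiny as any tagged VLAN.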
Configuring VLANs
When you configure VLANs on access points, the native VLAN must be VLAN 1. In a single architecture, client traffic received by the access point is tunneled through an IP-GRE tunnel that is established on the access point’s Ethernet interface native VLAN. Because of the IP-GRE tunnel, some users can configure another switch port as VLAN 1. This misconfiguration causes errors on the switch port.
The following characters are invalid and cannot be used in an SSID:
• Plus sign (+)
• Right bracket (])
• Forward slash (/)
• Quotation mark (")
• Tab
• Trailing spaces
TIP You use the ssid command’s authentication options to configure an authentication type for each SSID. See Configuring Authentication Types on page 351 for instructions on configuring authentication types.
ssid ssid-string
4. (Optional) Assign the SSID to a VLAN on your network.
12. (Optional) Save your entries in the configuration file.
copy running-config startup-config
This example shows how to:
a. Name an SSID.
b. Assign the SSID to a VLAN.
c. Enable the VLAN on the radio and Ethernet ports as the native VLAN.
ap1200Router# configure terminal
ap1200Router(config)# interface dot11radio0
ap1200Router(config-if)# ssid batman
ap1200Router(config-ssid)# vlan 1
ap1200Router(config-ssid)# exit
ap1200Router(config)# interface dot11radio0.
• VLAN names can contain up to 32 ASCII characters. However, a VLAN name cannot be a number between 1…4095. For example, vlan4095 is a valid VLAN name, but 4095 is not. The access point reserves the numbers 1…4095 for VLAN IDs.
Creating a VLAN Name
Beginning in privileged EXEC mode, follow these steps to assign a name to a VLAN:
1. Enter global configuration mode.
configure terminal
2. Assign a VLAN name to a VLAN ID. The name can contain up to 32 ASCII characters.
3. When the client authenticates successfully, the RADIUS server maps the client to a specific VLAN, regardless of the VLAN mapping defined for the SSID the client is using on the access point. If the server does not return any VLAN attribute for the client, the client is assigned to the VLAN specified by the SSID mapped locally on the access point.
These are the RADIUS user attributes used for VLAN ID assignment.
This is configured as native Vlan for the following interface(s):
Dot11Radio0
FastEthernet0
Virtual-Dot11Radio0
Protocols Configured: Address: Received: Transmitted:
Bridging Bridge Group 1 201688 0
Bridging Bridge Group 1 201688 0
Bridging Bridge Group 1 201688 0
Virtual LAN ID: 2 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interfaces: Dot11Radio0.2
FastEthernet0.2
Virtual-Dot11Radio0.
In this scenario, a minimum of three VLAN connections are required, one for each level of access. Because the access point can handle up to 16 SSIDs, you can use the basic design shown in this table.
This table shows the commands needed to configure the three VLANs in this example.
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
When you configure a bridge group on the FastEthernet interface, these commands are set automatically:
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
Configuring/Enabling VLAN with SSID by Using Stratix 5100 Device Manager
The default VLAN is the management VLAN, and all untagged frames are implicitly associated with this default VLAN ID. Configure one of your VLANs as the native VLAN. Complete these steps to configure the VLAN.
1. From the top menu, choose Services.
2. Click VLAN.
3. Enter a unique VLAN ID number between 1…4095.
4. Determine if you want this VLAN ID to be the native VLAN.
5.
6. Click the Define SSID link to go to the SSID Manager page.
7. Choose a unique SSID to be mapped with this VLAN. If no unique SSIDs are available, choose the setting.
8. Click Apply to add the assigned VLAN.
Set the Encryption for the VLAN
Now that you have completed the configuration of the VLAN, you must set the encryption for the VLAN. Complete these steps to set the encryption for the VLAN.
1. Click Security to go to the Security Summary page.
2.
Chapter 16 Configuring QoS This chapter describes how to configure quality of service (QoS) on your access point. With this feature, you can provide preferential treatment to certain traffic at the expense of others. Without QoS, the access point offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
QoS for Wireless LANs Versus QoS on Wired LANs
The QoS implementation for wireless LANs differs from QoS implementations on other Cisco devices. With QoS enabled, access points perform the following:
• Don’t classify packets; they prioritize packets based on DSCP value, client type (such as a wireless phone), or the priority value in the 802.1Q or 802.1p tag.
• The radio downstream flow is traffic transmitted out the access point radio to a wireless client device. This traffic is the main focus for QoS on a wireless LAN.
• The radio upstream flow is traffic transmitted from the wireless client device to the access point. QoS for wireless LANs does not affect this traffic.
• The Ethernet downstream flow is traffic sent from a switch or a router to the Ethernet port on the access point.
Configure QoS by Using Stratix 5100 Device Manager
These steps describe how to configure quality of service (QoS) on your access point by using the Device Manager.
Follow these steps to configure QoS on your access point.
1. From the top menu, click Services.
2. From the Services menu, click QoS.
3. In the Create/Edit Policy field, select an existing policy or create a new one.
4. Type a name for the QoS policy in the Policy Name entry field. The name can contain up to 25 alphanumeric characters. Do not include spaces in the policy name.
5. From the Apply Class of Service pull-down menu, select the class of service that you want the access point to apply to packets of the type that you selected from the IP Precedence menu.
6. The access point matches your IP Precedence selection with your class of service selection.
• Assured Forwarding - Class 4 Medium
• Assured Forwarding - Class 4 High
• Class Selector 1
• Class Selector 2
• Class Selector 3
• Class Selector 4
• Class Selector 5
• Class Selector 6
• Class Selector 7
• Expedited Forwarding
8. From the Apply Class of Service pull-down menu, select the class of service that you want the access point to apply to packets of the type that you selected from the IP DSCP menu.
13. Use the Apply Policies to Interface/VLANs pull-down menus to apply policies to the access point Ethernet and radio ports.
• If VLANs are configured on the access point, pull-down menus for each VLAN’s virtual ports appear in this section.
• If VLANs are not configured on the access point, pull-down menus for each interface appear.
14. Click Apply at the bottom of the page to apply the policies to the access point ports.
Using Wi-Fi Multimedia Mode
When you enable QoS, the access point uses Wi-Fi Multimedia (WMM) mode by default. WMM provides these enhancements over basic QoS mode:
• The access point adds each packet’s class of service to the packet’s 802.11 header to be passed to the receiving station.
• Each access class has its own 802.11 sequence number.
Configuring QoS
QoS is disabled by default (however, the radio interface always honors tagged 802.1P packets even when you have not configured a QoS policy). This section describes how to configure QoS on your access point.
Configuration Guidelines
Before configuring QoS on your access point, be aware of this information:
• The most important guideline in QoS deployment is to be familiar with the traffic on your wireless LAN.
The QoS Policies page appears.
Figure 112 - QoS Policies Page
4. With selected in the Create/Edit Policy field, type a name for the QoS policy in the Policy Name entry field. The name can contain up to 25 alphanumeric characters. Don’t include spaces in the policy name.
TIP You can also select two preconfigured QoS policies: WMM and Spectralink. When you select either of these, a set of default classifications is automatically populated in the Classification field.
5.
Settings in the Apply Class of Service menu include:
• Best Effort (0)
• Background (1)
• Spare (2)
• Excellent (3)
• Control Lead (4)
• Video <100 ms Latency (5)
• Voice <100 ms Latency (6)
• Network Control (7)
7. Click Add beside the Class of Service menu for IP Precedence. The classification appears in the Classifications field. To delete a classification, select it and click Delete beside the Classifications field.
8.
The access point matches your IP DSCP selection with your class of service selection.
10. Click Add beside the Class of Service menu for IP DSCP. The classification appears in the Classifications field.
11. If you need to prioritize the packets from Spectralink phones (IP Protocol 119) on your wireless LAN, use the Apply Class of Service pull-down menu.
12. Choose the class of service that the access point applies to the Spectralink phone packets.
18. When you finish adding classifications to the policy, click Apply under the Apply Class of Service pull-down menus.
• To cancel the policy and reset all fields to defaults, click Cancel under the Apply Class of Service pull-down menus.
• To delete the entire policy, click Delete under the Apply Class of Service pull-down menus.
Use the Apply Policies to Interface/VLANs pull-down menus to apply policies to the access point Ethernet and radio ports.
IGMP Snooping
When Internet Group Membership Protocol (IGMP) snooping is enabled on a switch and a client roams from one access point to another, the client’s multicast session is dropped. When the access point’s IGMP snooping helper is enabled, the access point sends a general query to the wireless LAN, prompting the client to send an IGMP membership report.
This is used to rate-limit the upstream traffic originating from each of the non-root bridges to the root bridge in case of a P2MP setup. To do rate-limiting on downstream traffic, class maps are applied at the root-side router/switch.
IMPORTANT Rate-limiting can be applied only to Ethernet ingress.
Adjusting Radio Access Categories
The access point uses the radio access categories to calculate backoff times for each packet. As a rule, high-priority packets have short backoff times.
This figure shows the Radio Access Categories page. Dual-radio access points have a Radio Access Categories page for each radio.
Figure 114 - Radio Access Categories Page
IMPORTANT In this release, clients are blocked from using an access category when you select Enable for Admission Control.
For information on other keywords for the show spanning-tree privileged EXEC command, see publication Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges.
IMPORTANT The above rates work fine for Cisco phones. Third-party wireless phones can have a different nominal rate or minimum PHY rate. You need to enable additional nominal rates for these phones.
5. To use the video access category (AC = 2) for signaling, check Admission Control under Video (CoS 4-5).
IMPORTANT The admission control settings that you have configured do not take effect until you enable admission control on an SSID.
Enabling Admission Control
Follow these steps to enable admission control on an SSID:
1. Open the SSID Manager page.
2. Select an SSID.
3. Under General Settings, select Enable in the Call Admission Control field.
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Chapter 17 Configuring Filters
This chapter describes how to configure and manage MAC address, IP, and Ethertype filters on the access point by using the web browser interface.
Topic / Page
Understanding Filters 477
Configuring Filters by Using CLI Commands 478
Configuring Filters by Using Stratix 5100 Device Manager 480
Understanding Filters
Protocol filters (IP protocol, IP port, and Ethertype) prevent or allow the use of specific protocols through the access point’s Ethernet and radio ports.
Configuring Filters by Using CLI Commands
To configure filters by using CLI commands, you use access control lists (ACLs) and bridge groups. You can find explanations of these concepts and instructions for implementing them in these documents:
• Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.4.
• Catalyst 4908G-L3 Cisco IOS Release 12.0(10)W5(18e) Software Feature and Configuration Guide.
6. Create an ACL. For this example, 101:
AP# ip access-list extended 101
AP# permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range Test
IMPORTANT This ACL permits Telnet traffic to and from the network for the specified time range Test. It also permits a Telnet session to the AP on weekdays.
7. Apply the time-based ACL to the Ethernet interface:
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.
Configuring Filters by Using Stratix 5100 Device Manager
This section describes how to configure and manage MAC address, IP, and Ethertype filters on the access point by using the web-browser interface, Stratix 5100 Device Manager. Protocol filters (IP protocol, IP port, and Ethertype) prevent or allow the use of specific protocols through the access point’s Ethernet and radio ports. You can set up individual protocol filters or sets of filters.
Configuring and Enabling MAC Address Filters
MAC address filters allow or disallow the forwarding of unicast and multicast packets addressed to specific MAC addresses. You can create a filter that passes traffic to all MAC addresses except those you specify, or you can create a filter that blocks traffic to all MAC addresses except those you specify.
To edit a filter, select the filter number from the Create/Edit Filter Index menu.
4. In the Filter Index field, name the filter with a number from 700…799. The number you assign creates an access control list (ACL) for the filter.
5. Enter a MAC address in the Add MAC Address field. Enter the address with periods separating the three groups of four characters, for example, 0040.9612.3456.
7. From the Action pull-down menu, choose Forward or Block.
8. Click Add. The MAC address appears in the Filters Classes field. To remove the MAC address from the Filters Classes list, select it and click Delete Class.
9. Repeat step 5 through step 8 to add addresses to the filter.
10. From the Default Action menu, choose Forward All or Block All. The default action of the filter must be the opposite of the action for at least one of the addresses in the filter.
13. From one of the MAC pull-down menus, select the filter number. You can apply the filter to either or both the Ethernet and radio ports, and to either or both incoming and outgoing packets.
14. Click Apply. The filter is enabled on the selected ports. If clients are not filtered immediately, click Reload on the System Configuration page to restart the access point.
For MAC addresses that you want to allow to associate, choose Forward from the Action menu. Select Block for addresses that you want to prevent from associating. Select Block All from the Default Action menu.
2. From the main menu, click Security. This figure shows the Security Summary page.
Figure 115 - Security Summary Page
3. Click Advanced Security.
4. Click the Association Access List tab.
Figure 117 - Association Access List Page
5. Select your MAC address ACL from the pull-down menu.
6. Click Apply.
Configuring and Enabling IP Filters
IP filters (IP address, IP protocol, and IP port) prevent or allow the use of specific protocols through the access point’s Ethernet and radio ports. IP address filters allow or disallow the forwarding of unicast and multicast packets addressed to specific IP addresses.
5. From the Default Action pull-down menu, select Forward all or Block all.
• The filter’s default action must be the opposite of the action for at least one of the addresses in the filter.
• For example, if you create a filter containing an IP address, an IP protocol, and an IP port and you choose Block as the action for all of them, you must choose Forward All as the filter’s default action.
Filter an IP address
Follow these steps to filter an IP Address.
1.
3. From the Action pull-down menu, select Forward or Block and click Add.
• The address appears in the Filters Classes field.
• To remove the address from the Filters Classes list, select it and click Delete Class.
4. Repeat step 1 through step 3 to add addresses to the filter. If you do not need to add IP protocol or IP port elements to the filter, click Apply.
5. From the IP Protocol pull-down menu, select one of the common protocols to filter an IP protocol.
6.
8. Repeat step 5 through step 7 to add protocols to the filter.
9. If you do not need to add IP port elements to the filter, skip to step 6 to save the filter on the access point.
Filter a TCP or UDP Port Number
Follow these steps to filter a TCP or UDP port number.
1. From the TCP Port or UDP Port pull-down menus, select one of the common port protocols or select Custom and enter the number of an existing port in one of the Custom fields.
2.
• To remove the port from the Filters Classes list, select it and click Delete Class.
5. Repeat step 1 through step 4 to add ports to the filter.
6. When the filter is complete, click Apply.
IMPORTANT The filter is saved on the access point, but it is not enabled until you apply it on the Apply Filters page.
7. Click the Apply Filters tab.
8. From one of the IP pull-down menus, select the filter name.
Figure 118 - IP Filters Page
Creating an IP Filter
Follow these steps to create an IP filter:
1. If you are creating a new filter, make sure (the default) is selected in the Create/Edit Filter Name menu. To edit an existing filter, select the filter name.
2. Enter a descriptive name for the new filter in the Filter Name field.
3. From the Default Action pull-down, select Forward all or Block all.
4. To filter an IP address, enter an address in the IP Address field.
IMPORTANT If you plan to block traffic to all IP addresses except those you specify as allowed, put the address of your computer in the list of allowed addresses to avoid losing connectivity to the access point.
5. Type the mask for the IP address in the Mask field. Enter the mask with periods separating the groups of characters, for example, 112.334.556.778. If you enter 255.255.255.
13. Click Add. The protocol appears in the Filters Classes field. To remove the protocol from the Filters Classes list, select it and click Delete Class.
14. When the filter is complete, click Apply. The filter is saved on the access point, but it is not enabled until you apply it on the Apply Filters page.
15. Click the Apply Filters tab to return to the Apply Filters page. Figure 119 on page 496 shows the Apply Filters page.
Figure 119 - Apply Filters Page
16.
Figure 120 - Ethertype Filters Page
Follow these steps to go to the Ethertype Filters page:
1. From the main menu, click Services.
2. In the Services page list, click Filters.
3. On the Apply Filters page, click the Ethertype Filters tab.
Creating an Ethertype Filter
Follow these steps to create an Ethertype filter:
1. Follow the link path to the Ethertype Filters page.
2.
5. Enter the mask for the Ethertype in the Mask field. If you enter 0, the mask requires an exact match of the Ethertype.
6. From the Action menu, select Forward or Block.
7. Click Add. The Ethertype appears in the Filters Classes field. To remove the Ethertype from the Filters Classes list, select it and click Delete Class. Repeat step 4 through step 7 to add Ethertypes to the filter.
8.
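The MAC, IP and Ethertype filters in this chapter share one model: a list of classes, each with a Forward or Block action, plus a default action that must be the opposite of at least one class. The following Python is an added example, not code from the manual or from the Stratix 5100 firmware, that models that decision logic so a filter can be checked before it is applied. Two assumptions are labelled: the first matching class wins, and the IP and Ethertype masks use ACL wildcard semantics (a 1 bit is ignored, so a mask of 0 means exact match, as the Ethertype step above states and as the SNMP chapter describes for source-wildcard). It also implements the lockout check the IMPORTANT note above warns about: a Block-all default whose allowed list does not include the administrator's own address.

```python
"""Model of a Forward/Block filter with classes and a default action (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FORWARD, BLOCK = "Forward", "Block"


def normalize_mac(mac: str) -> str:
    """Accept 0040.9612.3456 or 00:40:96:12:34:56 and return the dotted form the manual uses."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def wildcard_match(value: int, pattern: int, mask: int, width: int) -> bool:
    """Assumed wildcard semantics: 1 bits in the mask are ignored; mask 0 is an exact match."""
    care = ~mask & ((1 << width) - 1)
    return (value & care) == (pattern & care)


@dataclass
class Filter:
    name: str
    default_action: str
    # (kind, key, mask, action); kind is "mac", "ip" or "ethertype"
    classes: List[Tuple[str, int, Optional[int], str]] = field(default_factory=list)

    def add_mac(self, mac: str, action: str) -> None:
        self.classes.append(("mac", int(normalize_mac(mac).replace(".", ""), 16), None, action))

    def add_ip(self, addr: str, mask: str, action: str) -> None:
        self.classes.append(("ip", int(ipaddress.IPv4Address(addr)),
                             int(ipaddress.IPv4Address(mask)), action))

    def add_ethertype(self, ethertype: int, mask: int, action: str) -> None:
        self.classes.append(("ethertype", ethertype, mask, action))

    def validate(self) -> bool:
        """Manual's rule: the default action must be the opposite of at least one class."""
        if not self.classes:
            raise ValueError(f"filter {self.name}: no classes defined")
        if all(action == self.default_action for *_, action in self.classes):
            raise ValueError(f"filter {self.name}: default action {self.default_action} "
                             "equals every class action; the filter would do nothing")
        return True

    def decide(self, *, mac: str = None, ip: str = None, ethertype: int = None) -> str:
        """First matching class decides (assumption); otherwise the default action applies."""
        for kind, key, mask, action in self.classes:
            if kind == "mac" and mac is not None:
                if int(normalize_mac(mac).replace(".", ""), 16) == key:
                    return action
            elif kind == "ip" and ip is not None:
                if wildcard_match(int(ipaddress.IPv4Address(ip)), key, mask, 32):
                    return action
            elif kind == "ethertype" and ethertype is not None:
                if wildcard_match(ethertype, key, mask, 16):
                    return action
        return self.default_action

    def admin_locked_out(self, admin_ip: str) -> bool:
        """The lockout the manual warns about: Block-all default without the admin host allowed."""
        return self.default_action == BLOCK and self.decide(ip=admin_ip) == BLOCK


if __name__ == "__main__":
    # Constructed example: allow only the 10.1.1.0/24 management network.
    mgmt = Filter("mgmt-only", BLOCK)
    mgmt.add_ip("10.1.1.0", "0.0.0.255", FORWARD)
    mgmt.validate()
    print("10.1.1.77 ->", mgmt.decide(ip="10.1.1.77"))
    print("admin at 192.168.5.5 locked out:", mgmt.admin_locked_out("192.168.5.5"))
```

Run `validate()` and `admin_locked_out()` against the administrator's workstation address before applying a filter to the Ethernet port; the firmware only saves the filter on Apply and enforces it once it is bound on the Apply Filters page, so this is the moment to catch a self-lockout.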
Chapter 18 Configuring CDP
This chapter describes how to configure Cisco Discovery Protocol (CDP) on your access point. If you are not going to use CDP, we recommend that you turn the feature off.
IMPORTANT For complete syntax and usage information for the commands used in this chapter, see these publications:
• Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges
• Cisco IOS Configuration Fundamentals Command Reference for Release 12.
Configuring CDP
This section contains CDP configuration information and procedures:
Default CDP Configuration
This table lists the default CDP settings.
AP# show cdp
Global CDP information:
Sending a holdtime value of 120 seconds
Sending CDP packets every 50 seconds
For additional CDP show commands, see Monitoring and Maintaining CDP on page 503.
Disabling and Enabling CDP
CDP is enabled by default. Beginning in privileged EXEC mode, follow these steps to disable the CDP device discovery capability.
1. Enter global configuration mode.
configure terminal
2. Disable CDP.
no cdp run
3. Return to privileged EXEC mode.
Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface:
1. Enter global configuration mode.
configure terminal
2. Enter interface configuration mode, and enter the interface on which you are disabling CDP.
interface interface-id
3. Disable CDP on the interface.
no cdp enable
4. Return to privileged EXEC mode.
end
5. (Optional) Save your entries in the configuration file.
Monitoring and Maintaining CDP
To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.
Command / Description
clear cdp counters / Reset the traffic counters to zero.
clear cdp table / Delete the CDP table of information about neighbors.
show cdp
show cdp entry entry-name [protocol | version]
show cdp interface [type number]
show cdp neighbors [type number] [detail]
show cdp traffic
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Fri 06-Jul-01 18:18 by jang
advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010221FF00000000000000024B293A00FF0000
VTP Management Domain: ''
Duplex: full
-------------------------
Device ID: idf2-1-lab-l3.cisco.com
Entry address(es):
IP address: 10.1.1.
IP address: 172.20.135.202
Protocol information for tstswitch2 :
IP address: 172.20.135.204
IP address: 172.20.135.
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
AP# show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID   Local Interface   Holdtme   Capability   Platform     Port ID
Perdido2    Gig 0/6           125       R S I        WS-C3550-1   Gig 0/6
Perdido2    Gig 0/5           125       R S I        WS-C3550-1   Gig 0/5
AP# show cdp traffic
CDP counters :
Total packets output: 50882, Input: 52510
Hdr syntax: 0, Chksum error: 0, Encaps
Chapter 19 Configuring SNMP
This chapter describes how to configure the Simple Network Management Protocol (SNMP) on your access point. For complete syntax and usage information for the commands used in this chapter, see these publications:
• Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges
• Cisco IOS Configuration Fundamentals Command Reference for Release 12.3.
SNMP Versions
This software release supports these SNMP versions:
• SNMPv1—The Simple Network Management Protocol, a full Internet standard, defined in RFC 1157.
• SNMPv2C has these features:
– SNMPv2—Version 2 of the Simple Network Management Protocol, a draft Internet standard, defined in RFCs 1902…1907.
– SNMPv2C—The Community-based Administrative Framework for SNMPv2, an experimental Internet protocol defined in RFC 1901.
SNMP Manager Functions
The SNMP manager uses information in the MIB to perform the operations described in this table.
Table 110 - SNMP Operations
Operation / Description
get-request / Retrieves a value from a specific variable.
get-next-request / Retrieves a value from a variable within a table.(2)
get-bulk-request(1) / Retrieves large blocks of data that would otherwise require the transmission of many small blocks of data, such as multiple rows in a table.
SNMP Community Strings
SNMP community strings authenticate access to MIB objects and function as embedded passwords. For the NMS to access the access point, the community string definitions on the NMS must match at least one of the three community string definitions on the access point.
Default SNMP Configuration
This table shows the default SNMP configuration.
Feature / Default Setting
SNMP agent / Disabled
SNMP community strings / No strings are configured by default. However, when you enable SNMP by using the web browser interface, the access point automatically creates the public community with read-only access to the IEEE802dot11 MIB.
• Read and write or read-only permission for the MIB objects accessible to the community
TIP In the current Cisco IOS MIB agent implementation, the default community string is for the Internet MIB object sub-tree. Because IEEE802dot11 is under another branch of the MIB object tree, you must enable either a separate community string and view on the IEEE802dot11 MIB or a common view and community string on the ISO object in the MIB object tree.
• For source, enter the IP address of the SNMP managers that are permitted to use the community string to gain access to the agent.
• (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place ones in the bit positions that you want to ignore.
4. Recall that the access list is always terminated by an implicit deny statement for everything.
access-list access-list-number {deny | permit} source [source-wildcard]
5.
Configuring SNMP-Server Hosts
To configure the recipient of an SNMP trap operation, use the following command in global configuration mode:
snmp-server host host [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
Configuring SNMP-Server Users
To add a new user to an SNMP group, use the following command in global configuration mode:
snmp-server user username [groupname remote ipaddress [udp-port port] {v1
Some notification types cannot be controlled with the snmp-server enable global configuration command, such as udp-port. These notification types are always enabled. You can use the snmp-server host global configuration command to configure a specific host to receive the notification types listed in Table 111 on page 514.
Beginning in privileged EXEC mode, follow these steps to configure the access point to send traps to a host:
1. Enter global configuration mode.
configure terminal
2.
5. Verify your entries.
show running-config
6. (Optional) Save your entries in the configuration file.
copy running-config startup-config
To remove the specified host from receiving traps, use the no snmp-server host global configuration command. To disable a specific trap type, use the no snmp-server enable traps notification-types global configuration command.
Using the snmp-server view Command
In global configuration mode, use the snmp-server view command to access Standard IEEE 802.11 MIB objects through IEEE view and the dot11 read-write community string. This example shows how to enable IEEE view and dot11 read-write community string:
AP(config)# snmp-server view ieee ieee802dot11 included
AP(config)# snmp-server community dot11 view ieee RW
SNMP Examples
This example shows how to enable SNMPv1, SNMPv2C, and SNMPv3.
This example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com by using the community string public.
AP(config)# snmp-server community comaccess ro 4
AP(config)# snmp-server enable traps snmp authentication
AP(config)# snmp-server host cisco.
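Two hardening points from this chapter and the CDP chapter are easy to verify from a saved running-config: CDP should be off (no cdp run, or no cdp enable on every interface) when it is not used, and every snmp-server community line should be bound to an access list, as the comaccess example above is, with no leftover public string from the web-interface default. The following Python is an added example, not code from the manual, that parses a running-config excerpt and reports those findings. The sample configuration is constructed for the example; the parser assumes IOS conventions that running-config shows `no cdp run` only when CDP is globally disabled, and that a community line reads `snmp-server community <string> [view <view>] [ro|rw] [access-list]`, which matches both forms shown on this page.

```python
"""Audit an IOS-style running-config for CDP exposure and unbound SNMP communities (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample running-config excerpt; not from the manual.
SAMPLE_CONFIG = """\
hostname AP
!
interface Dot11Radio0
 no cdp enable
!
interface GigabitEthernet0
!
snmp-server community public RO
snmp-server community comaccess ro 4
snmp-server community dot11 view ieee RW
snmp-server enable traps snmp authentication
"""

COMMUNITY_RE = re.compile(r"^snmp-server community\s+(.+)$")


def cdp_globally_enabled(config: str) -> bool:
    """CDP is on by default; IOS only emits 'no cdp run' when it has been disabled."""
    return not any(line.strip() == "no cdp run" for line in config.splitlines())


def cdp_enabled_interfaces(config: str) -> List[str]:
    """Interfaces still advertising CDP: every interface stanza lacking 'no cdp enable'."""
    if not cdp_globally_enabled(config):
        return []
    enabled, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            enabled.append(current)
        elif current and line.strip() == "no cdp enable":
            enabled.remove(current)
        elif line and not line.startswith(" ") and not line.startswith("interface "):
            current = None  # left the interface stanza
    return enabled


def parse_communities(config: str) -> List[Dict[str, str]]:
    """Return name, view, mode (ro/rw) and bound ACL for each snmp-server community line."""
    result = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group(1).split()
        entry = {"name": tokens[0], "view": "", "mode": "ro", "acl": ""}
        rest = tokens[1:]
        if "view" in rest:
            i = rest.index("view")
            entry["view"] = rest[i + 1]
            del rest[i:i + 2]
        if rest and rest[0].lower() in ("ro", "rw"):
            entry["mode"] = rest.pop(0).lower()
        if rest:
            entry["acl"] = rest[0]
        result.append(entry)
    return result


def audit_config(config: str) -> List[Tuple[str, str]]:
    """Findings as (check, detail) pairs; an empty list means nothing flagged."""
    findings = []
    if cdp_globally_enabled(config):
        ifaces = cdp_enabled_interfaces(config)
        findings.append(("cdp-global", "CDP enabled globally; advertising on: " + ", ".join(ifaces)))
    for c in parse_communities(config):
        if c["name"] == "public":
            findings.append(("default-community", "well-known community 'public' is configured"))
        if not c["acl"]:
            findings.append(("community-no-acl",
                             f"community {c['name']} ({c['mode']}) accepts any manager address"))
    return findings


if __name__ == "__main__":
    for check, detail in audit_config(SAMPLE_CONFIG):
        print(f"{check}: {detail}")
```

A clean result is the manual's recommended end state: `no cdp run` when CDP is unused, and each community bound to an access list as in the comaccess example, which the audit leaves unflagged.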
AP(config)# snmp-server view iso iso included
AP(config)# snmp-server engineID remote 1.4.74.
Chapter 20 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode
This chapter describes how to configure your access point as a repeater, as a hot standby unit, or as a workgroup bridge.
To set up repeaters, you must enable Aironet extensions on both the parent (root) access point and the repeater access points. Aironet extensions are enabled by default. This improves the access point's ability to understand the capabilities of Cisco Aironet client devices associated with the access point.
Configuring a Repeater Access Point
This section provides instructions for setting up an access point as a repeater.
Default Configuration
Access points are configured as root units by default. This table shows the default values for settings that control the access point’s role in the wireless LAN.
Setting Up a Repeater
Beginning in privileged EXEC mode, follow these steps to configure an access point as a repeater:
1. Enter global configuration mode.
configure terminal
2. Enter interface configuration mode for the radio interface.
– The 2.4 GHz radio and the 2.4 GHz 802.11n radio are radio 0.
– The 5 GHz radio and the 5 GHz 802.11n radio are radio 1.
interface dot11radio { 0 | 1 }
3.
(Optional) You can also enter a timeout value in seconds that determines how long the repeater attempts to associate to a parent access point before trying the next parent in the list. Enter a timeout value from 0 to 65535 seconds.
parent {1-4} mac-address [timeout]
9. Return to privileged EXEC mode.
end
10. (Optional) Save your entries in the configuration file.
2. Enter interface configuration mode for the radio interface.
– The 2.4 GHz radio and the 2.4 GHz 802.11n radio are radio 0.
– The 5 GHz radio and the 5 GHz 802.11n radio are radio 1.
interface dot11radio { 0 | 1 }
3. Establish the time in seconds that the antenna alignment test runs before timing out. The default is 5 seconds.
Setting Up a Repeater as a LEAP Client
You can set up a repeater access point to authenticate to your network like other wireless client devices. After you provide a network username and password for the repeater access point, it authenticates to your network by using LEAP, Cisco's wireless authentication method, and receives and uses dynamic WEP keys. Setting up a repeater as a LEAP client requires three major steps:
1.
5. Configure the username and password that the repeater uses when it performs LEAP authentication. This username and password must match the username and password that you set up for the repeater on the authentication server.
authentication client username username password password
6. (Optional) Designate the SSID as the SSID that other access points and workgroup bridges use to associate to this access point.
6. Designate the SSID as the SSID that the repeater uses to associate to other access points.
infrastructure ssid
7. Enter a pre-shared key for the repeater. Enter the key by using either hexadecimal or ASCII characters. If you use hexadecimal, you must enter 64 hexadecimal characters to complete the 256-bit key. If you use ASCII, you must enter from 8…63 ASCII characters, and the access point expands the key for you.
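The two input forms in step 7 (exactly 64 hex characters, or an 8…63 character ASCII passphrase that the access point "expands") are the standard WPA pre-shared key rules: the hex form is the 256-bit PSK itself, and the ASCII form is stretched into that PSK with PBKDF2-HMAC-SHA1 using the SSID as salt and 4096 iterations, which is why the same passphrase gives a different key on every SSID. The manual does not spell out that mapping; the following Python is an added example, not code from the manual, that validates input the way step 7 describes and derives the 256-bit key with Python's standard library. The test vector used in the usage block (passphrase "password" on SSID "IEEE") is the published 802.11i example.

```python
"""Validate a WPA pre-shared key entry and derive the 256-bit PSK (added example)."""
import hashlib
import re

HEX_KEY_RE = re.compile(r"[0-9a-fA-F]{64}")


def is_ascii_passphrase(key: str) -> bool:
    """Step 7 rule: 8..63 characters; WPA limits them to printable ASCII (0x20..0x7E)."""
    return 8 <= len(key) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in key)


def derive_psk(key: str, ssid: str) -> bytes:
    """Return the 32-byte PSK for either entry form, or raise ValueError for invalid input."""
    key = key.strip()
    if HEX_KEY_RE.fullmatch(key):
        return bytes.fromhex(key)          # already the 256-bit key
    if is_ascii_passphrase(key):
        # 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes
        return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid.encode("utf-8"), 4096, 32)
    raise ValueError("key must be exactly 64 hex characters or 8..63 printable ASCII characters")


def psk_hex(key: str, ssid: str) -> str:
    """Convenience wrapper: the 64-hex-character form you could paste back into step 7."""
    return derive_psk(key, ssid).hex()


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print(psk_hex("password", "IEEE"))
    # Same passphrase, different SSID -> different PSK (the SSID is the salt).
    print(psk_hex("password", "IEEE") == psk_hex("password", "ieee"))
```

Because the hex form is the final key, anyone who reads it from a configuration backup holds the PSK directly; treat both forms as secrets and prefer the LEAP client setup described above where dynamic keys are available.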
The MAC address of the monitored access point can change if a BSSID on the monitored unit is added or deleted. If you use multiple BSSIDs on your wireless LAN, check the status of the standby unit when you add or delete BSSIDs on the monitored access point. If necessary, reconfigure the standby unit to use the BSSID’s new MAC address.
The table below lists the possible status values of the standby access point.
Configuring a Hot Standby Access Point by Using CLI
Message / Description
IAPP Standby is Disabled / The access point is not configured for standby mode.
IAPP - AP is in standby mode / The access point is in standby mode.
TIP To quickly duplicate the monitored access point’s settings on the standby access point, save the monitored access point configuration and load it on the standby access point.
Beginning in privileged EXEC mode, follow these steps to enable hot standby mode on an access point:
1. Enter global configuration mode.
configure terminal
2.
6. If the monitored access point is configured to require LEAP authentication, configure the username and password that the standby access point uses when it performs LEAP authentication. This username and password must match the username and password that you set up for the standby access point on the authentication server.
authentication client username username password password
7.
13. (Optional) Save your entries in the configuration file.
copy running-config startup-config
After you enable standby mode, configure the settings that you recorded from the monitored access point to match on the standby access point.
Verifying Standby Operation
Use this command to check the status of the standby access point:
show iapp standby-status
This command provides the status of the standby access point.
Understanding Workgroup Bridge Mode
You can configure the Stratix 5100 access point as a workgroup bridge. In workgroup bridge mode, the unit associates to another access point as a client and provides a network connection for the devices connected to its Ethernet port.
This figure shows an access point in workgroup bridge mode.
Treating Workgroup Bridges as Infrastructure Devices or as Client Devices
The access point that a workgroup bridge associates to can treat the workgroup bridge as an infrastructure device or as a simple client device. By default, access points and bridges treat workgroup bridges as client devices.
Configuring a Workgroup Bridge for Roaming
If your workgroup bridge is mobile, you can configure it to scan for a better radio connection to a parent access point or bridge.
ap(config-if)#end
ap#
Use the no mobile station scan command to restore scanning to all the channels.
Ignoring the CCX Neighbor List
In addition, the workgroup bridge updates its known channel list by using CCX reports such as the AP Adjacent report or Enhanced Neighbor List report.
Workgroup Bridge VLAN Tagging
The Workgroup-Bridge (WGB) VLAN tagging feature enables segregation of VLAN traffic based on the VLAN numbers for the Unified WGB solution. When this feature is enabled, the WGB removes the 802.1q header while sending the packet from a VLAN client to the wireless LAN controller (WLC). The WGB gets the packet to a VLAN client without the 802.1q header, and the WGB code has to be modified to add the 802.
6. (Optional) If the parent access point is configured to require LEAP authentication, configure the username and password that the workgroup bridge uses when it performs LEAP authentication. This username and password must match the username and password that you set up for the workgroup bridge on the authentication server.
authentication client username username password password
7.
This example shows how to configure an access point as a workgroup bridge.
Guidelines for Using Workgroup Bridges in a Lightweight Environment
Follow these guidelines for using workgroup bridges on your lightweight network:
• The workgroup bridge can be any autonomous access point that supports the workgroup bridge mode and is running Cisco IOS Release JA or greater (on 32-MB access points).
TIP If your access point has two radios, you can configure only one for workgroup bridge mode.
• In a mesh network, a workgroup bridge can associate to any mesh access point, regardless of whether it acts as a root access point or a mesh access point.

• Wired clients connected to the workgroup bridge are not authenticated for security. Instead, the workgroup bridge is authenticated against the access point to which it associates.
Sample Workgroup Bridge Configuration

Here is a sample configuration of a workgroup bridge access point by using static WEP with a 40-bit WEP key:

ap#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Enabling VideoStream Support on Workgroup Bridges

VideoStream improves the reliability of an IP multicast stream by converting the multicast frame, over the air, to a unicast frame. Cisco IOS Releases 15.2(2)JA and later provide VideoStream support for wired devices connected to workgroup bridges. For access points running release 15.
Chapter 21 Configuring System Message Logging

This chapter describes how to configure system message logging on your access point.
You can set the severity level of the messages to control the type of messages displayed on the console and each of the destinations. You can timestamp log messages or set the syslog source address to enhance real-time debugging and management. You can access logged system messages by using the access point command-line interface (CLI) or by saving them to a properly configured syslog server.
00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from co
Beginning in privileged EXEC mode, follow these steps to disable message logging:

1. Enter global configuration mode.

   configure terminal

2. Disable message logging.

   no logging on

3. Return to privileged EXEC mode.

   end

4. Verify your entries.

   show running-config or show logging

5. (Optional) Save your entries in the configuration file.
Setting the Message Display Destination Device

If message logging is enabled, you can send messages to specific locations in addition to the console. Beginning in privileged EXEC mode, use one or more of the following commands to specify the locations that receive messages:

1. Enter global configuration mode.

   configure terminal

Log messages to an internal buffer. The default buffer size is 4096. The range is 4096…2147483647 bytes.
The logging buffered global configuration command copies logging messages to an internal buffer. The buffer is circular, so newer messages overwrite older messages after the buffer is full.

• To display the messages that are logged in the buffer, use the show logging privileged EXEC command. The first message displayed is the oldest message in the buffer.
• To clear the contents of the buffer, use the clear logging privileged EXEC command.
• To disable timestamps for both debug and log messages, use the no service timestamps global configuration command.
• This example shows part of a logging display with the service timestamps log datetime global configuration command enabled:

*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.
Defining the Message Severity Level

You can limit the messages displayed to the selected device by specifying the severity level of the messages, as described in Table 115 on page 555. Specifying a level causes messages at that level and at numerically lower levels to be displayed at the destination.

Beginning in privileged EXEC mode, follow these steps to define the message severity level:

1. Enter global configuration mode.

   configure terminal

2.
• To disable logging to a terminal other than the console, use the no logging monitor global configuration command.
• To disable logging to syslog servers, use the no logging trap global configuration command.

This table describes the level keywords. It also lists the corresponding UNIX syslog definitions, from the most severe level to the least severe level.
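The message header and severity filter described above, as an added example that is not from the manual: a Python parser for the %FACILITY-SEVERITY-MNEMONIC header in the two timestamp styles this chapter shows, applying the rule that a destination receives its configured level and all numerically lower levels. The level-keyword table is the standard Cisco IOS mapping (the manual's Table 115 is not reproduced here); the sample lines, the address and the firmware name in them are constructed.

```python
"""Parser and destination filter for Cisco IOS system messages.

Added example, not part of the Stratix 5100 manual. Handles the uptime
("00:00:46:") and "service timestamps log datetime" ("*Mar  1 18:46:11:")
styles and the %FACILITY-SEVERITY-MNEMONIC header, then applies the rule
that a destination set to a level receives that level and every
numerically lower (more severe) level.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Level keyword -> numeric severity: the standard Cisco IOS mapping, which
# matches the UNIX syslog levels (0 = most severe, 7 = least severe).
SEVERITY_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
SEVERITY_KEYWORDS = {num: kw for kw, num in SEVERITY_LEVELS.items()}

# Optional timestamp ("*Mar  1 18:48:50.483 UTC:" or "00:00:46:"), then the
# %FACILITY-SEVERITY-MNEMONIC: header and the free text of the message.
_MSG_RE = re.compile(
    r"^(?:(?P<ts>\*?[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:\s+[A-Z]+)?"
    r"|\d{2}:\d{2}:\d{2})\s*:\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
    r"\s*(?P<text>.*)$"
)


@dataclass
class IosMessage:
    timestamp: Optional[str]   # None when timestamps are disabled on the AP
    facility: str              # e.g. SYS, LINK, DOT11
    severity: int              # 0..7
    mnemonic: str              # e.g. CONFIG_I, UPDOWN
    text: str

    @property
    def level_keyword(self) -> str:
        """IOS level keyword for this message's numeric severity."""
        return SEVERITY_KEYWORDS[self.severity]


def parse_message(line: str) -> Optional[IosMessage]:
    """Parse one line of show logging / syslog output; None if not an IOS message."""
    m = _MSG_RE.match(line.strip())
    if m is None:
        return None
    return IosMessage(m["ts"], m["facility"], int(m["severity"]),
                      m["mnemonic"], m["text"])


def passes_level(msg: IosMessage, level: str) -> bool:
    """True if a destination set to `level` (e.g. logging trap warnings)
    receives msg: the configured level and every numerically lower one."""
    return msg.severity <= SEVERITY_LEVELS[level]


def filter_for_destination(lines: Iterable[str], level: str) -> List[IosMessage]:
    """Apply a destination's level filter to raw lines; non-messages are skipped."""
    return [msg for msg in map(parse_message, lines)
            if msg is not None and passes_level(msg, level)]


# Configuration changes are logged at level 5 (notifications); a trap level
# of warnings or stricter silently drops them, so pick them out explicitly.
CONFIG_CHANGE_MNEMONICS = {("SYS", "CONFIG_I")}


def config_change_events(lines: Iterable[str]) -> List[IosMessage]:
    """Return the configuration-change messages regardless of trap level."""
    return [msg for msg in map(parse_message, lines)
            if msg is not None and (msg.facility, msg.mnemonic) in CONFIG_CHANGE_MNEMONICS]


# Constructed sample lines following the formats shown in this chapter
# (the address and firmware name are placeholders, not from the manual).
SAMPLE_LOG = [
    "00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up",
    "00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down",
    "*Mar  1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (192.0.2.10)",
    "*Mar  1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (192.0.2.10)",
    "%DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (placeholder)",
    "ap#show logging",   # a CLI prompt echo, not a system message
]

if __name__ == "__main__":
    for level in ("errors", "warnings", "notifications"):
        kept = filter_for_destination(SAMPLE_LOG, level)
        print(f"logging trap {level}: {len(kept)} of {len(SAMPLE_LOG)} lines forwarded")
    for msg in config_change_events(SAMPLE_LOG):
        print("config change:", msg.timestamp, msg.text)
```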
Limiting Syslog Messages Sent to the History Table and to SNMP

If you have enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the access point history table. You can also change the number of messages that are stored in the history table.
When the history table is full (it contains the maximum number of message entries specified with the logging history size global configuration command), the oldest message entry is deleted from the table to allow the new message entry to be stored. To return the logging of syslog messages to the default level, use the no logging history global configuration command.
Configuring UNIX Syslog Servers

The next sections describe how to configure the 4.3 BSD UNIX server syslog daemon and define the UNIX system logging facility.

Logging Messages to a UNIX Syslog Daemon

Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server.
Configuring the UNIX System Logging Facility

When sending system log messages to an external device, you can cause the access point to identify its messages as originating from any of the UNIX syslog facilities. Beginning in privileged EXEC mode, follow these steps to configure UNIX system facility message logging:

1. Enter global configuration mode.

   configure terminal

2. Log messages to a UNIX syslog server host by entering its IP address.
This table lists the 4.3 BSD UNIX system facilities supported by the Cisco IOS software. For more information about these facilities, consult the operator’s manual for your UNIX operating system.
Chapter 22 Troubleshooting

This chapter provides troubleshooting procedures for basic problems with the wireless access point/workgroup bridge. For the most up-to-date and comprehensive troubleshooting information, see the Cisco TAC website at the following URL (select Top Issues and then select Wireless Technologies): http://www.cisco.
WEP Keys

The WEP key you use to transmit data must be set up exactly the same on the wireless device and any associated wireless devices. For example, if you set WEP Key 3 on your client adapter to 0987654321 and select it as the transmit key, you must set WEP Key 3 on the wireless device to exactly the same value. The wireless device does not need to use Key 3 as its transmit key, however.
Resetting to the Default Configuration

If you forget the password that lets you configure the wireless device, you need to completely reset the configuration.

IMPORTANT The following steps reset all configuration settings to factory defaults, including passwords, WEP keys, the IP address, and the SSID. The default username is a blank field and the password is wirelessap. It is case sensitive.
The System Configuration screen appears.

7. Click Reset to Defaults or Reset to Defaults (Except IP).
8. If you want to retain a static IP address, choose Reset to Defaults (Except IP).
9. Click Restart. The system restarts.
10. After the wireless device restarts, you must reconfigure the wireless device by using the web browser interface or CLI commands. The default username is blank and the password is wirelessap, which is case-sensitive.
flashfs[0]: flashfs fsck took 0 seconds.
...done initializing Flash.

4. Use the dir flash: command to display the contents of Flash and find the config.txt configuration file.

ap: dir flash:
Directory of flash:/
3    .rwx  223   env_vars
4    .rwx  2190  config.txt
5    .rwx  27    private.config
150  drwx  320   c350.k9w7.mx.122.13.JA

4207616 bytes available (3404800 bytes used)

5. Use the rename command to change the name of the config.txt file to config.old.
ap# del flash:config.old
Delete filename [config.old]
Delete flash:config.old [confirm]
ap#

Reloading the Access Point Image

If the wireless device has a firmware failure, you must reload the image file by using the web browser interface or by pressing and holding the MODE button for around 30 seconds. You can use the browser interface if the wireless device firmware is still fully operational and you want to upgrade the firmware image.
4. Click the System Software tab. The Summary Status page appears.
5. Click Software Upgrade. The HTTP Upgrade screen appears.
6. Browse to the image file on your PC.
7. Click Upload.

Using the TFTP Interface

The TFTP interface allows you to use a TFTP server on a network device to load the wireless device image file. Follow the instructions below to use a TFTP server:

1. Open your Internet browser. You must use Microsoft Internet Explorer (version 6.
3. Enter your username and password and press Enter.
4. Click the System Software tab.
5. Click Software Upgrade. The HTTP Upgrade screen appears.
6. Click the TFTP Upgrade tab.
7. Enter the IP address for the TFTP server in the TFTP Server field.
8. Enter the file name for the image file in the Upload New System Image Tar File field.
Using CLI

Follow the steps below to reload the wireless device image by using CLI commands. When the wireless device begins to start, you interrupt the start-up process and use boot loader commands to load an image from a TFTP server to replace the image in the access point.

TIP Your wireless device configuration is not changed when using CLI to reload the image file.

1. Start CLI by using a connection to the wireless device console port.
2.
• Directory on the TFTP server that contains the image
• Name of the image
• Destination for the image (the wireless device Flash)

Your entry can look like this example:

ap: tar -xtract tftp://192.168.130.222/images/c350k9w7-tar.122-13.JA1.tar flash:

When the display becomes full, CLI pauses and --MORE-- appears.

7. Press the spacebar to continue.

extracting info (229 bytes)
c350-k9w7-mx.122-13.JA1/ (directory) 0 (bytes)
c350-k9w7-mx.122-13.
extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_button_last_flat.gif (318 bytes)
extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_button_nth.gif (1177 bytes)
extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_leftnav_dkgreen.gif (869 bytes)
-- MORE --

TIP If you don’t press the spacebar to continue, the process eventually times out and the wireless device stops inflating the image.

8.
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Appendix A Protocol Filters

The tables in this appendix list some of the protocols that you can filter on the access point.

Topic                Page
Ethertype Protocols  573
IP Protocols         574
IP Port Protocols    574

In each table, the Protocol column lists the protocol name, the Additional Identifier column lists other names for the same protocol, and the ISO Designator column lists the numeric designator for each protocol.

Ethertype Protocols
Table 1 - Ethertype Protocols (Continued)

Protocol          Additional Identifier  ISO Designator
Telxon TXP        TXP                    0x8729
Aironet DDP       DDP                    0x872D
Enet Config Test  —                      0x9000
NetBUI            —                      0xF0F0

IP Protocols

Protocol                            Additional Identifier  ISO Designator
dummy                               —                      0
Internet Control Message Protocol   ICMP                   1
Internet Group Management Protocol  IGMP                   2
Transmission Control Protocol       TCP                    6
Exterior Gateway Protocol           EGP                    8
PUP                                 —                      12
CHAOS                               —                      16
Us
Table 3 - IP Port Protocols (Continued)

Protocol                               Additional Identifier  ISO Designator
Secure Shell (22)                      ssh                    22
Telnet                                 —                      23
Simple Mail Transport Protocol (SMTP)  mail                   25
time                                   timserver              37
Resource Location Protocol             RLP                    39
IEN 116 Name Server                    name                   42
whois                                  nicname                43
Domain Name Server (DNS)               domain                 53
MTP                                    —                      57
BOOTP Server                           —                      67
BOOTP Client                           —                      68
TFTP                                   —                      69
gopher                                 —                      70
rje                                    netrjs                 77
finger                                 —                      79
Hypertext Transport Protocol (HTTP)    www                    80
ttylink                                link                   87
Kerberos v5                            Kerberos krb5
Table 3 - IP Port Protocols (Continued)

Protocol                            Additional Identifier                    ISO Designator
NETBIOS Datagram Service            netbios-dgm                              138
NETBIOS Session Service             netbios-ssn                              139
Interim Mail Access Protocol v2     Interim Mail Access Protocol, IMAP2      143
Simple Network Management Protocol  SNMP                                     161
SNMP Traps                          snmp-trap                                162
ISO CMIP Management Over IP         CMIP Management Over IP, cmip-man, CMOT  163
ISO CMIP Agent Over IP              cmip-agent                               164
X Display Manager Control Protocol  xdmcp                                    177
NeXTStep page Server                NeXTStep                                 178
B
Table 3 - IP Port Protocols (Continued)

Protocol                    Additional Identifier  ISO Designator
SUP server                  supfilesrv             871
swat for SAMBA              swat                   901
SUP debugging               supfiledbg             1127
ingreslock                  —                      1524
Prospero non-privileged     prospero-np            1525
RADIUS                      —                      1812
Concurrent Versions System  CVS                    2401
Cisco IAPP                  —                      2887
Radio Free Ethernet         RFE                    5002
Appendix B Supported MIBs

This appendix lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the access point supports for this software release. The Cisco IOS SNMP agent supports SNMPv1, SNMPv2, and SNMPv3.
• CISCO-TC-MIB
• CISCO-SYSLOG-MIB
• CISCO-WDS-INFO-MIB
• ENTITY-MIB
• IF-MIB
• OLD-CISCO-CHASSIS-MIB
• OLD-CISCO-SYS-MIB
• OLD-CISCO-SYSTEM-MIB
• OLD-CISCO-TS-MIB
• RFC1213-MIB
• RFC1398-MIB
• SNMPv2-MIB
• SNMPv2-SMI
• SNMPv2-TC

Using FTP to Access the MIB Files

Follow these steps to obtain each MIB file by using FTP:

1. Use FTP to access the server ftp.cisco.com.
2. Log in with the username: anonymous.
3. Enter your e-mail username when prompted for the password.
4.
Appendix C Error and Event Messages

This appendix lists the CLI error and event messages.

Topic                            Page
Conventions                      581
Software Auto Upgrade Messages   582
Association Management Messages  583
Unzip Messages                   583
System Log Messages              584
802.
Table 1 - Conventions for System Error Messages (Continued)

Message Component: Action Flags
Description: Internal to the code for additional action to display.
Example:
  0—No action flag
  MSG-TRACEBACK—includes traceback with message
  MSG-PROCESS—includes process information with message
  MSG-CLEAR—indicates condition had cleared
  MSG-SECURITY—indicates as security message
  MSG-NOSCAN—suppresses EEM pattern screening

Message Component: %d
Description: An integer number.
Example: 2450

Message Component: %e
Description: A MAC address.
Example: 000b.
Association Management Messages

This table explains error messages that are related to association management.

Table 3 - Association Management Messages

Message: DOT11-3-BADSTATE: “%s %s ->%s.”
Explanation: 802.11 association and management uses a table-driven state machine to keep track of and transition an association through various states. A state transition occurs when an association receives one of many possible events.
System Log Messages

This table explains the system log messages.

Table 5 - System Log Messages

Message: %DOT11-4-LOADING_RADIO: Interface [chars], loading the radio firmware ([chars])
Explanation: The radio has been stopped to load new firmware.
Recommended Action: No action is required.

Message: %LINEPROTO-5-UPDOWN: Line protocol on Interface [chars], changed state to [chars]
Explanation: The data link level line protocol has changed state.
Recommended Action: No action is required.
Table 6 - Subsystem Messages (Continued)

Message: DOT11-6-CHAN_NOT_AVAIL: “DFS configured frequency %d Mhz unavailable for %d minute(s).”
Explanation: Radar has been detected on the current channel. Dynamic Frequency Selection (DFS) regulations require no transmission for 30 seconds on the channel.
Recommended Action: None.

Message: DOT11-6-DFS_SCAN_COMPLETE: “DFS scan complete on frequency %d MHz.
Table 6 - Subsystem Messages (Continued)

Message: DOT11-2-PROCESS_INITIALIZATION_FAILED: “The background process for the radio could not be started: %s)
Explanation: The initialization process used by the indicated interface failed for some reason, possibly a transient error.
Recommended Action: Perform a reload of the access point. If this fails to rectify the problem, perform a power cycle.
Table 6 - Subsystem Messages (Continued)

Message: DOT11-2-NO_FIRMWARE: “Interface %s, no radio firmware file (%s) was found.”
Explanation: When trying to upgrade firmware, the file for the radio was not found in the flash file system, or the IOS on the access point is corrupt. The wrong image has been loaded into the unit.
Recommended Action: Locate the correct image based on the type of radio used.
Table 6 - Subsystem Messages (Continued)

Message: DOT11-7-CCKM_AUTH_FAILED: “Station %e CCKM authentication failed.”
Explanation: The indicated station failed CCKM authentication.
Recommended Action: Verify that the topology of the access points configured to use the WDS access point is functional.

Message: DOT11-4-CCMP_REPLAY: “AES-CCMP TSC replay was detected on packet (TSC 0x%11x received from &e).”
Explanation: AES-CCMP TSC replay was indicated on a frame.
Table 6 - Subsystem Messages (Continued)

Message: SOAP_FIPS-2-SELF_TEST_RAD_FAILURE: “RADIO crypto FIPS self test failed at %s on interface %s %d.”
Explanation: SOAP FIPS self test on radio crypto routine failed.
Recommended Action: Check radio image.

Message: SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: “IOS crypto FIPS self test passed.”
Explanation: SOAP FIPS self test passed.
Recommended Action: None

Message: SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: “RADIO crypto FIPS self test passed on interface %s %d.
Message: DOT1X-SHIM-3-UNSUPPORTED_KM: “Unsupported key management: %X.”
Explanation: An error occurred during the initialization of the shim layer. An unsupported key management type was found.
Recommended Action: None.

Message: DPT1X-SHIM-4-PLUMB_KEY_ERR: “Unable to plumb keys - %s.”
Explanation: An unexpected error occurred when the shim layer tried to plumb the keys.
Recommended Action: None.

Message: DOT1X-SHIM-3-PKT_TX_ERR: “Unable to tx packet -%s.
Mini IOS Messages

Message: MTS-2-PROTECT_PORT_FAILURE: An attempt to protect port [number] failed
Explanation: Initialization failed on attempting to protect port.
Recommended Action: None.

Message: MTS-2-SET_PW_FAILURE: Error %d enabling secret password.
Explanation: Initialization failed when the user attempted to enable a secret password.
Recommended Action: None

Saving this config to nvram may corrupt any network management or security files stored at the end of nvram.
LWAPP Error Messages

Message: LWAPP-3-CDP: Failure sending CDP Update to Controller. Reason “s”
Explanation: Could not send access point CDP update to controller.
Recommended Action: No action is required.

Message: LWAPP-3-CLIENTERRORLOG: “s”
Explanation: This log message indicates an LWAPP client error event. The message is logged to help in troubleshooting LWAPP access point join problems.
Recommended Action: No action is required.
SNMP Error Messages

Message: SNMP-3-AUTHFAILIPV6: Authentication failure for SNMP request from hostUnrecognized format ‘ %P’
Explanation: An SNMP request was sent by this host that was not properly authenticated.
Recommended Action: Make sure that the community/user name used in the SNMP request has been configured on the router.
Glossary

The following terms and abbreviations are used throughout this manual. For definitions of terms not listed here, refer to the Allen-Bradley Industrial Automation Glossary, publication AG-7.1.

802.11  The IEEE standard that specifies carrier sense media access control and physical layer specifications for 1- and 2-megabit-per-second (Mbps) wireless LANs operating in the 2.4 GHz band.

802.
CCKM

cell  The area of radio range or coverage in which the wireless devices can communicate with the base station. The size of the cell depends upon the speed of the transmission, the type of antenna used, and the physical environment, as well as other factors.

client  A radio device that uses the services of a wireless access point/workgroup bridge to communicate with other devices on a local area network.

CSMA  Carrier sense multiple access.

data rates

dBi
ETSI  The European Telecommunication Standardization Institute (ETSI) has developed standards that have been adopted by many European countries as well as many others. Under the ETSI regulations, the power output and EIRP regulations are much different than in the United States.

file server  A repository for files so that a local area network can share files, mail, and programs.

firmware  Software that is programmed on a memory chip.
receiver sensitivity

RF  Radio frequency. A generic term for radio-based technology.

roaming  A feature of some access points that lets you move through a facility while maintaining an unbroken connection to the LAN.

RP-TNC  A connector type unique to Cisco Aironet radios and antennas. Part 15.203 of the FCC rules covering spread spectrum devices limits the types of antennas that can be used with transmission equipment.
WLSE  Wireless LAN Solutions Engine. The WLSE is a specialized appliance for managing Cisco Aironet wireless LAN infrastructures. It centrally identifies and configures access points in customer-defined groups and reports on throughput and client associations. WLSE's centralized management capabilities are further enhanced with an integrated template-based configuration tool for added configuration ease and improved productivity.

WNM  Wireless Network Manager.
Index Numerics 802.11e 458 802.11g 276 802.11i 269 802.11n channel width 256 802.11n guard interval 262 802.1H 270 802.1x authentication 319 802.
Index Cisco TAC 561 CiscoWorks 2000 510 clear command 175 CLI 175 abbreviating commands 177 command modes 175 editing features enabling and disabling 179 keystroke editing 180 wrapped lines 181 error messages 178 filtering command output 182 getting help 176 history 178 changing the buffer size 178 described 178 disabling 179 recalling commands 179 no and default forms of commands 177 Secure Shell (SSH) 183 Telnet 182 client ARP caching 229 client communication, blocking 272 Client MFP 397, 398 client powe
Index console cable 54 console port 32 countermeasure tkip hold-time command 369 crypto software image 228 CSID format, selecting 422 D Data Beacon Rate 273 data rate setting 247 data retries 275 data volume 84 daylight saving time 233 debug command 547 default commands 177 default configuration DNS 237 password and privilege level 202 RADIUS 209, 410 resetting 563 SNMP 511 system message logging 549 system name and prompt 236 TACACS+ 215, 434 default gateway 59, 82 default radio settings description of 5
Index error messages 802.
Index L latency 458 Layer 3 mobility 379 LBS 263 LEAP 52 LEAP authentication local authentication 319 setting on client and access point 373 limited channel scanning 538 limiting client associations by MAC address 485 limiting client power level 254 line configuration mode 176 load balancing 268 local authenticator, access point as 319 local user profiles 52 Location-Based Services 263 login authentication with RADIUS 209, 414 with TACACS+ 215, 435 M MAC address ACLs, blocking association with 485 filter
Index parameters association 104 band select 162 event log 171 event log configuration 173 GigabitEthernet status 91 HTTP upgrade 167 IP address 90 management 164 network configuration 81 network map 86 radio configuration 83 radio interface 95 security admin access 113 security encryption manager 115 security summary 112 server manager 121 software 166 software system 169 SSID manager 116 system setting 88 TFTP upgrade 168 webauth login 165 Wireless AP 106 Wireless WSD/WNM 107 password reset 563 passwords
Index RADIUS 52 attributes CSID format, selecting 422 sent by the access point 428 vendor-proprietary 425 vendor-specific 424 WISPr 426 configuring access point as local server 320 accounting 421 authentication 209, 414 authorization 213, 418 communication, global 411, 422 communication, per-server 410, 411 multiple UDP ports 411 default configuration 209, 410 defining AAA server groups 211, 416 displaying the configuration 214, 428 identifying the server 410 limiting the services to the user 213, 418 loca
Index SNMP 59 accessing MIB variables with 510 agent described 509 disabling 511 community 82 community strings configuring 511 overview 510 configuration examples 517 default configuration 511 limiting system log messages to NMS 556 manager functions 509 overview 507, 510 server groups 513 snmp-server view 517 status, displaying 519 system contact and location 516 trap manager, configuring 515 traps described 509 enabling 514 overview 507, 510 types of 514 versions supported 508 SNMP versions supported 50
Index system prompt default setting 235, 236 T TAC 561 TACACS+ accounting, defined 432 authentication, defined 432 authorization, defined 432 configuring accounting 438 authentication key 434 authorization 217, 437 login authentication 215, 435 default configuration 215, 434 displaying the configuration 218, 439 identifying the server 434 limiting the services to the user 217, 437 operation of 432 overview 431 tracking services accessed by user 438 Telnet 57, 182, 194 Temporal Key Integrity Protocol (TKIP
Rockwell Automation Support Rockwell Automation provides technical information on the Web to assist you in using its products. At http://www.rockwellautomation.com/support you can find technical and application notes, sample code, and links to software service packs. You can also visit our Support Center at https://rockwellautomation.custhelp.com/ for software updates, support chats and forums, technical information, FAQs, and to sign up for product notification updates.