
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Cisco 3200 Series Wireless MIC Software Configuration Guide

January 2009

Text Part Number: OL-6415-04

Summary of Contents for 3200 Series


Page 2: ...LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, an...

Page 3: ...ecurity Problems in Cisco Products, i-xxi; Obtaining Technical Assistance, i-xxii; Cisco Technical Support Documentation Website, i-xxii; Submitting a Service Request, i-xxiii; Definitions of Service Request Severity, i-xxiii; Obtaining Additional Publications and Information, i-xxiii; Overview of the Cisco WMIC, 1-1; Understanding the Cisco Mobile Wireless Network, 1-1; Public Safety Wireless Network Example, 1-1...

Page 4: ...nfiguration Examples, 2-6; Example: No Security, 2-6; Example: Static WEP, 2-6; Example: EAP Authentication, 2-7; Example: WPA, 2-8; Roles and the Associations of Wireless Devices, 3-1; Understanding Wireless Device Network Roles, 3-1; Access Point Role, 3-2; Bridge Role, 3-2; Point-to-Point Bridging, 3-3; Point-to-Multipoint Bridging, 3-4; Redundant Bridging, 3-5; Workgroup Bridge Role, 3-6; Universal Workgroup Bridge 2.4 GHz...

Page 5: ...Exiting a Privilege Level, 4-11; Protecting the Wireless LAN, 4-11; Using VLANs, 4-11; Express Security Types, 4-12; Security Configuration Examples, 4-14; Configuring and Enabling RADIUS, 4-19; Understanding RADIUS, 4-19; RADIUS Operation, 4-20; Controlling WMIC Access with RADIUS, 4-21; Identifying the RADIUS Server Host, 4-21; Configuring RADIUS Login Authentication, 4-24; Defining AAA Server Groups, 4-25; Configuring...

Page 6: ...tanding Network Time Protocol, 4-41; Configuring Time and Date Manually, 4-44; Setting the System Clock, 4-44; Displaying the Time and Date Configuration, 4-44; Configuring the Time Zone, 4-45; Configuring Summer Time (Daylight Saving Time), 4-46; Configuring NTP, 4-47; Default NTP Configuration, 4-47; Configuring NTP Authentication, 4-47; Configuring NTP Associations, 4-49; Configuring NTP Broadcast Service, 4-50; Confi...

Page 7: ...onfiguring an SNMP Trap for Radar Detection, 7-4; Additional Information, 7-5; Radio Transmit Power, 8-1; Understanding Radio Transmit Power, 8-1; Determine the Radio Type, 8-2; Configuring Radio Transmit Power, 8-2; Configuring Client Radio Transmit Power, 8-3; Maximum Power Levels and Antenna Gains, 8-4; IEEE 802.11g (2.4 GHz Band), 8-4; Configuring Radio Data Rates, 8-5; speed Command, 8-6; speed Command Examples, 8-7...

Page 8: ...1; Configuring Cipher Suites, 11-2; Configuring WEP, 11-2; Configuring WEP with 12.4(3)JK or Later Releases, 11-2; Configuring WEP with 12.3(8)JK or Earlier Releases, 11-3; WEP Key Restrictions, 11-4; Example WEP Key Setup, 11-4; Enabling Cipher Suite, 11-5; Enabling Cipher Suite with 12.4(3)JK or Later Releases, 11-5; Enabling Cipher Suite with 12.3(8)JK or Earlier Releases, 11-7; Matching Cipher Suites with WPA 1...

Page 9: ...2-1; Default CDP Configuration, 2-2; Configuring the CDP Characteristics, 2-2; Disabling and Enabling CDP, 2-2; Disabling and Enabling CDP on an Interface, 2-3; Monitoring and Maintaining CDP, 2-4; Authentication Types, 3-1; Understanding Authentication Types, 3-1; Open Authentication to the WMIC, 3-2; Shared Key Authentication to the WMIC, 3-2; EAP Authentication to the Network, 3-3; EAP-TLS, 3-5; EAP-FAST, 3-5; EAP-TTLS...

Page 10: ...erstanding QoS for Wireless LANs, 4-1; QoS for Wireless LANs Versus QoS on Wired LANs, 4-2; Impact of QoS on a Wireless LAN, 4-2; Precedence of QoS Settings, 4-3; Using Wi-Fi Multimedia Mode, 4-3; Configuring QoS, 4-4; QoS Configuration Examples, 4-4; QoS Example Configuration for VLAN, 4-4; QoS Example of IP DSCP and IP Precedence, 4-5; Configuring VLANs, 5-1; Understanding VLANs, 5-1; Related Documents, 5-2; Incorporat...

Page 11: ...nnel Template on the Home Agent, 7-1; Applying the Tunnel Template on the Mobile Router, 7-2; Example Configuration, 7-3; Applying Tunnel Templates to the IPSec Two-box Solution, 7-4; Related Documents, 7-7; WMIC Troubleshooting, 8-1; Checking the LED Indicators, 8-1; Checking Basic Settings, 8-3; SSID, 8-3; WEP Keys, 8-3; Security Settings, 8-3; Resetting to the Default Configuration, 8-3; Using the CLI, 8-4; Reloading t...

Page 12: ...4 GHz Band, 11-1; Supported MIBs, 12-1; MIB List, 12-1; Using FTP to Access the MIB Files, 12-2; Protocol Filters, 13-1; WDS, Fast Secure Roaming, and Radio Management, 14-1; Understanding WDS, 14-1; Role of the WDS Access Point, 14-2; Role of Access Points Using the WDS Access Point, 14-2; Understanding Fast Secure Roaming, 14-2; Understanding Radio Management, 14-4; Configuring WDS and Fast Secure Roaming, 14-4; Guideli...

Page 13: ...14-12; Management Frame Protection, 15-1; Understanding Management Frame Protection, 15-1; Protection of Unicast Management Frames, 15-2; Protection of Broadcast Management Frames, 15-2; Client MFP for Access Points in Root Mode, 15-2; Configuring Client MFP, 15-2; Configuring Infrastructure MFP, 15-3; Glossary; Index.


Page 15: ...b-based interface, which contains all the functionality of the command-line interface (CLI). This guide does not provide field-level descriptions of the web-based windows, nor does it provide the procedures for configuring the WMIC from the web-based interface. For all window descriptions and procedures, refer to the online help, which is available from the Help buttons on the web-based interface pages. Org...

Page 16: ...ry protocol that runs on all Cisco network equipment. Authentication Types describes how to configure authentication types. Client devices use these authentication methods to join your network. QoS in a Wireless Environment describes how to configure quality of service (QoS) on your WMIC. With this feature, you can provide preferential treatment to certain traffic at the expense of others. Configuring VLA...

Page 17: ...n but could be useful information. Note: Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual. Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data. Warning: This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipm...

Page 18: ...the standard practices for accident prevention. The translation of the warnings in this publication is in the appendix "Translated Safety Warnings" (Traduzione delle avvertenze di sicurezza). Warning: This warning symbol means danger. You are in a situation that could cause personal injury. Before you work on any equipment, you must be aware of the hazards that electrical...

Page 19: ...components for the Cisco 3200 Series router. The Release Notes for the Cisco 3250 Mobile Router list the enhancements to and caveats for Cisco IOS releases as they relate to the Cisco 3200 Series router and can be found at http://www.cisco.com/en/US/products/sw/iosswrel/products_ios_cisco_ios_software_releases.html or http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/prod_ios_releases_home.html. 1. Al...

Page 20: ...tion that is found on the Cisco website without being connected to the Internet. Certain products also have PDF versions of the documentation available. The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at this URL: h...

Page 21: ...d security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.html. Reporting Security Problems in Cisco Products: Cisco is committed to delivering secure products. We t...

Page 22: ...he Cisco Technical Support Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day at this URL: http://www.cisco.com/techsupport. Access to all tools on the Cisco Technical Support Documentation website requires a Cisco.com user ID and password. If you have a valid service c...

Page 23: ...sts are reported in a standard format, Cisco has established severity definitions. Severity 1 (S1): An existing network is down, or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation. Severity 2 (S2): Operation of an existing network is severely degraded, or significant aspects of your business operations are nega...

Page 24: ...rowing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL: http://www.cisco.com/go/iqma...

Page 25: ...vices and other public safety agencies. The wireless technologies used in the Cisco Metropolitan Mobile Network include broadband wireless connectivity, providing high-speed access for bandwidth-intensive applications such as in-car video. To supplement the coverage areas where wireless network access is not provided, cellular service such as code division multiple access (CDMA) 1xEV-DO can be used to fi...

Page 26: [Figure residue: labels from the network architecture diagram: AAA; HA; Mobility for multiple radio technologies; Internet; Firewall; Private service provider wireless architecture (Flarion); Private metro mobile wireless architecture; Aggregation Layer; Private wireless service provider backup example (1xRTT, 1xEVDO, Flarion); Optional public provider backup (Flarion); In-vehicle mobile networks; Fixed networks and intersections (IP call box, Sensor, IP camera, Traffic controller); F...]

Page 27: ...e Cisco 3200 Series routers at the secondary intersections are connected to all of the network devices at that intersection, such as a traffic controller and a video camera. In Figure 2, there are three bridges on the secondary intersections integrated into the Cisco 3200 Series router. Two of the bridges are point-to-point links to other primary or secondary intersections in the local service area, an...

Page 28: ...r broadband wireless bridging. Each primary intersection has either a wireless or wired connection back to a nearby building. Vehicle Network Example: A Cisco 3200 Series router installed in a mobile unit allows the client devices in and around the vehicle to stay connected while roaming. WMICs in vehicle-mounted Cisco 3200 Series routers are configured as access points to provide connectivity for 802...

Page 29: ...IP tunnel is built across the service provider network and into the home agent. The mobile router chooses a wireless link depending on the following factors: which link is up and available for use; the priority set on each interface; bandwidth; IP address. Regardless of which link is up, all traffic from the mobile devices travels through the MoIP tunnel to the home agent, where it is routed to its destination...

Page 30: ...d the data to the Cisco 3200 Series router. 1. The Cisco 3200 Series router encrypts the data. The endpoint of the IPSec tunnel is the VPN gateway behind the home agent at the core network. 2. The data is encapsulated in the MoIP tunnel. The endpoint of the MoIP tunnel is the home agent at the core network. 3. The data is forwarded to the foreign agent, where a second encapsulation takes place. The endpoint...

Page 31: ...et up non-root bridges or workgroup bridges to authenticate to the network like other wireless client devices. After a network username and password for the non-root bridge or workgroup bridge are set, it authenticates to the network using Cisco Light Extensible Authentication Protocol (LEAP) and receives and uses dynamic WEP keys. 802.1x supplicant support: 802.1x, the standardized framework defined by...

Page 32: ...6 Mbps, 9 Mbps, 11 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, and 54 Mbps. 20-MHz baseband data rates are 6 Mbps, 9 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, and 54 Mbps. 10-MHz baseband data rates are 3 Mbps, 4.5 Mbps, 6 Mbps, 9 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, and 27 Mbps. 5-MHz baseband data rates are 1.5 Mbps, 2.25 Mbps, 3 Mbps, 4.5 Mbps, 6 Mbps, 9 Mbps, 12 Mbps, and 13.5 Mbps. Power: Maximum orthogonal frequenc...

Page 33: ...ed as defined by IEEE 802.11b/g. Channel spacing selected by using the CLI. Scanning enhancements for faster roaming: All Scanning Enhancements for Faster Roaming are available. All Scanning Enhancements for Faster Roaming are available except Use First Better Access Point, Synthesizer tuning time, Start on Current Channel, Only Probe Current SSID, Shorten Wait time for Probe Response, Automatically Limiti...

Page 34: ...nterface (CLI), which you use through a PC that is running terminal-emulation software or a Telnet session. Connecting to the WMIC and Using the Command-Line Interface provides a detailed description of how to use the CLI to configure the router. The Preface describes the command formats. Simple Network Management Protocol (SNMP): The Simple Network Management Protocol document explains how to configure yo...

Page 35: ...subnet mask. A Simple Network Management Protocol (SNMP) community name and the SNMP file attribute, if SNMP is in use. Connecting to the WMIC: To configure the WMIC, connect a PC to the WMIC console port by using the console cable. If the WMIC has an IP address and Telnet is allowed on the device, you can connect to the Fast Ethernet Switch Mobile Interface Card (FESMIC) Ethernet port by using an Ethernet c...

Page 36: ...at you are in Exec mode. Using a Telnet Session to Access the Privileged Exec Mode: Follow these steps to access the WMIC CLI by using a Telnet session. The WMIC must have been previously configured to accept a Telnet session. These steps are for a PC running Microsoft Windows with a Telnet terminal application. Check your computer documentation for detailed instructions for your operating system. Step...

Page 37: ...ting systems: Windows 9x, 2000, ME, NT, and XP. You can download IPSU from the Software Center on Cisco.com. Click this link to browse to the Software Center: http://www.cisco.com/public/sw-center/sw-wireless.shtml. If the unit is a non-root bridge, connect to the WMIC console port of the router locally. Assigning an IP Address by Using the Exec: The WMIC links to the network by using a Bridge Group Virtual Int...

Page 38: ...access point, you must configure security settings to prevent unauthorized access to your network. Because it is a radio device, the access point can communicate beyond the physical boundaries of your worksite. Using VLANs: If you use VLANs on your wireless LAN and assign SSIDs to VLANs, you can create multiple SSIDs. However, if you do not use VLANs on your wireless LAN, the security options that you can...

Page 39: ...devices cannot associate by using this SSID without a WEP key that matches the access point key. EAP Authentication: This option enables 802.1x Extensible Authentication Protocol (EAP) types, including Lightweight EAP (LEAP), Protected EAP (PEAP), EAP-Transport Layer Security (EAP-TLS), and EAP-GTC, and requires you to enter the IP address and shared secret for an authentication server on your network (server au...

Page 40: ...0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
rts threshold 4000
station-role root
infrastructure-client
bridge-group 1
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 spanning-disabled
interface FastEthernet0.10
encapsulation dot1Q 10
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
Example: Static WEP...

Page 41: ...0
no ip route-cache
bridge-group 20
bridge-group 20 spanning-disabled
Example: EAP Authentication. This example shows part of the configuration that is used to create an SSID called eap_ssid, excluding the SSID from the beacon and assigning the SSID to VLAN 30.
encryption vlan 30 mode wep mandatory
dot11 ssid eap_ssid
vlan 30
authentication open eap eap_methods
authentication network-eap eap_methods
i...

Page 42: ...ip route-cache
bridge-group 30
no bridge-group 30 source-learning
bridge-group 30 spanning-disabled
Example: WPA. This example shows part of the configuration that is used to create an SSID called wpa_ssid, excluding the SSID from the beacon and assigning the SSID to VLAN 40.
aaa new-model
aaa group server radius rad_eap
server 10.91.104.92 auth-port 1645 acct-port 1646
aaa group server radius rad_mac...

Page 43: ...structure-client
bridge-group 1
interface Dot11Radio0.40
encapsulation dot1Q 40
no ip route-cache
bridge-group 40
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
interface FastEthernet0.40
encapsulation dot1Q 40
no ip route-cache
bridge-group 40
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/122-15.JA/1100...


Page 45: ...ciation with other elements of the network must be considered. In Table 1, if the two components can form an association, there is an X where the selected column and row intersect. A blank space indicates an inability to associate. To change the role of a wireless Cisco device, use the station-role command. For example, the following command sets the wireless device in access point mode, the default mode o...

Page 46: ...es such as a non-root bridge. Figure 1 shows a typical scenario where an access point connects wireless clients to wireless and wired networks. Figure 1: Root Access Point Mode. Bridge Role: Wireless bridges provide higher data rates and superior throughput for data-intensive and line-of-sight applications. High-speed links between the wireless bridges deliver throughput that is many times faster than t...

Page 47: ...ons with non-root bridge devices and can be set to accept wireless clients. For example: wd(config)# interface dot11radio interface-number; wd(config-if)# station-role root bridge wireless-clients. The root parameter specifies that the bridge operates as a root bridge to which non-root bridges can associate. The non-root parameter specifies that the router operates as a non-root bridge and must associate to...

Page 48: ...non-root bridges can associate to a root bridge, but the non-root bridges must share the available bandwidth. Using a point-to-multipoint connection, multiple remote sites, such as buildings, can be linked together into a single logical network. In a point-to-multipoint architecture, these remote sites are linked to a single root bridge at a centralized site and share the available bandwidth over the wirel...

Page 49: ...idge Configuration. Redundant Bridging: Two pairs of bridges can be deployed to add redundancy or load balancing to a bridge link. The bridges must use non-adjacent, non-overlapping radio channels to prevent interference, and they must use Spanning Tree Protocol (STP) to prevent loops. STP is disabled by default. Figure 5 shows two pairs of bridges in a redundant configuration. Figure 5: Redundant Bridge Con...

Page 50: ...n. Thereafter, the workgroup bridge always performs an active scan. To support continued operation during inter-country travel, such as airplane travel from New York to London, the workgroup bridge must perform a passive scan. In this configuration, the workgroup bridge associates to the root device, and it obtains the country-specific list of frequency and output power levels through passive scan. To supp...

Page 51: ...ient device, more workgroup bridges are allowed to associate to the same access point, or to associate with use of a service set identifier (SSID) that is not an infrastructure SSID. The performance cost of reliable multicast delivery, in which the duplication of each multicast packet is sent to each workgroup bridge, limits the number of infrastructure devices, including workgroup bridges, that can associ...

Page 52: ...oup Bridge Considerations: The following should be considered if configuring a wireless device as a universal workgroup bridge. The universal workgroup bridge cannot associate with an access point by using a CKIP/CMIC encryption configuration. When the universal workgroup bridge is associated with an access point and the show dot11 association all command is entered, the IP address and the name for a...

Page 53: ...d application-specific devices (ASDs). Table 2 lists the features that are supported by CCX versions. Table 2: CCX Version Feature Support. Columns: Feature | v1 | v2 | v3 | v4 | AP | WGB | WGB Client. Security: WPA (1): X X X X X X; IEEE 802.11i (WPA2): X X X X X; WEP (2): X X X X X X X; IEEE 802.1X: X X X X X X X; LEAP (3): X X X X X X X; EAP-FAST (4): X X X X X; Cisco TKIP (5) encryption: X X X; WPA 802.1X (WPA TKIP): X X X X X X; With LEAP: X X X X X X; With...

Page 54: ...Management: AP-specified maximum transmit power: X X X X X X; Recognition of proxy ARP (12) information element, for ASP (13): X X X; Client Utility Standardization: Link Test: X X X X. Footnotes: 1. Wi-Fi Protected Access. 2. Wired Equivalent Privacy. 3. Light Extensible Authentication Protocol. 4. Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling. 5. Temporal Key Integrity Protocol. 6. Advanced Encrypt...

Page 55: ...default-gateway 192.168.1.20. Configure a default gateway on the universal workgroup bridge to point to the MARC static IP address, which will be configured on the MARC card on either the Fa0/0 subinterface or the Vlan interface, depending on the interface to which the universal workgroup bridge is connected to MARC. Step 5:
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.1.20 25...

Page 56: ...power settings automatically when it travels to Italy and joins a network there. Cisco client devices running firmware version 5.30.17 or later detect whether the wireless device is using 802.11d world mode or Cisco legacy world mode and automatically use the world mode that matches the mode used by the wireless device. World mode is disabled by default. Step 7:
router rip
version 2
network 0.0.0.0 or...

Page 57: ...en the dot11d parameter is entered, also enter a two-character ISO country code; for example, the ISO country code for the United States is US. The ISO website provides a list of ISO country codes. Supported country codes can also be found in the Supported Country Codes section. The indoor, outdoor, or both parameters indicate the placement of the wireless device. The roaming parameter causes the bridge to...

Page 58: ...oth, 5.15-5.25 / 5.25-5.35 / 5.725-5.825; ACA, b, 1-11, 200 mW EIRP, Both, 2.4-2.4835; BE Belgium, E, a, BIPT Annexe B3 Interface radio HIPERLAN, b/g, 1-12 / 13, 100 mW EIRP / 100 mW EIRP, In / Out, 2.4-2.4835; BR Brazil, C, a, Anatel Resolution 305, b/g, 1-11, 1 W EIRP, Both, 2.4-2.4835; CA Canada, A, a, Industry Canada RSS-210, b/g, 1-11, 1 W Restricted Antennas, Both, 2.4-2.4835; CH Switzerland and Liechtenstein, E, a, OFCOM, b/g, 1-11, 100 mW...

Page 59: ...100 mW EIRP, Both / In, 2.4-2.4835 / 2.4-2.454; GB United Kingdom, E, a, UKRA IR2006, b/g, 1-11, 100 mW EIRP, Both, 2.4-2.4835; GR Greece, E, b/g, 1-11, 100 mW EIRP, In, 2.4-2.4835, Ministry of Transport Comm; HK Hong Kong, N, a, OFTA, b/g, 1-11, 100 mW EIRP, Both, 2.4-2.4835; HU Hungary, E, a, HIF, b/g, 1-11, 1 W EIRP, Both, 2.4-2.4835; ID Indonesia, R, a, PDT, b/g, 1-13, 100 mW EIRP, In, 2.4-2.5; IE Ireland, E, a, COMREG ODTR 00 61 / ODTR 0062, b/g, 1...

Page 60: ...ARIB STD-T71, b, 1-14, 10 mW/MHz (200 mW EIRP), Both, 2.4-2.497; Telec ARIB STD-T66, g, 1-13, 10 mW/MHz (200 mW EIRP), Both, 2.4-2.497; KE Republic of Korea, K, a, RRL MIC Notice 2003-13, b/g, 1-13, 150 mW (6 dBi) / 600 mW, Both, 2.4-2.4835; KR Republic of Korea, C, a, RRL MIC Notice 2003-13, b/g, 1-13, 150 mW (6 dBi) / 600 mW, Both, 2.4-2.4835; LT Lithuania, E, a, LTR, b/g, 1-11, 1 W Restricted Antennas, Both, 2.4-2.4835; LU Luxembourg, E, a, ILR, b...

Page 61: ...al, E, a, NCA, b/g, 1-11, 100 mW EIRP, Both, 2.4-2.4835; SE Sweden, E, a, PTS, b/g, 1-11, 100 mW EIRP, Both, 2.4-2.4835; SG Singapore, S, a, IDA TS SSS Issue 1, b/g, 1-13, 200 mW EIRP, Both, 2.4-2.4835; SI Slovenia, E, a, ATRP, b/g, 1-11, 1 W Restricted Antennas, Both, 2.4-2.4835; SK Slovak Republic, E, a, Telecom Admin, b/g, 1-11, 1 W Restricted Antennas, Both, 2.4-2.4835; TH Thailand, R, a, PDT, b/g, 1-13, 100 mW EIRP, In, 2.4-2.5; TW Taiwan, T, a, PD...


Page 63: ...ies. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0801R) Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown f...


Page 65: ...S Configuration Fundamentals Command Reference and the Cisco IOS IP and IP Routing Command Reference for Release 12.1. Configuring a System Name: To manually configure a system name, follow these steps, beginning in privileged EXEC mode. When you set the system name, it is also used as the system prompt. Command / Purpose: Step 1: configure terminal: Enters global configuration mode. Step 2: hostname name: Manua...

Page 66: ...base of names mapped to IP addresses. To map domain names to IP addresses, identify the hostnames, specify the name server that is present on your network, and enable the DNS. Default DNS Configuration: Table 1 shows the default DNS configuration. Setting Up DNS: To set up your WMIC to use the DNS, follow these steps, beginning in privileged EXEC mode. Table 1: Default DNS Configuration. Feature / Default Settin...

Page 67: ...ted terminals at login and is useful for sending messages that affect all network users, such as impending system shutdowns. The login banner also appears on all connected terminals. It appears after the MOTD banner and before the login prompts. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference for Releas...

Page 68: ...ge config. This example shows the banner displayed from the previous configuration:
Unix> telnet 172.2.5.4
Trying 172.2.5.4...
Connected to 172.2.5.4.
Escape character is '^]'.
This is a secure site. Only authorized users are allowed. For access, contact technical support.
User Access Verification
Password:
Command / Purpose: Step 1: configure terminal: Enters global configuration mode. Step 2: banner motd c message c: Spe...

Page 69: ...o use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can issue after they have logged into a network device. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference for Release 12.2. Command / Purpose: Step 1: configure terminal...

Page 70: ...password, but you should use extreme care when using this command. If you remove the enable password, you are locked out of the EXEC mode. Table 2: Default Password and Privilege Levels. Feature / Default Setting: Username and password: Default username is Cisco and the default password is Cisco. Enable password and privilege level: Default password is Cisco. The default is level 15 (privileged EXEC level). The p...

Page 71: ...hm. If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously. Command / Purpose: Step 1: configure terminal: Enters global configuration mode. Step 2: enable password password: Defines a new password or changes an existing password for access to privileged EXEC mode. The default password is Cisco. For password, specify a...

Page 72: ...ation mode. Step 2: enable password [level level] {password | encryption-type encrypted-password} or enable secret [level level] {password | encryption-type encrypted-password}: Defines a new password or changes an existing password for access to privileged EXEC mode, or defines a secret password, which is saved using a nonreversible encryption method. (Optional) For level, the range is from 0 to 15. Level 1 is normal u...

Page 73: ...one username configured, and you must set your local login to open a Telnet session to the WMIC. If you enter no username for the only username, you can be locked out of the WMIC. Command / Purpose: Step 1: configure terminal: Enters global configuration mode. Step 2: username name [privilege level] {password encryption-type password}: Enters the username, privilege level, and password for each user. For name, specif...

Page 74: ...ent levels. To return to the default privilege for a given command, use the no privilege mode level level command command in global configuration mode. Command / Purpose: Step 1: configure terminal: Enters global configuration mode. Step 2: privilege mode level level command: Sets the privilege level for a command. For mode, enter configure for global configuration mode, exec for EXEC mode, interface for interfa...

Page 75: ...ot broadcast in the beacon, see Service Set Identifiers. Wired Equivalent Privacy (WEP) and WEP features: see Cipher Suites and WEP. Dynamic WEP authentication: see Authentication Types. Using VLANs: Assign SSIDs to the VLANs on the wireless LAN. If you do not use VLANs on the wireless LAN, the security options that can be assigned to SSIDs are limited, because encryption settings and authentication types are...

Page 76: ...public space. Assign this option to a VLAN that restricts access to your network. None. Static WEP Key: This option is more secure than no security. However, static WEP keys are vulnerable to attack. If you configure this setting, you should limit association to the access point based on MAC address, or, if the network does not have a RADIUS server, consider using an access point as a local authentication...

Page 77: ...EAP-FAST, AUTH OPEN with EAP should also be configured. WPA: WPA permits wireless access to users authenticated against a database through the services of an authentication server and encrypts those users' IP traffic with stronger algorithms than those used in WEP. As with EAP authentication, the IP address and shared secret for an authentication server on your network (server authentication port 1645) a...

Page 78: ...g WMIC
dot11 ssid no_security ssid
vlan 10
authentication open
guest-mode
interface Dot11Radio0
no ip address
no ip route-cache
ssid no_security ssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
rts threshold 4000
station-role root
infrastructure-client
bridge-group 1
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-g...

Page 79: ...speed auto
bridge-group 1
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.1.1.2 255.255.255.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical
logging snmp-trap errors
logging snmp-t...

Page 80: ...0 48 0 54 0 rts threshold 4000 station role root infrastructure client bridge group 1 interface Dot11Radio0 20 encapsulation dot1Q 20 no ip route cache bridge group 20 bridge group 20 spanning disabled interface FastEthernet0 no ip address no ip route cache duplex auto speed auto bridge group 1 interface FastEthernet0 20 encapsulation dot1Q 20 no ip route cache bridge group 20 bridge group 20 span...

Page 81: ...he duplex auto speed auto bridge group 1 no bridge group 1 source learning bridge group 1 spanning disabled interface FastEthernet0 30 mtu 1500 encapsulation dot1Q 30 no ip route cache bridge group 30 no bridge group 30 source learning bridge group 30 spanning disabled WPA Security Example This example shows part of the configuration for creating an SSID called wpa_ssid excluding the SSID from the...

Page 82: ...0 36 0 48 54 0 rts threshold 4000 station role root infrastructure client bridge group 1 interface Dot11Radio0 40 encapsulation dot1Q 40 no ip route cache bridge group 40 interface FastEthernet0 no ip address no ip route cache duplex auto speed auto bridge group 1 interface FastEthernet0 40 encapsulation dot1Q 40 no ip route cache bridge group 40 ip http server ip http help path http www cisco com...

Page 83: ...ich applications support the RADIUS protocol such as an access environment that uses a smart card access control system In one case RADIUS has been used with Enigma s security cards to validate users and to grant access to network resources Networks already using RADIUS You can add a Cisco bridge containing a RADIUS client to the network Networks that require resource accounting You can use RADIUS...

Page 84: ...iate level of network access thereby approximating the level of security in a wired switched segment to an individual desktop The non root bridge loads this key and prepares to use it for the logon session During the logon session the RADIUS server encrypts and sends the WEP key called a session key over the wired LAN to the root device The root device encrypts its broadcast key with the session k...

Page 85: ...he first method listed to authenticate to authorize or to keep accounts on non root bridges if that method does not respond the software selects the next method in the list This process continues until there is successful communication with a listed method or the method list is exhausted You must have access to and should configure a RADIUS server before you configure RADIUS features These section...

Page 86: ...s you must specify the host that is running the RADIUS server daemon and a secret text key string that it shares with the bridge The timeout retransmission and encryption key values can be configured globally per server for all RADIUS servers or in some combination of global and per server settings To apply these settings globally to all RADIUS servers communicating with the bridge use the three u...

Page 87: ...h the radius server host command the time interval set with the radius server timeout command is used Optional For retransmit retries specify the number of times a RADIUS request is resent to a server if that server is not responding or is responding slowly The range is from 1 to 1000 If no retransmit value is set with the radius server host command the value set with the radius server retransmit ...

Page 88: ...authentication methods are attempted To configure login authentication follow these required steps beginning in privileged EXEC mode Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 aaa new model Enables AAA Step 3 aaa authentication login default list name method1 method2 Creates a login authentication method list To create a default list that is used when a named...

Page 89: ...e two different host entries on the same RADIUS server for the same service such as accounting the second configured host entry acts as a failover backup to the first one Use the server group server configuration command to associate a particular server with a defined group server To identify the server by its IP address or to identify multiple host instances or entries use the optional auth port ...

Page 90: ...the radius server host command the value set with the radius server retransmit command is used Optional For key string specify the authentication and encryption key used between the bridge and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key that is used on the RADIUS server Always configure the key as the last item in the radius serve...

Page 91: ... in the user profile allows it You can use the aaa authorization command in global configuration mode with the radius keyword to set parameters that restrict a user s network access to privileged EXEC mode The aaa authorization exec radius local command sets these authorization parameters Use RADIUS for privileged EXEC access authorization if authentication was performed by using RADIUS Use the lo...

Page 92: ...nting for all network related service requests Step 3 ip radius source interface bvi1 Configures the bridge to send its Bridge Group Virtual Interface BVI IP address in the NAS_IP_ADDRESS attribute for accounting records Step 4 aaa accounting update periodic minutes Enters an accounting update interval in minutes Step 5 end Returns to privileged EXEC mode Step 6 show running config Verifies your e...

Page 93: ...to also be used for RADIUS For example the following AV pair activates Cisco s multiple named ip address pools feature during IP authorization during Point to Point Protocol IP Control Protocol PPP IPCP address assignment cisco avpair ip addr pool first The following example shows how to provide a user logging in from a bridge with immediate access to privileged EXEC commands cisco avpair shell pr...

Page 94: ...and secret text string by using the radius server command in global configuration mode To specify a vendor proprietary RADIUS server host and a shared secret text string follow these steps beginning in privileged EXEC mode Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 radius server vsa send accounting authentication Enables the bridge to recognize and use VSAs a...

Page 95: ...the RADIUS configuration use the show running config command in privileged EXEC mode Step 3 radius server key string Specifies the shared secret text string used between the bridge and the vendor proprietary RADIUS server The bridge and the RADIUS server use this text string to encrypt passwords and exchange responses Note The key is a text string that must match the encryption key that is used on...

Page 96: ...of the daemon Administered through the AAA security services TACACS can provide these services Authentication Provides complete control of authentication of administrators through login and password dialog challenge and response and messaging support The authentication facility can conduct a dialog with the administrator for example after a username and password are provided to challenge a user wi...

Page 97: ...administrator can be denied access or is prompted to retry the login sequence depending on the TACACS daemon ERROR An error occurred at some time during authentication with the daemon or in the network connection between the daemon and the WMIC If an ERROR response is received the WMIC typically tries to use an alternative method for authenticating the administrator CONTINUE The administrator is p...

Page 98: ...e attempted Identifying the TACACS Server Host and Setting the Authentication Key You can configure the WMIC to use a single server or to use AAA server groups to group existing server hosts for authentication You can group servers to select a subset of the configured server hosts and use them for a particular service The server group is used with a global server host list and contains the list of...

Page 99: ...uthentication methods to be queried to authenticate an administrator You can designate one or more security protocols to be used for authentication to ensure a backup system for authentication if the initial method fails The software uses the first method listed to authenticate users if that method fails to respond the software selects the next authentication method in the method list This process...

Page 100: ...t that is used when a named list is not specified in the login authentication command use the default keyword followed by the methods that are to be used in default situations The default method list is automatically applied to all interfaces For list name specify a character string as the name of the list you are creating For method1 specify the actual method that the authentication algorithm tries ...

Page 101: ... AV pairs and is stored on the security server This data can then be analyzed for network management client billing or auditing To enable TACACS accounting for each Cisco IOS privilege level and for network services follow these steps beginning in privileged EXEC mode Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 aaa authorization network tacacs Configures the W...

Page 102: ...is configuration To configure the WMIC for local AAA follow these steps beginning in privileged EXEC mode Step 5 show running config Verifies your entries Step 6 copy running config startup config Optional Saves your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 aaa new model Enables AAA Step 3 aaa authentication...

Page 103: ...authentication methods RADIUS for more information see the Controlling WMIC Access with RADIUS section on page 21 Local authentication and authorization for more information see the Configuring the WMIC for Local Authentication and Authorization section on page 38 Step 6 username name privilege level password encryption type password Enters the local database and establishes a username based authent...

Page 104: ...rs bit error rates and signal strength Message Integrity Check MIC MIC is an additional WEP security feature that prevents attacks on encrypted packets called bit flip attacks The MIC implemented on both the WMIC and all associated client devices adds a few bytes to each packet to make the packets tamper proof Temporal Key Integrity Protocol TKIP TKIP also known as WEP key hashing is an additional...

Page 105: ...ermines time internally based on Universal Time Coordinated UTC also known as Greenwich Mean Time GMT You can configure information about the local time zone and summer time daylight saving time so that the time is correctly displayed for the local time zone The system clock keeps track of whether the time is authoritative or not that is whether it has been set by a time source considered to be au...

Page 106: ...ormation flow is one way only The time kept on a device is a critical resource you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time Two mechanisms are available an access list based restriction scheme and an encrypted authentication mechanism Cisco s implementation of NTP does not support stratum 1 service it is not possible to connect to a ...

Page 107: ...tch Catalyst 3550 switch Catalyst 3550 switch Catalyst 3550 switch These switches are configured in NTP server mode server association with the Catalyst 6500 series switch Catalyst 6500 series switch NTP master This switch is configured as an NTP peer to the upstream and downstream Catalyst 3550 switches Catalyst 3550 switch Workstations Workstations Local workgroup servers 43269 ...

Page 108: ...detail command in privileged EXEC mode The system clock keeps an authoritative flag that shows whether the time is authoritative believed to be accurate If the system clock has been set by a timing source such as NTP the flag is set If the time is not authoritative the flag is used only for display purposes Until the clock is authoritative and the authoritative flag is set the flag prevents peers ...

Page 109: ...o set the time to UTC use the no clock timezone command in global configuration mode Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 clock timezone zone hours offset minutes offset Sets the time zone The device keeps internal time in universal time coordinated UTC so this command is used only for display purposes and when the time is manually set For zone enter th...

Page 110: ...DT recurring 1 Sunday April 2 00 last Sunday October 2 00 Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 clock summer time zone recurring week day month hh mm week day month hh mm offset Configures summer time to start and end on the specified days every year Summer time is disabled by default If you specify clock summer time zone recurring without parameters the...

Page 111: ...se steps beginning in privileged EXEC mode Table 4 Default NTP Configuration Feature Default Setting NTP authentication Disabled No authentication key is specified NTP peer or server associations None configured NTP broadcast service Disabled no interface sends or receives NTP broadcast packets NTP access restrictions No access control is specified NTP packet source IP address The source address i...

Page 112: ...ng authentication key 42 in the device s NTP packets bridge config ntp authenticate bridge config ntp authentication key 42 md5 aNiceKey bridge config ntp trusted key 42 Step 4 ntp trusted key key number Specifies one or more key numbers defined in Step 3 that a peer NTP device must provide in its NTP packets for this WMIC to synchronize to it By default no trusted keys are defined For key number ...

Page 113: ...onfiguration mode Step 2 ntp peer ip address version number key keyid source interface prefer or ntp server ip address version number key keyid source interface prefer Configures the WMIC system clock to synchronize a peer or to be synchronized by a peer peer association or Configures the WMIC system clock to be synchronized by a time server server association No peer or server associations are de...

Page 114: ...st packets To configure the WMIC to send NTP broadcast packets to peers so that they can synchronize their clock to the WMIC follow these steps beginning in privileged EXEC mode To disable the interface from sending NTP broadcast packets use the no ntp broadcast interface configuration command This example shows how to configure an interface to send NTP version 2 packets bridge config interface gi...

Page 115: ...NTP broadcast packets bridge config interface gigabitethernet0 1 bridge config if ntp broadcast client Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 interface interface id Enters interface configuration mode and specifies the interface to receive NTP broadcast packets Step 3 ntp broadcast client Enables the interface to receive NTP broadcast packets By default n...

Page 116: ...access list The keywords have these meanings query only Allows only NTP control queries serve only Allows only time requests serve Allows time requests and NTP control queries but does not allow the WMIC to synchronize to the remote device peer Allows time requests and NTP control queries and allows the WMIC to synchronize to the remote device For access list number enter a standard IP access list...

Page 117: ...ccess to allow only time requests from access list 42 bridge configure terminal bridge config ntp access group peer 99 bridge config ntp access group serve only 42 bridge config access list 99 permit 172 20 130 5 bridge config access list 42 permit 172 20 130 6 Disabling NTP Services on a Specific Interface NTP services are enabled on all interfaces by default To disable NTP packets from being rec...

Page 118: ... packets sent to all destinations If a source address is to be used for a specific association use the source keyword in the ntp peer or ntp server command in global configuration mode as described in the Configuring NTP Associations section on page 49 Displaying the NTP Configuration To display NTP information use the following commands in privileged EXEC mode show ntp associations detail show nt...

Page 119: ...bridge config clock summer time pdt date 12 October 2000 2 00 26 April 2001 2 00 Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 clock summer time zone date month date year hh mm month date year hh mm offset or clock summer time zone date date month year hh mm date month year hh mm offset Configures summer time to start on the first date and end on the second date...

Page 120: ...Administering the WMIC Managing the System Time and Date 56 Cisco 3200 Series Wireless MIC Software Configuration Guide ...

Page 121: ...ngested channel The channel settings on wireless devices correspond to the frequencies available in your regulatory domain In the European Telecommunications Standards Institute ETSI domain the regulatory agencies do not allow the channel to be set on 5 0 GHz 802 11a h radios by the users However channel groups can be blocked on wireless devices running ETSI images When a wireless device boots fro...

Page 122: ...4 5500 100 5520 104 5540 108 5560 112 5580 116 5600 120 5620 124 5640 128 5660 132 5680 136 5700 140 Listen Frequencies 5260 52 5280 56 5300 60 5320 64 5500 100 5520 104 5540 108 5560 112 5580 116 5600 120 5620 124 5640 128 5660 132 5680 136 5700 140 Configuring a Channel or Frequency To set the channel follow these steps Determine the radio type to verify that the radio manual setting of the chan...

Page 123: ...ic safety band see the Cisco Support for 4 9 GHz Public Safety Broadband Spectrum in the US white paper at http www cisco com en US products hw routers ps272 prod_brochure0900aecd802d816e html Step 3 channel channel_number frequency least_congested Sets the channel for the wireless device radio You can specify which channel to use by providing the channel s number or frequency To automatically sea...

Page 124: ...Radio Channel and Transmit Frequency Configuration Additional Information 4 Radio Channels and Transmit Frequencies OL 11491 03 ...

Page 125: ...b 2 4 GHz Band page 3 IEEE 802 11g 2 4 GHz Band page 4 IEEE 802 11a 5 GHz Band page 5 4 9 GHz public safety Channels and Frequencies page 6 IEEE 802 11n 2 4 GHz Band The channel identifiers channel center frequencies and regulatory domains of each IEEE 802 11n 22 MHz wide channel are shown in Table 1 Table 1 Channels for IEEE 802 11n 2 4 GHz Radio Band Channel Identifier Center Frequency MHz Regul...

Page 126: ... 2467 X X 13 2472 X X 14 2484 Table 1 Channels for IEEE 802 11n 2 4 GHz Radio Band Channel Identifier Center Frequency MHz Regulatory Domains Americas A EMEA E Japan P Table 2 5 GHz Radio Band Channel Identifier Center Frequency MHz Regulatory Domains North America A EMEA E Japan P China C Israel I 36 5180 X X X X 40 5200 X X X X 44 5220 X X X X 48 5240 X X X X 52 5260 X X X X 56 5280 X X X X 60 5...

Page 127: ...785 X X 161 5805 X X 165 5809 X X Table 2 5 GHz Radio Band continued Channel Identifier Center Frequency MHz Regulatory Domains North America A EMEA E Japan P China C Israel I Table 3 Channels for IEEE 802 11b Channel Identifier Center Frequency MHz Regulatory Domains America A EMEA E Japan P China C Australia N 1 2412 2 2417 X X X X X 3 2422 X X X X X 4 2427 X X X X X 5 2432 X X X X X 6 2437 X X ...

Page 128: ...tandards of Mexico IEEE 802 11g 2 4 GHz Band The channel identifiers channel center frequencies and regulatory domains of each IEEE 802 11g 22 MHz wide channel are shown in Table 4 Table 4 Channels for IEEE 802 11g Channel Identifier Center Frequency MHz Regulatory Domains America A EMEA E Japan P China C Australia N 1 2412 X X X X X 2 2417 X X X X X 3 2422 X X X X X 4 2427 X X X X X 5 2432 X X X ...

Page 129: ...door use on channels 52 through 64 in the United States Table 5 5 GHz Radio Band Channel Identifier Center Frequency MHz Regulatory Domains North America A EMEA E Japan P China C Australia N 34 5170 36 5180 X X X X 38 5190 40 5200 X X X X 42 5210 44 5220 X X X X 46 5230 48 5240 X X X X 52 5260 X X X X 56 5280 X X X X 60 5300 X X X X 64 5320 X X X X 100 5500 X 104 5520 X 108 5540 X 112 5560 X 116 5...

Page 130: ...d channel width for the 4.9 GHz band are shown in Table 6 Table 6 Channels Center Frequencies and Channel Widths Channel Number Center Frequency MHz Channel Width MHz Channel Number 12 3 2 JK2 and earlier 1 4942 5 5 5 2 4947 5 5 15 3 4952 5 5 25 4 4957 5 5 35 5 4962 5 5 45 6 4967 5 5 55 7 4972 5 5 65 8 4977 5 5 75 9 4982 5 5 85 10 4987 5 5 95 11 4945 10 10 12 4950 10 20 13 4955 10 30 14 4960 10 40...

Page 131: ...adios also to avoid interfering with radar Understanding Dynamic Frequency Selection TPC is used to automatically adjust the transmission power level on 5 0 GHz radios also to avoid interfering with radar 5 0 GHz 802 11a h radios in wireless devices running Cisco IOS version 12 4 6 T and later shipped to Europe and Japan are required to use DFS to detect and avoid interfering with radar signals to...

Page 132: ...annel it scans the new channel for radar signals for 60 seconds If there are no radar signals on the new channel the wireless device enables beacons and accepts client associations If a radar signal is detected the wireless device selects a different channel If a preferred channel is configurable and available it is selected first Dynamic Frequency Selection Channels When a DFS enabled radio is op...

Page 133: ...est priority to be chosen but not the only channel that can be used After the prefer channel is configured the WMIC resets its radio and selects the configured prefer channel to go through the channel availability check 60 seconds of scanning for radar signals prior to enabling transmission on the channel However if a radar signal is detected on the prefer channel a new operating channel is random...

Page 134: ...ss device detects a radar signal it immediately notifies the root device brings down its interface and restarts uplink scanning When the root device receives radar detection notification from a client it checks the association status If the client is associated and authenticated the root device immediately responds to the client s radar detection notification by marking the channel specified by the...

Page 135: ...ts_white_paper0900aecd801c4a88 s html Additional information on DFS and TPC can be found in the Cisco Dynamic Frequency Selection and IEEE 802 11h Transmit Power Control document available at http www cisco com en US products ps6441 products_feature_guide09186a008060f7c2 html For additional information on the 4 9 GHz public safety band see the Cisco Support for 4 9 GHz Public Safety Broadband Spec...


Page 137: ... is limited according to regulatory region An improper combination of transmit power level and antenna gain can result in equivalent isotropic radiated power EIRP that exceeds the amount allowed per regulatory domain In some situations the channel selection or country code affects the transmit power level See the Radio Channel Frequencies document for additional information For general information...

Page 138: ...e in mW power local 1 5 20 30 50 100 maximum For 802 11g 2 4 GHz radios where the settings are in mW power local cck ofdm 1 5 20 30 50 100 maximum For the 802 11g 2 4 GHz radio where the settings are in dBm power local cck ofdm 1 2 5 8 11 14 16 17 20 maximum For 802 11a 5 GHz radios or 4 9 GHz radios where the settings are in mW power local cck ofdm 5 10 20 40 maximum The maximum power level for a...

Page 139: ...e in mW power client 1 5 20 30 50 100 maximum For the 802 11g 2 4 GHz radio where the settings are in dBm power client 1 2 5 8 11 14 16 17 20 maximum For 802 11a 5 GHz radios where the settings are in mW power client 5 10 20 40 maximum For 802 11a 5 GHz radio where the settings are in dBm power client 1 2 5 8 11 14 16 17 maximum Sets the maximum power level allowed on client devices that associate...

Page 140: ...at you check your local regulations with the appropriate agencies Table 2 Maximum Power Levels Per Antenna Gain for IEEE 802 11g Regulatory Domain Antenna Gain dBi Maximum Power Level mW CCK OFDM Americas A 4 W EIRP maximum 2 2 100 30 6 100 30 6 5 100 30 10 100 30 13 5 100 30 15 50 20 21 20 10 EMEA E and Israel I 100 mW EIRP maximum 2 2 50 30 6 30 10 6 5 20 10 10 10 5 13 5 5 5 15 5 1 21 1 Japan J ...

Page 141: ...nt devices are allowed to transmit at other data rates depending on the configuration If the client device supports the basic data rate and due to environmental conditions the wireless and client devices can transmit at a higher data rate the devices will transmit unicast packets at the highest allowed data rate multicast packets are always sent at the highest basic data rate If due to environment...

Page 142: ... 0 basic 9 0 basic 12 0 basic 18 0 basic 24 0 basic 27 0 3 0 4 5 6 0 9 0 12 0 18 0 24 0 27 0 basic 6 0 basic 9 0 basic 12 0 basic 18 0 basic 24 0 basic 36 0 basic 48 0 basic 54 0 6 0 9 0 12 0 18 0 24 0 36 0 48 0 54 0 default The default keyword is not supported on 802 11b radios basic 1 0 basic 2 0 basic 5 5 basic 11 0 6 0 9 0 12 0 18 0 24 0 36 0 48 0 54 0 basic 1 5 2 25 basic 3 0 4 5 basic 6 0 9 ...

Page 143: ... by using the Orthogonal frequency division multiplexing OFDM keyword throughput ofdm WD configure terminal WD config interface dot11radio 0 WD config if speed throughput ofdm WD config if end throughput basic 1 0 basic 2 0 basic 5 0 basic 11 0 basic 1 0 basic 2 0 basic 5 0 basic 11 0 basic 12 0 basic 18 0 basic 24 0 basic 36 0 basic 48 0 basic 54 0 basic 1 5 basic 2 25 basic 3 0 basic 4 5 basic 6...

Page 144: ...6 0 48 0 54 0 Best Throughput Rates basic 1 0 basic 2 0 basic 5 5 basic 6 0 basic 9 0 basic 11 0 basic 12 0 basic 18 0 basic 24 0 basic 36 0 basic 48 0 basic 54 0 With the no speed command set on a 2 4 GHz 802 11g radio WD configure terminal WD config interface dot11 0 WD config if no speed WD config if end the show controller dot11radio command displays the following WD show controller dot11Radio...

Page 145: ...ct to the following constraints To activate the feature you must enable the universal workgroup bridge and multiple client profiles All universal workgroup bridge limitations and constraints apply to multiple client profiles Each SSID should have an assigned VLAN ID The cipher suites and Wired Equivalent Privacy WEP for each SSID should be configured with the same assigned VLAN ID The infrastructu...

Page 146: ...he following client configure terminal client config dot11 ssid sample client config ssid priority 5 client config ssid end The higher priority SSID may have more opportunities to get associated as opposed to lower priority SSIDs if their matching root devices all exist in the same wireless environment However there is no guarantee that the higher priority SSID will always get preference over lowe...

Page 147: ...ing opportunities Below is a sample of channel width configuration for each profile dot11 ssid testMCP1 authentication open eap eap_method authentication network eap eap_method authentication key management wpa authentication client username yajunzhang password 7 021F05511E0815294D400E channel width 5 channel width setting encryption mode ciphers aes priority 1 Configuring a WMIC for MCP 12 4 3 JK...

Page 148: ...ient profile B client configure terminal client config dot11 ssid LEAP_TKIP client config ssid authentication network eap eap_methods client config ssid authentication key management wpa client config ssid authentication client username aLeapUser password ciscoleap client config ssid encryption mode cipher tkip client config ssid priority 8 client config ssid end client config terminal client conf...

Page 149: ...0112233 client config ssid priority 13 client config ssid end client config terminal client config interface dot11Radio 0 client config if ssid STATIC_WEP128 client config if endif Configuring a WMIC for MCP 12 3 8 JK Only You can configure a WMIC device in universal workgroup bridge mode and enable multiple client profiles In this configuration the WMIC can support up to 16 different SSIDs and enc...

Page 150: ... Configures proper encryption for each SSID bounded by dot11 VLANID For this step it is assumed that SSID security has already been configured Example encryption vlan 11 key 3 size 40bit abcdef9876 encryption vlan 11 mode wep mandatory encryption vlan 21 key 2 size 128bit 98765432109876543210abcdef encryption vlan 21 mode wep mandatory key hash encryption vlan 34 mode wep mandatory mic key hash en...

Page 151: ...nt configure terminal client config dot11 ssid EAPTLS_AES client config ssid vlan 102 client config ssid authentication open eap eap_methods client config ssid authentication network eap eap_methods client config ssid authentication key management wpa client config ssid dot1x credentials authUserProfile client config ssid dot1x eap profile tlsProfile client config ssid end client config terminal c...


Page 153: ...Do not include spaces in your SSID When you configure an SSID you assign these configuration settings to the SSID VLAN RADIUS accounting for traffic using the SSID Encryption settings Authentication method Note For detailed information on client authentication types see Authentication Types If you want the WMIC to allow associations from bridges that do not specify an SSID in their configurations ...

Page 154: ...Configure the SSID for RADIUS accounting Assign the SSID to the native VLAN bridge configure terminal bridge config dot11r ssid bridgeman bridge config ssid accounting accounting method list bridge config ssid vlan 1 bridge config ssid encryption mode cipher wep 128 bridge config ssid priority 10 bridge config ssid infrastructure ssid bridge config ssid end Command Purpose Step 1 configure termina...

Page 155: ...must enable the guest mode For Cisco wireless APs or WMICs this can be done by configuring guest mode or mbssid guest mode if mbssid is configured for the specific SSID The priority of the any profile is least default and cannot be configured Configuring Multiple Basic SSIDs Cisco 3200 series WMICs now support up to 8 basic SSIDs BSSIDs which are similar to MAC addresses This feature is support o...

Page 156: ... CLI Configuration Example This example shows the commands that you can use on the command line interface CLI to enable multiple BSSIDs on a radio interface create an SSID called visitor designate the SSID as a BSSID specify that the BSSID is included in beacons set a DTIM period for the BSSID and assign the SSID visitor to the radio interface Use the dot11 mbssid command in global configuration m...

Page 157: ...one device on the network Multicast messages are addressed to multiple devices on the network Extensible Authentication Protocol EAP authentication provides dynamic WEP keys to wireless devices Dynamic WEP keys are more secure than static or unchanging WEP keys If an intruder passively receives enough packets encrypted by the same WEP key the intruder can perform a calculation to learn the key and...

Page 158: ...heck MIC called Michael to detect forgeries such as bit flipping and altering packet source and destination An extension of IV space to virtually eliminate the need for rekeying CKIP Cisco Key Integrity Protocol The Cisco WEP key permutation technique based on an early algorithm presented by the IEEE 802 11i security task group CKIP and CKIP CMIC are supported only on the 2 4 GHz 802 11b g Cisco w...

Page 159: ...s the transmit key by default If you enable WEP with MIC use the same WEP key for the transmit key in the same key slot on both root devices and non root bridges Step 4 encryption mode wep mandatory optional Sets WEP as the encryption mode for this VLAN Step 5 end Returns to privileged EXEC mode Step 6 copy running config startup config Optional Saves your entries in the configuration file Command...

Page 160: ...de for this VLAN. Step 5, end: Returns to privileged EXEC mode. Step 6, copy running-config startup-config: (Optional) Saves your entries in the configuration file. (Command / Purpose.) Table 1, WEP Key Restrictions (Security Configuration / WEP Key Restriction): CCKM or WPA authenticated key management: cannot configure a WEP key in slot 1. LEAP or EAP authentication: cannot configure a WEP transmit key in slot 4. Cipher su...

Page 161: ...he root device must use the same key in its slot 1, and the key in the non-root bridge's slot 1 must be selected as the transmit key. Enabling Cipher Suite. Enabling Cipher Suite with 12.4(3)JK or Later Releases: Cisco 3201 WMIC with 12.4(3)JK or later releases moves cipher settings from the dot11 interface to each SSID configuration. Cisco 3202 WMIC and 3205 WMIC support this feature change starting 12.4...

Page 162: ...u can combine AES with TKIP. In this case, AES is the unicast cipher and TKIP becomes the group cipher. Note: If you enable a cipher suite with two elements (such as TKIP and 128-bit WEP), the second cipher becomes the group cipher. Note: You can also use the encryption mode wep command to set up static WEP. However, you should use encryption mode wep only if none of the non-root bridges that associate to th...

Page 163: ...can combine TKIP with 128-bit or 40-bit WEP. Note: You can combine AES with TKIP. In this case, AES is the unicast cipher and TKIP becomes the group cipher. Note: If you enable a cipher suite with two elements (such as TKIP and 128-bit WEP), the second cipher becomes the group cipher. Note: You can also use the encryption mode wep command to set up static WEP. However, you should use encryption mode wep only...

Page 164: ...D must be set to use WPA or CCKM key management. If you configure TKIP but you do not configure key management on the SSID, the authentication fails on this SSID. For a complete description of WPA and CCKM and instructions for configuring authenticated key management, see the Authentication Types document. Table 3, Cipher Suites Compatible with WPA and CCKM (Authenticated Key Management Types / Compatible...

Page 165: ...ctions: Understanding Spanning Tree Protocol, page 1; Configuring STP Features, page 8; Displaying Spanning-Tree Status, page 14. Note: STP is available only when the wireless device is in bridge mode. Understanding Spanning Tree Protocol: This section describes how spanning-tree features work. It includes this information: STP Overview, page 2; STP Support, page 2; Bridge Protocol Data Units, page 3; Election of t...

Page 166: ...m root to describe two concepts: the bridge on the network that serves as a central point in the spanning tree is called the root bridge, and the port on each bridge that provides the most efficient path to the root bridge is called the root port. These meanings are separate from the role-in-radio-network setting, which includes root and non-root options. A bridge whose role-in-radio-network setting is...

Page 167: ...max-age protocol timers. When a bridge receives a configuration BPDU that contains superior information (lower bridge ID, lower path cost, and so forth), it stores the information for that port. If this BPDU is received on the root port of the bridge, the bridge also forwards it, with an updated message, to all attached LANs for which it is the designated bridge. If a bridge receives a configuration BPDU tha...

Page 168: ...ywhere in the network are placed in the spanning-tree blocking mode. BPDUs contain information about the sending bridge and its ports, including bridge and MAC addresses, bridge priority, port priority, and path cost. STP uses this information to elect the spanning-tree root and root port for the network, and the root port and designated port for each LAN segment. Spanning-Tree Timers: Table 1 describes th...

Page 169: ...topology. Each interface on a bridge using spanning tree exists in one of these states: Blocking: The interface does not participate in frame forwarding. Listening: The first transitional state after the blocking state, when the spanning tree determines that the interface should participate in frame forwarding. Learning: The interface prepares to participate in frame forwarding. Forwarding: The interface f...

Page 170: ...tinues to block frame forwarding as the bridge learns end-station location information for the forwarding database. 4. When the forward-delay timer expires, spanning tree moves the interface to the forwarding state, where both learning and frame forwarding are enabled. Blocking State: An interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to the b...

Page 171: ...resses. Receives BPDUs. Learning State: An interface in the learning state prepares to participate in frame forwarding. The interface enters the learning state from the listening state. An interface in the learning state performs as follows: discards frames received on the port; learns addresses; receives BPDUs. Forwarding State: An interface in the forwarding state forwards frames. The interface enters the...

Page 172: ...terfaces and assign different STP settings to those bridge groups. Configuring STP Settings: Beginning in privileged EXEC mode, follow these steps to configure STP on the bridge. Table 2, Default STP Values When STP is Enabled (Setting / Default Value): Bridge priority: 32768. Bridge max age: 20. Bridge hello time: 2. Bridge forward delay: 15. Ethernet port path cost: 19. Ethernet port priority: 128. Radio port path co...

Page 173: ...ami
  authentication open
  guest-mode
 speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 2312
 station-role root
 no cdp enable
 infrastructure-client
 bridge-group 1
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
interface BVI1
 ip address 1.4.64.23 255.255.0.0
Step 5, exit: Return to global configuration mode. Step 6, bridge number protocol ieee: En...

Page 174: ...ed with STP enabled:
hostname client-bridge-north
ip subnet-zero
bridge irb
interface Dot11Radio0
 no ip address
 no ip route-cache
 ssid tsunami
  authentication open
  guest-mode
 speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 2312
 station-role non-root
 no cdp enable
 bridge-group 1
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1 path-cost 40
...

Page 175: ...open
 speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 2312
 station-role root
 no cdp enable
 infrastructure-client
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
...

Page 176: ...ieee
bridge 3 priority 3100
line con 0
 exec-timeout 0 0
line vty 5 15
end
Non-Root Bridge with VLANs: This example shows the configuration of a non-root bridge with VLANs configured, with STP enabled:
hostname client-bridge-remote
ip subnet-zero
ip ssh time-out 120
ip ssh authentication-retries 3
bridge irb
interface Dot11Radio0
 no ip address
 no ip route-cache
 ssid vlan1
  vlan 1
  authentication open
  i...

Page 177: ...interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
interface FastEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 path-cost 400
interface BVI1
 ip address 1.4.64.24 255.255.0.0
 no ip route-cache
bridge 1 protocol ieee
bridge 1 route ip
bridge 1 prior...

Page 178: ...ing-tree information for the specified interface. show spanning-tree summary [totals]: Displays a summary of port states, or displays the total lines of the STP state section. ...

Page 179: ...quipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices. Information in CDP packets is used in network management software such as CiscoWorks2000. CDP is enabled on the WMIC's Ethernet and radio ports by default. Note: For best performance on your wireless LAN, disable CDP on all radio interfaces and on subinterfaces if VLANs ar...

Page 180: ...a holdtime value of 120 seconds. Sending CDP packets every 50 seconds. For additional CDP show commands, see the Monitoring and Maintaining CDP section on page 4. Disabling and Enabling CDP: To disable the CDP device discovery capability, follow these steps, beginning in privileged EXEC mode. Table 1, Default CDP Configuration (Feature / Default Setting): CDP global state: Enabled. CDP interface state: Enabled. CDP...

Page 181: ...ose. Step 1, configure terminal: Enters global configuration mode. Step 2, cdp run: Enables CDP after disabling it. Step 3, end: Returns to privileged EXEC mode. (Command / Purpose.) Step 1, configure terminal: Enters global configuration mode. Step 2, interface interface-id: Enters interface configuration mode for the interface on which you are disabling CDP. Step 3, no cdp enable: Disables CDP on an interface. St...

Page 182: ...formation such as frequency of transmissions and the holdtime for packets being sent. show cdp entry entry-name [protocol | version]: Displays information about a specific neighbor. You can enter an asterisk (*) to display all CDP neighbors, or you can enter the name of the neighbor about which you want information. You can also limit the display to information about the protocols enabled on the specified neig...

Page 183: ...d Fri 10-Dec-99 11:16 by cchang
advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=25, value=00000000FFFFFFFF010101FF000000000000000142EFA400FF
VTP Management Domain:
bridge# show cdp entry * protocol
Protocol information for talSwitch14:
  IP address: 172.20.135.194
Protocol information for tstswitch2:
  IP address: 172.20.135.204
  IP address: 172.20.135.202
Protocol information...

Page 184: ...is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
bridge# show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge, S - Switch, H - Host, I - IGMP, r - Repeater
Device ID    Local Interface    Holdtme    Capability    Platform      Port ID
Perdido2     Gig 0/6            125        R S I         WS-C3550-1    Gig0/6
Perdido2     Gig 0/5            125        R S I         WS-C3550-1    Gig 0/5
bridge# show cdp traffic
CDP counters:
  Total packets ...

Page 185: ...o the service set identifier (SSID) that you configure on the WMIC. Before wireless devices can communicate, they must authenticate to each other using open, 802.1x Extensible Authentication Protocol (EAP)-based, or shared-key authentication. Among these authentication types, for maximum security, wireless devices should authenticate using EAP authentication, which relies on an authentication server on the ne...

Page 186: ...commend that you use another method of authentication, such as EAP, in environments in which security is an issue. During shared-key authentication, the root device sends an unencrypted challenge text string to the client device that is attempting to communicate with the root device. The client device that is requesting authentication encrypts the challenge text and then sends it back to the root devic...

Page 187: ...mic session key, which the root device and the authenticating device use to further derive the unicast key. The root generates the broadcast key and sends it to the authenticating device after encrypting it with the unicast key. The unicast key is used to exchange unicast data between the root device and the authenticated device, and the broadcast key is used to exchange multicast and broadcast data between t...

Page 188: ...vice. The root device and the non-root bridge derive the unicast key from this session key. The root generates the broadcast key and sends it to the non-root bridge after encrypting it with the unicast key. The non-root bridge uses the unicast key to decrypt it. The non-root bridge and the root device activate WEP and use the unicast and broadcast WEP keys for all communications during the remainder o...

Page 189: ...ot device must support EAP-based authentication. The Cisco C3201 WMIC and the AAA server each obtains the CA certificate for its own key pairs. See the Configuring Certificates Using the crypto pki CLI section on page 7 for instructions on configuring CA certificates. EAP-FAST (Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling): EAP-FAST encrypts EAP transactions within a T...

Page 190: ...tials for CCKM-enabled devices on the subnet. The WDS device's cache of credentials dramatically reduces the time required for reassociation when a CCKM-enabled client device roams to a new root device. When a client device roams and tries to reassociate to a root device served by the same WDS device that served the previous root device, the WDS device authenticates the client by using its cache of c...

Page 191: ...gn certificate requests and begin peer enrollment for the PKI. Note: The domain name and clock must be set prior to enrollment of certificates. You can import the CA and router certificates in any of the following ways: Configuration using cut-and-paste. This is useful when there is no connection between the router and the CA, or in cases where scripting is required. In this method, the certificate reques...

Page 193: ...Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
...

Page 194: ...
-----END CERTIFICATE-----
quit
Router Certificate succe...

Page 195: ...ndicate that this is a certificate request. For usage keys, two requests are generated and two certificates are expected to be granted. Thus, the extensions for the certificate requests are sign.req and encr.req. After the user enters the crypto pki import command, the router attempts to fetch the granted certificate using the same filename that was used to send the request, except that the .req extension is r...

Page 196: ...r use of SCEP with the Enterprise CA server, you must modify the IPSec template (offline request) so that its enhanced key usage extension is the same as that for the user template. Use certtmpl.msc to modify the template and certsrv.msc to install the modified template. The following example shows SCEP certificate enrollment:
maldives-ap#
maldives-ap# conf t
(Command / Purpose.) Step 1, configure terminal: Enters gl...

Page 197: ...ment.
Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
Password:
Jun 29 13:18:46.606: %CRYPTO-6-AUTOGEN: Generated new 1024 bit key pair
Re-enter password:
The fully-qualified domain name in the certificate will be: maldi...

Page 198: ...14:13 AEST Jun 29 2005
  end date: 13:24:13 AEST Jun 29 2006
Associated Trustpoints: TEST SCEP
CA Certificate
  Status: Available
  Certificate Serial Number: 76781FE9FA7A66A7445F540F9F382A88
  Certificate Usage: Signature
  Issuer:
    cn=wnbu-syd-acs-a.cisco.com
    ou=WNBU Sydney
    o=Cisco Systems
    l=Sydney
    st=NSW
    c=AU
  Subject:
    cn=wnbu-syd-acs-a.cisco.com
    ou=WNBU Sydney
    o=Cisco Systems
    l=Sydney
    st=NSW
    c=AU
  CRL Distributio...

Page 199: ...o the WMIC's SSID. See Service Set Identifiers for details on setting up the WMIC SSID. This section contains these topics: Default Authentication Settings, page 15; Assigning Authentication Types to an SSID, page 16; Configuring Authentication Holdoffs, Timeouts, and Intervals, page 24. Default Authentication Settings: The default SSID on the WMIC is autoinstall. Table 1 shows the default authentication setti...

Page 200: ...est mode SSID: autoinstall. The WMIC broadcasts this SSID in its beacon and allows client devices with no SSID to associate. Authentication types assigned to autoinstall: open. (Table 1, Default Authentication Configuration: Feature / Default Setting.) (Command / Purpose.) Step 1, configure terminal: Enters global configuration mode. Step 2, dot11 ssid ssid-string: Creates an SSID. The SSID can consist of up to 32 alpha...

Page 201: ...ID's authentication type to open with EAP authentication. The WMIC forces all other client devices to perform EAP authentication before they are allowed to join the network. For list-name, specify the authentication method list. Use the optional keyword to allow client devices using either open or EAP authentication to associate and become authenticated. This setting is used mainly by service providers...

Page 202: ...AP authentication. To enable WPA for an SSID, you must also enable open authentication or Network-EAP or both. Note: Only 802.11b and 802.11g radios support WPA and CCKM simultaneously. Note: Before you can enable CCKM or WPA, you must set the encryption mode to a cipher suite that includes TKIP or AES-CCMP. To enable both CCKM and WPA, you must set the encryption mode to a cipher suite that includes TKIP. See...

Page 203: ...name for the WMIC. Step 4, password password: Specifies the authentication password for the WMIC. Step 5, crypto pki trustpoint name: Specifies the name of the trustpoint. Step 6, exit: Returns to global configuration mode. Step 7, eap profile profile-name-string: Creates the EAP profile. Step 8, method {fast | gtc | leap | md5 | mschapv2 | tls}: Chooses an EAP authentication method for authentication purposes. Note: In client...

Page 204: ...use the optional keyword, only WPA or CCKM client devices are allowed to use the SSID. To enable CCKM for an SSID, you must also enable Network-EAP authentication. To enable WPA for an SSID, you must also enable open authentication or Network-EAP or both. Note: Only 802.11b and 802.11g radios support WPA and CCKM simultaneously. Note: Before you can enable CCKM or WPA, you must set the encryption mode to a...

Page 205: ...config-ssid)# dot1x eap_profile authProfile
bridge(config-ssid)# dot1x credentials authCredentials
bridge(config-ssid)# infrastructure-ssid
bridge(config-ssid)# exit
bridge(config)# interface dot11radio 0
bridge(config-if)# encryption mode ciphers aes-ccm
bridge(config-if)# ssid bridgeman
bridge(config-if)# end
bridge# configure terminal
bridge(config)# aaa new-model
bridge(config)# aaa group server radius rad_eap
bri...

Page 206: ...or CCKM bridges are allowed to use the SSID. To enable CCKM for an SSID, you must also enable Network-EAP authentication. To enable WPA for an SSID, you must also enable open authentication or Network-EAP or both. Note: Only 802.11b and 802.11g radios support WPA and CCKM simultaneously. Note: Before you can enable CCKM or WPA, you must set the encryption mode for the SSID's VLAN to one of the cipher suit...

Page 207: ...the bridge and adjust the frequency of group key updates. Setting a Pre-Shared Key: To support WPA on a wireless LAN where 802.1x-based authentication is not available, you must configure a pre-shared key on the bridge. You can enter the pre-shared key as ASCII or hexadecimal characters. If you enter the key as ASCII characters, you enter between 8 and 63 characters, and the bridge expands the key using...

Page 208: ...you must enter a minimum of 8 letters, numbers, or symbols, and the bridge expands the key for you. You can enter a maximum of 63 ASCII characters. Step 4, end: Returns to privileged EXEC mode. Step 5, copy running-config startup-config: (Optional) Saves your entries in the configuration file. (Command / Purpose.) Step 1, configure terminal: Enters global configuration mode. Step 2, dot11 holdoff-time seconds: Enters th...

Page 209: ...ty Feature / Non-Root Bridge Setting / Root Device Setting. Static WEP with open authentication: Set up and enable WEP and enable open authentication (non-root bridge); set up and enable WEP and enable open authentication (root device). Static WEP with shared key authentication: Set up and enable WEP and enable shared key authentication (non-root bridge); set up and enable WEP and enable shared key authentication (root device). LEAP authentication: Configure a LEAP userna...

Page 211: ...QoS, page 4; QoS Configuration Examples, page 4. Understanding QoS for Wireless LANs: Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped. When you configure QoS on the WMIC, you can select specific network traffic, priorit...

Page 212: ...S Quality of Service Solutions Configuration Guide at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/index.htm. Impact of QoS on a Wireless LAN: Wireless LAN QoS features are a subset of the proposed 802.11e draft. QoS on wireless LANs provides prioritization of traffic from the WMIC over the WLAN based on traffic classification. Just as in other media, you might...

Page 213: ...classification for all packets on a VLAN, that policy is third in the precedence list. Using Wi-Fi Multimedia Mode: When you enable QoS, the access point uses Wi-Fi Multimedia (WMM) mode by default. The following features of the WMM specification are supported: Addition of the WMM information element to associate-request frames. Addition of the WMM parameter element to the beacon, probe response, and associ...

Page 214: ...MIC, you should be aware of this information: The most important guideline in QoS deployment is to be familiar with the traffic on your wireless LAN. If you know the applications used by wireless client devices, the applications' sensitivity to delay, and the amount of traffic associated with the applications, you can configure QoS to improve performance. QoS does not create additional bandwidth for your...

Page 215: ...dot11Radio 0.100
 service-policy output v100traffic
QoS Example of IP DSCP and IP Precedence: The following example queues traffic data with the IP Precedence value 2 to Queue 0, IP DSCP value 12 to Queue 1, IP Precedence value 5 to Queue 2, and IP DSCP value 46 to Queue 3.
class-map match-all dscp12
 match ip dscp af12
class-map match-all dscp46
 match ip dscp ef
class-map match-all prec2
 match ip prece...

Page 217: ...work, or the fact that they might be intermingled with other teams. You use VLANs to reconfigure the network through software rather than physically unplugging and moving devices or wires. A VLAN can be thought of as a broadcast domain that exists within a defined set of switches. A VLAN consists of a number of end systems, either hosts or network equipment (such as bridges and routers), connected by a si...

Page 218: ...to this document: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fswtch_c/index.htm. Cisco Internetwork Design Guide. Click this link to browse to this document: http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/index.htm. Cisco Internetworking Technology Handbook. Click this link to browse to this document: http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/index.htm. Cisco I...

Page 219: ...VLAN, page 3; Viewing VLANs Configured on the WMIC, page 6. Configuring a VLAN: Configuring your WMIC to support VLANs is a five-step process: 1. Create subinterfaces on the radio and Ethernet interfaces. 2. Enable 802.1q encapsulation on the subinterfaces and assign one subinterface as the native VLAN. 3. Assign a bridge group to each VLAN. 4. (Optional) Enable WEP on the native VLAN. 5. Assign the WMIC's SSID t...

Page 220: ...native VLAN is VLAN 1. Step 8, bridge-group number: Assigns the subinterface to a bridge group. You can number your bridge groups from 1 to 255. Step 9, exit: Returns to global configuration mode. Step 10, interface dot11radio 0: Enters interface configuration mode for the radio interface. Step 11, ssid ssid-string: Creates an SSID and enters SSID configuration mode for the new SSID. The SSID can consist of up...

Page 221: ...ash: (Optional) Enables WEP and WEP features on the native VLAN. (Optional) Select the VLAN for which you want to enable WEP and WEP features. Set the WEP level and enable TKIP and MIC. If you enter optional, another bridge can associate to the WMIC with or without WEP enabled. You can enable TKIP with WEP set to optional, but you cannot enable MIC. If you enter mandatory, other bridges must have WEP enabled t...

Page 222: ...E 802.1Q Encapsulation)
   vLAN Trunk Interfaces: Dot11Radio0 FastEthernet0 Virtual-Dot11Radio0
   This is configured as native Vlan for the following interface(s): Dot11Radio0 FastEthernet0 Virtual-Dot11Radio0
   Protocols Configured:   Address:   Received:   Transmitted:
     Bridging   Bridge Group 1              201688     0
     Bridging   Bridge Group 1              201688     0
     Bridging   Bridge Group 1              201688     0
Virtual LAN ID: 2 (IEEE 802.1Q Encapsulation)
   vLAN Tr...

Page 223: ...s such as the logging buffer, terminal lines, or a UNIX syslog server, depending on your configuration. The process also sends messages to the console. Note: The syslog format is compatible with 4.3 BSD UNIX. When the logging process is disabled, messages are sent only to the console. The messages are sent as they are generated, so message and debug output are interspersed with prompts or output from other...

Page 224: ...%facility-severity-MNEMONIC: description. The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command. Table 1 describes the elements of syslog messages. Table 1, System Log Message Elements (Element / Descri...

Page 225: ...terface Dot11Radio0, changed state to reset
Mar 1 19:35:39.718: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
Mar 1 20:52:06.007: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
Mar 1 20:52:06.022: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
Mar 1 20:52:06.035: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
Mar 1 23:47:38.851: %DOT11-6-ASSOC: Interface Dot11...

Page 226: ...ng synchronous global configuration command also affects the display of messages to the console. When this command is enabled, messages appear only after you press Return. For more information, see the Enabling and Disabling Timestamps on Log Messages section on page 6. To re-enable message logging after it has been disabled, use the logging on global configuration command. Timestamps Disabled, Synchronou...

Page 227: ...level: Logs messages to an internal buffer. The default buffer size is 4096. The range is 4096 to 2147483647 bytes. Levels include emergencies (0), alerts (1), critical (2), errors (3), warnings (4), notifications (5), informational (6), and debugging (7). Note: Do not make the buffer size too large, because the WMIC could run out of memory for other tasks. Use the show memory privileged EXEC command to view the free processor...

Page 228: ...default, sequence numbers in log messages are not displayed. To enable sequence numbers in log messages, follow these steps, beginning in privileged EXEC mode. To disable sequence numbers, use the no service sequence-numbers global configuration command. (Command / Purpose.) Step 1, configure terminal: Enters global configuration mode. Step 2, service timestamps log uptime or service timestamps log datetime [msec...

Page 229: ...configuration command. To disable logging to syslog servers, use the no logging trap global configuration command. (Command / Purpose.) Step 1, configure terminal: Enters global configuration mode. Step 2, logging console level: Limits messages logged to the console. By default, the console receives debugging messages and numerically lower levels (see Table 3 on page 8). Step 3, logging monitor level: Limits message...

Page 230: ...enable trap global configuration command, you can change the level of messages sent and stored in the WMIC history table. You can also change the number of messages that are stored in the history table. Messages are stored in the history table because SNMP traps are not guaranteed to reach their destination. By default, one message of the level warning and numerically lower levels (see Table 3 on page 8...

Page 231: ...ogging rate-limit global configuration command. Configuring UNIX Syslog Servers: The next sections describe how to configure the 4.3 BSD UNIX server syslog daemon and define the UNIX system logging facility. Step 3, logging history size number: Specifies the number of syslog messages that can be stored in the history table. The default is to store one message. The range is 1 to 500 messages. Step 4, end: Re...

Page 232: ...e level to the file specified in the next field. The file must already exist, and the syslog daemon must have permission to write to it. Step 2: Create the log file by entering these commands at the UNIX shell prompt:
$ touch /usr/adm/log/cisco.log
$ chmod 666 /usr/adm/log/cisco.log
Step 3: Make sure the syslog daemon reads the new changes by entering this command:
$ kill -HUP `cat /etc/syslog.pid`
For more informat...

Page 233: ...play, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2. To display the logging history file, use the show logging history privileged EXEC command. Step 4, logging facility facility-type: Configures the syslog facility. See Table 4 on page 11 for facility-type keywords. The default is local7. Step 5, end: Returns to privileged EXEC mode. Step 6, show running-config: Verifies y...

Page 235: ...ting as mobile nodes. Applying the Tunnel Template on the Home Agent: To apply the tunnel template to the tunnels brought up at the home agent, use the interface tunnel command. For example:
wd> enable
Password:  (If prompted)
wd# configure terminal
wd(config)# ip multicast-routing  (Enables IP multicast routing)
wd(config)# interface tunnel interface-number  (Designates a tunnel interface and enters interface conf...

Page 236: ...HA created, fast switching enabled, ICMP unreachable enabled
  0 packets input, 0 bytes, 0 drops
  24 packets output, 3048 bytes
Applying the Tunnel Template on the Mobile Router: To apply the tunnel template to the tunnels brought up at the mobile router, follow this example:
wd> enable
Password:  (If prompted)
wd# configure terminal
wd(config)# ip multicast-routing  (Enables IP multicast routing)
wd(config)# interfa...

Page 237: ...unnel template to apply during registration
 template tunnel100
ip mobile secure host 11.1.0.1 spi 101 key hex 12345678123456781234567812345678 algorithm md5 mode prefix-suffix
no ip mobile tunnel route-cache
! Mobile Router
ip multicast-routing
interface Loopback0
 ip address 11.1.0.1 255.255.255.255
 ip pim sparse-mode
! Tunnel template to be applied to mobile networks
interface tunnel 100
 no ip addres...

Page 238: ...he local address should be set to the home address interface. This recommendation eliminates the need for policy routing and allows for all traffic to be Cisco Express Forwarding (CEF) switched, which is not supported on loopback interfaces. To be encrypted, all traffic from the mobile router must be reverse tunneled; the reverse tunnel becomes the egress interface at which the crypto map is applied. Exam...

Page 239: ...mand to identify the tunnel interface that is being used by the mobile router. Then use the show crypto ipsec sa interface tunnel n command to verify that the relevant SAs are active. The important sections have been emphasized in the following sample output. MN# show ip mobile router: Mobile Router: Enabled 10/18/05 18:50:54; Last redundancy state transition: NEVER. Configuration: Home Address 192.168.100...

Page 240: ...ng: remaining key lifetime (k/sec): (4602927/3584); IV size: 16 bytes; replay detection support: Y; Status: ACTIVE. inbound ah sas: (empty). inbound pcp sas: (empty). outbound esp sas: spi: 0xC8D41E0A (3369344522); transform: esp-256-aes esp-sha-hmac; in use settings = {Tunnel}; conn id: 2, flow_id: SW:2, crypto map: MAR-VPN; sa timing: remaining key lifetime (k/sec): (4602928/3582); IV size: 16 bytes; replay detection support: Y; Status: ACTIVE. outbound ah ...

Page 241: ...ment It provides descriptions of the Cisco MIC I O cards found in Cisco 3200 Series routers Cisco 3200 Series Mobile Access Router Reference Sell Document1 An overview of the reference sell program and components for the Cisco 3200 Series router The Release Notes for the Cisco 3250 Mobile Router lists the enhancements to and caveats for Cisco IOS releases as they relate to the Cisco 3200 Series ro...

Page 242: ...Related Documents. Tunnel Templates. Related documents from the Cisco TAC Web pages include: Antenna Cabling, http://www.cisco.com/warp/public/102/wlan/antcable.html ...

Page 243: ...mally green when an Ethernet cable is connected and blinks green when a packet is received or transmitted over the Ethernet infrastructure The indicator is off when the Ethernet cable is not connected The status indicator signals operational status Steady green indicates that the wireless device is associated with at least one wireless client Blinking green indicates that the wireless device is op...

Page 244: ...ystem failure Red Red Ethernet failure during image recovery Amber Green Amber Boot environment error Red Green Red No Cisco IOS image file Amber Amber Amber Boot failure Operation Errors Green Blinking amber Maximum retries or buffer full occurred on the radio Blinking amber Transmit receive Ethernet errors Blinking amber General warning Configuration Reset Amber Resetting the configuration optio...

Page 245: ...evice does not need to use Key 3 as its transmit key, however. Security Settings: Wireless clients attempting to authenticate with the wireless device must support the same security options configured in the wireless device, such as Extensible Authentication Protocol (EAP) or Lightweight Extensible Authentication Protocol (LEAP), MAC address authentication, Message Integrity Check (MIC), WEP key hashing, and 802.1X p...

Page 246: ...shfs[0]: flashfs fsck took 0 seconds. ...done initializing flash. Step 5: Use the dir flash: command to display the contents of flash and find the config.txt configuration file. ap: dir flash: Directory of flash: 3 -rwx 223 <date> env_vars; 4 -rwx 2190 <date> config.txt; 5 -rwx 27 <date> private-config; 150 drwx 320 <date> c350-k9w7-mx.122-13.JA; 4207616 bytes available (3404800 bytes used). Step 6: Use the rename command to cha... (This boot-loader procedure needs nothing but console access and bypasses every password stored on the device, so treat physical and console access to the WMIC as equivalent to full administrative access.)

Page 247: ... and use boot loader commands to load an image from a TFTP server to replace the image in the wireless device Note Your wireless device configuration is not changed when using the CLI to reload the image file Step 1 Open the CLI by using a Telnet session or a connection to the wireless device console port Step 2 Reboot the wireless device by removing power and reapplying power Step 3 Let the wirel...

Page 248: ...122 13 JA1 html level1 images directory 0 bytes extracting c350 k9w7 mx 122 13 JA1 html level1 images ap_title_appname gif 1422 bytes extracting c350 k9w7 mx 122 13 JA1 html level1 images apps_button_1st gif 1171 bytes extracting c350 k9w7 mx 122 13 JA1 html level1 images apps_button_cbottom gif 318 bytes extracting c350 k9w7 mx 122 13 JA1 html level1 images apps_button_current gif 348 bytes extra...

Page 249: ...are from several websites. Cisco recommends the shareware TFTP utility available at http://tftpd32.jounin.net. Follow the instructions on the website for installing and using the utility. TFTP provides no authentication or integrity protection, so run it only on an isolated management segment and check the image against the checksum published with the download before you boot it. Reloading the Bootloader Image: follow this procedure to download the boot loader image to the device. Step 1: Place the bootloader image in the proper directory on a TFTP server. Step 2: Connect to the console. St...

Page 250: ...error and event messages Table 2 lists the errors and events and provides an explanation and recommended action for each message Table 2 Error and Event Messages Message Explanation Recommended Action Software Auto Upgrade Messages SW_AUTO_UPGRADE FATAL Attempt to upgrade software failed software on flash may be deleted Please copy software into flash Auto upgrade of the software failed The softwa...

Page 251: ...eq. The unit cannot lock the intermediate frequency. Recommended action: none. DOT11-3-RADIO_RF_LO: Interface [interface], Radio cannot lock RF freq. The unit cannot lock the radio frequency. None. DOT11-3-RF_LOOPBACK_FAILURE: Interface [interface], Radio failed to pass RF loopback test. Radio loopback test failed at startup time. None. DOT11-3-TX_PWR_OUT_OF_RANGE: Interface [interface], Radio Tx power control out of range. The unit has ...

Page 252: ...east one must be configured for the radio to run. Configure at least one SSID on the device. DOT11-4-FLASHING_RADIO: Flashing the radio firmware ([chars]). The radio has been stopped to load new firmware. None. DOT11-2-NO_FIRMWARE: No radio firmware file ([chars]) was found. When trying to flash new firmware into the radio, the file for the radio was not found in the flash file system. The wrong image has been load...

Page 253: ...nknown event (maj [hex] min [hex]). A process can register to be notified when various events occur in the router. This message indicates that a process received an event that it did not know how to handle. Copy the error message exactly as it appears and report it to your technical support representative. Miscellaneous Messages: WGB_CLIENT_VLAN: Workgroup Bridge Ethernet client VLAN not configured. A VLAN con...


Page 255: ...ou can filter protocols for wireless client devices, users on the wired LAN, or both. For example, an SNMP filter on the WMIC's radio port prevents SNMP access through the radio but does not block SNMP access from the wired LAN. IP address and MAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific IP or MAC addresses. You can creat...
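The radio-port SNMP filter described above, written out as an added example (not configuration from the guide), together with an Ethertype filter drawn from Table E-1. The commands follow Cisco IOS extended IP ACL and transparent-bridging type-code ACL syntax; the ACL numbers 101 and 200, bridge group 1 and the interface name dot11radio 0 are assumptions.

```cisco
! Added example: protocol filters on the radio port only.
! Assumed values: ACL 101 (IP), ACL 200 (Ethertype), bridge-group 1, dot11radio 0.
configure terminal
 ! IP filter: drop SNMP (UDP 161) and SNMP traps (UDP 162) arriving over
 ! the radio. Because it is applied to the radio interface only, SNMP
 ! from the wired LAN still reaches the agent, as the text describes.
 access-list 101 deny   udp any any eq snmp
 access-list 101 deny   udp any any eq snmptrap
 access-list 101 permit ip any any
 ! Ethertype filter: drop CDP (0x2000, Table E-1) from wireless clients so
 ! the bridge neither learns nor forwards neighbor data sent over the air.
 ! Mask 0x0000 matches the exact type; 0xFFFF matches every other type.
 access-list 200 deny   0x2000 0x0000
 access-list 200 permit 0x0000 0xFFFF
 interface dot11radio 0
  ip access-group 101 in
  bridge-group 1 input-type-list 200
end
! Verify: the deny counters should increment when a client probes SNMP.
show access-lists 101
show access-lists 200
```

Apply the same ACLs to the Ethernet interface as well if SNMP from the wired side is not wanted either; the filter direction is per interface, which is exactly why the radio-only filter leaves wired access open.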

Page 256: ...hese documents: Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.2. Click this link to browse to the Configuring Transparent Bridging chapter: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fibm_c/bcfpart1/bcftb.htm. Catalyst 4908G-L3 Cisco IOS Release 12.0(10)W5(18e) Software Feature and Configuration Guide. Click this link to browse to the Command Reference c...

Page 257: ...define the relationship between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from an agent or store a value into the agent The agent gathers data from the MIB the repository for information about device parameters and network data The agent can also respond to a manager s requests to get or set data An...

Page 258: ...roved error handling includes expanded error codes that distinguish different kinds of error conditions these conditions are reported through a single error code in SNMPv1 Error return codes now report the error type You must configure the SNMP agent to use the version of SNMP supported by the management station An agent can communicate with multiple managers therefore you can configure the softwa...

Page 259: ... access to authorized management stations to all objects in the MIB except the community strings but does not allow write access Read write Gives read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings Using SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management software CiscoWorks 2000 sof...

Page 260: ...p-server global configuration command that you enter enables SNMPv1 and SNMPv2. Configuring Community Strings: You use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the WMIC. Keep in mind that SNMPv1 and SNMPv2c send the community string in cleartext in every request, and this release does not support SNMPv3, so the string is only as confidential as the network path between manager and agent; pair every string with an access list and prefer read-only strings. Optionally, you can specify one or more of these characteristics associated with the string: an access list o...

Page 261: ...view mib-view] [ro | rw]. Configures the community string. For string, specify a string that acts like a password and permits access to the SNMP protocol. You can configure one or more community strings of any length. (Optional) For access-list-number, enter an IP standard access list numbered from 1 to 99 or 1300 to 1999. (Optional) For view mib-view, specify a MIB view to which this community has access, such as...

Page 262: ...ued) Bridges running this IOS release can have an unlimited number of trap managers. Community strings can be any length. Table 3 describes the supported traps (notification types). You can enable any or all of these traps and configure a trap manager to receive them. Step 3: access-list access-list-number {deny | permit} source [source-wildcard]. (Optional) If you specified an IP standard access list number in St...

Page 263: ... Notification Types (Notification Type: Description). authenticate-fail: enables traps for authentication failures. config: enables traps for SNMP configuration changes. deauthenticate: enables traps for client device deauthentications. disassociate: enables traps for client device disassociations. dot11-qos: enables traps for QoS changes. entity: enables traps for SNMP entity changes. envmon temperature: enables ...

Page 264: ... informs to send SNMP informs to the host. Specify the SNMP version to support. Version 1, the default, is not available with informs. Note: Though visible in the command-line help string, the version 3 keyword (SNMPv3) is not supported. For community-string, specify the string to send with the notification operation. Though you can set this string using the snmp-server host command, we recommend that you defi...

Page 265: ... ieee to SNMP, to allow read-write access for both, and to specify that open is the community string for queries on non-IEEE802dot11-MIB objects and ieee is the community string for queries on IEEE802dot11-MIB objects (the community must reference the view by the name given in the snmp-server view command, dot11view here): bridge(config)# snmp-server view dot11view ieee802dot11 included; bridge(config)# snmp-server community open rw; bridge(config)# snmp-server community ieee view dot11view rw. The following e...

Page 266: ... shows how to send Entity MIB traps to the host cisco.com. The community string is restricted. The first line enables the WMIC to send Entity MIB traps in addition to any traps previously enabled. The second line specifies the destination of these traps and overwrites any previous snmp-server host commands for the host cisco.com: bridge(config)# snmp-server enable traps entity; bridge(config)# snmp-server ...
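The SNMP examples on pages 260 to 266 show the mechanics; the following added example (not configuration from the guide) puts the weak pattern beside a hardened one that uses the access list, view and read-only options those pages describe. The NMS address 10.10.20.5, ACL number 10, the view contents and both community strings are assumptions.

```cisco
! Added example: weak SNMP settings beside a hardened equivalent.
! Assumed values: NMS at 10.10.20.5, ACL 10, the community strings shown.
configure terminal
 !
 ! --- Weak: a guessable read-write string, no ACL, whole MIB ---
 ! Anyone who can reach UDP 161 can read and rewrite the configuration.
 ! snmp-server community public rw
 !
 ! --- Hardened ---
 ! 1. Only the NMS may talk to the agent; log anything else so scans show up.
 access-list 10 permit host 10.10.20.5
 access-list 10 deny   any log
 ! 2. Scope the view to what the NMS needs: the system group plus the
 !    IEEE 802.11 MIB tree used by this guide's examples.
 snmp-server view dot11view system included
 snmp-server view dot11view ieee802dot11 included
 ! 3. Read-only, view-restricted, ACL-bound community string.
 snmp-server community Kq7vR2tXm9 view dot11view ro 10
 ! 4. No read-write string at all; make changes over the console or an
 !    authenticated CLI session instead.
 ! 5. Traps to the NMS on a separate string. The snmp trap type includes
 !    authenticationFailure, so community-string guessing becomes visible.
 snmp-server enable traps snmp authentication
 snmp-server enable traps config
 snmp-server enable traps entity
 snmp-server host 10.10.20.5 version 2c Tr4pStr1ngX snmp config entity
end
! Verify:
show snmp
show running-config | include snmp-server
```

Because SNMPv3 is not available on this release, the ACL is the only thing standing between a sniffed community string and the agent; keep the management network separate from the bridged wireless traffic.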

Page 267: ...omain. Table 1 indicates the maximum power levels and antenna gains allowed for each IEEE 802.11g regulatory domain. Note: To meet regulatory restrictions, the external antenna (BR1300) must be professionally installed by someone such as a network administrator or other IT professional. Following installation, access to the unit should be password protected by the network administrator to maintain regu...

Page 268: ...served. Table 1 Maximum Power Levels Per Antenna Gain for IEEE 802.11g (continued). Columns: Regulatory Domain | Antenna Gain (dBi) | Maximum Power Level (mW), CCK | Maximum Power Level (mW), OFDM.
EMEA (E) and Israel (I), 100 mW EIRP maximum: 2.2 dBi: 50 | 30; 6 dBi: 30 | 10; 6.5 dBi: 20 | 10; 10 dBi: 10 | 5; 13.5 dBi: 5 | 5; 15 dBi: 5 | 1; 21 dBi: 1 | ...
Japan (J), 10 mW/MHz EIRP maximum: 2.2 dBi: 5 | 5; 6 dBi: 5 | 5; 6.5 dBi: 5 | 5; 10 dBi: 5 | 5; 13.5 dBi: 5 | 5; 15 dBi: 5 | 5; 21 dBi: 5 | 5.

Page 269: ...and SNMPv2. This document contains these sections: MIB List (page 1); Using FTP to Access the MIB Files (page 2). MIB List: CISCO-CDP-MIB, CISCO-CLASS-BASED-QOS-MIB, CISCO-CONFIG-COPY-MIB, CISCO-CONFIG-MAN-MIB, CISCO-DDP-IAPP-MIB, CISCO-DOT11-ASSOCIATION-MIB, CISCO-DOT11-CONTEXT-SERVICES-CLIENT-MIB, CISCO-DOT11-CONTEXT-SERVICES-MIB, CISCO-DOT11-IF-MIB, CISCO-DOT11-SSID-SECURITY-MIB, CISCO-ENTITY-VENDORTYPE-OID-MIB, C...

Page 270: ...SYS-MIB, OLD-CISCO-SYSTEM-MIB, OLD-CISCO-TS-MIB, P-BRIDGE-MIB, Q-BRIDGE-MIB, RFC1213-MIB, RFC1398-MIB, SNMPv2-MIB, SNMPv2-SMI, SNMPv2-TC, SNMPv3-MIB. Using FTP to Access the MIB Files: follow these steps to obtain each MIB file by using FTP. Step 1: Use FTP to access the server ftp.cisco.com. Step 2: Log in with the username anonymous. Step 3: Enter your e-mail username when prompted for the password. Step 4: At the...

Page 271: ...g FTP to Access the MIB Files. Note: You can also access information about MIBs on the Cisco website: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml ...


Page 273: ...bles in this document list some of the protocols that you can filter: Table E-1 Ethertype Protocols; Table E-2 IP Protocols; Table E-3 IP Port Protocols. In each table, the Protocol column lists the protocol name, the Additional Identifier column lists other names for the same protocol, and the ISO Designator column lists the numeric designator for each protocol.

Page 274: ... Table E-1 Ethertype Protocols (continued). Columns: Protocol | Additional Identifier | ISO Designator.
...iation | | 0x1000
LAN Test | | 0x0708
X.25 Level 3 | X.25 | 0x0805
Banyan | | 0x0BAD
CDP | | 0x2000
DEC XNS | XNS | 0x6000
DEC MOP Dump/Load | | 0x6001
DEC MOP | MOP | 0x6002
DEC LAT | LAT | 0x6004
Ethertalk | | 0x809B
Appletalk ARP | Appletalk AARP | 0x80F3
IPX 802.2 | | 0x00E0
IPX 802.3 | | 0x00FF
Novell IPX (old) | | 0x8137
Novell IPX (new) | IPX | 0x8138
EAPOL (old) | | 0x8180
EAPOL (new) | | 0x888E
Telxon TXP | TXP | 0x8729
Aironet DDP | DDP | 0x872D
Enet Config Test | | 0x9000
N...

Page 275: ... Table E-2 IP Protocols (continued). Columns: Protocol | Additional Identifier | ISO Designator.
... | | 0
Internet Control Message Protocol | ICMP | 1
Internet Group Management Protocol | IGMP | 2
Transmission Control Protocol | TCP | 6
Exterior Gateway Protocol | EGP | 8
PUP | | 12
CHAOS | | 16
User Datagram Protocol | UDP | 17
XNS-IDP | IDP | 22
ISO-TP4 | TP4 | 29
ISO-CNLP | CNLP | 80
Banyan VINES | VINES | 83
Encapsulation Header | encap_hdr | 98
Spectralink Voice Protocol | SVP, Spectralink | 119
raw | | 255

Page 276: ... Table E-3 IP Port Protocols (continued). Columns: Protocol | Additional Identifier | ISO Designator.
...d Protocol | msp | 18
ttytst source | chargen | 19
FTP Data | ftp-data | 20
FTP Control (21) | ftp | 21
Secure Shell (22) | ssh | 22
Telnet | | 23
Simple Mail Transport Protocol | SMTP, mail | 25
time | timserver | 37
Resource Location Protocol | RLP | 39
IEN 116 Name Server | name | 42
whois | nicname, 43 | 43
Domain Name Server | DNS, domain | 53
MTP | | 57
BOOTP Server | | 67
BOOTP Client | | 68
TFTP | | 69
gopher | | 70
rje | netrjs | 77
finger | | 79
Hypertext Transport Pro...

Page 277: ... Table E-3 IP Port Protocols (continued). Columns: Protocol | Additional Identifier | ISO Designator.
...k Time Protocol | ntp | 123
NETBIOS Name Service | netbios-ns | 137
NETBIOS Datagram Service | netbios-dgm | 138
NETBIOS Session Service | netbios-ssn | 139
Interim Mail Access Protocol v2 | Interim Mail Access Protocol, IMAP2 | 143
Simple Network Management Protocol | SNMP | 161
SNMP Traps | snmp-trap | 162
ISO CMIP Management Over IP | CMIP Management Over IP, cmip-man, CMOT | 163
ISO CMIP Agent Over IP | cmip-agent | 164
X Display M...

Page 278: ... Table E-3 IP Port Protocols (continued). Columns: Protocol | Additional Identifier | ISO Designator.
...k | | 518
route | RIP | 520
timeserver | timed | 525
newdate | tempo | 526
courier | RPC | 530
conference | chat | 531
netnews | | 532
netwall | wall | 533
UUCP Daemon | UUCP, uucpd | 540
Kerberos rlogin | klogin | 543
Kerberos rsh | kshell | 544
rfs_server | remotefs | 556
Kerberos kadmin | kerberos-adm | 749
network dictionary | webster | 765
SUP server | supfilesrv | 871
swat for SAMBA | swat | 901
SUP debugging | supfiledbg | 1127
ingreslock | | 1524
Prospero non-p...

Page 279: ...ed as an access point When configured as an access point the WMIC can use a WDS server and can act as a WDS authenticator client When you configure an access point to provide WDS other access points such as your WMIC if it is configured as an access point on your wireless LAN use the WDS access point to provide fast secure roaming for client devices and to participate in radio management Fast secu...

Page 280: ...orwards the client s security credentials to the new access point Role of Access Points Using the WDS Access Point The access points on your wireless LAN interact with the WDS access point in these activities Discover and track the current WDS access point and relay WDS advertisements to the wireless LAN Authenticate with the WDS access point and establish a secure communication channel to the WDS...

Page 281: ...ble delay in voice or other time-sensitive applications. Figure 2 shows client reassociation using CCKM. Figure 2 Client Reassociation Using CCKM and a WDS Access Point (diagram: access point or bridge, wired LAN, client device, RADIUS server; 1 authentication request; 2 identity request; 3 username, relayed to the client and to the server; 4 authentication challenge, relayed to the client and to the server; 5 authentication response, relayed to the client and to the server ...

Page 282: ...SE device on your network Access points participating in radio management also assist with the self healing wireless LAN automatically adjusting settings to provide coverage in case a nearby access point fails Configuring WDS and Fast Secure Roaming This section describes how to configure WDS and fast secure roaming on your wireless LAN This section provides information on the following topics Gui...

Page 283: ...this example, the WMIC is enabled to interact with the WDS access point, and it authenticates to your authentication server using APWestWing as its username and wes7win8 as its password. You must configure the same username and password pair when you set up the access point as a client on your authentication server. These values are illustrations only: give each access point its own randomly generated password, because this credential is what allows a device to join the WDS and receive the cached credentials of roaming clients. Also, to configure an access point to use a WDS access point, the access point must be c...

Page 284: ... Figure 3 Network Configuration Page. Step 2: Click Add Entry under the AAA Clients table. The Add AAA Client page appears. Figure 4 shows the Add AAA Client page ...

Page 285: ...d enter the IP address of the WDS access point. Step 5: In the Key field, enter exactly the same password that is configured on the WDS access point. Step 6: From the Authenticate Using drop-down menu, select RADIUS. Step 7: Click Submit. Step 8: Repeat Step 2 through Step 7 for each WDS access point candidate. Step 9: Click User Setup to browse to the User Setup page. You must use the User Setup page to creat...

Page 286: ... Figure 5 User Setup Page. Step 10: Enter the name of the access point in the User field. Step 11: Click Add/Edit. Step 12: Scroll down to the User Setup box. Figure 6 shows the User Setup box. Figure 6 ACS User Setup Box ...

Page 287: ...mmands to Enable the WDS Server. The following command-line interface (CLI) commands are required to enable the WDS server; the no form of the commands disables the WDS server. The same configuration applies to a central WDS server and to a per-subnet WDS server, and the same configuration applies to the WMIC: [no] wlccp wds priority 1-255 interface BVI1; [no] wlccp authentication-server infrastructure method_infra, where m...

Page 288: ...t Port number. [no] aaa authentication login eap_methods group rad_eap, where eap_methods is the named authentication list. The authentication network-eap eap_methods command allows traffic to and from the client while it is being authenticated by the root device. This command should be entered on all the root devices located at zone boundaries and on all the clients: authentication network-eap eap_methods n...

Page 289: ... state (authenticating, authenticated, or registered) and lifetime (seconds remaining before the access point must reauthenticate). Use the mac-addr option to display information about a specific access point. mn: use this option to display cached information about client devices (also called mobile nodes). The command displays each client's MAC address, IP address, the access point to which the client is assoc...
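The WDS server commands on pages 287 and 288, the AP-side credential from page 283 and the show wlccp verification above, assembled into one added example. This is not configuration from the guide: the RADIUS server 10.10.20.10 and its shared secret, the WDS priority 200, the SSID corp, the AP credential pair, and the list names rad_eap, eap_methods and method_infra (the guide's own names, reused here) are assumptions.

```cisco
! Added example: WDS server with RADIUS-backed infrastructure and client
! authentication, plus the per-AP credential every WDS member needs.
! Assumed values: RADIUS 10.10.20.10 / key R4d1usK3yZ, priority 200, SSID corp.
!
! --- On the WMIC acting as WDS server ---
configure terminal
 aaa new-model
 aaa group server radius rad_eap
  server 10.10.20.10 auth-port 1645 acct-port 1646
 ! One list for client EAP, one for infrastructure (AP-to-WDS) authentication.
 aaa authentication login eap_methods group rad_eap
 aaa authentication login method_infra group rad_eap
 radius-server host 10.10.20.10 auth-port 1645 acct-port 1646 key R4d1usK3yZ
 ! Highest priority wins the WDS election; the service runs on BVI1.
 wlccp wds priority 200 interface BVI1
 wlccp authentication-server infrastructure method_infra
 wlccp authentication-server client any eap_methods
end
!
! --- On every WMIC or AP that joins the WDS, including the WDS device ---
configure terminal
 ! This credential is also created as a user on the RADIUS server. Use a
 ! unique random password per AP; the guide's APWestWing/wes7win8 pair is
 ! an illustration only.
 wlccp ap username ap-westwing password 7G2mpQ9xLw4tN
 ! Pass EAP traffic while a client is being authenticated by the root device.
 dot11 ssid corp
  authentication network-eap eap_methods
end
!
! --- Verify ---
! On the WDS device: each member AP, its state and remaining lifetime.
show wlccp wds ap
! On the WDS device: cached client (mobile node) entries.
show wlccp wds mn
! On a member AP: which WDS it registered with and its own state.
show wlccp ap
```

An AP stuck in the authenticating state on show wlccp wds ap almost always means the wlccp ap username/password pair does not match the RADIUS user, or the infrastructure method list cannot reach the server.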

Page 290: ...perform active scanning The default value for this command is 2 in which the WMIC will listen and then transmit for all the available channels If the value is set to 1 the WMIC will perform active scanning on the current active channel If the WMIC is not associated to a new AP the WMIC will start listening and then transmit for the rest of the channels to identify new AP The mobile station scan ch...

Page 291: ... you can manually configure MFP on an AP and WDS. Note: If a WLSE is not present, then MFP cannot report detected intrusions and thus has limited effectiveness. If a WLSE is present, you should perform the configuration from the WLSE. For complete protection you should also configure an MFP AP for Simple Network Time Protocol (SNTP). Client MFP encrypts class 3 management frames sent between APs and Cisco ...

Page 292: ...r required or optional for a particular SSID. To configure Client MFP as required, you must configure the SSID with key management WPA2 mandatory. If the key management is not WPA2 mandatory, an error message is displayed and your CLI command is rejected. If you attempt to change the key management with Client MFP configured as required and key management WPA2, an error message is displayed and your CLI...

Page 293: ...idate the MIC, causing any receiving AP that is configured to detect (validate) MFP frames to report the discrepancy. The AP must be a member of a WDS. Step 3: dot11 ids mfp detector. Configures the AP as an MFP detector. When enabled, the AP validates management frames it receives from other APs. If the AP receives any frame that does not contain a valid and expected MIC IE, it will report the discrepancy t...
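The MFP steps on pages 291 to 293, written out as an added example (not configuration from the guide): the distributor role on the WDS device, generator and detector roles on each member AP with SNTP configured first, and Client MFP set to required on one SSID with the WPA2-mandatory key management that page 292 says the command demands. The APs are assumed to be WDS members already; the SNTP server 10.10.20.1, the SSID corp and the list name eap_methods are assumptions.

```cisco
! Added example: infrastructure MFP across a WDS plus Client MFP required.
! Assumed values: SNTP server 10.10.20.1, SSID corp, auth list eap_methods.
!
! --- On the WDS device: distributes MFP keys to member APs ---
configure terminal
 dot11 ids mfp distributor
end
!
! --- On each member AP ---
configure terminal
 ! MFP validation depends on synchronised clocks; set the time source
 ! before turning the feature on or genuine frames will be reported.
 sntp server 10.10.20.1
 ! Add a MIC IE to the management frames this AP transmits...
 dot11 ids mfp generator
 ! ...and validate the ones it hears, reporting mismatches to the WDS.
 dot11 ids mfp detector
 ! Client MFP 'required' is accepted only when WPA2 is mandatory on the
 ! SSID; with WPA2 optional or TKIP-only key management it is rejected.
 dot11 ssid corp
  authentication open eap eap_methods
  authentication network-eap eap_methods
  authentication key-management wpa version 2
  ids mfp client required
end
!
! --- Verify ---
show dot11 ids mfp
```

Without a WLSE the detector still validates frames but has nowhere to report, which is the limitation page 291 describes; in that case treat infrastructure MFP as local logging rather than as intrusion detection.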


Page 295: ...rating in the 2.4 GHz frequency band. A: access point: a wireless LAN data transceiver that uses radio waves to connect a wired network with wireless stations. AC_BE: Access Category Best Effort. AC_BK: Access Category Background. AC_VI: Access Category Video. AC_VO: Access Category Voice. AES-CCMP: AES Counter Mode with CBC-MAC Protocol; a protocol based on AES using the CCM mode of operation. The CCM mode combines ...

Page 296: ...t packet A single data message packet sent to all addresses on the same subnet C CCK Complementary code keying A modulation technique used by IEEE 802 11b compliant wireless LANs for transmission at 5 5 and 11 Mbps CCKM Cisco Centralized Key Management Using CCKM authenticated client devices can roam from one access point to another without any perceptible delay during reassociation An access poin...

Page 297: ...t configuration protocol A protocol available with many operating systems that automatically issues IP addresses within a specified range to devices on the network The device retains the assigned address for a specific administrator defined period dipole A type of low gain 2 2 dBi antenna consisting of two often internal elements domain name The text name that refers to a grouping of networks or n...

Page 298: ...ce that connects two otherwise incompatible networks GHz Gigahertz One billion cycles per second A unit of measure for frequency I IEEE Institute of Electrical and Electronic Engineers A professional society serving electrical engineers through its publications conferences and standards development activities The body responsible for the Ethernet 802 3 and wireless LAN 802 11 specifications infras...

Page 299: ...et usually includes routing information, data, and sometimes error detection information. pairwise: two entities that are associated with each other, an access point and one associated station, or a pair of stations in an IBSS network; used to describe the key hierarchies for keys that are shared only between the two entities in a pair. Pairwise Master Key (PMK): the key that is generated on a per-session...

Page 300: ...ance with this rule Cisco like all other wireless LAN providers equips its radios and antennas with a unique connector to prevent attachment of non approved antennas to radios S slot time The amount of time a device waits after a collision before retransmitting a packet Short slot times decrease the backoff time which increases throughput spread spectrum A radio transmission technology that spread...

Page 301: ...nt to a specific IP address W WDS Wireless Domain Services An access point providing WDS on your wireless LAN maintains a cache of credentials for CCKM capable client devices on your wireless LAN When a CCKM capable client roams from one access point to another the WDS access point forwards the client s credentials to the new access point with the multicast key Only two packets pass between the cl...

Page 302: ...from the Wireless Ethernet Compatibility Alliance (WECA). WPA, mostly synonymous with Simple Security Network (SSN), relies on the interim version of IEEE Standard 802.11i. WPA supports WEP and TKIP encryption algorithms as well as 802.1X and EAP for simple integration with existing authentication systems. WPA key management uses a combination of encryption methods to protect communication between client dev...

Page 303: ... 3 7 administrator access 4 21 Advanced Encryption Standard AES 1 7 AES CCMP 11 2 Aironet 802 11 extensions 4 40 Aironet Client Utility ACU 8 3 antenna gains 8 4 ARPANET 4 1 attributes RADIUS vendor proprietary 4 30 vendor specific 4 29 authentication EAP server 4 20 3 3 local mode with AAA 4 38 MAC address 3 6 NTP associations 4 47 RADIUS key 4 22 login 4 24 server configuration for fast secure r...

Page 304: ...nfiguring 3 7 channel default setting i xvi 5 1 7 1 channels allowed per country 3 14 to 3 18 cipher suites enabling 11 5 with WPA 11 8 Cisco Centralized Key Management See CCKM Cisco Centralized Key Management CCKM 1 7 Cisco Compatible eXtensions CCX 3 9 Cisco Express Forwarding CEF 7 4 Cisco IOS version 12 4 6 T 7 1 Cisco TAC 8 1 CiscoWorks 2000 10 3 CKIP 1 8 CKIP Cisco Key Integrity Protocol 11...

Page 305: ...evels 4 10 show cdp 2 4 show cdp entry 2 4 show cdp interface 2 4 show cdp neighbors 2 4 show cdp traffic 2 4 show controller dot11radio 8 8 show controllers dot11Radio 5 2 8 2 show crypto ipsec 7 5 show ip mobile router 7 5 show ip mobile tunnel 7 2 speed 8 6 ssid 9 1 tftp_init 8 5 vlan 10 2 world mode 3 6 community strings configuring 10 4 overview 10 3 connections secure remote 4 39 console cab...

Page 306: ...he display destination device 6 5 severity levels 6 7 system message format 6 2 Ethernet indicator 8 1 Ethertype protocols protocols Ethertype 13 2 Express Security page 2 4 Extensible Authentication Protocol See EAP extensions Aironet 4 40 F Fast Ethernet Switch mobile interface card FESMIC 2 1 Fast Secure Roaming 3 9 fast secure roaming 14 1 and WDS 14 4 authentication server 14 5 features 1 7 f...

Page 307: ...et 8 1 radio traffic 8 1 status 8 1 Lightweight AP Protocol LWAPP 3 7 Load balancing 4 40 load balancing wireless bridge 3 5 login authentication with RADIUS 4 24 with TACACS 4 34 4 35 login authentication command 4 25 login banners 4 3 log messages See system message logging loopback crypto map 7 4 M MAC address authentication 3 6 troubleshooting 8 3 Management Frame Protection 15 1 access points...

Page 308: ... overview 4 41 restricting access creating an access group 4 52 disabling NTP services per interface 4 53 source IP address configuring 4 54 stratum 4 41 synchronizing devices 4 49 time synchronizing 4 41 ntp authenticate command 4 47 ntp peer command 4 49 O OFDM 1 8 OFDM modulation 8 2 P Pairwise Master Key PMK 1 5 password reset 8 3 passwords default configuration 4 6 encrypting 4 7 setting enab...

Page 309: ...efault configuration 4 21 defining AAA server groups 4 25 displaying the configuration 4 31 identifying the server 4 21 limiting the services to the user 4 27 method list 4 21 operation of 4 20 overview 4 19 SSID 10 2 suggested network environments 4 19 tracking services accessed by user 4 28 radius server host command 4 23 range 8 5 rate limit logging 6 9 redundancy wireless bridge 3 5 regulatory...

Page 310: ...w controllers dot11Radio command 5 2 8 2 show crypto ipsec command 7 5 show ip mobile router command 7 5 show ip mobile tunnel command 7 2 show vlan 5 6 Simple Network Management Protocol See SNMP SNMP accessing MIB variables with 10 3 agent described 10 3 disabling 10 4 community strings configuring 10 4 overview 10 3 configuration examples 10 9 default configuration 10 4 limiting system log mess...

Page 311: ... timers described 1 4 stratum NTP 4 41 summer time 4 46 syslog See system message logging system clock 4 41 configuring daylight saving time 4 46 manually 4 44 summer time 4 46 time zones 4 45 displaying the time and date 4 44 overview 4 41 See also NTP system message logging default configuration 6 3 defining error message severity levels 6 7 disabling 6 4 displaying the configuration 6 11 enabli...

Page 312: ...wer 8 2 8 3 client 8 3 regulatory limits 3 13 transmit power levels supported by country 3 13 to 3 18 transmit speed 8 6 traps configuring managers 10 6 defined 10 2 enabling 10 6 notification types 10 6 overview 10 1 10 3 Tropos access point 3 8 troubleshooting 8 1 with CiscoWorks 10 3 with system message logging 6 1 tunnel 1 5 tunnel template apply 7 2 dynamic tunnel 7 1 for multicast 7 1 IPSec ...

Page 313: ...11 4 keys 8 3 troubleshooting 8 3 with EAP 3 3 Wi Fi Multimedia See WMM Wi Fi Protected Access See WPA Wi Fi Protected Access WPA 4 13 Wired Equivalent Privacy See WEP wireless bridges 5 3 Wireless Domain Services See WDS Wireless Domain Services WDS 14 1 WMIC and WDS 14 1 multiple client profiles 9 3 9 5 WMM workgroup bridge 3 6 infrastructure client 3 7 world mode 3 13 802 11d 3 12 Cisco legacy ...

