manualshive.com logo in svg

Allen-Bradley 1783-WAPAK9, User Manual

Share
Download
Allen-Bradley 1783-WAPAK9 User Manual Download Page 416

416

Rockwell Automation Publication 1783-UM006A-EN-P - May 2014

Chapter 14

Configuring RADIUS and  Servers

Defining AAA Server Groups

You can configure the access point to use AAA server groups to group existing 
server hosts for authentication. You select a subset of the configured server hosts 
and use them for a particular service. The server group is used with a global 
server-host list. The list contains the IP addresses of the selected server hosts. 

Server groups also can include multiple host entries for the same server if each 
entry has a unique identifier (the combination of the IP address and UDP port 
number), allowing different ports to be individually defined as RADIUS hosts 
providing a specific AAA service. If you configure two different host entries on 
the same RADIUS server for the same service (such as accounting), the second 
configured host entry acts as a fail-over backup to the first one.

You use the server group server configuration command to associate a particular 
server with a defined group server. You can either identify the server by its IP 
address or identify multiple host instances or entries by using the optional 
authport and acct-port keywords.

Beginning in privileged EXEC mode, follow these steps to define the AAA server 
group and associate a particular RADIUS server with it:

1.

Enter global configuration mode.

configure terminal

2.

Enable AAA.

aaa new-model

3.

Specify the IP address or host name of the remote RADIUS server host.

(Optional) 

For auth-port

 

port-number

, specify the UDP 

destination port for authentication requests.

(Optional) For 

acct-port

 

port-number

, specify the UDP 

destination port for accounting requests.

(Optional) For 

timeout

 

seconds

, specify the time interval that the 

access point waits for the RADIUS server to reply before 
retransmitting. 

The range is 1…1000. This setting overrides the 

radius-server 

timeout

 global configuration command setting. If no timeout is set 

with the 

radius-server host

 command, the setting of the 

radius-server timeout

 command is used.

(Optional) For 

retransmit

 

retries

, specify the number of times a 

RADIUS request is resent to a server if that server is not responding or 
responding slowly. 

The range is 1…1000. If no retransmit value is set with the 

radius-

server hostp

 command, the setting of the 

radius-server 

retransmit

 global configuration command is used.

Summary of Contents for 1783-WAPAK9

Page 1: ...Stratix 5100 Wireless Access Point Workgroup Bridge Catalog Numbers 1783 WAPAK9 1783 WAPEK9 1783 WAPCK9 1783 WAPZK9 User Manual...

Page 2: ...ual in whole or in part without written permission of Rockwell Automation Inc is prohibited Throughout this manual when necessary we use notes to make you aware of safety considerations Labels may als...

Page 3: ...reless AccessPoint WorkgroupBridge Ports and Connections 32 Stratix 5100 WAP Specifications 32 Ethernet Cable Recommendation 32 External Antennas 33 Antenna Cable Extensions Recommendation 33 Preparin...

Page 4: ...k 61 Using VLANs 63 Configuring Security 64 Easy Set up Page Security Types 65 Easy Setup Network Configuration Security Limitations 66 Create an SSID from the Security Menu 66 Enabling HTTPS for Secu...

Page 5: ...l RADIUS Server 129 Advanced Security 132 Services Page 135 Telnet SSH 135 Hot Standby Page 137 CDP Page 138 DNS Page 140 Filters Page 141 MAC Address Filters Page 142 IP Filters Page 144 Ethertype Fi...

Page 6: ...6 Example 3 EAP Authentication 188 Example 4 WPA 191 Assign an IP Address by Using CLI 193 Using a Terminal Application Session to Access CLI 194 Configuring the 802 1X Supplicant 194 Creating a Crede...

Page 7: ...the Authentication Cache and Profile 221 Configuring the Access Point to Provide DHCP Service 225 Setting up the DHCP Server 225 Monitoring and Maintaining the DHCP Server Access Point 227 Show Comma...

Page 8: ...260 Blocking Channels from DFS Selection 261 Setting the 802 11n Guard Interval 262 Configuring Location based Services 263 Understanding Location Based Services 263 Configuring LBS on Access Points...

Page 9: ...ion for an SSID 291 Guidelines for Using IP Redirection 292 Configuring IP Redirection 292 Including an SSID in an SSIDL IE 293 NAC Support for MBSSID 294 Configuring NAC for MBSSID 297 Chapter9 Confi...

Page 10: ...enerating PACs Manually 336 Configuring an Authority ID 337 Configuring Server Keys 337 Possible PAC Failures Caused by Access Point Clock 338 Limiting the Local Authenticator to One Authentication Ty...

Page 11: ...nd WirelessIntrusionDetectionServices Understanding WDS 375 Role of the WDS Device 376 Role of Access Points by Using the WDS Device 377 Understanding Fast Secure Roaming 377 Understanding Radio Manag...

Page 12: ...gin Authentication 414 Defining AAA Server Groups 416 Configuring RADIUS Authorization for User Privileged Access and Network Services 418 Configuring Packet of Disconnect 419 Starting RADIUS Accounti...

Page 13: ...455 Chapter16 ConfiguringQoS Understanding QoS for Wireless LANs 457 QoS for Wireless LANs Versus QoS on Wired LANs 458 Impact of QoS on a Wireless LAN 458 Precedence of QoS Settings 459 Configure QoS...

Page 14: ...P Server Hosts 514 Configuring SNMP Server Users 514 Configuring Trap Managers and Enabling Traps 514 Setting the Agent Contact and Location Information 516 Using the snmp server view Command 517 SNMP...

Page 15: ...m Message Logging 548 Default System Message Logging Configuration 549 Disabling and Enabling Message Logging 549 Setting the Message Display Destination Device 551 Enabling and Disabling Timestamps o...

Page 16: ...ns 581 Software Auto Upgrade Messages 582 Association Management Messages 583 Unzip Messages 583 System Log Messages 584 802 11 Subsystem Messages 584 Inter Access Point Protocol Messages 589 Local Au...

Page 17: ...use with the access point It does not provide detailed information about these commands For detailed information about these commands see the Cisco IOS Command Line Configuration Guide 15 3 This user...

Page 18: ...MIC CMIC TKIP CKIP and broadcast key rotation Chapter 12 Configuring Authentication Types Describes how to configure authentication types onthe access point Client devices use these authentication met...

Page 19: ...LI Reference Manual Using the Cisco IOS Command Line Interface Configuration Guide 15 3 Provides comprehensive information about using the Cisco IOS Command Line Interface Cisco IOS Security Command R...

Page 20: ...ode and links to software service packs You can also visit our Support Center at https rockwellautomation custhelp com for software updates support chats and forums technical information FAQs and to s...

Page 21: ...5100 WAP is a wireless LAN transceiver Wi Fi certified and compliant in 802 11a b g n 802 11b 802 11g pre 802 11n The Stratix 5100 WAP offers dual band radios 2 4 GHz and 5 GHz with integrated and ex...

Page 22: ...ultaneous single band or dual band radios Wi Fi Standards 802 11 a b g n 3TX transmit x 4RX receive 3 spatial streams 450 Mbps PHY rate Throughput forwarding and filtering performance scan to meet 3 s...

Page 23: ...Management Options You can use the wireless device management system through the following interfaces A web browser interface that you use through a web browser See Stratix 5100 Device Manager Config...

Page 24: ...sometimes concerned when a client device stays associated to a distant access point instead of roaming to a closer access point However if a client signal to a distant access point remains strong and...

Page 25: ...ese roles require specific configurations Root Access Point An access point connected directly to a wired LAN provides a connection point for wireless users If more than one access point is connected...

Page 26: ...le an access point establishes a wireless link with a non root bridge Traffic is passed over the link to the wired LAN Access points in root and non root bridge roles can be configured to accept assoc...

Page 27: ...client and provides a network connection for the devices connected to its Ethernet port For example if you need to provide wireless connectivity for a group of network printers you can connect the pr...

Page 28: ...unit The access point is not attached to a wired LAN it functions as a hub linking all stations together The access point serves as the focal point for communication increasing the communication range...

Page 29: ...ation Support on the back cover of this manual Items Shipped with the WAP The following items are included with the WAP Item Description Stratix 5100 Wireless Access Point Workgroup Bridge 1783 WAPAK9...

Page 30: ...30 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 1 Getting Started with the Stratix 5100 WAP Notes...

Page 31: ...nt Damage to the WAP 36 Ports and Connections 36 Install the WAP 37 IDF Closets telecommunications or other electrical equipment 37 Very High Altitudes 38 Common or Distributed Antenna System DAS 38 G...

Page 32: ...Ethernet port 4 Console port 5 Mounting bracket pins 32472 M 1 3 4 5 2 Table 1 Stratix 5100 Wireless Access Point Workgroup Bridge Specifications Category Specification Dimensions LxWxD 22 04 x 22 04...

Page 33: ...ralow loss ULL cables that have the same characteristics as Times Microwave LMR 400 and LMR 600 When drilling holes for cable allow for the size of connector drill bit typically15 8750 mm 5 8 in Cisco...

Page 34: ...Hz dual band radios in a 3 x 4 MIMO configuration with three spatial streams The radios and antennas support frequency bands 2400 2500 MHz and 5150 5850 MHz through a common dual band RF interface The...

Page 35: ...y range 2400 2500 MHz Nominal input impedance 50 VSWR Less than 2 1 Peak Gain 2 4 GHz 2 dBi Peak Gain 5 GHz 4 dBi Elevation plane 3dB beam width 2 4 GHz 63 Elevation plane 3dB beam width 5 GHz 39 Conn...

Page 36: ...you use the Stratix 5100 Wireless Access Point Workgroup Bridge you must configure it using the console cable See Connect to the Stratix 5100 WAP Access Point Locally on page 54 and Configure the Stra...

Page 37: ...this manual Other items you need to install the unit ESD preventive cord and wrist strap Ethernet cable Power supply Mounting screws Grounding wire IDF Closets telecommunications or other electrical...

Page 38: ...ed for deployments on distributed antenna systems DAS Rockwell Automation does not certify endorse or provide RF support for Wi Fi deployments over any DAS The DAS vendor and systems integrator are so...

Page 39: ...nt as possible 2 Connect a user supplied ground wire to the building grounding point The minimum length of the wire is 2 5mm2 14 AWG assuming a circuit length of 25 ft 30 5 cm Consult your local elect...

Page 40: ...r 121T The cable access cover on the mounting bracket covers the cable bay area including the power port Ethernet port console port and the mode button to prevent the installation or removal of the ca...

Page 41: ...ght or left to secure the security cable lock to the access point 5 Remove the key Mounting the Access Point The Stratix 5100 WAP comes with a low profile access point mounting bracket AIR AP BRACKET...

Page 42: ...nother access hole Table 3 Mounting Bracket Description 1 Wall mount locations 4 Cable access cover 2 Grounding post 5 Security hasp 3 Access point attachment slots TIP Mark all four locations of the...

Page 43: ...thernet and power cables to the access point 11 Align the access point feet with the large part of the keyhole mounting slots on the mounting plate 12 When positioned correctly the cable access cover...

Page 44: ...ypes of devices at the same time under heavy use load 4 Characterize each system independently to see whether degradation exists Mounting an Access Point on a Hard Ceiling or a Wall This procedure des...

Page 45: ...Ethernet cable building ground wire and power cables 1 Wall mount locations 4 Cable access cover 2 Grounding post 5 Security hasp 3 Access point attachment slots TIP Mark all four locations of the wal...

Page 46: ...s with indents down over the pilot holes 7 Insert a fastener into each mounting hole and tighten 8 Connect the Ethernet and power cables to the access point 9 Align the access point feet with the larg...

Page 47: ...he power cord attached into the WAP 3 Plug the power cord into the outlet 4 Observe the access point status indicators See Access Point Status Indicators on page 48 for descriptions of the status indi...

Page 48: ...ator The status indicators communicate various WAP conditions Table 4 Status Indicator Descriptions Message Type Status Indicator Description Boot loader status sequence Blinking green DRAM memory tes...

Page 49: ...through green red and off Discovery join process in progress Rapidly cycling through blue green and red Access point location command invoked Blinking red Ethernetlink not operational Boot loader war...

Page 50: ...ager For instructions on how to configure the Wireless Access Point Workgroup Bridge by using Straitx 5100 Device Manager software see Stratix 5100 Device Manager Configuration Startup on page 51 TIP...

Page 51: ...x 5100 WAP 53 Obtain and Assign an IP Address 54 Connect to the Stratix 5100 WAP Access Point Locally 54 Default Radio Settings 54 Reset the WAP to Default Settings 55 Logging into the Access Point 57...

Page 52: ...ger Configure a VLAN Assign the SSID and Broadcast SSID Determine VLAN to SSID mappings Assign maximum reach Determine maximum throughput Configure Light Extensible Authentication Protocol LEAP includ...

Page 53: ...SNMP is in use If you use IPSU to find the wireless device IP address the access point MAC address The MAC address can be found on the label on the bottom of the access point such as 00164625854c Logi...

Page 54: ...nnect the console cable RJ 45 to the WAP 2 Connect the other end of the console cable DB 9 to the serial port on the computer 3 Set up a terminal emulator to communicate with the access point Use the...

Page 55: ...nt 3 Hold MODE until the status indicator turns amber approximately 20 30 seconds and release the button All access point settings return to factory defaults Reset to Default Settings by Using the GUI...

Page 56: ...ware The System Software screen appears 6 Click System Configuration The System Configuration screen appears 7 Click Reset to Defaults to reset all settings including the IP address to factory default...

Page 57: ...at the top of any page in the web browser interface to display online help Click the printer icon to print the page you are on The help page appears in a new browser page use the select a topic pull...

Page 58: ...pter 3 Stratix 5100 Device Manager Configuration Startup The Summary Status page appears Your page can be different depending on the access point model you are using Figure 18 Summary Status Page 6 Cl...

Page 59: ...ddress assignment IP Address Use this setting to assignor change the wireless device IP address If DHCP is enabled for your network leave this field blank IP Subnet Mask Enter the IP subnet mask provi...

Page 60: ...is not connected to the wired LAN Root Bridge Establishes a link with a non root bridge Non root Bridge In this mode the device establishes a link with a root bridge Workgroup Bridge Specifiesthatthe...

Page 61: ...you must go to the radio settings page to enable the radio 1 From the top menu click Network The Network Summary page appears 2 Click Network Interface 3 Click Summary Aironet Extensions Choose Enabl...

Page 62: ...tion 1783 UM006A EN P May 2014 Chapter 3 Stratix 5100 Device Manager Configuration Startup The Network Interfaces Summary page appears 4 Click the radio you want to configure The Radio Status page app...

Page 63: ...page However if you don t use VLANs on your wireless LAN the security options that you can assign to SSIDs are limited because on the Easy Setup page encryption settings and authentication types are...

Page 64: ...configure security settings to prevent unauthorized access to your network Because it is a radio device the access point can communicate beyond the physical boundaries of your work site Just as you u...

Page 65: ...need to enter a WEP key Mandatory 802 1X authentication Client devices that associate by using this SSID must perform 802 1X authentication If radio clients are configuredto authenticate by using EAP...

Page 66: ...guration Examples on page 184 for information on how to create an SSID by using CLI Command Line Interface 1 From the top menu click Security 2 From the left menu click SSID Manager Table 8 Easy Setup...

Page 67: ...a useful option for an SSID used by guests or by client devices in a public space If you do not broadcast the SSID client devices cannot associate to the access point unless their SSIDs match this SSI...

Page 68: ...onal Assign the SSID to a VLAN a Click Define VLANS b Select NEW c Enter a VLAN number 1 4094 d Choose a radio and click Apply You cannot assign an SSID to an existing VLAN 6 Optional Check the Native...

Page 69: ...he access point If you lose the connection change the URL in your browser address line from http ip_address to https ip_address and log into the access point again When you enable HTTPS most browsers...

Page 70: ...tion of the system name and the domain name For example if your system name is ap1100 and your domain name is company com the FQDN is ap1100 company com 6 Enter the FQDN on your DNS server This way th...

Page 71: ...check box and click Apply 9 Enter a domain name and click Apply A warning page appears stating that you need to use HTTPS to browse to the access point The page also instructs you to change the URL t...

Page 72: ...t the access point security certificate is valid but is not from a known source However you can accept the certificate with confidence because the site in question is your own access point Figure 24 C...

Page 73: ...d page 13 Click Next The Certificate Storage Area dialog box appears and asks where do you want to store the certificate We recommend that you use the default storage area on your system Figure 27 Cer...

Page 74: ...gain CLI Configuration Example This example shows the CLI commands that are equivalent to the steps listed in Enabling HTTPS for Secure Browsing on page 69 In this example the access point system name...

Page 75: ...ete the certificate Follow these steps to delete the certificate 1 Browse to the Services HTTP page 2 Uncheck the Enable Secure HTTPS Browsing check box to disable HTTPS 3 Click Delete Certificate 4 R...

Page 76: ...76 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 3 Stratix 5100 Device Manager Configuration Startup Notes...

Page 77: ...tup Page 85 Network Page 86 Network Interface Summary Page 87 Network Interface IP Address Page 90 Network Interface Radio0 802 11n 2 GHz and Radio1 802 11n 5 GHz Status 95 Network Interface Radio Set...

Page 78: ...Parameter Definitions QoS Policies Page 149 Stream Page 154 SNMP Page 155 SNTP Page 158 ARP Caching Page 161 Band Select Page 162 Management Page 164 Software Page 166 Software Upgrade HTTP Page 167 S...

Page 79: ...ick Apply Table 9 Stratix 5100 Device Manager System Management Tab Descriptions Item Description Home TheEasySetuppageprovidesthewirelessdevicestatuspagewithinformationon the number of radio devices...

Page 80: ...ge on page 166 for details Event Log Creates the wireless device event log and provides links to configuration pages where you can select events to be in traps set event severity levels and set notifi...

Page 81: ...nge the system name the wireless device resets the radios causing associated client devices to disassociate and quickly reassociate Server Protocol Choose the item that matches the network method of I...

Page 82: ...address for example FE80 E690 69FF FEAE 66D0 X X X X X 0 128 Username The username want to use for this WAP Password The password you want to use for this WAP SNMP Community To use Simplified Network...

Page 83: ...tting VLAN If you use VLANs on your wireless LAN and assign SSIDs to VLANs you can create multiple SSIDsusinganyofthefoursecuritysettingsontheExpressSecuritypage However ifyoudo not use VLANs on your...

Page 84: ...her radio interface is automatically disabled UniversalWorkgroup Bridge Provides the means for the Stratix 5100 WAP to be configured as workgroup bridges WGBs and to associate with non Cisco access po...

Page 85: ...on your network server authentication port 1645 Because 802 1X authentication provides dynamic encryption keys you don t need to enter a WEP key Mandatory 802 1X authentication Client devices that as...

Page 86: ...lities If you select Enable it is best to switch back to the Disable default before leaving the page because the time to discover the network can greatly increase the system load Figure 34 Network Map...

Page 87: ...this device Software Version The software version currently running on your device Radio Specifies whether the radio is 802 11a or 802 11b Channel Specifies what channel the radio is using Age hrs Sp...

Page 88: ...interface and helps locate network problems Total Packets Input The total number of error free packets received by the system Total Bytes Input The total number of error free bytes received by the sys...

Page 89: ...e parent access point was restarted The operator changed the assigned parent Better parent found The number of times the repeater switched to a new parent access point because the signal from the curr...

Page 90: ...configure the access point as a DHCP server it assigns IP addresses to devices on its subnet The devices communicate with other devices on the subnet but not beyond it If data needs to be passed beyo...

Page 91: ...ftware Status Indicates whether the interface has been enabled or disabled by the operator Hardware Status Indicates whether the line protocol for the interface is up or down Maximum Rate The rate set...

Page 92: ...eroftimesthereceiverhardwarewasunabletosendreceiveddatatoa hardware buffer because the input rate exceeded the receiver s ability to process the data Ignored Packets The number of received packets ign...

Page 93: ...sults from an overextended LAN where the Ethernet or transceiver cable is too long where too many cascadedmulti port transceiversare used or where more than two repeaters are used between stations Las...

Page 94: ...and Full Important Do not modify Requested Duplex while using inline power Changing these settings while using inline power can cause the device to reboot Requested Speed Auto 1000 Mbps 100 Mbps 10 M...

Page 95: ...ransmission Aironet Extensions If compatibility with non Cisco Aironet products is required deselect Aironet Extensions Disablingthisoptionlimitsseveraladvancedfeaturesoftheaccesspoint such as load ba...

Page 96: ...umber of bytes including data and MAC encapsulation received by the system Transmit Statistics 5 min Output Rate bits sec The average number of bits transmitted per second in the last 5 minutes 5 min...

Page 97: ...ber of Kilobytes Sent and Received by the server Unicast Packets Received Sent Number of Unicast Packets Received Sent in point to point communication Unicast Packets Sent To Host By Host Number of Un...

Page 98: ...em or because they were not encrypted Retries Number of attempts to send a packet Buffer full Messagethatissenttothesendingdevicetosuspendtransmissionuntilthe data in the buffers has been processed Pa...

Page 99: ...Table 20 Radio0 802 11n 2 GHz and Radio1 802 11n 5 GHz Settings Description Parameter Description Operating Mode This value indicates whether or not the radio supports multiple protocols as in 802 11...

Page 100: ...Disabled Down Role in Radio Network This is where you choose a role in the radio network The choices are access point repeater root bridge non root bridge install workgroup bridge scanner spectrum For...

Page 101: ...rface Settings Page continued Table 21 Radio0 802 11n 2 GHz and Radio1 802 11n 5 GHz Settings Description Parameter Description Data Rates Default Best Range Best Throughput 1 0 2 0 5 5 11 0 6 0 9 0 1...

Page 102: ...nly Selected Channels Channel Width 20 MHz Table 21 Radio0 802 11n 2 GHz and Radio1 802 11n 5 GHz Settings Description Continued Parameter Description Table 22 Radio0 802 11n 2 GHz and Radio1 802 11n...

Page 103: ...am Metric Enable Disable Aironet Extension Enable Disable Ethernet Encapsulation Transform RFC1042 802 1H Reliable Multicast to WGB Enable Disable Public Secure Packet Forwarding Enable Disable Beacon...

Page 104: ...ge is where you can view what is associated with clients and infrastructure clients Figure 43 Association Page Table 24 Association Page Parameter Descriptions Parameter Description SSID Name Device T...

Page 105: ...address is a unique identifier assigned to the network interface by the manufacturer If you click the MAC Address link it takes you to the Association Station View Client screen The MAC addresses that...

Page 106: ...e Parameter Descriptions Parameter Description Participate in SWAN Infrastructure Enable Disable WDS Discovery Auto Discovery Specified Discovery IP Address Username Participate username Password Part...

Page 107: ...WDS Fast Secure Roaming Radio Management and Wireless Intrusion Detection Services on page 375 for detailed configuration information Figure 45 WDS Wireless Domain Service Status Page This page provi...

Page 108: ...etwork interface by the manufacturer IP Address IP address of the client repeater State Displays the state of the client repeater as either Registered or not SSID Specifies the SSIDtied to the VLAN VL...

Page 109: ...to act as the main WDS and lower priorities to backup WDSs If your main WDS fails the backup with the highest priority becomes the active WDS Use Local MAC List for Client Authentication Checkthistoau...

Page 110: ...e group name Group Sever Priorities Set the priority of servers used forinfrastructure and clientauthentications Define Servers ClickDefineServerstomovetotheSecurity ServerManagerpagewhereyoucan confi...

Page 111: ...other security pages Figure 48 Security Summary Page Links on the Security Summary Page Description Administrators Link to Admin Access seeAdmin Access Pageon page 113 Service Set Identifiers SSIDs Li...

Page 112: ...ifies which radio is being used BSSID Guest Mode Specifies the BSSID Guest mode attached to this SSID Open Shared Network EAP Specifies the method of authentication being used Open enables any device...

Page 113: ...arameter Descriptions Parameter Description Administrator Authenticated by Default Authentication Global Password Local User List Only Individual Passwords Authentication Server Only Authentication Se...

Page 114: ...arameter Definitions Encryption Manager Page You use Wired Equivalent Privacy WEP to encrypt radio signals sent by the bridge and decrypt radio signals received by the bridge This page enables you to...

Page 115: ...Because cipher suites provide the protection of communication while also allowing the use of authenticated key management we recommend that you enable encryption by using the encryption mode cipher co...

Page 116: ...logically segmented byfunctions project teams or applications rather than ona physical or geographical basis For example all workstations and servers used by a particular workgroup team can be connec...

Page 117: ...n Server Only option on the Advanced Security page In the case of Authentication Server Only option MAC Authentication Servers must be set in this page or in the Server Manager page EAP Authentication...

Page 118: ...redirect only packets addressed to specific ports the access point redirects those packets from clients using the SSID and drops all other packets from clients using the SSID IP Address Enter the IP...

Page 119: ...ructure SSID Whentheaccesspointisinrepeatermode thisSSIDisusedtoassociatewithaparentaccesspoint Checkthecheckboxbythepull downmenu if you want to force infrastructure devices to associate only to this...

Page 120: ...ter 4 Stratix 5100 Device Manager Parameter Definitions Server Manager Page The Server Manager page is where you to enter the authentication settings The RADIUS TACACS server on the your network uses...

Page 121: ...number your RADIUS TACACS server uses for authentication The port setting for the Cisco RADIUS server the Access Control Server ACS is 1645 and the port setting for many RADIUS servers is 1812 Check y...

Page 122: ...about the servers you are using and the global locations of those servers Table 34 Server Manager Global Properties Parameter Descriptions Parameter Description Accounting Update Interval optional 1 2...

Page 123: ...n ID Format Default Example 0000 4096 3e4a IETF Example 00 00 40 96 3e 4a Unformatted Example 000040963e4a RADIUS Service Type Attributes Login Framed RADIUS WISPr Attributes optional ISO County Code...

Page 124: ...uce unique challenges to the traditional authenticator client relationship First access points can be placed in public places inviting the possibility that they could be unplugged and their network co...

Page 125: ...ndthe network authentication device negotiate to agree upon an authentication method supportedbybothdevicestocompleteauthentication Anauthenticationmethods profile is usedtorestrict thetypesof authent...

Page 126: ...inviting the possibility that they could be unplugged and their network connection used by an outsider Second when a repeater access point is incorporated into a wireless network the repeater access...

Page 127: ...ntication methodsprofile and assign it to the relevant SSIDs or FastEthernet interface The restriction may be required to prevent the network authentication server and the access point from negotiatin...

Page 128: ...access points in the network It ensures that the MIC IE is present when the originator is configured to transmit MFP frames and matches the content of the management frame If it receives any frame tha...

Page 129: ...US Server feature on an access point Figure 53 Local RADIUS Server Statistics Page Table 38 Local RADIUS Server Statistics Page Parameter Descriptions Parameter Description Blocks The number of times...

Page 130: ...ntication Protocols EAP Fast LEAP MAC Network Access Server AAA Clients Current Network Access Servers Network Access Server IP Address Shared Secret Individual Users Current Users Username Text or NT...

Page 131: ...ys Primary Key optional 32 Hex characters Generate Random Secondary Key optional 32 Hex characters Copy from primary PAC Content Authority Info optional Authority ID optional 32 Hex characters Automat...

Page 132: ...the Authentication Server Only option Authentication Server if not found in Local List Choose Authentication Server if not found in Local List if you want to try MAC authentication list first and then...

Page 133: ...eauthentication Enable Reauthentication with Interval 1 65555 s Enable Reauthentication with Interval given by Authentication Server Radio0 802 11N2 4 GHz Authentication TKIP MIC Failure Holdoff Time...

Page 134: ...Parameter Definitions Figure 58 Associated Access list Page Table 43 Association Access List Page Parameter Descriptions Parameter Description Filter client association with MAC address access list S...

Page 135: ...Manager Parameter Definitions Chapter 4 Services Page The summary provides a list of the main services that are currently enabled or disabled You can click any of the links to go to that page and chan...

Page 136: ...Telnet security Secure shell enables a strong encryption to be used with the Cisco IOS software authentication Secure Shell Enable or Disable Select Enabled if you want to enable the secure shell SSH...

Page 137: ...displays This field displays the current status of the hot standby and is updated by pressing Refresh MAC Address for Monitored Radio0 802 11N2 4 GHz MAC Address for Monitored 802 11a b or g Radio HH...

Page 138: ...s2000 Use the CDP page to adjust the device s CDP settings Figure 62 CDP Page Table 46 CDP Page Parameter Descriptions Parameter Description Cisco Discovery Protocol CDP Select Disabled to disable CDP...

Page 139: ...IB athttp www cisco com public mibs v1 CISCO CDP MIB V1SMI my CDP Neighbors Table This section displays the type of device that is discovered Specifically it displays these values Device ID The config...

Page 140: ...ou need to make sure that the DNS Server has a record of the WAP For more information about using a DNS see Enabling HTTPS for Secure Browsing on page 69 Figure 63 DNS Page Table 47 DNS Page Parameter...

Page 141: ...pe Filters pages are not applied until they are enabled on this Apply Filters page Apply filters with caution Misconfigured filters can lock you out of the access point If this happens the recovery me...

Page 142: ...ter Index Name the filter with a number from 700 799 The number you assign creates an access control list ACL for the filter Add MAC Address Type a destination MAC address withthe periods separating t...

Page 143: ...s default action must be opposite of the action for at least one of the addresses in the filter For example if you enter several addresses and you select Block as the action for all of them you must...

Page 144: ...all addresses except those you specify You can create filters that contain elements of one two or all three IP filtering methods You can apply the filters you create to either or both the Ethernet an...

Page 145: ...ype the mask for the destination IP address Enter the mask with periods separating the three groups of four characters for example 112 334 556 778 If you enter 255 255 255 255 as the mask the access p...

Page 146: ...d in the Create Edit Filter Index menu To edit an existing filter select the filter number from the Create Edit Filter Index menu Filter Index Name the filter with a number from 200 299 The number you...

Page 147: ...The certificate is based on your current System Name and Domain Name The certificate is presented to the browser on each subsequent access to establish an SSI connection The certificate can be install...

Page 148: ...setting provided by your System Administrator The default is 80 HTTPS Port This setting determines what port your device provides secure SSL web access Use the port setting provided by your system ad...

Page 149: ...on Create Edit Policies If you are entering a new policy make sure NEW the default is selected in the Create Edit Policy menu To edit an existing policy select the policy name from the Create Edit Pol...

Page 150: ...n Filter If you have filters set up you can assign a priority to packets that match the selected filter FromtheFilterpull downmenu selectthefilteryouwanttoincludeinthepolicy For example youcould assig...

Page 151: ...each access category enter the minimum contention page value Channel access is prioritized by assigning smaller contention page values to a higher prioritytraffic class If achannelis busy or atransmis...

Page 152: ...this button the following changes are made The values of Access Category Definition are changed for optimized voice The packet handling for user priority 5 and 6 are changed to low latency See Servic...

Page 153: ...SS Load IE version is used IGMP Snooping Snooping Helper When Internet Group Membership Protocol IGMP snooping is enabled on a switch and a client roams from one access point to another the client s m...

Page 154: ...riority Select the userprioritytousefor stream services Foreachuserpriority listed use the pull down menu to choose either Reliable or Low Latency for the packet handling descriptor Then determine the...

Page 155: ...Express Setup page the community associates using read only or read write capabilities Figure 72 SNMP Page Table 57 SNMP Page Parameter Description Parameter Description SimpleNetworkManagement Proto...

Page 156: ...Object Identifier Afteryouchooseacommunitystringto edit intheCurrentCommunityStrings list theObjectIdentifiervalueforthatparticularcommunitystringisdisplayed oryou can enter a new object identifier f...

Page 157: ...t 802 11 Event Traps Enables traps for client authentication failure client deauthentication and client disassociation Encryption Key Trap Enables traps on any change in the WEP encryption key setting...

Page 158: ...status Time Server optional If your network has a default time server enter the server s IP address or host name Time Settings GMT Offset The GMT Offset pull down menu lists the world s time zones rel...

Page 159: ...or network equipment such as bridges and routers connected by a single bridging domain The bridging domain is supported on various pieces of network equipment for example LAN switches that operate bri...

Page 160: ...sign the SSID to it VLAN ID Specifies the virtual Ethernet LAN identification number tied to the SSID You can assign a name to a VLAN in addition to its numerical ID VLAN Name optional You can assign...

Page 161: ...eceives an ARP request for an IP address not in the cache the access point drops the request and does not forward it Figure 76 ARP Caching Page Table 61 ARP Caching Page Parameter Descriptions Paramet...

Page 162: ...Band selection works by regulating probe responses to clients It makes 5 GHz channels more attractive to clients by delaying probe responses to clients on 2 4 GHz channels You can enable band selectio...

Page 163: ...nd clients The default value is 60 seconds After this time elapses clients become new and are subject to probe response suppression Expire Suppression 10 2000 s Sets the expiration time for pruning pr...

Page 164: ...you want to login to a network that allows guest access they are brought to a web page that states the Terms and Conditions of using the Wifi Once the guests accept the terms and Enter the password i...

Page 165: ...web users the first time they access the Wireless Network if Web Authentication is turned on SSID Figure 79 Webauth Login Page Table 64 Webauth Login Page Parameter Descriptions Parameter Description...

Page 166: ...ion Product Model Number The model number of the access point Top Assembly Serial Number The serial number of the access point System Software Filename The software that was installed on the system Sy...

Page 167: ...meter Description System Software Filename The software that is installed on the system System Software Version The version of Cisco IOS software that is running on the access point Bootloader Version...

Page 168: ...ame The software that is installed on the system System Software Version The version of Cisco IOS software that is running on the access point Bootloader Version The version of bootloader that is inst...

Page 169: ...Startup Configuration File Browse to the location where you stored the config txt file you saved using the Current Startup Configuration File feature Click Load to upload the new file to any access po...

Page 170: ...ditionindicatesthatthePSEis unable to provide sufficient power or that the power injector has not been configured properly See System Power Settings for instructions on how to correct this Power Sourc...

Page 171: ...he Event log In CLI this command is show logging Table 69 Event Log Page Parameter Descriptions Parameter Description Start Display at Index Enter the event where you want the event log to begin Max N...

Page 172: ...time zone The system clock must be set for this time stamp to work Severity This table lists the severity of events Description Gives a description of the error event The radio MAC address appears in...

Page 173: ...evel whether you want the event displayed on the event log by placing a check mark in the check box Events displayed on the event log are available on the event log page Notify via SNMP Syslog Trap De...

Page 174: ...ime The time of day the event occurred in UTC time recorded as Month dd hh mm ss usecand3 lettertimezone UTC Thesystemclockmustbe set for this time stamp to work Local Time The time of day the event o...

Page 175: ...ds are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands that show the current configuration status and clear commands that clear count...

Page 176: ...ogout or quit Use this mode to Change terminal settings Perform basic tests Display system information Privileged EXEC Whileinuser EXECmode enter the enable command ap Enter disable to exit Use this m...

Page 177: ...the keyword no to enable a disabled feature again or enable a feature that is disabled by default Configuration commands can also have a default form The default form of a command returns the command...

Page 178: ...ne configuration mode enter this command to configure the number of command lines the wireless device records for all sessions on a particular line ap config line history size number of lines The rang...

Page 179: ...d in privileged EXEC mode ap terminal editing To reconfigure a specific line to have enhanced editing mode enter this command in line configuration mode ap config line editing To globally disable enha...

Page 180: ...t 10items that youhave deleted or cut If you press Esc Y more than ten times you cycle to the first buffer entry Delete entries ifyoumake amistake or change your mind Delete or Backspace Erase the cha...

Page 181: ...sign shows that the line has been scrolled to the left Each time the cursor reaches the end of the line the line is again shifted ten spaces to the left ap config access list 101 permit tcp 131 108 2...

Page 182: ...ocol is up Vlan10 is up line protocol is down GigabitEthernet0 1 is up line protocol is down GigabitEthernet0 2 is up line protocol is up Accessing CLI You can open the wireless device CLI by using Te...

Page 183: ...ting up the wireless device for SSH access Reset Default Settings by Using CLI If you want to reset the access point to its default settings and maintain a static IP address use this command write era...

Page 184: ...contains these example configurations Example 1 No Security This example shows part of the configuration that results from using the Security page to create an SSID called no_security_ssid including...

Page 185: ...basic 24 0 36 0 48 0 54 0 rts threshold 2312 station role root interface Dot11Radio1 1 10 encapsulation dot1Q 10 native no ip route cache bridge group 1 bridge group 1 subscriber loop control bridge...

Page 186: ...o ip address no ip route cache encryption vlan 20 key 3 size 128bit 7 FFD518A21653687A4251AEE1230C transmit key encryption vlan 20 mode wep mandatory speed basic 1 0 basic 2 0 basic 5 5 basic 11 0 rts...

Page 187: ...54 0 rts threshold 2312 station role root bridge group 1 bridge group 1 subscriber loop control bridge group 1 block unknown source no bridge group 1 source learning no bridge group 1 unicast floodin...

Page 188: ...o ip route cache encryption vlan 30 mode wep mandatory ssid eap_ssid speed basic 1 0 basic 2 0 basic 5 5 basic 11 0 rts threshold 2312 station role root bridge group 1 bridge group 1 subscriber loop c...

Page 189: ...ory ssid eap_ssid speed basic 6 0 9 0 basic 12 0 18 0 basic 24 0 36 0 48 0 54 0 rts threshold 2312 station role root bridge group 1 bridge group 1 subscriber loop control bridge group 1 block unknown...

Page 190: ...oup 30 source learning bridge group 30 spanning disabled interface BVI1 ip address 10 91 104 91 255 255 255 192 no ip route cache ip http server ip http help path http www cisco com warp public 779 sm...

Page 191: ...etwork eap eap_methods authentication key management wpa aaa new model aaa group server radius rad_eap server 10 91 104 92 auth port 1645 acct port 1646 aaa group server radius rad_mac aaa group serve...

Page 192: ...ridge group 1 bridge group 1 subscriber loop control bridge group 1 block unknown source no bridge group 1 source learning no bridge group 1 unicast flooding bridge group 1 spanning disabled interface...

Page 193: ...for the wireless device Ethernet and radio ports the network uses the BVI When you assign an IP address to the wireless device by using CLI you must assign the address to the BVI Beginning in privileg...

Page 194: ...nnect Configuring the 802 1X Supplicant Traditionally the dot1x authenticator client relationship has always been a network device and a personal computer client respectively as it was the personal co...

Page 195: ...unencrypted password for the credentials 0 an unencrypted password follows 7 a hidden password follows Hidden passwords are used when applying a previously saved configuration LINE an unencrypted cle...

Page 196: ...d port 1 Enter global configuration mode configure terminal 2 Enter the interface configuration mode for the access point Fast Ethernet port You can also use interface fa0 to enter the fast Ethernet c...

Page 197: ...annot contain the or character The characters TAB and trailing spaces are invalid characters for SSIDs dot11 ssid ssid 3 Enter the name of a preconfigured credentials profile dot1x credentials profile...

Page 198: ...198 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 5 Configure the Stratix 5100 WAP Using the Command Line Interface Notes...

Page 199: ...Point Access with RADIUS 208 Controlling Access Point Access with TACACS 215 Configuring Ethernet Speed and Duplex Settings 218 Configuring the Access Point for Wireless Network Management 219 Config...

Page 200: ...show boot or show boot mode button commands in the privileged EXEC mode The status does not appear in the running configuration The following shows a typical response to the show boot and show boot mo...

Page 201: ...ch username and password pair The default username is blank and the default password is wirelessap Usernames and passwords are case sensitive For more information in CLI see the Configuring Username a...

Page 202: ...wirelessap For password specify a string from 1 25 alphanumeric characters The string cannot start with a number is case sensitive and allows spaces but ignores leading spaces It can contain the quest...

Page 203: ...end 5 Verify your entries show running config 6 Optional Save your entries in the configuration file copy running config startup config The enable password is not encrypted and can be read in the wir...

Page 204: ...minal 2 Define a new password or change an existing password for access to privileged EXEC mode enable password level level password encryption type encrypted password or enable secret level level pas...

Page 205: ...d and console and virtual terminal line passwords To remove a password and level use the no enable password level level or no enable secret level level global configuration command To disable password...

Page 206: ...e The password must be from 1 25 characters can contain embedded spaces and must be the last option specified in the username command 3 Enable local password checking at login time Authentication is b...

Page 207: ...guration mode configure terminal 2 Set the privilege level for a command For mode enter configure for global configuration mode exec for EXEC mode interface for interface configuration mode or line fo...

Page 208: ...configure AP config enable password level 14 SecretPswd14 Logging Into and Exiting a Privilege Level Beginning in privileged EXEC mode follow these steps to log in to a specified privilege level and...

Page 209: ...protocols to be used for authentication thus ensuring a back up system for authentication in case the initial method fails The software uses the first method listed to authenticate users if that metho...

Page 210: ...n page 410 4 Enter line configuration mode and apply the authentication list line console tty vty line number ending line number 5 Apply the authentication list to a line or set of lines If you specif...

Page 211: ...optional auth port and acct port keywords Beginning in privileged EXEC mode follow these steps to define the AAA server group and associate a particular RADIUS server with it 1 Enter global configura...

Page 212: ...rver in the AAA server group Each server in the group must be previously defined in Step 2 server ip address 6 Return to privileged EXEC mode end 7 Verify your entries show running config 8 Optional S...

Page 213: ...g sg radius exit Configuring RADIUS Authorization for User Privileged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the wirele...

Page 214: ...Configure the wireless device for user RADIUS authorization to determine if the user has privileged EXEC access The exec keyword can return user profile information such as autocommand information aa...

Page 215: ...e a named list of authentication methods and then apply that list to various interfaces The method list defines the types of authentication that is performed and the sequence that they are performed i...

Page 216: ...creating For method1 specify the actual method the authentication algorithm tries The additional methods of authentication are used only if the previous method returns an error not if it fails Choose...

Page 217: ...n the local user database or on the security server to configure the user session The user is granted access to a requested service only if the information in the user profile allows it You can use th...

Page 218: ...e Ethernet port speed and duplex settings We recommend that you use auto the default setting for both the speed and duplex settings on the wireless device Ethernet port When the wireless device receiv...

Page 219: ...full half 5 Return to privileged EXEC mode end 6 Verify your entries show running config 7 Optional Save your entries in the configuration file copy running config startup config Configuring the Acces...

Page 220: ...EXEC shell by checking the local database aaa authorization exec local 5 Configure user AAA authorization for all service requests that are network related aaa authorization network local 6 Enter the...

Page 221: ...To disable authorization use the no aaa authorization network exec method1 global configuration command Configuring the Authentication Cache and Profile The authentication cache and profile feature al...

Page 222: ...ip subnet zero aaa new model aaa group server radius rad_eap server 192 168 134 229 auth port 1645 acct port 1646 aaa group server radius rad_mac server 192 168 134 229 auth port 1645 acct port 1646...

Page 223: ...1 subscriber loop control bridge group 1 block unknown source no bridge group 1 source learning no bridge group 1 unicast flooding bridge group 1 spanning disabled interface Dot11Radio1 no ip address...

Page 224: ...2 168 133 231 key 7 105E080A16001D1908 tacacs server directed request radius server attribute 32 include in access req format h radius server host 192 168 134 229 auth port 1645 acct port 1646 key 7 1...

Page 225: ...gning to DHCP clients You must specify the IP addresses that the DHCP Server must not assign to clients Optional To enter a range of excluded addresses enter the address at the low end of the range fo...

Page 226: ...ddress is required however you can specify up to eight addresses in one command line default router address address2 address 8 7 Return to privileged EXEC mode end 8 Verify your entries show running c...

Page 227: ...address Providesalistofalladdressconflictsrecordedbyaspecific DHCP Server Enter the wireless device IP address to show conflicts recorded by the wireless device show ip dhcp database url Provides rec...

Page 228: ...orts both SSH versions If you don t specify the version number the access point defaults to version 2 SSH provides more security for remote connections than Telnet by providing strong encryption when...

Page 229: ...ts beacon the wireless device includes an information element to alert client devices that they can safely ignore broadcast messages to increase battery life Optional ARP Caching If a client device is...

Page 230: ...other systems SNTP typically provides time within 100 milliseconds of the accurate time but it does not provide the complex filtering and statistical mechanisms of NTP You can configure SNTP to reque...

Page 231: ...e remains accurate until the next system restart We recommend that you use manual configuration only as a last resort If you have an outside source that the wireless device can synchronize to you don...

Page 232: ...urposes Until the clock is authoritative and the authoritative flag is set the flag prevents peers from synchronizing to the clock when the peers time is invalid The symbol that precedes the show cloc...

Page 233: ...e follow these steps to configure summer time daylight saving time in areas where it starts and ends on a particular day of the week each year 1 Enter global configuration mode configure terminal 2 Co...

Page 234: ...00 last Sunday October 2 00 Beginning in privileged EXEC mode follow these steps if summer time in your area does not follow a recurring pattern configure the exact date and time of the next summer t...

Page 235: ...01 2 00 Defining HTTP Access By default 80 is used for HTTP access and port 443 is used for HTTPS access These values can be customized by the user Follow these steps to define the HTTP access 1 From...

Page 236: ...nt devices disassociate and quickly reassociate You can enter up to 63 characters for the system name However when the wireless device identifies itself to client devices it uses only the first 15 cha...

Page 237: ...ds a cache or database of names mapped to IP addresses To map domain names to IP addresses you must first identify the host names specify the name server that is present on your network and enable the...

Page 238: ...bal Internet naming scheme DNS ip domain lookup 4 Return to privileged EXEC mode end 5 Verify your entries show running config Optional Save your entries in the configuration file copy running config...

Page 239: ...Access Chapter 6 Displaying the DNS Configuration To display the DNS configuration information use the show running config privileged EXEC command When DNS is configured on the wireless device the sh...

Page 240: ...240 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 6 Administering the WAP Access Notes...

Page 241: ...ing Short Radio Preambles 265 Configuring Transmit and Receive Antennas 266 Enabling and Disabling Gratuitous Probe Response 267 Disabling and Enabling Aironet Extensions 268 Configuring the Ethernet...

Page 242: ...z radio is radio 1 4 Assign the SSID you created in Step 2 to the appropriate radio interface ssid ssid 5 Enable the radio port no shutdown 6 Return to privileged EXEC mode end 7 Optional Save your en...

Page 243: ...t radio connectivity Shutdown The wireless access point workgroup bridge shuts down its radio and disassociates all client devices Beginning in privileged EXEC mode follow these steps to set the wirel...

Page 244: ...less device can either shut down its radio port or become a repeater access point associated to any nearby root access point station role non root bridge wireless clients repeater root access point ap...

Page 245: ...sabling the Ethernet client causing the universal workgroup bridge to associate with an access point by using its own BVI address Configuring Dual radio Fallback The dual radio fallback features lets...

Page 246: ...ss points you must use the following command in the radio interface configuration mode station role root access point fallback shutdown Fast Ethernet Tracking You can configure the access point for fa...

Page 247: ...nt always attempts to transmit at the highest data rate set to Basic also called Require on the browser based interface If there are obstacles or interference the wireless access point steps down to t...

Page 248: ...ty of the client to connect to the access point Typically the trade off is between throughput and range When the signal degrades possibly due to distance from the access point the rates renegotiate do...

Page 249: ...oal then multicasts can be transmitted at a low data rate If support for high data rate multicasts is required then shrink the cell size and to disable all lower data rates Depending on your specific...

Page 250: ...rates to basic on the 802 11b 2 4 GHz radio enter the following basic 1 0 basic 2 0 basic 5 5 and basic 11 0 To set these data rates to basic on the 802 11g 2 4 GHz radio enter the following basic 1...

Page 251: ...it provides for potentially greater throughput High throughput data rates are a function of MCS bandwidth and guard interval 802 11 a b and g radios use 20 MHz channel widths This table shows the pote...

Page 252: ...id 1250test speed basic 1 0 2 0 5 5 11 0 6 0 9 0 12 0 18 0 24 0 36 0 48 0 54 0 m0 m1 m2 m3 m4 m8 m9 m10 m11 m12 m13 m14 m15 11 52 108 57 7 9 120 12 78 162 86 2 3 180 13 104 216 115 5 9 240 14 117 243...

Page 253: ...radio or the 5 GHz radio to one of the power levels allowed in your regulatory domain power local These options are available for the 802 11b 2 4 GHz radio in mW 1 5 20 30 50 100 maximum These option...

Page 254: ...he wireless access point sends the maximum power level setting to the client Beginning in privileged EXEC mode follow these steps to specify a maximum allowed power setting on all client devices that...

Page 255: ...client power command to disable the maximum power level for associated clients Aironet extensions must be enabled to limit the power level on associated client devices Aironet extensions are enabled b...

Page 256: ...put clients use the control channel Beacons can be sent only on this channel The second 20 Mhz channel is called the extension channel 40 Mhz stations use this channel and the control channel simultan...

Page 257: ...t use DFS When a DFS enabled 5 GHz radio operates on one of the 15 channels listed in Table 84 on page 258 the access point automatically uses DFS to set the operating frequency When DFS is enabled th...

Page 258: ...bility Check CAC The CAC is a 60 second scan for the presence of radar signals on the channel The following sample messages are displayed on the access point console showing the beginning and end of t...

Page 259: ...s that apply to DFS Confirming that DFS is Enabled Use the show controllers dot11radio1 command to confirm that DFS is enabled The command also includes indications that uniform spreading is required...

Page 260: ...0 136 5700 140 5745 149 5765 153 5785 157 5805 161 May only be selected by Dynamic Frequency Selection DFS Listen Frequencies 5170 34 5190 38 5210 42 5230 46 5180 36 5200 40 5220 4 4 5240 48 5260 52 5...

Page 261: ...mber frequency can only be used by Dynamic Frequency Selection DFS channel number dfs band 1 5 4 Return to the privileged EXEC mode end 5 Verify your entries show running config 6 Optional Save your e...

Page 262: ...shows how to unblock frequencies 5 150 5 350 for DFS ap config if no dfs band 1 2 block This example shows how to unblock all frequencies for DFS ap config if no dfs band block Setting the 802 11n Gua...

Page 263: ...et it measures the received signal strength indication RSSI and creates a UDP packet that contains the RSSI value and the time that the location packet was received The access point forwards the UDP p...

Page 264: ...point accepts short location packets from the tag In short packets the LBS information is missing from the tag packet frame body and the packet indicates the tag transmit channel extended This is the...

Page 265: ...ort A short preamble improves throughput performance Cisco Aironet Wireless LAN Client Adapters support short preambles Early models of Cisco Aironet s Wireless LAN Adapter PC4800 and PC4800A require...

Page 266: ...on Description Gain Sets the resultant antenna gain in dB Diversity This default setting tells the wireless access point to use the antenna that receives the best signal If the wireless access point h...

Page 267: ...us Probe Response GPR aids in conserving battery power in dual mode phones that support cellular and WLAN modes of operation GPR is available on 5 GHz radios and is disabled by default You can configu...

Page 268: ...form of the command to disable the GPR feature Disabling and Enabling Aironet Extensions By default the wireless access point uses Stratix 802 11 extensions to detect the capabilities of Cisco Aironet...

Page 269: ...he wireless access point the wireless access point sends the maximum allowed power level setting to the client Disabling Aironet extensions disables the features listed above but it sometimes improves...

Page 270: ...02 11n 2 4 GHz radio is radio 0 The 802 11n 5 GHz radio is radio 1 interface dot11radio 0 1 3 Set the encapsulation transformation method to RFC 1042 rfc1042 the default setting or 802 1h dot1h payloa...

Page 271: ...devices you increase performance but reduce reliability A Cisco Aironet Workgroup Bridge provides a wireless LAN connection for up to eight Ethernet enabled devices This feature is not supported on th...

Page 272: ...ging and IBM Networking Configuration Guide You can also enable and disable PSPF by using the web browser interface The PSPF setting is on the Radio Settings pages PSPF is disabled by default Beginnin...

Page 273: ...port 6 Optional Save your entries in the configuration file copy running config startup config To disable protected port use the no switchport protected interface configuration command For detailed in...

Page 274: ...access point issues a request to send RTS before sending the packet A low RTS Threshold setting can be useful in areas where many client devices are associating with the wireless access point or in ar...

Page 275: ...configuration mode for the radio interface The 2 4 GHz radio and the 2 4 GHz 802 11n radio is 0 The 5 GHz radio and the 5 GHz 802 11n radio is 1 interface dot11radio 0 1 3 Set the maximum data retries...

Page 276: ...an increase throughput on the 802 11g 2 4 GHz radio by enabling short slot time Reducing the slot time from the standard 20 microseconds to the 9 microsecond short slot time decreases the overall back...

Page 277: ...ts Configuring ClientLink Cisco ClientLink referred to as Beam Forming is an intelligent beamforming technology that directs the RF signal to 802 11a g devices to improve performance by 65 improve cov...

Page 278: ...ckets This example shows how to begin debugging of the radio system log AP debug dot11 syslog This example shows how to stop debugging of all radio related events AP no debug dot11 events Table 85 Syn...

Page 279: ...o each SSID VLAN Client authentication method Maximum number of client associations by using the SSID RADIUS accounting for traffic by using the SSID Guest mode Repeater mode including authentication...

Page 280: ...at the interface level on CLI but the SSIDs are stored in global mode Storing all SSIDs in global mode makes sure that the SSID configuration remains correct when you upgrade to release later than Cis...

Page 281: ...interface Table 87 Example SSID Configuration Converted to Global Mode after Upgrade SSID Configuration in 12 2 15 JA SSID Configuration after Upgrade to 12 3 7 JA interface dot11Radio 0 ssid engineer...

Page 282: ...TAB and trailing spaces are invalid characters for SSIDs dot11 ssid ssid string 3 Optional Set an authentication username and password that the access point uses to authenticate to the network when i...

Page 283: ...radio If multiple SSIDs are configured on the radio you must use the infrastructure ssid command to specify the SSID the non root bridge uses to connect to the root bridge However from 12 4 21a JA1 a...

Page 284: ...onfig ssid exit AP config interface dot11radio 0 AP config if ssid batman AP config if end Viewing SSIDs Configured Globally Use this command to view configuration details for SSIDs that are configure...

Page 285: ...authorized SSIDs that clients must use on your RADIUS authentication server The SSID authorization process consists of these steps 1 A client device associates to the access point by using any SSID co...

Page 286: ...can have zero or more SSID VSAs per client In this example the following AV pair adds the SSID batman to the list of allowed SSIDs for a user cisco avpair ssid batman For instructions on configuring t...

Page 287: ...orts multiple basic SSIDs if the results include this line Number of supported simultaneous BSSID on radio_interface 8 Guidelines for Using Multiple BSSIDs Keep these guidelines in mind when configuri...

Page 288: ...figuring Multiple BSSIDs Follow these steps to configure multiple BSSIDs 1 Click Security The Security summary page appears If you use CLI instead of the GUI refer to CLI commands listed in the CLI Co...

Page 289: ...are supported on SSIDs 8 Optional In the Multiple BSSID Beacon Settings section select the Set SSID as Guest Mode check box to include the SSID in beacons 9 Optional To increase the battery life for...

Page 290: ...ce d0 ap config if mbssid ap config if exit ap config dot11 ssid visitor ap config ssid mbssid guest mode dtim period 75 ap config ssid exit ap config interface d0 ap config if ssid visitor You can al...

Page 291: ...rect only packets directed to specific TCP or UDP ports as defined in an access control list When you configure the access point to redirect only packets addressed to specific ports the access point r...

Page 292: ...is 0 The 5 GHz radio and the 5 GHz 802 11n radio is 1 interface dot11radio 0 1 3 Enter configuration mode for a specific SSID ssid ssid string 4 Enter IP redirect configuration mode for the IP addres...

Page 293: ...onfig interface bvi1 AP config if ssid ip redirection host 10 91 104 91 access group redirect acl in AP config if ssid end Including an SSID in an SSIDL IE The access point beacon can advertise only o...

Page 294: ...tisement wps Use the no form of the command to disable SSIDL IEs NAC Support for MBSSID Networks must be protected from security threats such as viruses worms and spyware These security threats disrup...

Page 295: ...er When an infected client associates with an access point and sends its state to the RADIUS server the RADIUS server puts it into one of the quarantine VLANs based on its health This VLAN is sent in...

Page 296: ...ssociated Data corresponding to the all the back up VLANs are sent and received by using the BSSID that is assigned to the SSID Therefore all clients healthy and unhealthy listening to the BSSID corre...

Page 297: ...authentication 3 Configure the local profiles on the ACS server for posture validation 4 Configure the client and access point to let the client to successful authenticate by using EAP FAST 5 Verify t...

Page 298: ...basic 1 0 basic 2 0 basic 5 5 6 0 9 0 basic 11 0 12 0 18 0 24 0 36 0 48 0 54 0 station role root interface Dot11Radio0 100 encapsulation dot1Q 100 native no ip route cache bridge group 1 bridge group...

Page 299: ...FastEthernet0 100 encapsulation dot1Q 100 native no ip route cache bridge group 1 no bridge group 1 source learning bridge group 1 spanning disabled interface FastEthernet0 102 encapsulation dot1Q 10...

Page 300: ...300 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 8 Configuring Multiple SSIDs Notes...

Page 301: ...structure devices such as wireless access points and switches send and receive spanning tree frames called bridge protocol data units BPDUs at regular intervals The devices don t forward these frames...

Page 302: ...oint maintains a separate spanning tree instance for each active VLAN configured on it A bridge ID consisting of the bridge priority and the access point s MAC address is associated with each instance...

Page 303: ...ated access point If a access point receives a configuration BPDU that contains inferior information that is currently stored for that port it discards the BPDU If the access point is a designated acc...

Page 304: ...s point priority value you change the probability that the access point is elected as the root access point Configuring a higher value decreases the probability a lower value increases the probability...

Page 305: ...imes and at different places in the network When an interface transitions directly from nonparticipation in the spanning tree topology to the forwarding state it can create temporary data loops Interf...

Page 306: ...he forwarding or blocking state When the spanning tree algorithm places a Layer 2 interface in the forwarding state this process occurs 1 The interface is in the listening state while spanning tree wa...

Page 307: ...frames received on the port Does not learn addresses Receives BPDUs Listening State The listening state is the first state an interface enters after the blocking state The interface enters this state...

Page 308: ...ed State An interface in the disabled state does not participate in frame forwarding or in the spanning tree An interface in the disabled state is nonoperational A disabled interface performs as follo...

Page 309: ...to configure STP on the access point 1 Enter global configuration mode configure terminal 2 Enter interface configuration mode for radio or Ethernet interfaces or sub interfaces The 2 4 GHz radio and...

Page 310: ...nd 9 Verify your entries show spanning tree bridge 10 Optional Save your entries in the configuration file copy running config startup config STP Configuration Examples These configuration examples sh...

Page 311: ...ation role root no cdp enable infrastructure client bridge group 1 interface FastEthernet0 no ip address no ip route cache duplex auto speed auto bridge group 1 interface BVI1 ip address 1 4 64 23 255...

Page 312: ...t zero bridge irb interface Dot11Radio0 no ip address no ip route cache ssid tsunami authentication open guest mode speed basic 6 0 9 0 12 0 18 0 24 0 36 0 48 0 54 0 rts threshold 2312 station role no...

Page 313: ...shows the configuration of a root bridge with VLANs configured with STP enabled hostname master bridge hq ip subnet zero ip ssh time out 120 ip ssh authentication retries 3 bridge irb interface Dot11R...

Page 314: ...encapsulation dot1Q 2 no ip route cache no cdp enable bridge group 2 interface Dot11Radio0 3 encapsulation dot1Q 3 no ip route cache bridge group 3 bridge group 3 path cost 500 interface FastEthernet...

Page 315: ...y 1 4 0 1 bridge 1 protocol ieee bridge 1 route ip bridge 1 priority 9000 bridge 2 protocol ieee bridge 2 priority 10000 bridge 3 protocol ieee bridge 3 priority 3100 line con 0 exec timeout 0 0 line...

Page 316: ...18 0 24 0 36 0 48 0 54 0 rts threshold 2312 station role non root no cdp enable interface Dot11Radio0 1 encapsulation dot1Q 1 native no ip route cache no cdp enable bridge group 1 interface Dot11Radio...

Page 317: ...2 encapsulation dot1Q 2 no ip route cache bridge group 2 interface FastEthernet0 3 encapsulation dot1Q 3 no ip route cache bridge group 3 bridge group 3 path cost 400 interface BVI1 ip address 1 4 64...

Page 318: ...1 Commands for Displaying Spanning tree Status Command Description show spanning tree Information on your network s spanning tree show spanning tree blocked ports List of blocked ports on this bridge...

Page 319: ...ntirely local To provide local authentication service or back up authentication service in case of a WAN link or a server failure you can configure an access point to act as a local authentication ser...

Page 320: ...al authenticator 1 On the local authenticator create a list of access points authorized to use the authenticator to authenticate client devices Each access point that uses the local authenticator is a...

Page 321: ...nd is MAC authentication co existing with EAP authentication This mode enables a combination of MAC address authentication and EAP for authenticating the device or user The first step in either method...

Page 322: ...From the Security menu click Advanced Security 3 Click the MAC Address Authentication tab to move to the MAC Address Authentication page 4 Select Local List Only for the MAC Address Authenticated by...

Page 323: ...4 Otherwise skip to step 7 4 Select NEW from the Current SSID List 5 Provide the SSID name in the SSID text field 6 At the VLAN list select the VLAN to be used for this SSID Select NONE if VLANs are n...

Page 324: ...nt Server List pull down menu select the server to be used for MAC authentication If you need to create a new server continue to step 4Step 4 Otherwise skip to step 11 4 Select NEW from the Current Se...

Page 325: ...ver Timeout field specify the number of seconds an access point waits for a reply to a TACACS request before resending the request 15 In the RADIUS Server Timeout field specify the number of seconds a...

Page 326: ...ist if you want to use the RADIUS server in conjunction with a local list 5 Click Apply in the MAC Address Authentication section Then complete Step 6 through Step 9 Otherwise choose Authentication Se...

Page 327: ...elect NEW from the Current SSID List 5 Provide the SSID name in the SSID text field 6 From the VLAN pull down list select the VLAN to be used for this SSID Select NONE if VLANs are not enabled You can...

Page 328: ...Apply Now that encryption is configured you must add a RADIUS or TACACS server Complete the following steps to add the RADIUS server 1 Click Security 2 From the Security menu click Server Manager 3 I...

Page 329: ...e accounting updates are performed in the Accounting Updates Interval field 14 In the TACACS Server Timeout field specify the number of seconds an access point waits for a reply to a TACACS request be...

Page 330: ...2 From the Security menu click Advanced Security 3 Click the Timers tab to go to the page where EAP authentication is specified 4 Choose one of the options that enable reauthentication These interval...

Page 331: ...he local authenticator access point as a NAS Repeat this step to add each access point that uses the local authenticator nas ip address key shared key 5 Optional Enter user group configuration mode an...

Page 332: ...it group configuration mode and return to authenticator configuration mode exit 11 Enter the LEAP and EAP FAST users allowed to authenticate by using the local authenticator You must enter a username...

Page 333: ...d batman AP config radsrv group ssid robin AP config radsrv group reauthentication time 1800 AP config radsrv group block count 2 time 600 AP config radsrv group group cashiers AP config radsrv group...

Page 334: ...S server The order of access point attempts to use the servers matches the order that you entered the servers in the access point configuration If you are configuring the access point to use RADIUS fo...

Page 335: ...second server as dead 3 It tries and succeeds by using the local authenticator If another client device needs to authenticate during the 10 minute dead time interval the access point skips the first...

Page 336: ...d where the PACs are valid after they have expired By default PACs are valid for 2 days one day default period plus one day grace period You can also apply the expiration of time and the grace period...

Page 337: ...ring an Authority ID All EAP FAST authenticators are identified by an authority identity AID The local authenticator sends its AID to an authenticating client and the client checks its database for a...

Page 338: ...clock to both generate PACs and to determine whether PACs are valid However relying on the access point clock can lead to PAC failures If your local authenticator access point receives its time settin...

Page 339: ...no authentication eapfast AP config radsrv no authentication mac Unblocking Locked Usernames You can unblock usernames before the lockout time expires or when the lockout time is set to infinite In P...

Page 340: ...to provision success the number of PACs generated automatically Auto provision failure the number of PACs not generated because of an invalid handshake packet or invalid username or password PAC refre...

Page 341: ...to failed client authentications Use the eapfast option to display error messages related to EAP FAST authentication Use the sub options to select specific debugging information encryption information...

Page 342: ...342 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 10 Configure an Access Point as a Local Authenticator Notes...

Page 343: ...e access point and client devices to keep the communication private Both the access point and client devices use the same WEP key to encrypt and unencrypt radio signals WEP keys encrypt both unicast a...

Page 344: ...gned to achieve the best possible security on legacy hardware built to run WEP TKIP adds four enhancements to WEP A per packet key mixing function to defeat weak key attacks A new IV sequencing discip...

Page 345: ...ce dot11radio 0 1 3 Create a WEP key and set up its properties Optional Select the VLAN to create a key Name the key slot where the WEP key resides You can assign up to four WEP keys for each VLAN Ent...

Page 346: ...y Restriction CCKM or WPA authenticated key management Cannot configure a WEP key in key slot 1 LEAP or EAP authentication Cannot configure a WEP key in key slot 4 Cipher suite with 40 bit WEP Cannot...

Page 347: ...idelines for selecting a cipher suite that matches the type of authenticated key management you configure 4 Optional Select the VLAN that you want enabled for WEP and WEP features 5 Set the cipher opt...

Page 348: ...er TKIP not TKIP WEP 128 or TKIP WEP 40 for an SSID the SSID must use WPA or CCKM key management Client authentication fails on an SSID that uses the cipher TKIP without enabling WPA or CCKM key manag...

Page 349: ...and the 2 4 GHz 802 11n radio is 0 The 5 GHz radio and the 5 GHz 802 11n radio is 1 interface dot11radio 0 1 Table 94 Cipher Suites Compatible with WPA and CCKM Authenticated Key Management Types Com...

Page 350: ...tes a dynamic group key when the last non key management static WEP client disassociates and it distributes the statically configured WEP key when the first non key management static WEP client authen...

Page 351: ...types that rely on an authentication server on your network The access point uses several authentication mechanisms or types and can use more than one at the same time Topic Page Understanding Authent...

Page 352: ...red key authentication the access point sends an unencrypted challenge text string to any device attempting to communicate with the access point The device requesting authentication encrypts the chall...

Page 353: ...key and sends it to the client When you enable EAP on your access points and client devices authentication to the network occurs in the sequence shown in this figure Figure 93 Sequence for EAP Authent...

Page 354: ...keys for all communication during the remainder of the session There is more than one type of EAP authentication but the access point behaves the same way for each type it relays authentication messa...

Page 355: ...cation fails EAP authentication takes place See the Assigning Authentication Types to an SSID on page 359 for instructions on setting up this combination of authentications TIP If MAC authenticated cl...

Page 356: ...ccess point and the reassociation process is reduced to a two packet exchange between the roaming client and the new access point Roaming clients reassociate so quickly that there is no perceptible de...

Page 357: ...ise master key PMK By using WPA the server generates the PMK dynamically and passes it to the access point When using WPA PSK however you configure a pre shared key on both the client and the access p...

Page 358: ...ni PCI and PC cardbus card driver version 3 7 Aironet Client Utility ACU version 6 2 Client firmware version 5 30 13 88965 Client and server authenticate to each other generating an EAP master key Cli...

Page 359: ...ent version 2 1 Supported Platform Operating Systems LEAP with CKIP This security combination requires 12 2 11 JA or later No pages 95 98 Me NT 2000 XP pages CE Mac OS X Linux DOS LEAP with CCKM and C...

Page 360: ...st name a Optional Set the SSID s authentication type to open with MAC address authentication The access point forces all client devices to perform MAC address authentication before they are allowed t...

Page 361: ...le RADIUS server the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key However the access point does not force all...

Page 362: ...n mode for the SSID s VLAN to one of the cipher suite options To enable both CCKM and WPA you must set the encryption mode to a cipher suite that includes TKIP See the Configuring Cipher Suites and WE...

Page 363: ...ient device types to associate to the access point by using the same SSID WPA clients capable of TKIP and authenticated key management 802 1X 2001 clients such as legacy LEAP clients and clients by us...

Page 364: ...fig interface dot11radio 0 ap1200 config if ssid migrate ap1200 config ssid end Configuring Additional WPA Settings Use two optional settings to configure a pre shared key on the access point and adju...

Page 365: ...EP key when the first non key management static WEP client authenticates In WPA migration mode this feature significantly improves the security of key management capable clients when there are no stat...

Page 366: ...sk ascii batmobile65 ap config interface dot11radio 0 ap config ssid ssid batman ap config if exit ap config broadcast key vlan 87 membership termination capability change Configuring MAC Authenticati...

Page 367: ...ac authen filter cache address 5 Clear all entries in the cache Include client MAC addresses to clear specific clients from the cache clear dot11 aaa mac authen filter cache address 6 Return to privil...

Page 368: ...response seconds local The RADIUS server can be configured to send a different timeout value that overrides the one that is configured Enter the local keyword to configure the access point to ignore...

Page 369: ...o reset the values to default settings TIP If you configure both MAC address authentication and EAP authentication for an SSID the server sends the Session Timeout attribute for both MAC and EAP authe...

Page 370: ...te a command or set its defaults Use the show eap registrations method command to view the currently available registered EAP methods Use the show eap sessions command to view existing EAP sessions Se...

Page 371: ...t1x eap profile profile 4 Exit the interface configuration mode end Applying an EAP Profile to an Uplink SSID This operation typically applies to repeater access points Beginning in the privileged exe...

Page 372: ...s and WEP on the access point TIP Some non Cisco Aironet client adapters don t perform 802 1X authentication to the access point unless you configure Open authentication with EAP To allow both Cisco A...

Page 373: ...SID To allow both WPA and non WPA clients to use the SSID enable optional WPA 802 1X authentication and CCKM Enable LEAP Choose a cipher suite and enable Network EAP and CCKM for the SSID Toallowboth8...

Page 374: ...l encryption and enable EAP and Open authentication for the SSID If using pages XP to configure card Choose Enable network access control by using IEEE 802 1X and SIM Authentication as the EAP Type Se...

Page 375: ...s Module WLSM An access point configured as the WDS device supports up to 60 participating access points an Integrated Services Router ISR configured as the WDS devices supports up to 100 participatin...

Page 376: ...lace Authenticates all access points in the subnet and establishes a secure communication channel with each of them Collects radio data from access points in the subnet aggregates the data and forward...

Page 377: ...t to access point throughout the installation Some applications running on client devices require fast reassociation when they roam to a different access point Voice applications for example require s...

Page 378: ...che of credentials for CCKM capable client devices on your wireless LAN When a CCKM capable client roams from one access point to another the client sends a reassociation request to the new access poi...

Page 379: ...sw cscowork ps3915 tsd_products_support_series_home html Understanding Layer 3 Mobility When you use a WLSM as the WDS device on your network you can install access points anywhere in a large Layer 3...

Page 380: ...8 ns337 networking_solutions_package html CiscoWorks Wireless LAN Solution Engine WLSE CiscoSecure ACS AAA Server Catalyst 6500 Wireless Domain Services WDS on the Wireless LAN Solutions Module WLSM C...

Page 381: ...nt frames over the radio to overwhelm access points that have to process the frames As part of the WIDS feature set access points in scanning mode and root access points monitor radio signals and dete...

Page 382: ...not configure a WDS access point to return fall back to repeater mode in case of Ethernet failure You cannot configure a Cisco 350 series access point as your main WDS device However you can configur...

Page 383: ...re the rest of your access points to use the WDS device 3 Configure the authentication server on your network to authenticate the WDS device and the access points that use the WDS device This figure s...

Page 384: ...WDS access point to fall back to repeater mode in case of Ethernet failure When WDS is enabled the WDS access point performs and tracks all authentications Therefore you must configure EAP security s...

Page 385: ...o to the WDS WNM Summary page 3 On the WDS WNM Summary page click General Setup to go to the WDS WNM General Setup page The WDS WNM General Setup page appears Figure 102 WDS WNM General Setup Page 4 C...

Page 386: ...f you don t check this check box the WDS device uses the server specified for MAC address authentication on the Server Groups page to authenticate clients based on MAC addresses 7 Optional If you use...

Page 387: ...ame in the Server Group Name field 2 From the Priority 1 pull down menu choose the primary server If a server that you need to add to the group does not appear in the Priority pull down menus click De...

Page 388: ...group does not appear in the Priority pull down menus click Define Servers to browse to the Server Manager page Configure the server there and then return to the WDS Server Groups page 8 Optional Choo...

Page 389: ...ig wlccp wds priority 200 interface bvi1 AP config wlccp authentication server infrastructure infra_devices AP config wlccp authentication server client any client_devices AP config wlccp auth ssid fr...

Page 390: ...Wireless Services AP Page 3 Click Enable for the Participate in SWAN Infrastructure setting 4 Optional If you use a WLSM switch module as the WDS device on your network choose Specified Discovery and...

Page 391: ...7 wes7win8 AP config end In this example the access point is enabled to interact with the WDS device and it authenticates to your authentication server by using APWestWing as its username and wes7win8...

Page 392: ...IP address of the client device MN authenticator show wlccp wds ap mn detail mac addr mac address On the WDS device use only this command to display cached information about access points and client d...

Page 393: ...ess point ISR or switch configured as a local authenticator Cisco Aironet client devices or Cisco compatible client devices that comply with Cisco Compatible Extensions CCX version 2 or later For inst...

Page 394: ...ing the access points on your wireless LAN must be configured to participate in WDS and they must allow CCKM authenticated key management for at least one SSID Follow these steps to configure CCKM for...

Page 395: ...our access point contains multiple radio interfaces select the interfaces that the SSID applies to b Under Authentication Settings choose Network EAP When you enable CCKM you must enable Network EAP a...

Page 396: ...g end In this example the SSID fastroam is configured to support Network EAP and CCKM the CKIP CMIC cipher suite is enabled on the 2 4 GHz radio interface and the SSID fastroam is enabled on the 2 4 G...

Page 397: ...MFP access point for Simple Network Transfer Protocol SNTP Overview Client MFP encrypts class 3 management frames sent between access points and CCXv5 capable client stations so that both AP and clie...

Page 398: ...optional for a particular SSID To configure Client MFP as required you must configure the SSID with key management WPA version 2 mandatory If the key management is not WPAv2 mandatory an error message...

Page 399: ...rticular SSID 1 Enter global configuration mode configure terminal 2 Configures the access point as an MFP generator When enabled the access point protects the management frames it transmits by adding...

Page 400: ...ectors dot11 ids mfp distributor 3 Return to the privileged EXEC mode end 4 Optional Save your entries in the configuration file copy running config startup config Configuring Radio Management When yo...

Page 401: ...Intrusion Detection Services Chapter 13 2 Click WDS 3 Check Use this AP as Wireless Domain Services and Configure Wireless Network Manager 4 In the Wireless Network Manager IP Address field enter the...

Page 402: ...onfigured to participate in WDS and in radio management Follow the steps in the Configuring Access Points to Use the WDS Device on page 390 and in the Configuring Radio Management on page 400 to confi...

Page 403: ...vity However in monitor mode the access point monitors only the channel that is configured Beginning in privileged EXEC mode follow these steps to configure the access point to capture and forward 802...

Page 404: ...nt IP address 10 91 107 19 Endpoint port 2000 Frame Truncation Length 535 bytes Dot11Radio 1 WLAN Monitoring Disabled WLAN Monitor Statistics Total No of frames rx by DOT11 driver 58475 Total No of Do...

Page 405: ...ough authentication requests to impact your network In monitor mode the access point tracks the rate that 802 1X clients attempt to authenticate through the access point If your network is attacked th...

Page 406: ...etween client and SUP Because of the WLSM failure the control traffic going between the access point and the WLSM is disrupted as shown in Figure 108 on page 406 This prevents the access points from a...

Page 407: ...running RADIUS server software from Cisco Secure Access Control Server version 3 0 Livingston Merit Microsoft or another software provider For more information refer to the RADIUS server documentation...

Page 408: ...data to be sent at the start and end of services showing the amount of resources such as time packets bytes and so forth used during the session An Internet service provider can use a freeware based...

Page 409: ...server When mutual authentication is complete the RADIUS server and the client determine a WEP key that is unique to the client and provides the client with the appropriate level of network access th...

Page 410: ...user You can use method lists to designate one or more security protocols to be used thus ensuring a back up system if the initial method fails The software uses the first method listed to authentica...

Page 411: ...use the AAA security commands you must specify the host running the RADIUS server daemon and a secret text key string that it shares with the access point The timeout retransmission and encryption key...

Page 412: ...onding or responding slowly The range is 1 1000 If no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optio...

Page 413: ...hostname ip address global configuration command This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting AP config radius server host...

Page 414: ...to authenticate users if that method fails to respond the software selects the next authentication method in the method list This process continues until there is successful communication with a list...

Page 415: ...e console tty vty line number ending line number 5 Apply the authentication list to a line or set of lines If you specify default use the default list created with the aaa authentication login command...

Page 416: ...ts IP address or identify multiple host instances or entries by using the optional authport and acct port keywords Beginning in privileged EXEC mode follow these steps to define the AAA server group a...

Page 417: ...IUS server in the AAA server group Each server in the group must be previously defined in Step 2 server ip address 6 Return to privileged EXEC mode end 7 Verify your entries show running config 8 Opti...

Page 418: ...services available to a user When AAA authorization is enabled the access point uses information retrieved from the user s profile that is in the local user database or on the security server to confi...

Page 419: ...onfig 6 Optional Save your entries in the configuration file copy running config startup config To disable authorization use the no aaa authorization network exec method1 global configuration command...

Page 420: ...listens for PoD requests The default value is 1700 auth type This parameter is not supported for 802 11 sessions clients Optional Up to four RADIUS servers can be nominated as clients If this configur...

Page 421: ...S security server in the form of accounting records Each accounting record contains accounting attribute value AV pairs and is stored on the security server This data can then be analyzed for network...

Page 422: ...Configuring Settings for All RADIUS Servers Beginning in privileged EXEC mode follow these steps to configure global communication settings between the access point and all RADIUS servers 1 Enter glob...

Page 423: ...ribute for authentication radius server attribute 32 include in access req format h 7 Return to privileged EXEC mode end 8 Verify your settings show running config 9 Optional Save your entries in the...

Page 424: ...tory attributes and the asterisk for optional attributes This lets a full set of features available for TACACS authorization to also be used for RADIUS For example the following AV pair activates Cisc...

Page 425: ...cess point and the RADIUS server some vendors have extended the RADIUS attribute set in a unique way Cisco IOS software supports a subset of vendor proprietary RADIUS attributes As mentioned earlier t...

Page 426: ...DIUS Attributes The Wi Fi Alliance s WISPr Best Current Practices for Wireless Internet Service Provider WISP Roaming document lists RADIUS attributes that access points must send with RADIUS accounti...

Page 427: ...ter the location name in this format hotspot_operator_name location snmp server location location 3 Specify ISO and ITU country and area codes that the access point includes in accounting and authenti...

Page 428: ...and RADIUS Attributes Sent by the Access Point Table 99 on page 428 through Table 101 on page 429 identify the attributes sent by an access point to a client in access request access accept and accoun...

Page 429: ...a VLAN override number 65 Tunnel Medium Type1 79 EAP Message 80 Message Authenticator 81 Tunnel Private Group ID1 VSA attribute 26 LEAP session key VSA attribute 26 Auth Algo Type VSA attribute 26 SS...

Page 430: ...Packets 48 Acct Output Packets 61 NAS Port Type VSA attribute 26 SSID VSA attribute 26 NAS Location VSA attribute 26 VLAN ID VSA attribute 26 Connect Progress VSA attribute 26 Cisco NAS Port VSA attr...

Page 431: ...ted to the access point TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or pages NT workstation Access and configure a TACACS server before configuring TACA...

Page 432: ...CS authorization feature Accounting Collects and sends information used for billing auditing and reporting to the TACACS daemon Network managers can use the accounting facility to track administrator...

Page 433: ...oint to support TACACS you must identify the host or hosts maintaining the TACACS daemon and define the method lists for TACACS authentication You can optionally define method lists for TACACS authori...

Page 434: ...CS server and optionally set the encryption key 1 Enter global configuration mode configure terminal 2 Identify the IP host or hosts maintaining a TACACS server Enter this command multiple times to cr...

Page 435: ...ethod list defines the types of authentication and the sequence performed it must be applied to a specific interface before any of the defined authentication methods are performed The only exception i...

Page 436: ...the previous method returns an error not if it fails Choose one of these methods line Use the line password for authentication You must define a line password before you can use this authentication m...

Page 437: ...leged EXEC Access and Network Services AAA authorization limits the services available to an administrator When AAA authorization is enabled the access point uses information retrieved from the admini...

Page 438: ...your entries in the configuration file copy running config startup config To disable authorization use the no aaa authorization network exec method1 global configuration command Starting TACACS Accoun...

Page 439: ...at the end aaa accounting exec start stop tacacs 4 Return to privileged EXEC mode end 5 Verify your entries show running config 6 Optional Save your entries in the configuration file copy running conf...

Page 440: ...440 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 14 Configuring RADIUS and TACACS Servers Notes...

Page 441: ...than physically unplugging and moving devices or wires A VLAN can be thought of as a broadcast domain that exists within a defined set of switches A VLAN consists of a number of end systems either hos...

Page 442: ...ed on the access point As a result the Ethernet switch connects to the access point and generates a warning message There is no loss of function on both the access point and the switch However the swi...

Page 443: ...detailed information pertaining to VLAN design and configuration Cisco IOS Switching Services Configuration Guide Cisco Internetwork Design Guide Cisco Internetworking Technology Handbook Cisco Intern...

Page 444: ...can support up to 16 VLANs You can assign only one SSID to a VLAN You can use the VLAN feature to deploy wireless devices with greater efficiency and flexibility For example one access point can now...

Page 445: ...etailed instructions on assigning authentication types to SSIDs see Configuring Authentication Types on page 351 For instructions on assigning other settings to SSIDs see Configuring Multiple SSIDs on...

Page 446: ...adio interface Optional Designate the VLAN as the native VLAN On many networks the native VLAN is VLAN 1 encapsulation dot1q vlan id native 8 Return to global configuration mode exit 9 Enter interface...

Page 447: ...interface fastEthernet0 1 ap1200Router config subif encapsulation dot1q 1 native ap1200Router config subif exit ap1200Router config end Assigning Names to VLANs You can assign a name to a VLAN in add...

Page 448: ...me and ID pairs configured on the access point Using a RADIUS Server to Assign Users to VLANs You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN...

Page 449: ...y Group Assignment You can configure a RADIUS server to dynamically assign mobility groups to users or user groups This eliminates the need to configure multiple SSIDs on the access point Instead you...

Page 450: ...of access are available through VLANs configured on the wired network Management access Highest level of access users can access all internal drives and files departmental databases top level financi...

Page 451: ...te to the access point they automatically belong to the correct VLAN Complete these steps to support the VLANs in this example 1 Configure or confirm the configuration of these VLANs on one of the swi...

Page 452: ...native ap1200Router config subif exit You don t need to configure a bridge group on the subinterface that youset upas the nativeVLAN This bridge group is moved to thenative subinterface automatically...

Page 453: ...onfiguring VLANs Chapter 15 no bridge group 2 unicast flooding bridge group 2 spanning disabled When you configure a bridge group on the FastEthernet interface these commands are set automatically no...

Page 454: ...LAN and all untagged frames are implicitly associated with this default VLAN ID Configure one of your VLANs to be configured as the native Complete these steps to configure the VLAN 1 From the Service...

Page 455: ...e Encryption Manager page appears 3 Choose the VLAN you are configuring from the Set Encryption Mode and Keys for VLAN pull down list 4 In the Encryption Mode section determine what encryption if any...

Page 456: ...456 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 15 Configuring VLANs...

Page 457: ...ss point you can select specific network traffic prioritize it and use congestion management and congestion avoidance techniques to provide preferential treatment Implementing QoS in your wireless LAN...

Page 458: ...pectralink phones by using the class map IP protocol clause with the protocol value set to 119 To contrast the wireless LAN QoS implementation with the QoS implementation on other Cisco network device...

Page 459: ...based on the Layer 2 class of service value for each packet The access point applies QoS policies in this order Packetsalreadyclassified When the access point receives packets from a QoS enabled swit...

Page 460: ...t Implementing QoS in your wireless LAN makes network performance more predictable and bandwidth utilization more effective When you configure QoS you create QoS policies and apply the policies to the...

Page 461: ...y 4 Type a name for the QoS policy in the Policy Name entry field The name can contain up to 25 alphanumeric characters Do not include spaces in the policy name If the packets you need to prioritize c...

Page 462: ...l 7 7 Click Add beside the Class of Service menu for IP Precedence The classification appears in the Classifications field To delete a classification select it and click Delete beside the Classificati...

Page 463: ...vice that you want the access point to apply to Spectralink phone packets The access point matches Spectralink phone packets with your class of service selection 10 Click Add beside the Class of Servi...

Page 464: ...example shows how to enable IEEE 802 11 phone support with the legacy QBSS Load element AP config dot11 phone This example shows how to enable IEEE 802 11 phone support with the standard IEEE 802 11e...

Page 465: ...ty retries without signalling a replay on the receiving station For access classes that are configured to allow it transmitters that are qualified to transmit through the normal backoff procedure are...

Page 466: ...helps control the allocation of bandwidth If you have plenty of bandwidth on your wireless LAN you do not need to configure QoS The ampdu command is available for the 802 11n radio interfaces Aggregat...

Page 467: ...recedence classification from the IP Precedence pull down menu The classifications include these choices Routine 0 Priority 1 Immediate 2 Flash 3 Flash Override 4 Critic CCP 5 Internet Control 6 Netwo...

Page 468: ...sification from the IP DSCP pull down menu The classifications include these choices Best Effort Assured Forwarding Class 1 Low Assured Forwarding Class 1 Medium Assured Forwarding Class 1 High Assure...

Page 469: ...oint a link to the Apply Filters page appears instead of the Filter pull down menu For example you could assign a high priority to a MAC address filter that includes the MAC addresses of IP phones 15...

Page 470: ...d on the access point pull down menus for each VLANs virtual ports appear in this section If VLANs are not configured on the access point pull down menus for each interface appear 19 Click Apply at th...

Page 471: ...mapping is enabled by default To disable it browse to the QoS Policies Advanced page select No for Map Ethernet Packets with CoS 5 to CoS 6 and click Apply WiFiMultimedia WMM By using the Admission C...

Page 472: ...d The values listed in this table are to the power of 2 The access point computes Contention page values with this equation CW 2 X minus 1 where X is the value from Table 107 on page 472 IMPORTANT Rat...

Page 473: ...HY rate in the ADDTS request against the nominal rates defined by the CLI command traffic stream If they don t match the access point rejects the ADDTS request If you choose Optimized Voice Settings s...

Page 474: ...n an access point s radio For a list of Cisco IOS commands for configuring admission control by using CLI see the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges Guide 1 Click...

Page 475: ...sionControl You can use two CLI commands to display information to help you troubleshoot admission control problems To display current admission control settings on radio 0 enter the following command...

Page 476: ...476 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 16 Configuring QoS Notes...

Page 477: ...access from the wired LAN IP address and MAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific IP or MAC addresses You can cre...

Page 478: ...I 2 Use the console port or Telnet to access the ACL through the Ethernet interface or the wireless interface 3 Enter global configuration mode 4 Create a Time Range For this example Test AP config ti...

Page 479: ...e BVI interfaces as long as a separate ACL is used for the BVI interface CLIConfigurationExample This example shows the CLI commands that are equivalent to the steps listed in the Using MAC Address AC...

Page 480: ...NMP filter on the access point s radio port prevents wireless client devices from using SNMP with the access point but does not block SNMP access from the wired LAN IP address and MAC address filters...

Page 481: ...these steps to create a MAC address filter 1 From the top navigation menu click Services 2 From the Services menu click Filters to move to the Services Filters Apply Filters page 3 On the Apply Filte...

Page 482: ...482 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 17 Configuring Filters...

Page 483: ...Add MAC Address field Enter the address with periods separating the three groups of four characters for example 0040 9612 3456 6 Use the Mask entry field to indicate how many bits from left to right...

Page 484: ...step 8 to add addresses to the filter 10 From the Default Action menu choose Forward All or Block All The default action of the filter must be the opposite of the action for at least one of the addres...

Page 485: ...can use MAC address ACLs to block or allow association to the access point Instead of filtering traffic across an interface you use the ACL to filter associations to the access point radio Follow thes...

Page 486: ...oose Forward from the Action menu Select Block for addresses that you want to prevent from associating Select Block All from the Default Action menu 2 From the main menu click Security This figure sho...

Page 487: ...n Publication 1783 UM006A EN P May 2014 487 Configuring Filters Chapter 17 4 Click Association Access List tab Figure 117 Association Access List Page 5 Select your MAC address ACL from the pull down...

Page 488: ...addresses except those you specify You can create filters that contain elements of one two or all three IP filtering methods You can apply the filters you create to either or both the Ethernet and ra...

Page 489: ...Rockwell Automation Publication 1783 UM006A EN P May 2014 489 Configuring Filters Chapter 17...

Page 490: ...action for all of them you must choose Forward All as the filter s default action Filteran IPaddress Follow these steps to filter an IP Address 1 Enter an address in the Destination Address and Sourc...

Page 491: ...1 through step 3 to add addresses to the filter If you do not need to add IP protocol or IP port elements to the filter click Apply 5 From the IP Protocol pull down menu select one of the common proto...

Page 492: ...the access point FilteraTCPorUDPPortNumber Follow these steps to filter a TCP or UDP port number 1 From the TCP Port or UDP Port pull down menus select one of the common port protocols or select Cust...

Page 493: ...ss point s Ethernet and radio ports and IP address filters allow or prevent the forwarding of unicast and multicast packets either sent from or addressed to specific IP addresses You can create a filt...

Page 494: ...edit an existing filter select the filter name 2 Enter a descriptive name for the new filter in the Filter Name field 3 From the Default Action pull down select Forward all or Block all The filter s d...

Page 495: ...an IP protocol select one of the common protocols from the IP Protocol pull down menu or select the Custom radio button and enter the number of an existing ACL in the Custom field Enter an ACL number...

Page 496: ...ers page Figure 119 Apply Filters Page 16 From one of the IP pull down menu select the filter name You can apply the filter to either or both the Ethernet and radio ports and to either or both incomin...

Page 497: ...create an Ethertype filter 1 Follow the link path to the Ethertype Filters page 2 If you are creating a new filter make sure NEW the default is selected in the Create Edit Filter Index menu To edit a...

Page 498: ...or Block All The filter s default action must be the opposite of the action for at least one of the Ethertypes in the filter For example if you enter several Ethertypes and you choose Block as the act...

Page 499: ...oint radio port when the radio is associated to another wireless infrastructure device such as an access point or a bridge CDP is sent on the lowest VLAN number configured on the access point When mor...

Page 500: ...ure terminal 2 Optional Specify the amount of time you want a receiving device to hold the information sent by the device before discarding it The range is from 10 255 s the default is 180 s cdp holdt...

Page 501: ...teps to disable the CDP device discovery capability 1 Enter global configuration mode configure terminal 2 Disable CDP no cdp run 3 Return to Privileged EXEC mode end Beginning in privileged EXEC mode...

Page 502: ...entries in the configuration file copy running config startup config Beginning in privileged EXEC mode follow these steps to enable CDP on an interface 1 Enter global configuration mode configure term...

Page 503: ...as frequency of transmissions and the holdtime for packets being sent show cdp entry entry name protocol version Display information about a specific neighbor You can enter an asterisk to display all...

Page 504: ...ilities Trans Bridge Switch Interface GigabitEthernet0 1 Port ID outgoing port FastEthernet0 10 Holdtime 141 sec Version Cisco Internetwork Operating System Software IOS tm C3500XL Software C3500XL C3...

Page 505: ...is administratively down line protocol is down Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 seconds GigabitEthernet0 4 is up line protocol is down Encapsulation ARPA Sending...

Page 506: ...tch H Host I IGMP r Repeater Device ID Local Interface Holdtme Capability Platform Port ID Perdido2 Gig 0 6 125 R S I WS C3550 1Gig 0 6 Perdido2 Gig 0 5 125 R S I WS C3550 1Gig 0 5 AP show cdp traffic...

Page 507: ...ent information base MIB reside on the access point To configure SNMP on the access point you define the relationship between the manager and the agent The SNMP agent contains MIB variables whose valu...

Page 508: ...and SNMPv2 are stored and transferred as plain text without encryption In the SNMPv3 security model SNMP users authenticate and join a user group Access to system data is restricted based on the grou...

Page 509: ...event has occurred on the agent Examples of trap conditions include but are not limited to when a port or module goes up or down when spanning tree topology changes occur and when authentication failu...

Page 510: ...les to set device variables and to poll devices on the network for specific information The results of a poll can be displayed as a graph and analyzed to troubleshoot internet working problems increas...

Page 511: ...se the SNMP community string to define the relationship between the SNMP manager and the agent The community string acts like a password to permit access to the agent on the access point Optionally yo...

Page 512: ...ement stations to retrieve and modify MIB objects By default the community string permits read only access to all objects snmp server community string access list number view mib view ro rw 3 Optional...

Page 513: ...for that community to the null string don t enter a value for the community string To remove a specific community string use the no snmp server community string global configuration command This examp...

Page 514: ...at the access point generates when certain events occur By default no trap manager is defined and no traps are issued Access points running this Cisco IOS release can have an unlimited number of trap...

Page 515: ...ersion 1 the default is not available with informs Version 3 has three security levels auth Specifies authentication of packets without encryption noauth Specifies no authentication and no encryption...

Page 516: ...act and Location Information Beginning in privileged EXEC mode follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the config...

Page 517: ...hows how to assign the strings open and ieee to SNMP to allow read write access for both and to specify that open is the community string for queries on non IEEE802dot11 MIB objects and ieee is the co...

Page 518: ...ds for the host cisco com AP config snmp server enable traps entity AP config snmp server host cisco com restricted entity This example shows how to enable the access point to send all traps to the ho...

Page 519: ...snmp server user fred admin v3 encrypted auth md5 abc789 priv des56 key99 Displaying SNMP Status To display SNMP input and output statistics including the number of illegal community string entries er...

Page 520: ...520 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 19 Configuring SNMP Notes...

Page 521: ...the wired LAN The data is sent through the route that provides the best performance for the client When you configure an access point as a repeater the access point s Ethernet port does not forward t...

Page 522: ...oint to which repeaters are associated The infrastructure SSID must be assigned to the native VLAN If more than one VLAN is created on an access point or wireless bridge an infrastructure SSID cannot...

Page 523: ...int match the data rates on the parent access point For instructions on configuring data rates see Configuring Radio Data Rates on page 247 Repeater access points support only the native VLAN You cann...

Page 524: ...s SSID unless you also enter the optional keyword The infrastructure SSID must be assigned to the native VLAN If more than one VLAN is created on an access point or wireless bridge an infrastructure S...

Page 525: ...erminal AP config interface dot11radio 0 AP config if ssid chicago AP config ssid infrastructure ssid AP config ssid exit AP config if station role repeater AP config if dot11 extensions aironet AP co...

Page 526: ...p the repeater check the status indicators on top of the repeater access point If your repeater is functioning correctly the status indicators on the repeater and the root access point behave like thi...

Page 527: ...ged Exec mode follow these instructions to set up the repeater as a LEAP client 1 Enter global configuration mode configure terminal 2 Enter interface configuration mode for the radio interface The 2...

Page 528: ...onal 7 Return to privileged EXEC mode end 8 Optional Save your entries in the configuration file copy running config startup config Setting Up a Repeater as a WPA Client WPA key management uses a comb...

Page 529: ...h both the Ethernet and the radio ports If the monitored access point fails to respond the standby access point comes online and takes the monitored access point s place in the network Except for the...

Page 530: ...red access point Default IP Subnet Mask Default Gateway Data rates WEP settings Authentication types and authentication servers If the monitored access point goes offline and the standby access point...

Page 531: ...e monitored access point and is functioning as a repeater access point IAPP AP is operating in repeater mode The standby access point has taken over for the monitored access point and is functioning a...

Page 532: ...he standby unit to use the BSSID s new MAC address Hot standby is not supported on the BR1410 configured for AP mode iapp standby mac address 3 Enter interface configuration mode for the radio interfa...

Page 533: ...ioned The default timeout is 20 seconds Increase the standby timeout setting if the bridged path between the standby and monitored access points can be lost for periods greater than 20 seconds during...

Page 534: ...access point is not configured for standby mode IAPP AP is in standby mode The access point is in standby mode IAPP AP is operating in active mode The standby access point has taken over for the moni...

Page 535: ...as a workgroup bridge the other radio interface remains up If multiple BSSIDs are configured on a root access point that is designated as the parent of a workgroup bridge the parent MAC address can ch...

Page 536: ...and Workgroup Bridge Mode This figure shows an access point in workgroup bridge mode Figure 123 Access Point in Workgroup Bridge Mode Access Point Root Unit 121646 Wired LAN ETHERNE T SPEED 1 5 2 6 3...

Page 537: ...ucture SSID The performance cost of reliable multicast delivery duplication of each multicast packet sent to each workgroup bridge limits the number of infrastructure devices including workgroup bridg...

Page 538: ...set of limited channels to reduce the hand off delay when the workgroup bridge roams from one access point to another By limiting the number of channels the workgroup bridge scans only to those requir...

Page 539: ...the mobile station ignore neighbor list command to disable processing of CCX neighbor list reports This command is effective if the workgroup bridge is configured only for limited scanning channel sca...

Page 540: ...sending to the WLC In the downstream direction while forwarding the packet to the switch connecting the wired client the WLC sends the packet to WGB without the 802 1q tag and WGB adds a 4 byte 802 1q...

Page 541: ...ured on the parent access point the MAC address for the parent can change if a BSSID on the parent is added or deleted Optional You can also enter a timeout value in seconds that determines how long t...

Page 542: ...ronment You can configure an access point to operate as a workgroup bridge so that it can provide wireless connectivity to a lightweight access point on behalf of clients that are connected by Etherne...

Page 543: ...in client mode default value are supported Those in infrastructure mode are not supported Perform one of the following to enable client mode on the workgroup bridge On the workgroup bridge access poi...

Page 544: ...after the workgroup bridge has roamed to another controller for example to a foreign controller the wired client s IP address appears only on the anchor controller not on the foreign controller When...

Page 545: ...y that the workgroup bridge is associated to an access point enter this command on the workgroup bridge show dot11 association If a wired client does not send traffic for an extended period of time th...

Page 546: ...nicast frame Cisco IOS Releases 15 2 2 JA and later provide VideoStream support for wired devices connected to workgroup bridges For access points running release 15 2 2 JA and later the workgroup bri...

Page 547: ...ges to the console When the logging process is disabled messages are sent only to the console The messages are sent as they are generated so message and debug output are interspersed with prompts or o...

Page 548: ...mmand service sequence numbers service timestamps log datetime service timestamps log datetime localtime msec show timezone or service timestamps log uptime This table describes the elements of syslog...

Page 549: ...System Message Logging Configuration This table shows the default system message logging configuration Disabling and Enabling Message Logging Message logging is enabled by default It must be enabled...

Page 550: ...bling the logging process can slow down the access point because a process must wait until the messages are written to the console before continuing When the logging process is disabled messages are d...

Page 551: ...ost to be used as the syslog server To build a list of syslog servers that receive logging messages enter this command more than once For complete syslog server configuration steps see the Configuring...

Page 552: ...severity level number type global configuration command Enabling and Disabling Timestamps on Log Messages By default log messages are not timestamped Beginning in privileged EXEC mode follow these st...

Page 553: ...ages Because there is a chance that more than one log message can have the same timestamp you can display messages with sequence numbers so that you can unambiguously refer to a single message By defa...

Page 554: ...debugging messages and numerically lower levels see Table 115 on page 555 logging console level 3 Limit messages logged to the terminal lines By default the terminal receives debugging messages and n...

Page 555: ...e typically used only by the Technical Assistance Center TAC Interface up or down transitions and system restart messages displayed at the notifications level This message is only for information acce...

Page 556: ...traps are not enabled Beginning in privileged EXEC mode follow these steps to change the level and history table size defaults 1 Enter global configuration mode configure terminal 2 Change the default...

Page 557: ...imit You can enable a limit on the number of messages that the access point logs per second You can enable the limit for all messages or for messages sent to the console and you can specify that messa...

Page 558: ...syslog level see Table 115 on page 555 for information on the severity levels The syslog daemon sends messages at this level or at a more severe level to the file specified in the next field The file...

Page 559: ...that receive logging messages enter this command more than once logging host 3 Limit messages logged to the syslog servers Be default syslog servers receive informational messages and lower logging t...

Page 560: ...formation about the fields in this display see publication Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP and IP Routing Command Reference To display the logging history f...

Page 561: ...point workgroup bridge See Access Point Status Indicators on page 48 for detailed descriptions Checking Basic Settings Mismatched basic settings are the most common causes of lost connectivity with wi...

Page 562: ...r radio clients are using EAP FAST authentication you must configure open authentication with EAP If you don t configure open authentication with EAP a warning message appears If you are using CLI the...

Page 563: ...to delete the current configuration and return all wireless device settings to the factory defaults by using the web browser interface 1 Open your Internet browser You must use Microsoft Internet Exp...

Page 564: ...eturn all wireless device settings to the factory defaults by using CLI commands 1 Open CLI by using a Telnet session or a connect to the wireless device by using the console port 2 Restart the wirele...

Page 565: ...d to restart the wireless device ap reset Are you sure you want to reset the system y n y System resetting using eeprom values WRDTR CLKTR 0x80000800 0x80000000 RQDC RFDC 0x80000033 0x000001cb ddr ini...

Page 566: ...y using CLI through a Telnet or console port connection Using the HTTP Interface You can also use the Web browser interface to reload the wireless device image file The Web browser interface supports...

Page 567: ...Click Upload Using the TFTP Interface The TFTP interface allows you to use a TFTP server on a network device to load the wireless device image file Follow the instructions below to use a TFTP server 1...

Page 568: ...6 Click the TFTP Upgrade tab 7 Enter the IP address for the TFTP server in the TFTP Server field 8 Enter the file name for the image file in the Upload New System Image Tar File field If the file is l...

Page 569: ...9w7 mx v122_13_ja 20031010 c350 k9w7 mx v122_13_ja 20031010 4 When the ap command prompt appears enter the set command to assign an IP address subnet mask and default gateway to the wireless device Yo...

Page 570: ...ing c350 k9w7 mx 122 13 JA1 html level1 cookies js 5027 bytes extracting c350 k9w7 mx 122 13 JA1 html level1 forms js 15704 bytes extracting c350 k9w7 mx 122 13 JA1 html level1 sitewide js 14621 bytes...

Page 571: ...command Your entry can look like this example ap set BOOT flash c350 k9w7 mx 122 13 JA1 c350 k9w7 mx 122 13 JA1 9 Enter the set command to check your bootloader entries ap set BOOT flash c350 k9w7 mx...

Page 572: ...572 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 21 Troubleshooting Notes...

Page 573: ...the numeric designator for each protocol Topic Page Ethertype Protocols 573 IP Protocols 574 IP Port Protocols 574 Table 1 Ethertype Protocols Protocol Additional Identifier ISODesignator ARP 0x0806 R...

Page 574: ...e Protocol ICMP 1 Internet Group Management Protocol IGMP 2 Transmission Control Protocol TCP 6 Exterior Gateway Protocol EGP 8 PUP 12 CHAOS 16 User Datagram Protocol UDP 17 XNS IDP IDP 22 ISO TP4 TP4...

Page 575: ...finger 79 Hypertext Transport Protocol HTTP www 80 ttylink link 87 Kerberos v5 Kerberos krb5 88 supdup 95 hostname hostnames 101 TSAP iso tsap 102 CSO Name Server cso ns csnet ns 105 Remote Telnet rt...

Page 576: ...way Protocol BGP 179 Prospero 191 Internet Relay Chap IRC 194 SNMP Unix Multiplexer smux 199 AppleTalk Routing at rtmp 201 AppleTalk name binding at nbp 202 AppleTalk echo at echo 204 AppleTalk Zone I...

Page 577: ...Appendix A SUP server supfilesrv 871 swat for SAMBA swat 901 SUP debugging supfiledbg 1127 ingreslock 1524 Prospero non priveleged prospero np 1525 RADIUS 1812 Concurrent Versions System CVS 2401 Cis...

Page 578: ...578 Rockwell Automation Publication 1783 UM006A EN P May 2014 Appendix A Protocol Filters Notes...

Page 579: ...BRIDGE MIB P BRIDGE MIB CISCO DOT11 LBS MIB CISCO DOT11 IF MIB CISCO WLAN VLAN MIB CISCO IETF DOT11 QOS MIB CISCO IETF DOT11 QOS EXT MIB CISCO DOT11 ASSOCIATION MIB CISCO L2 DEV MONITORING MIB CISCO...

Page 580: ...g FTP to Access the MIB Files Follow these steps to obtain each MIB file by using FTP 1 Use FTP to access the server ftp cisco com 2 Log in with the username anonymous 3 Enter your e mail username whe...

Page 581: ...591 LWAPP Error Messages 592 Sensor Messages 592 SNMP Error Messages 593 SSH Error Messages 593 Table 1 Conventions for System Error Messages Message Component Description Example Error identifier A...

Page 582: ...URE s Auto upgrade of the software failed Auto upgrade of the software failed Restarttheunit Ifthemessageappears again copy the error message exactly as it appears and report it to your technical supp...

Page 583: ...d interface and indicated station can be mismatched Check the encryption configuration of this interface and the failingstation to verify thatthe configurations match DOT11 4 DIVER_USED Interface s Mc...

Page 584: ...not started Add at least one infrastructure SSID to the radio configuration DOT11 4 VERSION_UPGRADE Interface d upgrading radio firmware When starting the indicated interface the access point found t...

Page 585: ...n the device IF 4 MISPLACED_VLAN_TAG Detected a misplaced VLAN tag on source Interface Dropping packet Received an 802 1Q VLAN tag was detected on the indicated interface that could not be parsedcorre...

Page 586: ...o A radio management request discovered that the interface either does not exist or is not a radio interface None DOT11 3 POWERS_INVALID Interface s no valid power levels available The radio driver fo...

Page 587: ...Packet to client mac reached max retries remove the client Apacket sent to theclient has not been successfully delivered many times and the max retries limit has been reached The client is deleted fro...

Page 588: ...indicates an active attack on your network the interface is put on hold for the indicated time During this holdtime stationsbyusingTKIPciphersaredisassociated and cannot reassociate until the hold tim...

Page 589: ...adio interfaces None DOT11 6 ROGUE_AP Rogue AP e reported Reason s A station has reported a potential rogue access point for the indicated reason None Message Explanation Recommended Action RADSRV 4 N...

Page 590: ...servers are marked dead Configuring dead time for 10 minutes means that the server cannot be used for 10 minutes You can disable this command if you want thislogtodisappear Actuallythismessageis not r...

Page 591: ...files have a rcore extension The files can be deleted because they simply show that the radio went down atsomepoint The rcorefilescanbelistedon CLI session and appear similar to this r15_5705_AB50_A8...

Page 592: ...ease verify that the router fans are operating and that the room cooling and air conditioning are functioning This condition could cause the system to fail to operate properly SENSOR 3 TEMP_NORMAL s t...

Page 593: ...representative SNMP_MGR 3 MISSINGHOSTIPV6 Cannot locate information on SNMP informs host Unrecognized format P A table entry for the mentioned SNMP informs destination cannot be found As a result inf...

Page 594: ...594 Rockwell Automation Publication 1783 UM006A EN P May 2014 Appendix C Error and Event Messages Notes...

Page 595: ...s point A wireless LAN data transceiver that uses radio waves to connect a wired network with wireless stations ad hoc network A wireless network composed of stations without Access Points antenna gai...

Page 596: ...gain The greater the dBi value the higher the gain and the more acute the angle of coverage DHCP Dynamic host configuration protocol A protocol available with many operating systems that automaticall...

Page 597: ...IP address for example 255 255 255 0 isotropic An antenna that radiates its signal in a spherical pattern MAC Media Access Control address A unique 48 bit number used in Ethernet data packets to ident...

Page 598: ...eferred to as Radio Network Name A unique identifier used to identify a radio network and which stations must use to be able to communicate with each other or to an access point The SSID can be any al...

Page 599: ...integrated template based configuration tool for added configuration ease and improved productivity WNM Wireless Network Manager workstation A computing device with an installed client adapter WPA Wi...

Page 600: ...600 Rockwell Automation Publication 1783 UM006A EN P May 2014 Glossary Notes...

Page 601: ...s point 428 vendor proprietary 425 vendor specific 424 authentication 183 local mode with AAA 220 RADIUS key 411 login 209 414 SSID 279 TACACS defined 432 key 434 login 215 435 authentication client c...

Page 602: ...key 366 cdp enable 502 clear 175 countermeasure tkip hold time 369 debug 547 default form 177 del 565 dot11 aaa mac authen filter cache 366 dot11 extension aironet 269 dot11 interface number carrier...

Page 603: ...s DNS 237 dot11 aaa mac authen filter cache command 366 dot11 extension aironet command 269 dot11 interface number carrier busy command 277 dot1x reauth period command 368 DTIM 273 dual band radios 21...

Page 604: ...276 FTP accessing MIB files 580 G gain 266 get bulk request operation 509 get next request operation 509 510 get request operation 509 510 get response operation 509 Gigabit Ethernet port 32 global co...

Page 605: ...gement frames 397 Management Frame Protection 2 configuring 398 maximum data retries 275 maximum reach 52 Maximum RTS Retries 274 MCS rates 251 252 Media Access Control MAC address 54 Message Integrit...

Page 606: ...oning packets 263 power client command 255 power connection 32 power injector 49 power level on client devices 254 radio 269 power save client device 273 preferential treatment of traffic See QoS pre...

Page 607: ...nts 521 request to send RTS 274 restricting access overview 201 passwords and privilege levels 201 RADIUS 407 TACACS 215 RFC 1042 270 1157 SNMPv1 508 1901 SNMPv2C 508 1902 to 1907 SNMPv2 508 roaming f...

Page 608: ...nt and access point 373 statistics CDP 503 status indicator blinking blue 49 blinking green 48 blue 48 cycling through green red and off 49 green 48 red 49 STP BPDU message exchange 302 designated por...

Page 609: ...oubleshooting 561 error messages CLI 178 system message logging 547 with CiscoWorks 510 U unauthorized access 201 universal workgroup bridge 60 UNIX syslog servers daemon configuration 558 facilities...

Page 610: ...610 Rockwell Automation Publication 1783 UM006A EN P May 2014 Index Notes...

Page 611: ......

Page 612: ...Customer Support for initial help in getting your product up and running New Product Satisfaction Return Rockwell Automation tests all of its products to help ensure that they are fully operational wh...

Reviews:

No comments

Brands by name

Popular brands

Load more brands