manualshive.com logo in svg

Cisco Aironet 1200 Series, Software Configuration Manual

Share
Download
Cisco Aironet 1200 Series Software Configuration Manual Download Page 121

 

4-3

Cisco Aironet 1200 Series Access Point Software Configuration Guide

OL-2159-03

Chapter 4      Security Setup

Security Overview

If you don’t enable any security features on your access point, anyone with a 
wireless networking device is able to join your network. If you enable open or 
shared-key authentication with WEP encryption, your network is safe from casual 
outsiders but vulnerable to intruders who use a hacking algorithm to calculate the 
WEP key. If you enable server-based EAP authentication with Message Integrity 
Check (MIC), Temporal Key Integrity Protocol (TKIP, also known as key 
hashing), and broadcast key rotation, your network is safe from all but the most 
sophisticated attacks against wireless security.

Encrypting Radio Signals with WEP

Just as anyone within range of a radio station can tune to the station’s frequency 
and listen to the signal, any wireless networking device within range of an access 
point can receive the access point’s radio transmissions. Because WEP (Wired 
Equivalent Privacy) is the first line of defense against intruders, Cisco 
recommends that you use full encryption on your wireless network.

WEP encryption scrambles the communication between the access point and 
client devices to keep the communication private. Both the access point and client 
devices use the same WEP key to encrypt and unencrypt radio signals. WEP keys 
encrypt both unicast and multicast messages. Unicast messages are addressed to 
just one device on the network. Multicast messages are addressed to multiple 
devices on the network. 

Extensible Authentication Protocol (EAP) authentication provides dynamic WEP 
keys to wireless users. Dynamic WEP keys are more secure than static, or 
unchanging, WEP keys. If an intruder passively receives enough packets 
encrypted by the same WEP key, the intruder can perform a calculation to learn 
the key and use it to join your network. Because they change frequently, dynamic 
WEP keys prevent intruders from performing the calculation and learning the key.

Additional WEP Security Features

Three additional security features defend your wireless network’s WEP keys:

Message Integrity Check (MIC)—MIC prevents attacks on encrypted packets 
called 

bit-flip

 attacks. During a bit-flip attack, an intruder intercepts an 

encrypted message, alters it slightly, and retransmits it, and the receiver 
accepts the retransmitted message as legitimate. The MIC, implemented on 

Summary of Contents for Aironet 1200 Series

Page 1: ...West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Cisco Aironet 1200 Series Access Point Software Configuration Guide Software Release 11 50T August 2002 Text Part Number OL 2159 03 ...

Page 2: ...TATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES Cisco Aironet 1200 Series Access Point Software Configuration Guide Copyright 2002 Cisco Systems Inc All rights reserved CCIP the Cisco Arrow logo the Cisco Powered Network mark the Cisco Systems Verified logo Cisco...

Page 3: ...CD ROM xvi Ordering Documentation xvi Documentation Feedback xvii Obtaining Technical Assistance xvii Cisco com xvii Technical Assistance Center xviii Cisco TAC Web Site xviii Cisco TAC Escalation Center xix C H A P T E R 1 Overview 1 1 Key Features 1 2 Management Options 1 2 Roaming Client Devices 1 3 Network Configuration Examples 1 3 Root Unit on a Wired LAN 1 3 Repeater Unit that Extends Wirel...

Page 4: ... the Serial Cable 2 6 Setting Up the Terminal Emulator 2 7 Changing Settings with the CLI 2 7 Selecting Pages and Settings 2 9 Applying Changes to the Configuration 2 9 Using a Telnet Session 2 9 Using SNMP 2 10 Supported MIBs 2 10 C H A P T E R 3 Configuration 3 1 Basic Settings 3 2 Entering Basic Settings 3 3 System Name 3 3 MAC Address 3 3 Configuration Server Protocol 3 4 Default IP Address 3 ...

Page 5: ...mation 3 31 Settings on the AP Radio Advanced Page 3 32 Ethernet Configuration 3 41 Entering Identity Information 3 41 Settings on the Ethernet Identification Page 3 42 Entering Ethernet Hardware Information 3 43 Settings on the Ethernet Hardware Page 3 44 Entering Advanced Configuration Information 3 46 Settings on the Ethernet Advanced Page 3 46 Server Setup 3 48 Entering Time Server Settings 3 ...

Page 6: ... 68 Settings on the Association Table Advanced Page 3 69 Event Notification Setup 3 71 Event Display Setup Page 3 71 Settings on the Event Display Setup Page 3 72 Event Handling Setup Page 3 74 Settings on the Event Handling Setup Page 3 76 Event Notifications Setup Page 3 78 Settings on the Event Notifications Setup Page 3 79 C H A P T E R 4 Security Setup 4 1 Security Overview 4 2 Levels of Secu...

Page 7: ... Client 4 27 Setting Up MAC Based Authentication 4 29 Enabling MAC Based Authentication on the Access Point 4 29 Authenticating Client Devices Using MAC Addresses or EAP 4 34 Enabling MAC Based Authentication in Cisco Secure ACS 4 35 Summary of Settings for Authentication Types 4 37 Setting Up Backup Authentication Servers 4 40 Setting Up Administrator Authorization 4 41 Creating a List of Authori...

Page 8: ...tions 6 1 Updating Firmware 6 2 Updating with the Browser from a Local Drive 6 2 Full Update of the Firmware Components 6 3 Selective Update of the Firmware Components 6 4 Updating from a File Server 6 5 Full Update of the Firmware Components 6 5 Selective Update of the Firmware Components 6 7 Distributing Firmware 6 8 Distributing a Configuration 6 9 Limiting Distributions 6 11 Downloading Upload...

Page 9: ...ings on the Console Telnet Page 7 5 C H A P T E R 8 Special Configurations 8 1 Setting Up a Repeater Access Point 8 1 Using Hot Standby Mode 8 5 C H A P T E R 9 Diagnostics and Troubleshooting 9 1 Using Diagnostic Pages 9 2 Radio Diagnostics Page 9 2 Antenna Alignment Test 9 3 Carrier Test 9 5 Network Ports Page 9 7 Identifying Information and Status 9 8 Data Received 9 8 Data Transmitted 9 9 Ethe...

Page 10: ...0 vxdiag_tcpstatshow 9 31 vxdiag_udpstatshow 9 32 Tracing Packets 9 33 Reserving Access Point Memory for a Packet Trace Log File 9 33 Tracing Packets for Specific Devices 9 34 Tracing Packets for Ethernet and Radio Ports 9 35 Viewing Packet Trace Data 9 36 Packets Stored in a Log File 9 36 Packets Displayed on the CLI 9 37 Checking the Top Panel Indicators 9 37 Finding an Access Point by Blinking ...

Page 11: ... Contents A P P E N D I X A Channels Power Levels and Antenna Gains A 1 Channels A 2 Channels for IEEE 802 11a A 2 Channels for IEEE 802 11b A 3 Maximum Power Levels and Antenna Gains A 4 For IEEE 802 11a A 4 For IEEE 802 11b A 5 A P P E N D I X B Protocol Filter Lists B 1 I N D E X ...

Page 12: ...Contents xii Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 ...

Page 13: ...e familiar with some of the concepts and terminology of Ethernet and wireless local area networking The scope of this guide is to provide the information you need to configure an access point use the access point management system to browse to other devices on a wireless network and troubleshoot problems with the access point that might arise Organization This guide is organized into the following...

Page 14: ...m Chapter 8 Special Configurations describes how to set up the access point in network roles other than as a root unit on a wired LAN such as in repeater or Hot Standby mode Chapter 9 Diagnostics and Troubleshooting describes how to identify and resolve some of the problems that might arise when you configure an access point running this software release Appendix A Channels Power Levels and Antenn...

Page 15: ...d performance characteristics and how to mount the access point on a wall ceiling or desktop The Cisco Aironet 1200 Series Access Point Hardware Installation Guide also contains regulatory information for the device Cisco Secure Access Control Server for Windows 2000 NT Servers Version 2 6 User Guide provides complete instructions for using Cisco Secure ACS including steps for configuring Cisco Se...

Page 16: ...e Documentation CD ROM is updated monthly and may be more current than printed documentation The CD ROM package is available as a single unit or through an annual subscription Ordering Documentation You can order Cisco documentation in these ways Registered Cisco com users Cisco direct customers can order Cisco product documentation from the Networking Products MarketPlace http www cisco com cgi b...

Page 17: ...Cisco com as a starting point for all technical assistance Customers and partners can obtain online documentation troubleshooting tips and sample configurations from online tools by using the Cisco Technical Assistance Center TAC Web Site Cisco com registered users have complete access to the technical support resources on the Cisco TAC Web Site Cisco com Cisco com is the foundation of a suite of ...

Page 18: ...ion or assistance concerning Cisco product capabilities product installation or basic product configuration Priority level 3 P3 Your network performance is degraded Network functionality is noticeably impaired but most business operations continue Priority level 2 P2 Your production network is severely degraded affecting significant aspects of business operations No workaround is available Priorit...

Page 19: ...e Internet access we recommend that you open P3 and P4 cases through the Cisco TAC Web Site Cisco TAC Escalation Center The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues These classifications are assigned when severe network degradation significantly impacts business operations When you contact the TAC Escalation Center with a P1 or P2 problem a Cisco TAC engine...

Page 20: ...Preface Obtaining Technical Assistance xx Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 ...

Page 21: ...t can contain two radios a 2 4 GHz radio in an internal mini PCI slot and a 5 GHz radio module in an external modified cardbus slot The access point supports one radio of each type but it does not support two 2 4 GHz or two 5 GHz radios You can configure the radios separately using different settings on each radio The access point uses a browser based management system but you can also configure t...

Page 22: ...y Features section on page 4 3 for more information on additional WEP protection Use EAP to Authenticate Repeater Access Points Set up repeater access points to authenticate to your network like other wireless client devices After you provide a network username and password for the repeater it authenticates to your network using LEAP Cisco s wireless authentication method and receives and uses dyn...

Page 23: ...or closer access points the extra radio traffic would slow throughput on the wireless LAN Network Configuration Examples This section describes the access point s role in three common wireless network configurations The access point s default configuration is as a root unit connected to a wired LAN or as the central unit in an all wireless network The repeater role requires a specific configuratio...

Page 24: ... the wired LAN by sending packets to either another repeater or to an access point connected to the wired LAN The data is sent through the route that provides the best performance for the client You can set up either of the radios in your access point as a repeater but one radio must be set up as a root unit Figure 1 2 shows an access point acting as a repeater Consult the Setting Up a Repeater Ac...

Page 25: ...In an all wireless network an access point acts as a stand alone root unit The access point is not attached to a wired LAN it functions as a hub linking all stations together The access point serves as the focal point for communications increasing the communication range of wireless users Figure 1 3 shows an access point in an all wireless network Access Point Root Unit Access Point Repeater 66000...

Page 26: ...erview Network Configuration Examples 1 6 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 Figure 1 3 Access Point as Central Unit in All Wireless Network Access Point Root Unit 65998 ...

Page 27: ...mand line interface through a terminal emulator or a Telnet session or a Simple Network Management Protocol SNMP application The access point s management system web pages are organized the same way for the web browser and command line interfaces The examples in this manual show the web browser interface This chapter contains the following sections Using the Web Browser Interface page 2 2 Using th...

Page 28: ...gement system See the Quick Start Guide Cisco Aironet 1200 Series Access Points for instructions on assigning an IP address to the access point Follow these steps to begin using the web browser interface Step 1 Start the browser Step 2 Enter the access point s IP address in the browser Location field Netscape Communicator or Address field Internet Explorer and press Enter If the access point has n...

Page 29: ...e Network Displays the Network Ports page Associations Displays the Association Table page which provides a list of all devices on the wireless network and links to the devices Setup Displays the Setup page which contains links to the management pages with configuration settings Logs Displays the Event Log page which lists system events and their severity levels Help Displays the online help for t...

Page 30: ...rnet browser must have Java enabled to use the map windows To display the sub pages for each main page click the bullet next to a main page link Microsoft Internet Explorer or click expand next to a main page link Netscape Communicator In Figure 2 1 the sub pages for the Network Ports page are expanded Figure 2 1 Map Window with Network Ports Pages Expanded The Network Map window appears when you ...

Page 31: ...home page if available Some devices such as PC Card clients might not have home pages Click show clients to display all the wireless client devices on your network The client names appear under the access point or bridge with which they are associated If clients are displayed click hide clients to display only non client devices Using the Command Line Interface You can use a command line interface...

Page 32: ...mulator connection 9600 baud 8 data bits no parity 1 stop bit and no flow control Use the Console Telnet Setup page to adjust the console and Telnet connection settings See the Console and Telnet Setup section on page 7 5 for details on the Console Telnet Setup page Connecting the Serial Cable Connect a DB 9 to RJ 45 serial cable to the COM port on a computer and to the RJ 45 serial port on the ac...

Page 33: ...int If the access point has not been configured before the Express Setup page appears as the home page If the access point is already configured the Summary Status page appears as the home page Changing Settings with the CLI The CLI pages use consistent techniques to present and save configuration information Table 2 2 lists the functions that appear on most CLI pages Table 2 2 Common Functions on...

Page 34: ...n page 9 20 for information on the CLI diagnostic commands Figure 2 4 shows a CLI page example Figure 2 4 CLI Page Example bottom Jumps to the bottom of a long page such as Event Log When you are at the bottom of a page this function becomes top down Moves down one page length 24 lines on a long page such as Event Log When you are at the bottom of a long page this function becomes up Table 2 2 Com...

Page 35: ...re is on by default so changes you make to any page are applied automatically when you move to another management page To apply changes and stay on the current page type apply and press Enter Using a Telnet Session Follow these steps to browse to the CLI pages with Telnet Step 1 On your computer s Start menu select Programs Accessories Telnet If Telnet is not listed in your Accessories menu select...

Page 36: ...xpress Setup page in the access point management system Step 3 Enter an SNMP community name in the SNMP Admin Community field and click OK or Apply Step 4 Follow this link path to reach the SNMP Setup page a On the Summary Status page click Setup b On the Setup page click SNMP in the Services section of the page Use the SNMP Setup page to enter detailed SNMP settings such as the SNMP trap destinat...

Page 37: ...ciscoCdpMIB 1 3 6 1 4 1 9 23 To download this MIB browse to http www cisco com public sw center netmgmt cmtk mibs shtml and click SNMP v1 MIBs Scroll down the list of files and select CISCO CDP MIB V1SMI my Cisco Aironet Access Point MIB AWCVX MIB my Supported branch awcVx 1 3 6 1 4 1 522 3 You can download the latest release of the access point MIB at the following URL http www cisco com public s...

Page 38: ...Chapter 2 Using the Management Interfaces Using SNMP 2 12 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 ...

Page 39: ...e provides links to all the pages containing access point settings This chapter contains the following sections Basic Settings page 3 2 Filter Setup page 3 9 Radio Configuration page 3 19 Ethernet Configuration page 3 41 Server Setup page 3 48 Routing Setup page 3 61 Association Table Display Setup page 3 64 Event Notification Setup page 3 71 Note See Chapter 4 Security Setup for information on se...

Page 40: ...ss point quickly with a simple configuration or change or update a basic setting you can enter all the access point s essential settings for basic operation on the Express Setup page The page contains radio settings for both the 2 4 GHz internal radio and the 5 GHz external radio module You can configure the radios separately using different settings on each radio Figure 3 1 shows the Express Setu...

Page 41: ...dio Service Set ID SSID Role in Radio Network Radio Network Optimization Optimize Radio Network For Radio Network Compatibility Ensure Compatibility With SNMP Admin Community System Name The system name appears in the titles of the management system pages and in the access point s Association Table page The system name is not an essential setting but it helps identify the access point on your netw...

Page 42: ...or predetermined periods of time Default IP Address Use this setting to assign or change the access point s IP address If DHCP or BOOTP is not enabled for your network the IP address you enter in this field is the access point s IP address If DHCP or BOOTP is enabled this field provides the IP address only if no server responds with an IP address for the access point Default IP Subnet Mask Enter a...

Page 43: ... twice on the page once for the internal radio and once for the external radio module You can use the same setting or different settings for each radio Role in Radio Network Use this pull down menu to select the role of the access point on your network This setting appears twice on the page once for the internal radio and once for the external radio module You can use the same setting or different...

Page 44: ...3 Configuration Basic Settings 3 6 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 Figure 3 2 Root Unit Access Points Access Point Root Unit Access Point Root Unit 65999 Wired LAN ...

Page 45: ... data between a client and another access point or repeater One or both access point radios can be set up as repeaters Figure 3 3 shows an access point operating as a repeater in a network Note Non Cisco client devices might have difficulty communicating with repeater access points Figure 3 3 Repeater Access Point Access Point Root Unit Access Point Repeater 66000 Wired LAN ...

Page 46: ...the access point but might reduce the access point s range Range Maximizes the access point s range but might reduce throughput Custom The access point uses the settings you enter on the AP Radio Hardware page Click Custom to go to the AP Radio Hardware page Radio Network Compatibility Ensure Compatibility With You use this setting to automatically configure the access point to be compatible with ...

Page 47: ...llowing sections Protocol Filtering page 3 9 MAC Address Filtering page 3 14 Protocol Filtering Protocol filters prevent or allow the use of specific protocols through the access point You can set up individual protocol filters or sets of filters You can filter protocols for wireless client devices users on the wired LAN or both For example an SNMP filter on the access point s radio port prevents ...

Page 48: ...AP Radio row under Network Ports The left side of the Protocol Filters page contains links to the Ethertype Filters the IP Protocol Filters and the IP Port Filters pages These links also appear on the main Setup page under Associations Use the Protocol Filters pages to assign protocols to a filter set Table B 1 Table B 2 and Table B 3 in Appendix B list the protocols available on each page Creatin...

Page 49: ...p 4 Enter an identification number in the Set ID entry field if you want to assign a specific SNMP identifier to the filter set If you don t enter an ID an SNMP identifier will be assigned to the set automatically starting with 1 for the first filter set and incrementing by one for each additional set Step 5 Click Add New The Filter Set page appears Figure 3 6 shows the Filter Set page Figure 3 6 ...

Page 50: ...ve settings default to 3 seconds for multicast packets and 5 seconds for unicast packets Step 8 Type the name or the ISO numeric designator for the protocol you want to add in the Special Cases entry field and click Add New For example to add Telnet to an IP port filter set type telnet or 23 The Protocol Filter Set page appears Figure 3 7 shows the Protocol Filter Set page Figure 3 7 Protocol Filt...

Page 51: ...e with the priority you select for the protocol For example if you select interactiveVoice as the priority and enter high time to live values voice packets will stay in the access point buffer longer than necessary causing delivery of stale useless packets Step 12 Select Alert yes to send an alert to the event log when a user transmits or receives the protocol through the access point Step 13 Clic...

Page 52: ...ort pull down menu Step 4 Click OK The filter set is enabled MAC Address Filtering MAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific MAC addresses You can create a filter that passes traffic to all MAC addresses except those you specify or you can create a filter that blocks traffic to all MAC addresses except those you ...

Page 53: ...p 2 On the Setup page click Address Filters under Associations Creating a MAC Address Filter Follow these steps to create a MAC address filter Step 1 Follow the link path to the Address Filters page Step 2 Type a destination MAC address in the New MAC Address Filter Dest MAC Address field You can type the address with colons separating the character pairs 00 40 96 12 34 56 for example or without a...

Page 54: ... it and click Remove Tip You can create a list of allowed MAC addresses on an authentication server on your network Consult the Setting Up MAC Based Authentication section on page 4 29 for instructions on using MAC based authentication If you intend to list allowed MAC addresses on an authentication server select yes for the Look up MAC Address on Authentication Server if not in Existing Filter Li...

Page 55: ...lter The access point discards all unicast traffic except packets sent to the MAC addresses listed as allowed on the Address Filters page Select Allowed from the pull down menu for Default Unicast Address Filter if you want to allow traffic to all MAC addresses except those listed as disallowed on the Address Filters page Unicast packets are addressed to just one device on the network Multicast pa...

Page 56: ...Note The Ethernet Advanced page contains the Default Unicast and Multicast Address Filter settings for the Ethernet port These settings work as described above but you should use extra caution changing the settings on the Ethernet Advanced page because they can lock you out of your access point To reach the Ethernet Advanced page click Advanced in the Ethernet row of the Network Ports section at t...

Page 57: ...ccess point internal and module radio ports See the Entering Radio Hardware Information section on page 3 22 for instructions on using the AP Radio Hardware pages AP Radio Advanced pages Contain settings for the operational status of the access point s internal and module radio ports You can also use these pages to make temporary changes in port status to help with troubleshooting network problems...

Page 58: ...is link path to reach the AP Radio Identification page 1 On the Summary Status page click Setup 2 On the Setup page click Identification in on eof the AP Radio rows under Network Ports Settings on the AP Radio Identification Page The AP Radio Identification pages contain the following settings Primary Port Settings Default IP Address Default IP Subnet Mask Service Set ID SSID LEAP User Name LEAP P...

Page 59: ...t the primary port settings MAC and IP addresses for the radio port Select no to use different MAC and IP addresses for the radio port Access points acting as root units adopt the primary port settings for the radio port When you put an access point in standby mode however you select no for this setting Some advanced wireless bridge configurations also require different identity settings for the r...

Page 60: ...tup page LEAP User Name Use this field if the radio is set up as a repeater and authenticates to the network using LEAP When the radio authenticates using LEAP the access point sends this user name to the authentication server Follow the steps in the Setting up a Repeater Access Point as a LEAP Client section on page 4 27 to set up the radio as a LEAP client LEAP Password Use this field if the rad...

Page 61: ...odule Follow this link path to reach the AP Radio Hardware pages 1 On the Summary Status page click Setup 2 On the Setup page click Hardware in one of the AP Radio rows under Network Ports Settings on the AP Radio Hardware Page The AP Radio Hardware page contains the following settings Service Set ID SSID Allow Broadcast SSID to Associate Enable World Mode Data Rates Transmit Power ...

Page 62: ...etween multiple wireless networks in the same vicinity The SSID can be any alphanumeric entry up to 32 characters long You can also enter this setting on the Express Setup and AP Radio Identification pages Allow Broadcast SSID to Associate You use this setting to choose whether devices that do not specify an SSID devices that are broadcasting in search of an access point to associate with are allo...

Page 63: ... lists three options Basic Allows transmission at this rate for all packets both unicast and multicast At least one of the access point s data rates must be set to Basic Yes The access point transmits only unicast packets at this rate multicast packets are sent at one of the data rates set to Basic No The access point does not transmit data at this rate You can use the Data Rate settings to set up...

Page 64: ... 0 data rates are set to yes on the radio module 6 0 12 0 and 24 0 are set to basic and 9 0 18 0 36 0 48 0 and 54 0 are set to yes Transmit Power This setting determines the power level of radio transmission The default power setting is the highest transmit power allowed in your regulatory domain Note Government regulations define the highest allowable power level for radio devices This setting mu...

Page 65: ...ccess point and not each other Enter a setting ranging from 0 to 2339 bytes Max RTS Retries The maximum number of times the access point issues an RTS before stopping the attempt to send the packet through the radio Enter a value from 1 to 128 Max Data Retries The maximum number of attempts the access point makes to send a packet before giving up and dropping the packet Beacon Period The amount of...

Page 66: ...an set up multiple access points in the same vicinity without causing interference The radio module operates on eight channels from 5180 to 5320 MHz Each channel on the radio module covers 20 MHz and the bandwidth for the channels overlaps slightly For best performance use channels that are not adjacent 44 and 46 for example for radios that are close to each other Note Too many access points in th...

Page 67: ... access point s regulatory domain Click the Search check boxes beside the channels to include channels in the scan for less congested channels All the channels are included in the scan by default Receive Antenna and Transmit Antenna Pull down menus for the receive and transmit antennas offer three options Diversity This default setting tells the access point to use the antenna that receives the be...

Page 68: ...eft connector you should use this setting for both receive and transmit When you look at the access point s back panel the left antenna is on the left Note The access point receives and transmits using one antenna at a time so you cannot increase range by installing high gain antennas on both connectors and pointing one north and one south When the access point used the north pointing antenna it w...

Page 69: ...n special configuration settings for the access point radios The internal radio and the radio module both have an AP Radio Advanced page Both pages contain the same settings but the Advanced page for the external radio module does not contain the Radio Modulation and Radio Preamble settings Figure 3 15 shows the AP Radio Advanced page for the internal radio Figure 3 15 AP Radio Advanced Page for I...

Page 70: ...anced pages contain the following settings Requested Status Packet Forwarding Default Multicast Address Filters Maximum Multicast Packets Second Radio Cell Role Maximum Number of Associations Use Aironet Extensions Classify Workgroup Bridges as Network Infrastructure Require Use of Radio Firmware x xx Ethernet Encapsulation Transform Enhanced MIC verification for WEP Temporal Key Integrity Protoco...

Page 71: ...rwarding Four other states are possible Unknown The state cannot be determined Disabled Forwarding capabilities are disabled Blocking The port is blocking transmission This is the state when no stations are associated Broken This state reports radio failure Default Multicast Address Filters MAC address filters allow or disallow the forwarding of multicast packets sent to specific MAC addresses You...

Page 72: ...s setting determines how the radio interacts with other wireless devices The menu contains the following options Root A wireless LAN transceiver that connects an Ethernet network with wireless client stations or with another Ethernet network Use this setting if the access point is connected to the wired LAN Repeater Non Root A wireless LAN transceiver that transfers data between a client and anoth...

Page 73: ...nt is set up as a repeater or if it communicates with a repeater The extensions also improve the access point s ability to understand the capabilities of Cisco Aironet client devices associated with the access point Classify Workgroup Bridges as Network Infrastructure Select no to allow more than 20 Cisco Aironet Workgroup Bridges to associate to the access point The default setting yes limits the...

Page 74: ...group Bridge Software Configuration Guide for a description of workgroup bridges Require Use of Radio Firmware x xx This setting affects the firmware upgrade process when you load new firmware for the access point Select yes to force the radio firmware to be upgraded to a firmware version compatible with the current version of the management system Select no to exempt the current radio firmware fr...

Page 75: ...n the AP Radio Advanced page is set to yes and WEP is enabled and set to full encryption Note When you enable MIC only MIC capable client devices can communicate with the access point Temporal Key Integrity Protocol This setting enables the temporal key integrity protocol TKIP also known as WEP key hashing which defends against an attack on WEP in which the intruder uses the unencrypted initializa...

Page 76: ... a new broadcast WEP key to all associated client devices every 15 minutes To disable broadcast WEP key rotation enter 0 Note When you enable broadcast key rotation only wireless client devices using LEAP or EAP TLS authentication can use the access point Client devices using static WEP with open shared key or EAP MD5 authentication cannot use the access point when you enable broadcast key rotatio...

Page 77: ...cess point discards all traffic except packets sent to the MAC addresses listed as allowed on the Address Filters page or on your authentication server Select Disallowed for each authentication type that also uses MAC based authentication Note If you plan to discard traffic to all MAC addresses except those you specify the Disallowed setting be sure to enter your own MAC address as allowed on the ...

Page 78: ...ndard published by the Institute of Electrical and Electronics Engineers IEEE Standards Association MOK This modulation was used before the IEEE finished the high speed 802 11 standard and may still be in use in older wireless networks Note This setting does not appear on the AP Radio Advanced page for the radio module Radio Preamble The radio preamble is a section of data at the head of a packet ...

Page 79: ...et port Ethernet Hardware Contains the setting for the access point s Ethernet port connection speed Ethernet Advanced Contains settings for the operational status of the access point s Ethernet port You can also use this page to make temporary changes in port status to help with troubleshooting network problems Ethernet Port Lists key information on the access point s Ethernet port Entering Ident...

Page 80: ... port adopts or assumes the identity of the primary port Primary Port The primary port determines the access point s MAC and IP addresses Ordinarily the access point s primary port is the Ethernet port so this setting is usually set to yes Select yes to set the Ethernet port as the primary port Select no to set the radio port as the primary port Adopt Primary Port Identity Select yes to adopt the ...

Page 81: ...nter an IP subnet mask to identify the subnetwork so the IP address can be recognized on the LAN If DHCP or BOOTP is not enabled this field is the subnet mask If DHCP or BOOTP is enabled this field provides the subnet mask only if no server responds to the access point s request The current IP subnet mask displayed under the setting shows the IP subnet mask currently assigned to the access point T...

Page 82: ...connection speed and duplex setting used by the port The option you select must match the actual connector type speed and duplex settings used to link the port with the wired network The default setting Auto is best for most networks because the best connection speed and duplex setting are automatically negotiated between the wired LAN and the access point If you use a setting other than Auto make...

Page 83: ...nt 10 Base T Half Duplex Ethernet network connector for 10 Mbps transmission speed over twisted pair wire and operating in half duplex mode 10 Base T Full Duplex Ethernet network connector for 10 Mbps transmission speed over twisted pair wire and operating in full duplex mode 100 Base T Half Duplex Ethernet network connector for 100 Mbps transmission speed over twisted pair wire and operating in h...

Page 84: ...this link path to reach the Ethernet Advanced page 1 On the Summary Status page click Setup 2 On the Setup page click Advanced in the Ethernet row under Network Ports Settings on the Ethernet Advanced Page The Ethernet Advanced page contains the following settings Requested Status Packet Forwarding Default Unicast and Multicast Address Filters Maximum Multicast Packets Second Requested Status This...

Page 85: ... Broken This state reports an Ethernet port failure Default Unicast and Multicast Address Filters MAC address filters allow or disallow the forwarding of unicast and multicast packets sent to specific MAC addresses You can create a filter that passes traffic to all MAC addresses except those you specify or you can create a filter that blocks traffic to all MAC addresses except those you specify Re...

Page 86: ...Packets Second Use this setting to control the number of multicast packets that can pass through the Ethernet port each second If you enter 0 the access point passes an unlimited number of multicast packets If you enter a number other than 0 the device passes only that number of multicast packets per second Server Setup This section describes how to configure the server to support access point fea...

Page 87: ...ows the Time Server Setup page Figure 3 19 Time Server Setup Page Follow this link path to reach the Time Server Setup page 1 On the Summary Status page click Setup 2 On the Setup page click Time Server under Services Settings on the Time Server Setup Page The Time Server Setup page contains the following settings Simple Network Time Protocol Default Time Server GMT Offset hr Use Daylight Savings ...

Page 88: ...CP or BOOTP server can override the default time server GMT Offset hr The GMT Offset pull down menu lists the world s time zones relative to Greenwich Mean Time GMT Select the time zone in which the access point operates Use Daylight Savings Time Select yes or no to have the access point automatically adjust to Daylight Savings Time Manually Set Date and Time Enter the current date and time in the...

Page 89: ...servers for automatic assignment of IP addresses Figure 3 20 shows the Boot Server Setup page Figure 3 20 Boot Server Setup Page Follow this link path to reach the Boot Server Setup page 1 On the Summary Status page click Setup 2 On the Setup page click Boot Server under Services Settings on the Boot Server Setup Page The Boot Server Setup page contains the following settings Configuration Server ...

Page 90: ...Boot Protocol in which IP addresses are hard coded based on MAC addresses DHCP With Dynamic Host Configuration Protocol IP addresses are leased for a period of time You can set the lease duration with the settings on this page Use Previous Configuration Server Settings Select yes to have the access point save the boot server s most recent response The access point uses the most recent settings if ...

Page 91: ...ll zeroes appear it means that no file server is set up to provide an ini file BOOTP Server Timeout sec This setting specifies the length of time the access point waits to receive a response from a single BOOTP server Enter the number of seconds the access point should wait This setting applies only when you select BOOTP from the Configuration Server Protocol pull down menu DHCP Multiple Offer Tim...

Page 92: ...field the setting under DHCP Client Identifier Type on the Boot Server Setup page select Other Non Hardware Table 3 1 lists the options in the DHCP Client Identifier Type pull down menu Table 3 1 Options in the DHCP Client Identifier Type Menu Option Definition Ethernet 10Mb This is the default setting Use this setting if you do not need your DHCP server to send responses based on the class identi...

Page 93: ...ecimal characters include the numbers 0 through 9 and the letters A through F DHCP Class Identifier Your DHCP server can be set up to send responses according to the group to which a device belongs Use this field to enter the access point s group name The DHCP server uses the group name to determine the response to send to the access point The access point s DHCP class identifier is a vendor class...

Page 94: ...nly through the console and Telnet interfaces HTTP Port This setting determines the port through which your access point provides web access Your System Administrator should be able to recommend a port setting Default Help Root URL This entry tells the access point where to look for the Help files The Help button on each management system page opens a new browser window displaying help for that pa...

Page 95: ...eless LAN If you use this location enter the full directory URL Your entry might look like this file drive letter folder or subdirectory wireless help Extra Web Page File If you need to create an alternative to the access point s management system you can create HTML pages and load them into the access point You use this entry field to specify the filename for your HTML page stored on the file ser...

Page 96: ...etwork s Domain Name System DNS server Figure 3 22 shows the Name Server Setup page Figure 3 22 The Name Server Setup Page Follow this link path to reach the Name Server Setup page On the Summary Status page click Setup On the Setup page click Name Server under Services Settings on the Name Server Setup Page The Name Server Setup page contains the following settings Domain Name System Default Doma...

Page 97: ...Boot Server Setup page you have DHCP or BOOTP set as the Configuration Server Protocol but you selected No for the setting Use previous Configuration Server settings when no server responds Domain Name Servers Enter the IP addresses of up to three domain name servers on your network The Current lines to the right of the entry fields list the servers the access point is currently using which may be...

Page 98: ...non browser file transfers are governed by the settings on this page Figure 3 23 shows the FTP Setup page Figure 3 23 The FTP Setup Page Follow this link path to reach the FTP Setup page On the Summary Status page click Setup On the Setup page click FTP under Services Settings on the FTP Setup Page The FTP Setup page contains the following settings File Transfer Protocol Default File Server FTP Di...

Page 99: ...er directory that contains the firmware image files FTP User Name Enter the username assigned to your FTP server You don t need to enter a name in this field if you select TFTP as the file transfer protocol FTP User Password Enter the password associated with the file server s username You don t need to enter a password in this field if you select TFTP as the file transfer protocol Routing Setup Y...

Page 100: ...ng Setup page 1 On the Summary Status page click Setup 2 On the Setup page click Routing under Services Entering Routing Settings The Routing Setup page contains the following settings Default Gateway New Network Route Settings Installed Network Routes list Default Gateway Enter the IP address of your network s default gateway in this entry field The entry 255 255 255 255 indicates no gateway ...

Page 101: ...lick Add To remove a route from the list highlight the route and click Remove The three entry fields include Dest Network Enter the IP address of the destination network Gateway Enter the IP address of the gateway used to reach the destination network Subnet Mask Enter the subnet mask associated with the destination network Installed Network Routes list The list of installed routes provides the de...

Page 102: ...ociation Table Filters Page Follow this link path to reach the Association Table Filters page 1 On the Summary Status page click Setup 2 On the Setup page click Display Defaults under Associations You can also reach the Association Table Filters page through the additional display filters link on the Association Table page When you reach the page through the additional display filters link four bu...

Page 103: ...Association Table Filters page contains the following settings Stations to Show Fields to Show Packets To From Station Bytes To From Station Primary Sort Secondary Sort Stations to Show Select the station types that you want to be displayed in the Association Table If you select all station types all stations of these types appear in the access point s Association Table Fields to Show The fields y...

Page 104: ...work Packets To From Station Use these settings to display packet volume information in the Association Table Select Total to display the total number of packets to and from each station on the network Select Alert to display the number of alert packets to and from each station on the network for which you have activated alert monitoring Select the Alert checkbox on a device s Station page to acti...

Page 105: ...03 Chapter 3 Configuration Association Table Display Setup Primary Sort This setting determines the information that appears in the first column in the Association Table Secondary Sort This setting determines the information that appears in the second column in the Association Table ...

Page 106: ...tal number of devices the access point can list in the Association Table and the amount of time the access point continues to track each device class when a device is inactive Figure 3 26 shows the Association Table Advanced page Figure 3 26 Association Table Advanced Page Follow this link path to reach the Association Table Advanced page 1 On the Summary Status page click Setup 2 On the Setup pag...

Page 107: ...pears on the Event Handling Setup page You can choose from four Severity Levels Fatal Severity Level System Protocol Port Fatal level events indicate an event that prevents operation of the port or device For operation to resume the port or device usually must be reset Fatal level events appear in red in the Event Log Alert Severity Level System Protocol Port External Alert level messages indicate...

Page 108: ...s point memory When you disable extended statistics you conserve memory and the access point can include more devices in the Association Table Block ALL Inter Client Communications PSPF Publicly Secure Packet Forwarding PSPF prevents client devices associated to an access point from inadvertently sharing files with other client devices on the wireless network It provides Internet access to client ...

Page 109: ...alerts warnings and normal activity Event Display Setup Page You use the Event Display Setup page to determine how time should be displayed on the Event Log In addition you can determine what severity level is significant enough to display an event Figure 3 27 shows the Event Display Setup page Figure 3 27 The Event Display Setup Page Follow this link path to reach the Event Display Setup page 1 O...

Page 110: ...ct wall clock time the events are displayed in a YY MM DD HH MM SS format If time has not been set on the access point either manually or by a time server the time display appears as uptime regardless of this selection How should Event Elapsed non wall clock Time be displayed Choose to display event time since the last boot up of the access point or the time that has elapsed since the event occurr...

Page 111: ...ion to resume the port or device usually must be reset System refers to the access point as a whole Protocol refers to a specific communications protocol in use such as HTTP or IP Port refers to the access point s Ethernet or radio network interface System alert Protocol alert Port alert External alert The Alert settings indicate events of which an administrator specifically requested to be inform...

Page 112: ...tings indicate that a failure has occurred System refers to the access point as a whole Protocol refers to a specific communications protocol in use such as HTTP or IP Port refers to the access point s Ethernet or radio network interface External refers to a device on the network other than the access point System information Protocol information Port information External information The Informati...

Page 113: ...on Guide OL 2159 03 Chapter 3 Configuration Event Notification Setup displaying them on the console or notify someone of the occurrence after displaying and recording the event Figure 3 28 shows the Event Handling Setup page Figure 3 28 The Event Handling Setup Page ...

Page 114: ...uffer Disposition of Events The event settings control how events are handled by the access point counted displayed in the log recorded or announced in a notification The settings are color coded red for fatal errors magenta for alerts blue for warnings and green for information You select an option from each setting s pull down menu Each option includes and builds upon the previous option Count T...

Page 115: ...ions on your network After you reserve space for the trace buffer browse to a device s Station page and select the Alert checkboxes in the To Station and From Station columns See the Browsing to Network Devices section on page 5 2 for instructions on opening a device s Station page Download Detailed Event Trace Buffer Use these links to view Headers Only or All Data in the detailed trace buffer Th...

Page 116: ...NMP server or a Syslog system Note For event notifications to be sent to an external destination the events must be set to Notify on the Event Handling Setup page See the Event Handling Setup Page section on page 3 74 for a description of the settings on the Event Handling Setup page Figure 3 29 shows the Event Notifications Setup page Figure 3 29 Event Notifications Setup Page Follow this link pa...

Page 117: ...r Should Notify Disposition Events generate SNMP Traps Select yes to send event notifications to an SNMP server Note For notifications to be sent to an SNMP server SNMP must be enabled on the SNMP Setup page and you must set an SNMP trap destination and an SNMP trap community SNMP Trap Destination Type the IP address or the host name of the server running the SNMP Management software This setting ...

Page 118: ...ning Syslog The Network Default Syslog Destination line under the syslog destination address field lists the syslog destination address provided by the DHCP or BOOTP server This default syslog destination is only used if the syslog destination address field is blank Syslog Facility Number Type the Syslog Facility number for the notifications The default setting is 16 which corresponds to the Local...

Page 119: ...following sections Security Overview page 4 2 Setting Up WEP page 4 9 Enabling Additional WEP Security Features page 4 14 Setting Up Open or Shared Key Authentication page 4 19 Setting Up EAP Authentication page 4 20 Setting Up MAC Based Authentication page 4 29 Summary of Settings for Authentication Types page 4 37 Setting Up Backup Authentication Servers page 4 40 Setting Up Administrator Author...

Page 120: ...or any wireless network and you should enable all the security features available on your network Figure 4 1 shows possible levels of security on Cisco Aironet wireless networking equipment from no security on the left to highest security on the right The highest level of security EAP authentication interacts with a Remote Authentication Dial In User Service RADIUS server on your network to provid...

Page 121: ...cryption on your wireless network WEP encryption scrambles the communication between the access point and client devices to keep the communication private Both the access point and client devices use the same WEP key to encrypt and unencrypt radio signals WEP keys encrypt both unicast and multicast messages Unicast messages are addressed to just one device on the network Multicast messages are add...

Page 122: ...ct Broadcast key rotation is an excellent alternative to TKIP if your wireless LAN supports wireless client devices that are not Cisco devices or that cannot be upgraded to the latest firmware for Cisco client devices See the Enabling Broadcast WEP Key Rotation section on page 4 18 for instructions on enabling broadcast key rotation Network Authentication Types Before a wireless client device can ...

Page 123: ...ion of the user supplied password to generate a response to the challenge and sends that response to the RADIUS server Using information from its user database the RADIUS server creates its own response and compares that to the response from the client When the RADIUS server authenticates the client the process repeats in reverse and the client authenticates the RADIUS server Access point or bridg...

Page 124: ...s from the wireless client device to the RADIUS server and from the RADIUS server to the wireless client device See the Setting Up EAP Authentication section on page 4 20 for instructions on setting up EAP on the access point Note If you use EAP authentication you can select open or shared key authentication but you don t have to EAP authentication controls authentication both to your access point...

Page 125: ...r network Figure 4 4 shows the authentication sequence between a device trying to authenticate and an access point using open authentication In this example the device s WEP key does not match the access point s key so it can authenticate but not pass data Figure 4 4 Sequence for Open Authentication Shared key Cisco provides shared key authentication to comply with the IEEE 802 11b standard Howeve...

Page 126: ...r on your network Figure 4 5 shows the authentication sequence between a device trying to authenticate and an access point using shared key authentication In this example the device s WEP key matches the access point s key so it can authenticate and communicate Figure 4 5 Sequence for Shared Key Authentication Combining MAC Based EAP and Open Authentication You can set up the access point to authe...

Page 127: ...ized to view and adjust the access point settings unauthorized users are locked out See the Setting Up Administrator Authorization section on page 4 41 for instructions on using the user manager Setting Up WEP Use the AP Radio Data Encryption pages to set up WEP You also use the AP Radio Data Encryption pages to select authentication types for the access point The internal radio and the radio modu...

Page 128: ...Encryption page 1 On the Summary Status page click Setup 2 On the Setup page click Security 3 On the Security Setup page click Radio Data Encryption WEP for the internal radio or the radio module Follow these steps to set up WEP keys and enable WEP Step 1 Follow the link path to the AP Radio Data Encryption page Step 2 Before you can enable WEP you must enter a WEP key in at least one of the Encry...

Page 129: ...ou must select key 1 as the transmit key The access point uses the WEP key you enter in key slot 1 to encrypt multicast data signals it sends to EAP enabled client devices If you enable broadcast key rotation however you can select key 1 or key 2 as the transmit key or you can enable WEP without entering any keys Step 3 Use the Key Size pull down menu to select 40 bit or 128 bit encryption for eac...

Page 130: ...ient device associated to the access point must use the same key in its slot 1 and the key in the client s slot 1 must be selected as the transmit key The characters you type for the key contents appear only when you type them After you click Apply or OK you cannot view the key contents Select Not set from the Key Size pull down menu to clear a key Step 5 Select Optional or Full Encryption from th...

Page 131: ...tion Guide for instructions on configuring Cisco Aironet client devices Full Encryption Client devices must use WEP when communicating with the access point Devices not using WEP are not allowed to communicate Note You must select Full Encryption to enable Message Integrity Check MIC See the Enabling Message Integrity Check MIC section on page 4 14 for instructions on setting up MIC Step 6 Click O...

Page 132: ...grity Protocol TKIP Enabling Broadcast WEP Key Rotation Enabling Message Integrity Check MIC MIC prevents attacks on encrypted packets called bit flip attacks During a bit flip attack an intruder intercepts an encrypted message alters it slightly and retransmits it and the receiver accepts the retransmitted message as legitimate The MIC implemented on both the access point and all associated clien...

Page 133: ...anced page must be set to yes the default setting Note Enabling MIC on the internal radio module might reduce throughput for that radio by as much as 30 Use the AP Radio Advanced page to enable MIC Both the internal radio and the radio module have an AP Radio Advanced page Both pages contain the same settings Figure 4 7 shows the AP Radio Advanced page for the internal radio Figure 4 7 AP Radio Ad...

Page 134: ...if the MIC enabled access point uses the key in slot 1 as the transmit key a client device associated to the access point must use the same key in its slot 1 and the key in the client s slot 1 must be selected as the transmit key Step 2 Browse to the AP Radio Advanced page for the internal radio or the radio module Step 3 Select MMH from the Enhanced MIC verification for WEP pull down menu Step 4 ...

Page 135: ...g prevents intruders from calculating the static broadcast key so you do not need to rotate the broadcast key Follow these steps to enable TKIP Step 1 Follow the steps in the Setting Up WEP section on page 4 9 to set up and enable WEP Select either optional or full encryption for the WEP level Step 2 Follow this link path to browse to the AP Radio Advanced page a On the Summary Status page click S...

Page 136: ...n cannot use the access point when you enable broadcast key rotation Note If you enable Broadcast Key Rotation on one of the radios in a dual radio access point Broadcast Key Rotation is automatically enabled on the other radio Tip You might not need to enable broadcast key rotation if you enable TKIP You can use both key rotation and key hashing but these features provide similar protection Follo...

Page 137: ...ule both have an AP Radio Data Encryption page Both pages contain the same settings Figure 4 6 shows the AP Radio Data Encryption page for the internal radio Follow these steps to select Open or Shared Key authentication Step 1 Follow the instructions in the Setting Up WEP section on page 4 9 to set up and enable WEP You must enable WEP to use shared key authentication but you do not have to enabl...

Page 138: ...authentication messages between the RADIUS server on your network and the authenticating client device This section provides instructions for Enabling EAP on the Access Point Enabling EAP in Cisco Secure ACS Setting up a Repeater Access Point as a LEAP Client Enabling EAP on the Access Point You use the Authenticator Configuration page and the AP Radio Data Encryption pages to set up and enable EA...

Page 139: ...up page click Authentication Server Follow these steps to enable EAP on the access point Step 1 Follow the link path to the Authenticator Configuration page You can configure up to four servers for authentication services so you can set up backup authenticators If you set up more than one server for the same service the server first in the list is the primary server for that service and the others...

Page 140: ...ct this option if LEAP enabled client devices that associate with this access point use radio firmware versions 4 13 4 16 or 4 23 Draft 10 Select this option if client devices that associate with this access point use Microsoft Windows XP authentication or if LEAP enabled client devices that associate with this access point use radio firmware version 4 25 or later Note Functionality in Draft 10 is...

Page 141: ...point should wait before authentication fails If the server does not respond within this time the access point tries to contact the next authentication server in the list if one is specified Other backup servers are used in list order when the previous server times out Step 7 Select EAP Authentication under the server The EAP Authentication checkbox designates the server as an authenticator for an...

Page 142: ...t packets sent between the access point and the client device will not be encrypted To maintain secure communications use WEP at all times Step 12 Enter a WEP key in slot 1 of the Encryption Key fields The access point uses this key for multicast data signals signals sent from the access point to several client devices at once This key does not need to be set on client devices Step 13 Select 128 b...

Page 143: ...ecure ACS operates with Windows NT 4 0 Server and Windows 2000 Server Note You must use ACS version 2 6 or later to set up the access point in ACS Follow these steps to include the access point as a Network Access Server NAS in Cisco Secure ACS Step 1 On the ACS main menu click Network Configuration Step 2 Click Add New Access Server Step 3 In the Network Access Server Hostname entry field type th...

Page 144: ... issues a new dynamic WEP key for authenticated client devices Note If you enable TKIP on the access point you do not need to set up a session based WEP key timeout You can use both TKIP and a session key timeout but these features provide redundant protection You should consider several factors when determining the best session key timeout value for your wireless network Consult Product Bulletin ...

Page 145: ...ess client devices After you provide a network username and password for the repeater radio it authenticates to your network using LEAP Cisco s wireless authentication method and receives and uses dynamic WEP keys See the Setting Up a Repeater Access Point section on page 8 1 for instructions on setting up a repeater access point Follow these steps to enable LEAP authentication on a repeater radio...

Page 146: ...in the LEAP Password entry field Step 5 Click OK Step 6 Follow the steps in the Enabling EAP on the Access Point section on page 4 20 to enable Network EAP on the repeater access point The next time the repeater reboots it performs LEAP authentication and associates to the root access point Note If the repeater access point fails to authenticate because the root access point or the RADIUS server i...

Page 147: ...t management system or on a server used for MAC based authentication and you can enable MAC based authentication on one or both of the access point radios This section provides instructions for Enabling MAC Based Authentication on the Access Point Authenticating Client Devices Using MAC Addresses or EAP Enabling MAC Based Authentication in Cisco Secure ACS Enabling MAC Based Authentication on the ...

Page 148: ...ype a MAC address in the Dest MAC Address field You can type the address with colons separating the character pairs 00 40 96 12 34 56 for example or without any intervening characters 004096123456 for example Make sure the Allowed option is selected under the Dest MAC Address field Step 3 Click Add The MAC address appears in the Existing MAC Address Filters list The MAC address remains in the mana...

Page 149: ...icate Step 5 Click Apply to save the list of MAC addresses in the access point management system Step 6 Click the Authentication Server link to go to the Authenticator Configuration page Figure 4 11 shows the Authenticator Configuration page Figure 4 11 Authenticator Configuration Page You can configure up to four servers for authentication services so you can set up backup authenticators If you s...

Page 150: ...n server if one is specified Step 11 Select MAC Address Authentication under the server If you set up a backup authentication server select MAC Address Authentication under the backup server also Step 12 Click OK You return automatically to the Setup page Step 13 Create a list of allowed MAC addresses for your authentication server Enter the MAC addresses of all allowed clients as users in the ser...

Page 151: ...t Address Filter for each authentication type requiring MAC based authentication For example if the radio is configured for both open and Network EAP authentication you could set Default Unicast Address Filter under Open to Disallowed but leave Default Unicast Address Filter under Network EAP set to Allowed This configuration forces client devices using open authentication to authenticate using MA...

Page 152: ... up one or both access point radios to authenticate client devices using a combination of MAC based and EAP authentication When you enable this feature client devices that associate to the access point using open authentication first attempt MAC authentication If MAC authentication succeeds the client device joins the network if the client is also using EAP authentication it attempts to authentica...

Page 153: ...f the client is also using EAP authentication it attempts to authenticate using EAP c If MAC authentication fails for the client the access point allows the client to attempt to authenticate using EAP authentication The client cannot join the network until EAP authentication succeeds Enabling MAC Based Authentication in Cisco Secure ACS Cisco Secure Access Control Server for Windows NT 2000 Server...

Page 154: ...tep 4 Enter the MAC address in the CHAP MS CHAP ARAP Password and Confirm Password entry fields Step 5 Select the Separate CHAP MS CHAP ARAP checkbox Step 6 Click Submit Repeat these steps for each MAC address you want to add to the list of allowed MAC addresses MAC addresses that you enter in the authentication server s list appear in the access point s address filter list when the client device ...

Page 155: ...3 Select an 802 1x protocol draft that matches the protocol draft used by client devices that associate with the access point Enter the name or IP address type port shared secret and timeout value for your RADIUS server Select the EAP checkbox under the server On the AP Radio Data Encryption page for the internal radio or the radio module shown in Figure 4 6 Select the Network EAP checkbox Enter a...

Page 156: ...Note Selecting Require EAP blocks non EAP client devices from using the access point Enter a WEP key in key slot 1 and select 128 bit from the key size pull down menu EAP TLS EAP MD5 and static WEP under 802 11 Open The access point does not support this combination of authentication types When you select Require EAP on the Authenticator Configuration page to authenticate clients using EAP TLS and...

Page 157: ...the same server for both EAP authentication and MAC based authentication On the AP Radio Advanced page for the internal radio or the radio module shown in Figure 4 12 Select Disallowed from the pull down menu for Default Unicast Address Filter for each authentication type requiring MAC based authentication MAC based and EAP TLS and EAP MD5 Enter the settings for the EAP authentication types you ne...

Page 158: ...he entry field groups under the completed entry fields for your primary server a Enter the name or IP address of the backup server in the Server Name IP entry field b Enter the port number the server uses for authentication The default setting 1812 is the port setting for Cisco s RADIUS server the Cisco Secure Access Control Server ACS and for many other RADIUS servers Check your server s product ...

Page 159: ...protects the access point management system from unauthorized access Use the access point s user management pages to define a list of users who are authorized to view and change the access point management system Use the Security Setup page to reach the user management pages Figure 4 14 shows the Security Setup page Note Creating a list of users authorized to view and change the access point manag...

Page 160: ...age 1 On the Summary Status page click Setup 2 On the Setup page click Security Creating a List of Authorized Management System Users Follow these steps to create a list of users authorized to view and change the access point management system Step 1 Follow the link path to the Security Setup page Step 2 On the Security Setup page click User Information Figure 4 15 shows the User Information page ...

Page 161: ...er also automatically receives Admin capability SNMP Designates the username as an SNMP community name SNMP management stations can use this SNMP community name to perform SNMP operations The User Manager does not have to be enabled for SNMP communities to operate correctly Note Selecting the SNMP checkbox does not grant SNMP write capability to the user it only designates the username as an SNMP ...

Page 162: ...ick the browser s Back button to return to the Security Setup page On the Security Setup page click User Manager The User Manager Setup page appears Figure 4 17 shows the User Manager Setup page Figure 4 17 User Manager Setup Page Step 8 Select User Manager Enabled to restrict use of the access point management system to users in the user list Note You must define a full administrator user a user ...

Page 163: ...r 4 Security Setup Setting Up Administrator Authorization Protect Legal Credit Page Select yes to restrict access to the Legal Credits page to users in the user list Select no to allow any user to view the Legal Credits page Step 9 Click OK You return automatically to the Security Setup page ...

Page 164: ...Chapter 4 Security Setup Setting Up Administrator Authorization 4 46 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 ...

Page 165: ...o Discovery Protocol with your wireless networking equipment how to assign a specific network port to a MAC address and how to enable wireless network accounting This chapter contains the following sections Using the Association Table page 5 2 Using the Network Map Window page 5 11 Using Cisco Discovery Protocol page 5 13 Assigning Network Ports page 5 15 Enabling Wireless Network Accounting page ...

Page 166: ...iation Table page in the command line interface Browsing to Network Devices To browse to a device s browser based interface click the device s IP address in the IP Addr column The home page of the device s management system appears Cisco Aironet access points bridges and workgroup bridges have browser based interfaces and many servers and printers have them also If the device does not have a brows...

Page 167: ...mns of information that appear in the Association Table and the order in which devices are listed For more information on customizing the Association Table display read the Association Table Display Setup section on page 3 64 Using Station Pages Click a device s MAC address in the Association Table s MAC Addr column to display a Station page for the device Station pages provide an overview of a ne...

Page 168: ...Chapter 5 Network Management Using the Association Table 5 4 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 Figure 5 2 Station Page 209 165 201 5 ...

Page 169: ... have them also State Displays the operational state of the wireless station Possible states include Assoc The station is associated with an access point Client stations associated with this access point will also show an Association Identifier AID value that is an index into a table of stations associated with this access point Maximum AID count is 2007 Unauth The station is not authenticated wit...

Page 170: ...his box if you want detailed packet trace information captured for the Association Table page This option is only available to users with Administrator capability Packets OK Reports the number of good packets coming to the station Total Bytes OK Reports the number of good bytes coming to the station Total Errors Reports the total number of packet errors coming to the station Max Retry Pkts Reports...

Page 171: ...ate and signal quality information appears on Station pages for client devices On Station pages for access points this area shows network information such as system uptime Parent Displays the system name of the device to which the client bridge or repeater is associated The entry self indicates that the device is associated with this access point Current Rate Reports the current data transmission ...

Page 172: ...he access point presumes the client device has been turned off See the Settings on the Association Table Advanced Page section on page 3 69 for information on setting timeouts for each device class Communication Over Interface The network port over which the access point or bridge is communicating with the device Echo Packets The link test sequence number it lists the total number of link test pac...

Page 173: ...ng runs using the values in the Number of Pkts and Pkt Size fields and a ping window appears listing the test results To run the ping again click Test Again Figure 5 3 shows a ping window Figure 5 3 Ping Window Performing a Link Test Follow these steps to perform a link test between the access point and the device described on the Station page Step 1 To customize the size and number of packets sen...

Page 174: ...ults To run the test again click Test Again To run a continuous link test click Continuous Test Figure 5 4 shows a link test results window Figure 5 4 Link Test Results Window Clearing and Updating Statistics Use the Clear Stats and Refresh buttons to clear and update the Station page statistics Clear Stats Clears all packet octet and error counts and resets the counters to 0 Refresh Updates the c...

Page 175: ... client to break its current association re evaluate the currently associated access point and determine which of the surrounding access points has the best signal quality to associate with Using the Network Map Window To open the Network Map window click Map at the top of any management system page See the Navigating Using the Map Windows section on page 2 4 for information about the Map page Whe...

Page 176: ...e access point s local information for that device Click Go beside the device name to open a new browser window displaying that device s home page if available Some devices such as PC card clients do not have browser based interfaces Click show clients to display all the wireless client devices on your network The client names appear under the access point or bridge with which they are associated ...

Page 177: ...multicast address and each device monitors the messages sent by other devices Information in CDP packets is used in network management software such as CiscoWorks2000 Use the CDP Setup page to adjust the access point s CDP settings CDP is enabled by default Figure 5 6 shows the CDP Setup page Figure 5 6 CDP Setup Page Follow this link path to reach the CDP Setup page 1 On the Summary Status page c...

Page 178: ...lways be greater than the value in the Packets sent every field Packets sent every The number of seconds between each CDP packet the access point sends The default value is 60 This value should always be less than the packet hold time Individual Port Enable Ethernet When selected the access point sends CDP packets through its Ethernet port and monitors the Ethernet for CDP packets from other devic...

Page 179: ... Network Ports Assigning Network Ports Use the Port Assignments page to assign a specific network port to a repeater access point or to a non root bridge When you assign specific ports your network topology remains constant even when devices reboot Figure 5 7 shows the Port Assignments page Figure 5 7 Port Assignments Page ...

Page 180: ... address of the device to which you want to assign the port in the port s Station entry field When you click Apply or OK the port is reserved for that MAC address Enabling Wireless Network Accounting You can enable accounting on the access point to send network accounting information about wireless client devices to a RADIUS server on your network Cisco Secure ACS writes accounting records to a lo...

Page 181: ... Setup page click Accounting under Services Settings on the Accounting Setup Page The Accounting Setup page contains these settings Enable accounting Select Enabled to turn on accounting for your wireless network Enable delaying to report stop Select this option to delay sending a stop report to the server when a client device disassociates from the access point The delay reduces accounting activi...

Page 182: ...ng server in the list if one is specified The access point uses backup servers in list order when the previous server times out Enable Update Click the Enable Update checkbox to enable accounting update messages for wireless clients With updates enabled the access point sends an accounting start message when a wireless client associates to the access point sends updates at regular intervals while ...

Page 183: ...ice disassociates from the access point and the access point sends an ACCT_UPDATE frame to the server periodically while the authenticated client device is associated to the access point Acct Session ID A unique accounting identifier for each connection activity that is bounded by ACCT_START and ACCT_STOP The access point sends this attribute to the server with all three status types User Name The...

Page 184: ... The number of octets sent on the wireless network through the access point since the client device associated to the access point The access point sends this attribute only with the ACCT_STOP and ACCT_UPDATE status types Acct Input Packets The number of packets received on the wireless network through the access point since the client device associated to the access point The access point sends t...

Page 185: ...ed and the time that the attribute was sent to the server The access point sends this attribute to the server with all three status types RADIUS_IPADR The IP address of the access point sending the accounting information The access point sends this attribute to the server with all three status types Table 5 1 Accounting Attributes the Access Point Sends to the Accounting Server continued Attribute...

Page 186: ...Chapter 5 Network Management Enabling Wireless Network Accounting 5 22 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 ...

Page 187: ...her access points how to distribute the access point s configuration to other access points and how to download upload and reset the access point configuration You use the Cisco Services Setup page as a starting point for all these activities This chapter contains the following sections Updating Firmware page 6 2 Distributing Firmware page 6 8 Distributing a Configuration page 6 9 Downloading Uplo...

Page 188: ...p Page Follow this link path in the browser interface to reach the Cisco Services Setup page 1 On the Summary Status page click Setup 2 On the Setup page click Cisco Services Setup Updating with the Browser from a Local Drive When you update the firmware with your browser you browse to your hard drive or to a mapped network drive for the new firmware You can update the four firmware components the...

Page 189: ...components through the browser Step 1 If you know the exact path and filename of the new firmware image file type it in the New File for All Firmware entry field If you aren t sure of the exact path to the new firmware image file click Browse next to the New File entry field When the File Upload window appears go to the directory that contains the firmware image file and select the file Click Open...

Page 190: ...e Through Browser Page Follow these steps to update one of the firmware components through the browser Step 1 If you know the exact path and filename of the new firmware component type it in the New File for component entry field If you aren t sure of the exact path to the new component click Browse next to the component s New File entry field When the File Upload window appears go to the director...

Page 191: ...t to update all the components at once but in some situations you might want to update them individually Full Update of the Firmware Components To update all the firmware components at the same time click From File Server on the Fully Update Firmware line on the Cisco Services Setup page The Update All Firmware From File Server page appears Figure 6 4 shows the Update All Firmware From File Server...

Page 192: ...e server where the access point should look for FTP files c In the FTP Directory entry field enter the directory on the server where FTP files are located d In the FTP User Name entry field enter the user name assigned to the FTP server If you selected TFTP you can leave this field blank e In the FTP Password entry field enter the password associated with the user name If you selected TFTP you can...

Page 193: ...ely Update Firmware line on the Cisco Services Setup page The Update Firmware From File Server page appears Figure 6 6 shows the Update Firmware From File Server page Figure 6 6 Update Firmware From File Server Page To update one of the three firmware components from the file server follow the steps listed in the Full Update of the Firmware Components section on page 6 5 but in Step 3 type the fil...

Page 194: ...es Have their web servers enabled for external browsing see the Entering Web Server Settings and Setting Up Access Point Help section on page 3 55 Have the same HTTP port setting as the distributing access point the HTTP port setting is on the Web Server Setup page Have a Default Gateway setting other than the default setting which is 255 255 255 255 the Default Gateway setting is on the Express S...

Page 195: ...ents individually select no for Distribute All Firmware and click the checkboxes for the components you want to distribute Step 3 Click Start The access point s firmware is distributed to the access points on your network To cancel the distribution click Abort When the distribution is complete the access points that received the firmware automatically reboot Distributing a Configuration Use the Di...

Page 196: ...tain in their User Lists a user with the same user name password and capabilities as the user performing the distribution the person logged in on the distributing access point Figure 6 8 Distribute Configuration Page Follow this link path in the browser interface to reach the Distribute Configuration page 1 On the Summary Status page click Setup 2 On the Setup page click Cisco Services Setup 3 On ...

Page 197: ...t systems An access point accepts distributed firmware and configurations only if its user manager contains a user with the same user name password and capabilities as the user performing the distribution the person logged in on the distributing access point Follow these steps to limit distributions Step 1 On the distributing access point browse to the Security Setup page and create a new user and...

Page 198: ...a local drive upload a configuration from a local drive or file server and reset the configuration to default settings You can also use the System Configuration Setup page to restart the access point Figure 6 9 shows the System Configuration Setup page Figure 6 9 System Configuration Setup Page Follow this link path in the browser interface to reach the System Configuration Setup page 1 On the Sum...

Page 199: ...ave the current non default configuration including the access point s IP address click Download Non Default System Configuration To save the current default and non default configuration including the access point s IP address click Download All System Configuration If your web browser is Netscape Communicator use your right mouse button to click the download configuration links and select Save l...

Page 200: ...click Browse next to the entry field When the File Upload window appears go to the directory that contains the configuration file and select the file Click Open Step 3 When the filename appears in the Additional System Configuration File entry field click Browser Update Now The configuration file is loaded and applied in the access point Uploading from a File Server Follow these steps to upload a ...

Page 201: ...s c In the FTP Directory entry field enter the directory on the server where FTP files are located d In the FTP User Name entry field enter the user name assigned to the FTP server If you selected TFTP you can leave this field blank e In the FTP Password entry field enter the password associated with the user name If you selected TFTP you can leave this field blank f Click OK You return automatica...

Page 202: ...e reset the configuration to defaults Reset System Factory Defaults Except IP Identity this button returns all access point settings to their factory defaults except The access point s IP address subnet mask default gateway and boot protocol The users in the User Manager list The SNMP Administrator Community name Reset All System Factory Defaults this button returns all access point settings to th...

Page 203: ...m Factory Defaults to reset the configuration to the default settings including the IP identity Note If you reset the access point s IP identity you might lose your browser connection to the access point Restarting the Access Point Use the System Configuration Setup page to restart the access point Click Warm Restart System Now to perform a warm restart of the access point A warm restart reboots t...

Page 204: ...Chapter 6 Managing Firmware and Configurations Downloading Uploading and Resetting the Configuration 6 18 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 ...

Page 205: ...iguration Guide OL 2159 03 7 Management System Setup This chapter explains how to set up your access point to use SNMP Telnet or the console port to manage the access point This chapter contains the following sections SNMP Setup page 7 2 Console and Telnet Setup page 7 5 ...

Page 206: ...he SNMP Setup page Figure 7 1 SNMP Setup Page Follow this link path to reach the SNMP Setup page 1 On the Summary Status page click Setup 2 On the Setup page click SNMP in the Services section of the page Settings on the SNMP Setup Page The SNMP Setup page contains the following settings Simple Network Management Protocol SNMP Select Enabled to use SNMP with the access point System Description The...

Page 207: ...ress of the SNMP management station If your network uses DNS enter a host name that resolves into an IP address SNMP Trap Community The SNMP community name required by the trap destination before it records traps sent by the access point The Browse Management Information Base MIB link at the bottom of the SNMP Setup page leads to the Database Query page Using the Database Query Page Use the Databa...

Page 208: ...ck Get to find an object s value Set Click Set to assign a value to an object Reset Click Reset to return the page to default settings Changing Settings with the Database Query Page Follow these steps to change an access point setting from the Database Query page Step 1 Type the object identifier OID in the OID field You can use the integer or ASCII version of the OID If you use the integer versio...

Page 209: ...onsole Telnet Setup page 1 On the Summary Status page click Setup 2 On the Setup page click Console Telnet in the Services section of the page Settings on the Console Telnet Page The Console Telnet Setup page contains the following settings Baud Rate The rate of data transmission expressed in bits per second Select a baud rate from 110 to 115 200 depending on the capability of the computer you use...

Page 210: ...ed setting is ANSI which offers graphic features such as reverse video buttons and underlined links Not all terminal emulators support ANSI so the default setting is Teletype Columns Defines the width of the terminal emulator display within the range of 64 characters to 132 characters Adjust the value to get the optimum display for your terminal emulator Lines Defines the height of the terminal em...

Page 211: ...er contains the following sections Setting Up a Repeater Access Point page 8 1 Using Hot Standby Mode page 8 5 Setting Up a Repeater Access Point A repeater access point is not connected to the wired LAN it is placed within radio range of an access point connected to the wired LAN to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication Note Non Cisco c...

Page 212: ...ll configure the access point through the Ethernet port using a crossover cable when the repeater link is disactivated Figure 8 1 shows an access point acting as a repeater Figure 8 1 Access Point as Repeater You can set up a chain of several repeater access points but throughput for client devices at the end of the repeater chain will be quite low Because each repeater must receive and then re tr...

Page 213: ... label on the bottom of the access point Step 3 The repeater access point will need to duplicate some of the root access point s settings If the root access point has been completely configured browse to the root access point and write down the following settings so you can refer to them when you set up the repeater access point SSID for the root radio found on the Express Setup page Default IP Su...

Page 214: ... access point s Summary Status page If the repeater access point has never been configured before the Express Setup page will appear instead of the Summary Status page Step 9 On the Express Setup page enter the same SSID that is set on the root access point Note Step 10 and Step 11 describe assigning a static IP address subnet mask and gateway to the repeater However you can rely on your DHCP serv...

Page 215: ...evices associated to it The repeater s status LED is steady for 7 8 of a second and off for 1 8 of a second when it is associated to the root access point but has no client devices associated to it The repeater access point should also appear as associated to the root access point in the root access point s Association Table Using Hot Standby Mode Hot Standby mode designates an access point as a b...

Page 216: ...ent devices associated to the standby access point lose their connections during the hot standby setup process Follow these steps to enable Hot Standby mode Step 1 On the standby access point duplicate the settings that are entered on the monitored access point Critical settings include SSID found on the Express Setup page Default IP Subnet Mask also on the Express Setup page Default Gateway also ...

Page 217: ...nitored AP entry field Step 7 Enter the number of seconds between each query the standby access point sends to the monitored access point Step 8 Enter the number of seconds the standby access point should wait for a response from the monitored access point before it assumes that the monitored access point has malfunctioned Step 9 Click Start Hot Standby Mode The standby access point becomes a clie...

Page 218: ...Chapter 8 Special Configurations Using Hot Standby Mode 8 8 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 ...

Page 219: ...sic problems with the access point For the most up to date detailed troubleshooting information refer to the Cisco TAC website at http www cisco com tac Select Wireless LAN under Top Issues Sections in this chapter include Using Diagnostic Pages page 9 2 Using Command Line Diagnostics page 9 20 Tracing Packets page 9 33 Checking the Top Panel Indicators page 9 37 Checking Basic Settings page 9 40 ...

Page 220: ...page is described in the sections below Radio Diagnostics Page Use the Radio Diagnostics page to test antenna alignment between two wireless networking devices and to examine the radio spectrum in which the access point operates The antenna alignment test helps you find the best alignment for a repeater access point s directional antenna and the carrier test helps you determine which radio frequen...

Page 221: ...onstantly updated display in the Alignment Test window as you adjust the antenna You can run the antenna alignment test only on access points configured with the following Role in Radio Network settings Repeater Access Point Site Survey Client To run the antenna alignment test on a root access point change the Role in Radio Network setting on the Express Setup page Choose the number of seconds you...

Page 222: ... to see the relevant data If results for several devices were displayed it would be difficult to focus on the device with which you were trying to align the access point s antenna Each data sample is listed in the data columns The columns provide the following information ID The sequence number of the data sample The most recent sample appears at the top of the column Name The system name of each ...

Page 223: ...st measures the amount of radio activity on each frequency available to the access point s internal radio The access point does not perform the carrier test for the radio module Use the carrier test to determine the best frequency for the access point to use When you conduct a carrier test make sure all wireless networking devices within range of the access point are operating to make the test res...

Page 224: ...ed is labeled on the top left of the graph In this example the highest percentage used for any frequency is 77 The access point s available frequencies are listed vertically across the bottom of the graph from 2412 to 2462 GHz The access point s channel 1 is 2412 GHz channel 2 is 2417 GHz and so on up to channel 11 which is 2462 GHz The bar graph on the right side of the window displays the amount...

Page 225: ...age example Figure 9 4 Network Ports Page Click the Network link at the top of any main management system page to reach the Network Ports page or click Network Ports on the Summary Status home page The Network Diagnostics link at the top of the Network Ports page leads to the Cisco Network Diagnostics page where you can select diagnostic tests The Network Ports table is divided into three sections...

Page 226: ...econd IP Addr The IP address for the port When the access point is set up in standby mode the Ethernet and radio ports use different IP addresses Use the AP Radio Identification page to assign an IP address to the radio port that is different from the Ethernet IP address See the Settings on the AP Radio Identification Page section on page 3 20 for details on the AP Radio Identification page MAC Me...

Page 227: ...kets transmitted in point to point communication Multicast pkts The number of packets transmitted that were sent as a transmission to a set of nodes Total bytes Total number of bytes transmitted from the port Errors The number of packets determined to be in error Discards The number of packets discarded by the access point due to errors or network congestion Forwarded pkts The number of packets tr...

Page 228: ...lowing sections Configuration Information The top row of the Configuration section of the table contains a Set Properties link that leads to the Ethernet Hardware page Status of fec0 Fast Ethernet Controller is part of Motorola s naming convention for the Ethernet device used by the access point This field displays one of the three possible operating states for the port The added term primary iden...

Page 229: ...tal Errors Total number of packets determined to be in error Discarded Packets Packets discarded due to errors or network congestion Forwardable Packets Packets received by the port that were acceptable or passable through the filters Filtered Packets Packets that were stopped or screened by the filters set up on the port Packet CRC Errors Cyclic redundancy check CRC errors that were detected in a...

Page 230: ...errors or network congestion Forwarded Packets The number of packets transmitted by the port that were acceptable or passable through the filters Max Retry Packets Packets which failed after being retried several times Total Collisions The number of packet collisions that occurred through this port Late Collisions Packet errors that were likely caused by overlong wiring problems Could also indicat...

Page 231: ...ch row in the table is explained below Configuration Information The top row of the Configuration section of the table contains a Set Properties link that leads to the AP Radio Hardware page See the Entering Radio Hardware Information section on page 3 22 for details on the AP Radio Hardware page Status of awc0 awc0 Aironet Wireless Communications is part of Cisco Aironet s naming convention for t...

Page 232: ...on with client devices Transmit Power mW The power level of radio transmission You can reduce the transmit power to conserve power or reduce interference Click Set Properties to display the AP Radio Hardware page where you can change this setting Receive Statistics Unicast Packets The number of packets received in point to point communication Multicast Packets The number of packets received that w...

Page 233: ...ion with the MMH algorithm specifically due to sequence number and duplicate packet errors MIC Auth Errors Total number of packets received over this radio since system startup that failed MIC validation with the MMH algorithm specifically due to cryptographic key mismatch errors Transmit Statistics Unicast Packets The number of packets transmitted in point to point communication Multicast Packets...

Page 234: ... calculation with the MMH algorithm before being submitted for transmission over this radio since system startup Display Options Figure 9 6 shows the basic AP Radio Port page Three display options provide more details on the port configuration and operating statistics The basic page provides all the information needed to monitor and administer the port in normal operation You might need the other ...

Page 235: ...in management system page to reach the Event Log page Display Settings Use the entry fields and the buttons at the top of the page to control the event list Fields and buttons include Index Specifies the first event to display in the event list The most recent event is 0 earlier events are numbered sequentially To apply your entry click Apply New Number of Events Specifies the number of events dis...

Page 236: ...ential error condition Alert magenta Indicates that an event occurred which was pre selected as something to be recorded in the log A typical example of an alert would be a packet error condition The Station page provides check boxes that activate reporting of packet errors to and from the station as alerts in the event log FATAL red An event which prevents operation of the port or device For oper...

Page 237: ...hooting Using Diagnostic Pages Event Log Summary Page The Event Log Summary page lists the total number of events that occurred at each severity level Figure 9 8 shows an Event Log Summary page example Figure 9 8 Event Log Summary Page Click the Severity heading on the Event Log page to reach the Event Log Summary page ...

Page 238: ...iption of that command s results Table 9 1 CLI Diagnostic Commands Command Information Displayed eap_diag1_on authentication progress for client devices authenticating through the access point eap_diag2_on packet contents of each authentication step for client devices authenticating through the access point vxdiag_arpshow the ARP table vxdiag_checkstack task stack on the access point vxdiag_hostsh...

Page 239: ...rt menu select Programs Accessories Telnet If Telnet is not listed in your Accessories menu select Start Run enter Telnet in the entry field and press Enter Step 2 When the Telnet window appears click Connect and select Remote System Note In Windows 2000 the Telnet window does not contain pull down menus To start the Telnet session in Windows 2000 enter open followed by the access point s IP addre...

Page 240: ...ket for client Yakima RADIUS Received session timeout request of 60 seconds RADIUS Sending EAPOL packet to client RADIUS ACCEPT for Yakima RADIUS Found Cisco key RADIUS Sending EAPOL multicast key RADIUS Sending EAPOL session key parameters EAP Key set for client Yakima The EAP and RADIUS prefixes show which system process is handling the communication Follow the steps in the Entering Diagnostic C...

Page 241: ...mware dk RFC rfc rfc2865 html as well as on many other websites The IEEE s 802 1x authentication standard helps define the content of packets sent between client devices and the access point and is available to IEEE members at http www ieee org Follow the steps in the Entering Diagnostic Commands section on page 9 21 to open the CLI and enter the eap_diag2_on command vxdiag_arpshow Use the vxdiag_...

Page 242: ... in the Entering Diagnostic Commands section on page 9 21 to open the CLI and enter the vxdiag_arpshow command 0x8 Host or net is unreachable 0x10 Created dynamically by redirect 0x20 Modified dynamically by redirect 0x40 Message confirmed 0x80 Subnet mask is present 0x100 Generate new routes on use 0x200 External daemon resolves name 0x400 Generated by ARP 0x800 Manually added static 0x1000 Just ...

Page 243: ...InTas 0x000002e858 98fb88 16368 1416 2376 13992 These are the descriptions of the information in each column Name name of the task Entry entry point the top level function of the task TID task identifier the task control block Size stack size in bytes CUR current number of bytes of stack in use High highest number of bytes of stack which have been in use Margin the difference between the stack siz...

Page 244: ...nostic Commands section on page 9 21 to open the CLI and enter the vxdiag_hostshow command vxdiag_i Use the vxdiag_i command to display a list of current tasks on the access point A portion of the access point s task list display might look like this example NAME ENTRY TID PRI STATUS PC SP ERRNO DELAY tExcTask 1a1fd0 fd4e80 0 PEND 1d9aac fd4da0 3006b 0 tSysIntegri1b188 a3b1c0 0 SUSPEND 1c06ac a3ae...

Page 245: ...curs Ready The task is ready to run Delay The task issued a delay command and will not run until the delay time elapses PC program counter a memory address of the task SP stack pointer another memory address of the task ERRNO error number the latest error reported by any function called by the task Delay delay interval in system clock ticks 1 52 second that must elapse before the task runs Follow ...

Page 246: ...th IP length less than the IP header length Infragments number of packets received that were fragmented Fragdropped number of fragmented packets received that were dropped Fragtimeout number of fragmented packets received that timed out Forward number of packets forwarded Cantforward number of packets received for an unreachable destination Redirectsent number of packets forwarded in the same subn...

Page 247: ... described in bytes blocks the memory for each status described in contiguous blocks indicates the level of fragmentation in the access point s memory avg block the average block size simply put the number in the bytes column divided by the number in the blocks column max block the maximum contiguous memory block available Follow the steps in the Entering Diagnostic Commands section on page 9 21 t...

Page 248: ...cription Aironet 802 11 Bridge Driver Protocol AWC Packet Router Type 257 Recv 0x5ad0c Shutdown 0x5fbd0 Protocol AWC DDP Protocol Type 34605 Recv 0x6986c Shutdown 0x6a728 Device rptr Unit 2 Follow the steps in the Entering Diagnostic Commands section on page 9 21 to open the CLI and enter the vxdiag_muxshow command vxdiag_routeshow Use the vxdiag_routeshow command to display current routing inform...

Page 249: ...nd to display Transmission Control Protocol TCP statistics for the access point The TCP statistics might look like this example TCP 3370 packets sent 1576 data packets 714752 bytes 3 data packets 1613 bytes retransmitted 1252 ack only packets 1 delayed 0 URG only packet 1 window probe packet 0 window update packet 538 control packets 3327 packets received 1564 acks for 710621 bytes 23 duplicate ac...

Page 250: ...opped by keepalive 63 pcb cache lookups failed Follow the steps in the Entering Diagnostic Commands section on page 9 21 to open the CLI and enter the vxdiag_tcpstatshow command vxdiag_udpstatshow Use the vxdiag_udpstatshow command to display User Datagram Protocol UDP statistics for the access point The UDP statistics might look like this example UDP 9244 total packets 9227 input packets 17 outpu...

Page 251: ... trace log file Use the instructions in the Tracing Packets for Specific Devices section on page 9 34 and the Tracing Packets for Ethernet and Radio Ports section on page 9 35 to select devices and ports to be traced Follow these steps to reserve access point memory for a packet trace log file Step 1 Use the Event Handling Setup page to enter instructions for the size of the packets you want to mo...

Page 252: ...ant to trace packets and click the device s MAC address The device s Station page appears Step 3 On the device s Station page click the alert checkbox in the To Station header to trace packets sent to the device Click the alert checkbox in the From Station header to trace packets the device sends Note Copying packets into access point memory slows the access point s performance When you finish tra...

Page 253: ...thernet in the yellow header row To trace packets sent or received through the access point s radio port click AP Radio in the yellow header row The Ethernet Port or AP Radio Port page appears Step 3 Click the alert checkbox in the Receive header to trace packets received through the Ethernet or radio port Click the alert checkbox in the Transmit header to trace packets sent through the Ethernet o...

Page 254: ...ted packet information Step 3 A File Download window appears asking if you want to save the access point name _trace log file or open it Choose to save or open the file and click OK A portion of the Headers Only packet trace file might look like this example Beginning of AP_North Detailed Trace Log 04 46 14 17174 384615 Station Alert 00 01 64 43 ef 41Aironet 40 6f e6Aironet 40 6f e6 0x0000 04 47 3...

Page 255: ...0 00 00 00 00 00 J o dC A _ o T JCOOL IBM W2K 04 47 37 83 326923 Station Alert 00 01 64 43 ef 41 Aironet 00 40 96 40 6f e6 Aironet 00 40 96 36 14 5a 0x0000 00 4a 40 81 00 40 96 36 14 5a 00 01 64 43 ef 41 01 7f 00 04 5f 00 00 40 96 40 6f e6 00 00 00 00 00 00 00 00 00 00 0a 54 8b a4 00 00 44 57 49 4c 4c 2d 49 42 4d 2d 57 32 4b 00 00 00 00 00 00 00 00 00 J 6 Z dC A _ o T JCOOL IBM W2K End of AP_North...

Page 256: ...h any wireless devices Steady green indicates that the access point is associated with a wireless client For repeater access points blinking 50 on 50 off indicates the repeater is not associated with the root access point blinking 7 8 on 1 8 off indicates that the repeater is associated with the root access point but no client devices are associated with the repeater steady green indicates that th...

Page 257: ...are associated check the unit s SSID and WEP settings Operational Steady green Blinking green Transmitting receiving radio packets Blinking green Steady green Transmitting receiving packets Steady green Blinking amber Maximum retries or buffer full occurred on one of the radios Error warning Blinking amber Steady green Transmit receive errors Blinking red Ethernet cable is disconnected 340 series ...

Page 258: ... Step 4 To make the indicators stop blinking and return to normal operation select Disabled for the Locate unit by flashing LEDs option and click Apply Checking Basic Settings Mismatched basic settings are the most common causes of lost connectivity with wireless clients If the access point does not communicate with client devices check the following settings SSID Wireless clients attempting to as...

Page 259: ... 802 1x Protocol Drafts Note This section applies to wireless networks set up to use LEAP If you do not use LEAP on your wireless network you can skip this section Wireless client devices use Extensible Authentication Protocol EAP to log onto a network and generate a dynamic client specific WEP key for the current logon session If your wireless network uses WEP without EAP client devices use the s...

Page 260: ...ow these steps to set the draft for your access point Step 1 Browse to the Authenticator Configuration page in the access point management system a On the Summary Status page click Setup b On the Setup page click Security c On the Security Setup page click Authentication Server PC PCI cards 4 23 x PC PCI cards 4 25 and later x WGB34x 352 8 58 x WGB34x 352 8 61 or later x AP34x 35x 11 05 and earlie...

Page 261: ...n 4 25 or later Functionality in Draft 10 is equivalent to the functionality in Draft 11 the ratified draft of the 802 1X standard Step 3 Click Apply or OK to apply the setting The access point reboots Resetting to the Default Configuration If you forget the password that allows you to configure the access point you might need to completely reset the configuration Follow the steps below to delete ...

Page 262: ...o parity 1 stop bit and No flow control Step 6 Click OK and press Enter Step 7 When the Summary Status screen appears reboot the access point by unplugging the power connector and then plugging it back in Step 8 When the access point reboots and the Summary Status screen reappears type resetall and press Enter Step 9 Type yes and press Enter to confirm the command Note The resetall command is vali...

Page 263: ...evels and Antenna Gains This appendix lists the IEEE 802 11a and IEEE 802 11b channels supported by the world s regulatory domains as well as the maximum power levels and antenna gains allowed per domain The following topics are covered in this appendix Channels page A 2 Maximum Power Levels and Antenna Gains page A 4 ...

Page 264: ...el are listed in Table A 1 Note All channel sets are restricted to indoor usage except the Americas A which allows for indoor and outdoor use on channels 52 through 64 in the United States Table A 1 Channels for IEEE 802 11a Channel Identifier Frequency in MHz Regulatory Domains Americas A Japan J Singapore S Taiwan T 34 5170 X 36 5180 X X 38 5190 X 40 5200 X X 42 5210 X 44 5220 X X 46 5230 X 48 5...

Page 265: ... channels 1 through 8 are for indoor use only while channels 9 through 11 can be used indoors and outdoors Users are responsible for ensuring that the channel set configuration complies with the regulatory standards of Mexico Table A 2 Channels for IEEE 802 11b Channel Identifier Frequency in MHz Regulatory Domains Americas A EMEA E Israel I China C Japan J 1 2412 X X X X 2 2417 X X X X 3 2422 X X...

Page 266: ... and Antenna Gains For IEEE 802 11a An improper combination of power level and antenna gain can result in equivalent isotropic radiated power EIRP above the amount allowed per regulatory domain Table A 3 indicates the maximum power levels and antenna gains allowed for each IEEE 802 11a regulatory domain Table A 3 Maximum Power Levels Per Antenna Gain for IEEE 802 11a Regulatory Domain Maximum Powe...

Page 267: ...sotropic radiated power EIRP above the amount allowed per regulatory domain Table A 4 indicates the maximum power levels and antenna gains allowed for each IEEE 802 11b regulatory domain Table A 4 Maximum Power Levels Per Antenna Gain for IEEE 802 11b Regulatory Domain Antenna Gain dBi Maximum Power Level mW Americas A 4 watts EIRP maximum 0 100 2 2 100 5 2 100 6 100 8 5 100 12 100 13 5 100 21 20 ...

Page 268: ...Israel I 100 mW EIRP maximum 0 100 2 2 50 5 2 30 6 30 8 5 5 12 5 13 5 5 21 1 China C 10 mW EIRP maximum 0 5 2 2 5 5 2 n a 6 n a 8 5 n a 12 n a 13 5 n a 21 n a Japan J 10 mW MHz EIRP maximum 0 50 2 2 30 5 2 30 6 30 8 5 n a 12 n a 13 5 5 21 n a Table A 4 Maximum Power Levels Per Antenna Gain for IEEE 802 11b continued Regulatory Domain Antenna Gain dBi Maximum Power Level mW ...

Page 269: ...Protocols on the Ethertype Filters Page Table B 2 Protocols on the IP Protocol Filters Page Table B 3 Protocols on the IP Port Protocol Filters Page In each table the Protocol column lists the protocol name and the Additional Identifier column lists other names for the same protocol You can type either name in the Special Cases field on the Filter Set page to select the protocol Table B 3 also lis...

Page 270: ...x0800 Berkeley Trailer Negotiation 0x1000 LAN Test 0x0708 X 25 Level3 X 25 0x0805 Banyan 0x0BAD CDP 0x2000 DEC XNS XNS 0x6000 DEC MOP Dump Load 0x6001 DEC MOP MOP 0x6002 DEC LAT LAT 0x6004 Ethertalk 0x809B Appletalk ARP Appletalk AARP 0x80F3 IPX 802 2 0x00E0 IPX 802 3 0x00FF Novell IPX old 0x8137 Novell IPX new IPX 0x8138 EAPOL old 0x8180 EAPOL new 0x888E Telxon TXP TXP 0x8729 Aironet DDP DDP 0x87...

Page 271: ... Identifier ISO Designator dummy 0 Internet Control Message Protocol ICMP 1 Internet Group Management Protocol IGMP 2 Transmission Control Protocol TCP 6 Exterior Gateway Protocol EGP 8 PUP 12 CHAOS 16 User Datagram Protocol UDP 17 XNS IDP IDP 22 ISO TP4 TP4 29 ISO CNLP CNLP 80 Banyan VINES VINES 83 Encapsulation Header encap_hdr 98 Spectralink Voice Protocol SVP Spectralink 119 raw 255 ...

Page 272: ...pmux 1 echo 7 discard 9 9 systat 11 11 daytime 13 13 netstat 15 15 Quote of the Day qotd quote 17 Message Send Protocol msp 18 ttytst source chargen 19 FTP Data ftp data 20 FTP Control 21 ftp 21 Secure Shell 22 ssh 22 Telnet 23 Simple Mail Transport Protocol SMTP mail 25 time timserver 37 Resource Location Protocol RLP 39 IEN 116 Name Server name 42 whois nicname 43 43 Domain Name Server DNS domai...

Page 273: ...iso tsap 102 CSO Name Server cso ns csnet ns 105 Remote Telnet rtelnet 107 Postoffice v2 POP2 POP v2 109 Postoffice v3 POP3 POP v3 110 Sun RPC sunrpc 111 tap ident authentication auth 113 sftp 115 uucp path 117 Network News Transfer Protocol Network News readnews nntp 119 USENET News Transfer Protocol Network News readnews nntp 119 Network Time Protocol ntp 123 Table B 3 Protocols on the IP Port P...

Page 274: ... ISO CMIP Management Over IP CMIP Management Over IP cmip man CMOT 163 ISO CMIP Agent Over IP cmip agent 164 X Display Manager Control Protocol xdmcp 177 NeXTStep Window Server NeXTStep 178 Border Gateway Protocol BGP 179 Prospero 191 Internet Relay Chap IRC 194 SNMP Unix Multiplexer smux 199 AppleTalk Routing at rtmp 201 AppleTalk name binding at nbp 202 AppleTalk echo at echo 204 AppleTalk Zone ...

Page 275: ...526 courier RPC 530 conference chat 531 netnews 532 netwall wall 533 UUCP Daemon UUCP uucpd 540 Kerberos rlogin klogin 543 Kerberos rsh kshell 544 rfs_server remotefs 556 Kerberos kadmin kerberos adm 749 network dictionary webster 765 SUP server supfilesrv 871 swat for SAMBA swat 901 SUP debugging supfiledbg 1127 ingreslock 1524 Prospero non priveleged prospero np 1525 RADIUS 1812 Table B 3 Protoc...

Page 276: ...0 Series Access Point Software Configuration Guide OL 2159 03 Concurrent Versions System CVS 2401 Cisco IAPP 2887 Radio Free Ethernet RFE 5002 Table B 3 Protocols on the IP Port Protocol Filters Page continued Protocol Additional Identifier ISO Designator ...

Page 277: ...maximum number of 3 34 associations allowed more than 20 workgroup bridges 3 35 Association table Association Table Advanced page 3 68 Association Table page 5 2 Station page 5 3 authentication server Authentication Server Setup page 4 21 backup servers 4 40 EAP 4 5 port setting 4 23 shared secret 4 23 authentication types combining MAC based and EAP 4 34 LEAP 4 24 Network EAP 4 4 open 4 7 shared ...

Page 278: ...d 9 25 Cisco Discovery Protocol MIB 2 11 Cisco Secure ACS enabling EAP 4 25 setting session based WEP key timeout 4 26 classify workgroup bridges as network infrastructure 3 35 CLI auto apply 2 9 common functions 2 7 diagnostics 9 20 terminal emulator settings 2 6 client devices browsing to 5 2 deauthenticating 5 11 disassociating 5 11 EAP settings 4 24 in network map 2 5 Station page information ...

Page 279: ... Require EAP setting 4 23 setting up in Cisco Secure ACS 4 25 setting up on the access point 4 20 setting WEP key timeout 4 26 EIRP maximum A 5 to A 6 encryption See WEP ensure compatibility with 3 8 Ethernet configuration advanced settings 3 46 hardware settings 3 43 identity settings 3 41 speed 3 44 Ethernet encapsulation type 3 36 Ethernet indicator 9 38 Ethernet Port page 9 9 Event Log page 9 ...

Page 280: ...y features 1 2 key hashing WEP 4 16 Kilomicroseconds in beacon period 3 27 L LEAP enabling on a repeater access point 4 27 with Network EAP setting 4 19 LED indicators Ethernet 9 38 locate unit by flashing LEDs 9 40 radio traffic 9 38 status 9 38 limiting distributions 6 11 link test 5 8 load balancing 3 35 locate unit by flashing LEDs 9 40 logs 9 17 M MAC address 3 3 MAC address filters 3 14 MAC ...

Page 281: ...ndow 2 5 Network Ports page 9 7 O OK button 2 3 optimize radio network for 3 8 P packet tracing 9 33 parity 2 7 password reset 9 43 pings 5 8 ports assigning to MAC addresses 5 15 power level maximum A 5 to A 6 power level setting 3 26 preamble 3 40 primary port 3 21 protocol filters enabling filters 3 14 forward or block 3 12 list of available protocols B 1 priorities 3 12 time to live setting 3 ...

Page 282: ...ict searched channels 3 29 roaming 1 3 role in radio network 3 5 root unit 3 5 routing setup 3 61 RTS retries and threshold 3 27 S search for less congested channel restrict searched channels 3 29 security Cisco Secure ACS 4 25 overview 4 2 Security Setup page 4 42 user manager 4 41 serial number radio 3 21 serial number system 3 42 server setup boot server 3 51 FTP 3 60 name server 3 58 routing 3...

Page 283: ...3 50 TKIP 4 16 top panel indicators 9 37 tracing packets 9 33 transmit antenna 3 29 transmit power 3 26 U unicast packets filtering 3 39 updating firmware 6 2 user management capabilities 4 43 creating list of authorized users 4 42 user information 4 42 V vendor class identifier 3 55 W warm restart 6 17 Web based interface common buttons 2 3 compatible browsers 2 2 Web server 3 55 WEP broadcast ke...

Page 284: ...Index IN 8 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 workgroup bridges allowing more than 20 to associate 3 35 World mode 3 25 ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands