manualshive.com logo in svg

Cisco Aironet SERIES, Software Manual

Introducing the Cisco Aironet SERIES, a cutting-edge wireless networking solution designed for seamless connectivity. Unlock its full potential with our comprehensive Software Manual, available for free download. Easily access step-by-step instructions and essential information about your Cisco Aironet SERIES directly from manualshive.com. Empower your network today!

Share
Download
background image

 

16-11

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points

OL-14209-01

Chapter 16      Configuring Filters

Configuring Filters Using the Web-Browser Interface

Creating an IP Filter

Follow these steps to create an IP filter:

Step 1

Follow the link path to the IP Filters page.

Step 2

If you are creating a new filter, make sure 

<NEW>

 (the default) is selected in the Create/Edit Filter 

Index menu. To edit an existing filter, select the filter name from the Create/Edit Filter Index menu.

Step 3

Enter a descriptive name for the new filter in the Filter Name field.

Step 4

Select 

Forward all

 or 

Block all

 as the filter’s default action from the Default Action menu. The filter’s 

default action must be the opposite of the action for at least one of the addresses in the filter. For 
example, if you create a filter containing an IP address, an IP protocol, and an IP port and you select 

Block

 as the action for all of them, you must choose 

Forward All

 as the filter’s default action.

Step 5

To filter an IP address, enter an address in the IP Address field.

Note

If you plan to block traffic to all IP addresses except those you specify as allowed, put the 
address of your own PC in the list of allowed addresses to avoid losing connectivity to the access 
point.

Step 6

Type the mask for the IP address in the Mask field. Enter the mask with periods separating the groups 
of characters (112.334.556.778, for example). If you enter 255.255.255.255 as the mask, the access point 
accepts any IP address. If you enter 0.0.0.0, the access point looks for an exact match with the IP address 
you entered in the IP Address field. The mask you enter in this field behaves the same way that a mask 
behaves when you enter it in the CLI.

Step 7

Select 

Forward

 or 

Block

 from the Action menu. 

Step 8

Click 

Add

. The address appears in the Filters Classes field. To remove the address from the Filters 

Classes list, select it and click 

Delete Class

. Repeat 

Step 5

 through 

Step 8

 to add addresses to the filter.

If you do not need to add IP protocol or IP port elements to the filter, skip to 

Step 15

 to save the filter 

on the access point. 

Step 9

To filter an IP protocol, select one of the common protocols from the IP Protocol drop-down menu, or 
select the 

Custom

 radio button and enter the number of an existing ACL in the Custom field. Enter an 

ACL number from 0 to 255. See 

Appendix A, “Protocol Filters,”

 for a list of IP protocols and their 

numeric designators.

Step 10

Select 

Forward

 or 

Block

 from the Action menu. 

Step 11

Click 

Add

. The protocol appears in the Filters Classes field. To remove the protocol from the Filters 

Classes list, select it and click 

Delete Class

. Repeat 

Step 9

 to 

Step 11

 to add protocols to the filter.

If you do not need to add IP port elements to the filter, skip to 

Step 15

 to save the filter on the access 

point. 

Step 12

To filter a TCP or UDP port protocol, select one of the common port protocols from the TCP Port or 
UDP Port drop-down menus, or select the 

Custom

 radio button and enter the number of an existing 

protocol in one of the Custom fields. Enter a protocol number from 0 to 65535. See 

Appendix A, 

“Protocol Filters,”

 for a list of IP port protocols and their numeric designators.

Step 13

Select 

Forward

 or 

Block

 from the Action menu. 

Step 14

Click 

Add

. The protocol appears in the Filters Classes field. To remove the protocol from the Filters 

Classes list, select it and click 

Delete Class

. Repeat 

Step 12

 to 

Step 14

 to add protocols to the filter.

Summary of Contents for Aironet SERIES

Page 1: ...Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Cisco IOS Software Configuration Guide for Cisco Aironet Access Points Cisco IOS Releases 12 4 10b JA and 12 3 8 JEC May 2010 Text Part Number OL 14209 01 ...

Page 2: ...EIN ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS CISCO AND THE ABOVE NAMED SUPPLIERS DISCLAIM ALL WARRANTIES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY IND...

Page 3: ...s 1 3 Network Configuration Examples 1 3 Root Access Point 1 3 Repeater Access Point 1 4 Bridges 1 5 Workgroup Bridge 1 5 Central Unit in an All Wireless Network 1 6 Using the Web Browser Interface 2 1 Using the Web Browser Interface for the First Time 2 3 Using the Management Pages in the Web Browser Interface 2 3 Using Action Buttons 2 4 Character Restrictions in Entry Fields 2 5 Enabling HTTPS ...

Page 4: ...cessing the CLI 3 9 Opening the CLI with Telnet 3 9 Opening the CLI with Secure Shell 3 9 Configuring the Access Point for the First Time 4 1 Before You Start 4 2 Resetting the Device to Default Settings 4 2 Resetting to Default Settings Using the MODE Button 4 2 Resetting to Default Settings Using the GUI 4 2 Resetting to Default Settings Using the CLI 4 3 Obtaining and Assigning an IP Address 4 ...

Page 5: ...P Method Profiles 4 32 Administering the Access PointWireless Device Access 5 1 Disabling the Mode Button 5 2 Preventing Unauthorized Access to Your Access Point 5 3 Protecting Access to Privileged EXEC Commands 5 3 Default Password and Privilege Level Configuration 5 4 Setting or Changing a Static Enable Password 5 4 Protecting Enable and Enable Secret Passwords with Encryption 5 6 Configuring Us...

Page 6: ...ow Commands 5 24 Clear Commands 5 25 Debug Command 5 25 Configuring the Access Point for Secure Shell 5 25 Understanding SSH 5 25 Configuring SSH 5 26 Configuring Client ARP Caching 5 26 Understanding Client ARP Caching 5 26 Optional ARP Caching 5 26 Configuring ARP Caching 5 27 Managing the System Time and Date 5 27 Understanding Simple Network Time Protocol 5 27 Configuring SNTP 5 28 Configuring...

Page 7: ...figuring Dual Radio Fallback 6 5 Radio Tracking 6 6 Fast Ethernet Tracking 6 6 MAC Address Tracking 6 6 Bridge Features Not Supported 6 7 Configuring Radio Data Rates 6 7 Access Points Send Multicast and Management Frames at Highest Basic Rate 6 8 Configuring MCS Rates 6 10 Configuring Radio Transmit Power 6 11 Limiting the Power Level for Associated Client Devices 6 13 Configuring Radio Channel S...

Page 8: ...figuring the Fragmentation Threshold 6 32 Enabling Short Slot Time for 802 11g Radios 6 33 Performing a Carrier Busy Test 6 33 Configuring VoIP Packet Handling 6 33 Viewing VoWLAN Metrics 6 34 Viewing Voice Reports 6 34 Viewing Wireless Client Reports 6 37 Viewing Voice Fault Summary 6 38 Configuring Voice QoS Settings 6 38 Configuring Voice Fault Settings 6 39 Configuring Multiple SSIDs 7 1 Under...

Page 9: ...s 8 3 Election of the Spanning Tree Root 8 4 Spanning Tree Timers 8 5 Creating the Spanning Tree Topology 8 5 Spanning Tree Interface States 8 5 Blocking State 8 7 Listening State 8 7 Learning State 8 7 Forwarding State 8 8 Disabled State 8 8 Configuring STP Features 8 8 Default STP Configuration 8 8 Configuring STP Settings 8 9 STP Configuration Examples 8 10 Root Bridge Without VLANs 8 10 Non Ro...

Page 10: ...up 10 5 Enabling Cipher Suites and WEP 10 6 Matching Cipher Suites with WPA and CCKM 10 7 Enabling and Disabling Broadcast Key Rotation 10 7 Configuring Authentication Types 11 1 Understanding Authentication Types 11 2 Open Authentication to the Access Point 11 2 Shared Key Authentication to the Access Point 11 3 EAP Authentication to the Network 11 4 MAC Address Authentication to the Network 11 5...

Page 11: ...s 12 6 Configuring WDS 12 7 Guidelines for WDS 12 8 Requirements for WDS 12 8 Configuration Overview 12 8 Configuring Access Points as Potential WDS Devices 12 9 CLI Configuration Example 12 13 Configuring Access Points to use the WDS Device 12 14 CLI Configuration Example 12 15 Configuring the Authentication Server to Support WDS 12 15 Configuring WDS Only Mode 12 19 Viewing WDS Information 12 20...

Page 12: ...n 13 4 Identifying the RADIUS Server Host 13 4 Configuring RADIUS Login Authentication 13 7 Defining AAA Server Groups 13 9 Configuring RADIUS Authorization for User Privileged Access and Network Services 13 11 Configuring Packet of Disconnect 13 12 Starting RADIUS Accounting m 13 13 Selecting the CSID Format 13 14 Configuring Settings for All RADIUS Servers 13 15 Configuring the Access Point to U...

Page 13: ...IUS Server for Dynamic Mobility Group Assignment 14 9 Viewing VLANs Configured on the Access Point 14 9 VLAN Configuration Example 14 10 Configuring QoS 15 1 Understanding QoS for Wireless LANs 15 2 QoS for Wireless LANs Versus QoS on Wired LANs 15 2 Impact of QoS on a Wireless LAN 15 2 Precedence of QoS Settings 15 3 Using Wi Fi Multimedia Mode 15 4 Configuring QoS 15 5 Configuration Guidelines 1...

Page 14: ...CLI Configuration Example 16 9 Configuring and Enabling IP Filters 16 9 Creating an IP Filter 16 11 Configuring and Enabling Ethertype Filters 16 12 Creating an Ethertype Filter 16 13 Configuring CDP 17 1 Understanding CDP 17 2 Configuring CDP 17 2 Default CDP Configuration 17 2 Configuring the CDP Characteristics 17 2 Disabling and Enabling CDP 17 3 Disabling and Enabling CDP on an Interface 17 4...

Page 15: ... a Repeater 19 5 Aligning Antennas 19 6 Verifying Repeater Operation 19 6 Setting Up a Repeater As a LEAP Client 19 7 Setting Up a Repeater As a WPA Client 19 8 Understanding Hot Standby 19 9 Configuring a Hot Standby Access Point 19 9 Verifying Standby Operation 19 12 Understanding Workgroup Bridge Mode 19 13 Treating Workgroup Bridges as Infrastructure Devices or as Client Devices 19 14 Configur...

Page 16: ...opying Configuration Files by Using TFTP 20 9 Preparing to Download or Upload a Configuration File by Using TFTP 20 10 Downloading the Configuration File by Using TFTP 20 10 Uploading the Configuration File by Using TFTP 20 11 Copying Configuration Files by Using FTP 20 11 Preparing to Download or Upload a Configuration File by Using FTP 20 12 Downloading a Configuration File by Using FTP 20 12 Up...

Page 17: ...ng 21 2 System Log Message Format 21 2 Default System Message Logging Configuration 21 3 Disabling and Enabling Message Logging 21 4 Setting the Message Display Destination Device 21 5 Enabling and Disabling Timestamps on Log Messages 21 6 Enabling and Disabling Sequence Numbers in Log Messages 21 6 Defining the Message Severity Level 21 7 Limiting Syslog Messages Sent to the History Table and to ...

Page 18: ...rowser TFTP Interface 22 23 Using the CLI 22 24 Obtaining the Access Point Image File 22 25 Obtaining TFTP Server Software 22 26 A P P E N D I X A Protocol Filters A 1 A P P E N D I X B Supported MIBs B 1 MIB List B 1 Using FTP to Access the MIB Files B 2 A P P E N D I X C Error and Event Messages C 1 Conventions C 2 Software Auto Upgrade Messages C 3 Association Management Messages C 5 Unzip Mess...

Page 19: ... xix Cisco IOS Software Configuration Guide for Cisco Aironet Access Points OL 14209 01 LWAPP Error Messages C 26 Sensor Messages C 27 SNMP Error Messages C 28 SSH Error Messages C 29 G L O S S A R Y I N D E X ...

Page 20: ...Contents xx Cisco IOS Software Configuration Guide for Cisco Aironet Access Points OL 14209 01 ...

Page 21: ...oes not cover lightweight access points Configuration for these devices can be found in the appropriate installation and configuration guides on cisco com Purpose This guide provides the information you need to install and configure your access point This guide provides procedures for using the Cisco IOS software commands that have been created or changed for use with the access point It does not ...

Page 22: ...ow to configure and manage multiple service set identifiers SSIDs and multiple basic SSIDs BSSIDs on your access point You can configure up to 16 SSIDs and up to eight BSSIDs on your access point Chapter 8 Configuring Spanning Tree Protocol describes how to configure Spanning Tree Protocol STP on your access point bridge or access point operating in a bridge mode STP prevents bridge loops from occ...

Page 23: ...22 Wireless Device Troubleshooting provides troubleshooting procedures for basic problems with the access point Appendix A Protocol Filters lists some of the protocols that you can filter on the access point Appendix B Supported MIBs lists the Simple Network Management Protocol SNMP Management Information Bases MIBs that the access point supports for this software release Appendix C Error and Even...

Page 24: ...yvistä vaaroista ja tavanomaisista onnettomuuksien ehkäisykeinoista Tässä julkaisussa esiintyvien varoitusten käännökset löydät liitteestä Translated Safety Warnings käännetyt turvallisuutta koskevat varoitukset Attention Ce symbole d avertissement indique un danger Vous vous trouvez dans une situation pouvant entraîner des blessures Avant d accéder à cet équipement soyez conscient des dangers pos...

Page 25: ...du utfører arbeid på utstyr må du være oppmerksom på de faremomentene som elektriske kretser innebærer samt gjøre deg kjent med vanlig praksis når det gjelder å unngå ulykker Hvis du vil se oversettelser av de advarslene som finnes i denne publikasjonen kan du se i vedlegget Translated Safety Warnings Oversatte sikkerhetsadvarsler Aviso Este símbolo de aviso indica perigo Encontra se numa situação...

Page 26: ...C Web pages include Antenna Cabling Obtaining Documentation Obtaining Support and Security Guidelines For information on obtaining documentation obtaining support providing documentation feedback security guidelines and also recommended aliases and general Cisco documents see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at...

Page 27: ...face CLI the browser based management system or Simple Network Management Protocol SNMP Use the interface dot11radio global configuration CLI command to place the wireless device into the radio configuration mode Each access point platform contains one or two radios The 1100 series access point uses a single 802 11b 2 4 GHz mini PCI radio that can be upgraded to an 802 11g 2 4 GHz radio The 1130 s...

Page 28: ...ollowing interfaces The Cisco IOS command line interface CLI which you use through a console port or Telnet session Use the interface dot11radio global configuration command to place the wireless device into the radio configuration mode Most of the examples in this manual are taken from the CLI Chapter 3 Using the Command Line Interface provides a detailed description of the CLI A web browser inte...

Page 29: ...o traffic would slow throughput on the wireless LAN Using CCKM and a device providing WDS client devices can roam from one access point to another so quickly that there is no perceptible delay in voice or other time sensitive applications Network Configuration Examples This section describes the access point s role in common wireless network configurations The access point s default configuration ...

Page 30: ...ffic between wireless users and the wired LAN by sending packets to either another repeater or to an access point connected to the wired LAN The data is sent through the route that provides the best performance for the client Figure 1 2 shows an access point acting as a repeater Consult the Configuring a Repeater Access Point section on page 19 3 for instructions on setting up an access point as a...

Page 31: ...ction on page 6 2 for instructions on setting up an access point as a bridge When wirless bridges are used in a point to multipoint configuration the throughput is reduced depending on the number of non root bridges that associate with the root bridge The maximum throughput is about 25 Mbps in a point to point link The addition of three bridges to form a point to multipoint network reduces the thr...

Page 32: ...s point configured as a workgroup bridge Consult the Understanding Workgroup Bridge Mode section on page 19 13 and the Configuring Workgroup Bridge Mode section on page 19 16 for information on configuring your access point as a workgroup bridge Figure 1 5 Access Point as a Workgroup Bridge Central Unit in an All Wireless Network In an all wireless network an access point acts as a stand alone roo...

Page 33: ...ent pages that you use to change the wireless device settings upgrade firmware and monitor and configure other wireless devices on the network The following parameters can be configured by using the web browser interface VLAN Configuration SSID configuration VLAN to SSID mappings Gain and power settings Maximum reach Maximum throughput Light Extensible Authentication Protocol LEAP configuration in...

Page 34: ...ce Note Avoid using both the CLI and the web browser interfaces to configure the wireless device If you configure the wireless device using the CLI the web browser interface might display an inaccurate interpretation of the configuration However the inaccuracy does not necessarily mean that the wireless device is misconfigured ...

Page 35: ...lorer and press Enter The Summary StatusHome page appears Using the Management Pages in the Web Browser Interface The system management pages use consistent techniques to present and save configuration information A navigation bar is on the left side of the page and configuration action buttons appear at the bottom You use the navigation bar to browse to other management pages and you use the conf...

Page 36: ...ress and role in radio network Express Security Displays the Express Security page that you use to create SSID and assign security settings to them Network Map Displays a list of infrastructure devices on your wireless LAN Association Displays a list of all devices on your wireless LAN listing their system names network roles and parent client relationships Network Interfaces Displays status and s...

Page 37: ...ote When you enable HTTPS most browsers prompt you for approval each time you browse to a device that does not have a fully qualified domain name FQDN To avoid the approval prompts complete Step 2 through Step 9 in these instructions to create an FQDN for the access point However if you do not want to create an FQDN skip to Step 10 System Software Displays the version number of the firmware that t...

Page 38: ...create an FQDN and enable HTTPS Step 1 If your browser uses popup blocking software disable the popup blocking feature Step 2 Browse to the Express Setup page Figure 2 2 shows the Express Setup page Figure 2 2 Express Setup Page Step 3 Enter a name for the access point in the System Name field and click Apply Step 4 Browse to the Services DNS page Figure 2 3 shows the Services DNS page ...

Page 39: ...n name is cisco com Step 7 Enter at least one IP address for your DNS server in the Name Server IP Addresses entry fields Step 8 Click Apply The access point s FQDN is a combination of the system name and the domain name For example if your system name is ap1100 and your domain name is company com the FQDN is ap1100 company com Step 9 Enter the FQDN on your DNS server Tip If you do not have a DNS ...

Page 40: ...heck box and click Apply Step 12 Enter a domain name and click Apply Note Although you can enable both standard HTTP and HTTPS Cisco recommends that you enable one or the other A warning window appears stating that you will use HTTPS to browse to the access point The window also instructs you to change the URL that you use to browse to the access point from http to https Figure 2 5 shows the warni...

Page 41: ...icate is valid but is not from a known source However you can accept the certificate with confidence because the site in question is your own access point Figure 2 6 shows the certificate warning window Figure 2 6 Certificate Warning Window Step 15 Click View Certificate to accept the certificate before proceeding To proceed without accepting the certificate click Yes and skip to Step 24 in these ...

Page 42: ...209 01 Chapter 2 Using the Web Browser Interface Enabling HTTPS for Secure Browsing Figure 2 7 Certificate Window Step 16 On the Certificate window click Install Certificate The Microsoft Windows Certificate Import Wizard appears Figure 2 8 shows the Certificate Import Wizard window ...

Page 43: ...k Next The next window asks where you want to store the certificate Cisco recommends that you use the default storage area on your system Figure 2 9 shows the window that asks about the certificate storage area Figure 2 9 Certificate Storage Area Window Step 18 Click Next to accept the default storage area A window appears that states that you successfully imported the certificate Figure 2 10 show...

Page 44: ...TPS for Secure Browsing Figure 2 10 Certificate Completion Window Step 19 Click Finish Windows displays a final security warning Figure 2 11 shows the security warning Figure 2 11 Certificate Security Warning Step 20 Click Yes Windows displays another window stating that the installation is successful Figure 2 12 shows the completion window ...

Page 45: ...p name server 10 91 107 18 AP config ip http secure server AP config end In this example the access point system name is ap1100 the domain name is company com and the IP address of the DNS server is 10 91 107 18 For complete descriptions of the commands used in this example consult the Cisco IOS Commands Master List Release 12 3 Click this link to browse to the master list of commands http www cis...

Page 46: ...s from the Software Center on Cisco com Click this link to go to the Cisco Software Center home page http www cisco com cisco software navigator html Select the help files that match the software version on your access point Step 2 Unzip the help files on your network in a directory accessible to your access point When you unzip the help files the HTML help pages are stored in a folder named accor...

Page 47: ...rowser Interface To prevent all use of the web browser interface select the Disable Web Based Management check box on the Services HTTP Web Server page and click Apply To re enable the web browser interface enter this global configuration command on the access point CLI ap config ip http server Table 2 2 Example Help Root URL and Help Location Files Unzipped at This Location Default Help Root URL ...

Page 48: ...2 16 Cisco IOS Software Configuration Guide for Cisco Aironet Access Points OL 14209 01 Chapter 2 Using the Web Browser Interface Disabling the Web Browser Interface ...

Page 49: ...that you can use to configure the wireless device It contains these sections Cisco IOS Command Modes page 3 2 Getting Help page 3 3 Abbreviating Commands page 3 3 Using no and default Forms of Commands page 3 4 Understanding CLI Messages page 3 4 Using Command History page 3 4 Using Editing Features page 3 6 Searching and Filtering Output of show and more Commands page 3 8 Accessing the CLI page 3...

Page 50: ... wireless device reboots To access the various configuration modes you must start at global configuration mode From global configuration mode you can enter interface configuration mode and line configuration mode Table 3 1 describes the main command modes how to access each one the prompt you see in that mode and how to exit the mode The examples in the table use the host name ap Table 3 1 Command...

Page 51: ...he show configuration privileged EXEC command ap show conf Table 3 2 Help Summary Command Purpose help Obtains a brief description of the help system in any command mode abbreviated command entry Obtains a list of commands that begin with a particular character string For example ap di dir disable disconnect abbreviated command entry Tab Completes a partial command name For example ap sh conf tab ...

Page 52: ...ing Command History The CLI provides a history or record of commands that you have entered This feature is particularly useful for recalling long or complex commands or entries including access lists You can customize the command history feature to suit your needs as described in these sections Changing the Command History Buffer Size page 3 5 Recalling Commands page 3 5 Disabling the Command Hist...

Page 53: ...ling the Command History Feature The command history feature is automatically enabled To disable the feature during the current terminal session enter the terminal no history privileged EXEC command To disable command history for the line enter the no history line configuration command Table 3 4 Recalling Commands Action1 1 The arrow keys function only on ANSI compatible terminals such as VT100s R...

Page 54: ...onfiguration mode ap config line no editing Editing Commands Through Keystrokes Table 3 5 shows the keystrokes that you need to edit command lines Table 3 5 Editing Commands Through Keystrokes Capability Keystroke1 Purpose Move around the command line to make changes or corrections Ctrl B or the left arrow key Move the cursor back one character Ctrl F or the right arrow key Move the cursor forward...

Page 55: ...and line Ctrl U or Ctrl X Delete all characters from the cursor to the beginning of the command line Ctrl W Delete the word to the left of the cursor Esc D Delete from the cursor to the end of the word Capitalize or lowercase words or capitalize a set of letters Esc C Capitalize at the cursor Esc L Change the word at the cursor to lowercase Esc U Capitalize letters from the cursor to the end of th...

Page 56: ... you have a terminal screen that is 80 columns wide If you have a width other than that use the terminal width privileged EXEC command to set the width of your terminal Use line wrapping with the command history feature to recall and modify previous complex command entries For information about recalling previous command entries see the Editing Commands Through Keystrokes section on page 3 6 Searc...

Page 57: ...n the Host Name field type the wireless device s IP address and click Connect Step 4 At the username and password prompts enter your administrator username and password The default username is Cisco and the default password is Cisco The default enable password is also Cisco Usernames and passwords are case sensitive Opening the CLI with Secure Shell Secure Shell Protocol is a protocol that provide...

Page 58: ...3 10 Cisco IOS Software Configuration Guide for Cisco Aironet Access Points OL 14209 01 Chapter 3 Using the Command Line Interface Accessing the CLI ...

Page 59: ...ation This chapter contains these sections Before You Start page 4 2 Obtaining and Assigning an IP Address page 4 4 Connecting to the 1100 Series Access Point Locally page 4 5 Connecting to the 1130 Series Access Point Locally page 4 6 Connecting to the 1200 1230 1240 and 1250 Series Access Points Locally page 4 6 Connecting to the 1300 Series Access Point Bridge Locally page 4 7 Default Radio Set...

Page 60: ...reset the access point to factory default settings Resetting to Default Settings Using the MODE Button Follow these steps to reset the access point to factory default settings using the access point MODE button Step 1 Disconnect power the power jack for external power or the Ethernet cable for in line power from the access point Step 2 Press and hold the MODE button while you reconnect power to th...

Page 61: ...all NVRAM files including the startup configuration Note The erase nvram command does not erase a static IP address Step 2 Follow the step below to erase a static IP address and subnet mask Otherwise go to step 3 a Enter write default config Step 3 Enter Y when the following CLI message displays Erasing the nvram filesystem will remove all configuration files Continue confirm Step 4 Enter reload w...

Page 62: ...nts Locally section on page 4 6 to connect to the console port Provide your network administrator with the wireless device s Media Access Control MAC address Your network administrator will query the DHCP server using the MAC address to identify the IP address The access point s MAC address is on label attached to the bottom of the access point Default IP Address Behavior When you connect a 1130AG...

Page 63: ... after five minutes the unit has not been reconfigured it discards the 10 0 0 1 address and reverts to requesting an address from the DHCP server If it does not receive an address it sends requests indefinitely If you miss the five minute window for browsing to the access point at 10 0 0 1 you can power cycle the access point to repeat the process Follow these steps to connect to the access point ...

Page 64: ...the user exec mode entering en prompts you for a password then takes you to the privileged exec mode The default password is Cisco and is case sensitive I Connecting to the 1200 1230 1240 and 1250 Series Access Points Locally If you need to configure the access point locally without connecting the access point to a wired LAN you can connect a PC to its console port using a DB 9 to RJ 45 serial cab...

Page 65: ...ough cable Note Communication takes place between the power injector and the access point bridge using Ethernet Port 0 Do not attempt to change any of the Ethernet Port 0 settings Step 3 Connect the power injector to the access point bridge using dual coaxial cables Step 4 Connect the power injector power cable and power up the access point bridge Step 5 Follow the steps in the Assigning Basic Set...

Page 66: ...is fully compatible with Microsoft Internet Explorer version 6 0 on Windows 98 2000 XP platforms and with Netscape version 7 0 on Windows 98 2000 XP and Solaris platforms Step 2 Enter the wireless device s IP address in the browser address line and press Enter An Enter Network Password screen appears Step 3 Press Tab to bypass the Username field and advance to the Password field Step 4 Enter the c...

Page 67: ...t for the First Time Assigning Basic Settings Step 5 Click Express Setup The Express Setup screen appears Figure 4 2 and Figure 4 3 shows the Express Setup page for the 1100 series access points Your pages may differ depending on the access point model you are using Figure 4 2 Express Setup Page for 1100 Series Access Points ...

Page 68: ...iguring the Access Point for the First Time Assigning Basic Settings Figure 4 3 Express Setup Page for 1130 1200 and 1240 Series Access Points Note Figure 4 3 shows the Express Setup page for an 1130 series access point The 1200 series is similar but does not support the universal workgroup bridge role ...

Page 69: ...oftware Configuration Guide for Cisco Aironet Access Points OL 14209 01 Chapter 4 Configuring the Access Point for the First Time Assigning Basic Settings Figure 4 4 Express Setup Page for the 1250 Series Access Point ...

Page 70: ...r up to 32 characters for the system name However when the wireless device identifies itself to client devices it uses only the first 15 characters in the system name If it is important for client users to distinguish between wireless devices make sure a unique portion of the system name appears in the first 15 characters Note When you change the system name the wireless device resets the radios c...

Page 71: ...rom the clients to the wireless LAN This setting can be applied to any access point Repeater A non root device accepts associations from clients and bridges wireless traffic from the clients to root access point connected to the wireless LAN This setting can be applied to any access point Root Bridge Establishes a link with a non root bridge In this mode the device also accepts associations from c...

Page 72: ...Network Interfaces to browse to the Network Interfaces Summary page Step 9 Click the radio interface to browse to the Network Interfaces Radio Status page Step 10 Click the Settings tab to browse to the Settings page for the radio interface Step 11 Click Enable to enable the radio Step 12 Click Apply Your wireless device is now running but probably requires additional configuring to conform to you...

Page 73: ... default if DHCP is disabled the default setting is 255 255 255 224 Default Gateway Assigned by DHCP by default if DHCP is disabled the default setting is 0 0 0 0 SNMP Community defaultCommunity Read only Role in Radio Network for each radio installed Access point Optimize Radio Network for Throughput Aironet Extensions Enable Table 4 1 Default Settings on the Express Setup Page continued Setting ...

Page 74: ...eless device you must configure security settings to prevent unauthorized access to your network Because it is a radio device the wireless device can communicate beyond the physical boundaries of your worksite Just as you use the Express Setup page to assign basic settings you can use the Express Security page to create unique SSIDs and assign one of four security types to them Figure 4 6 shows a ...

Page 75: ...L 14209 01 Chapter 4 Configuring the Access Point for the First Time Configuring Basic Security Settings The Express Security page helps you configure basic security settings You can use the web browser interface s main Security pages to configure more advanced security settings ...

Page 76: ...colon The following characters are invalid and cannot be used in an SSID Plus sign Right bracket Front slash Quotation mark Tab Trailing spaces Using VLANs If you use VLANs on your wireless LAN and assign SSIDs to VLANs you can create multiple SSIDs using any of the four security settings on the Express Security page However if you do not use VLANs on your wireless LAN the security options that yo...

Page 77: ...pace and assign it to a VLAN that restricts access to your network None Static WEP Key This option is more secure than no security However static WEP keys are vulnerable to attack If you configure this setting you should consider limiting association to the wireless device based on MAC address see the Using MAC Address ACLs to Block or Allow Client Association to the Access Point on page 16 6 or i...

Page 78: ...he CLI this warning message appears SSID CONFIG WARNING SSID If radio clients are using EAP FAST AUTH OPEN with EAP should also be configured WPA Wi Fi Protected Access WPA permits wireless access to users authenticated against a database through the services of an authentication server then encrypts their IP traffic with stronger algorithms than those used in WEP This setting uses encryption ciph...

Page 79: ...tion and EAP authentication To configure combinations of authentication types use the Security SSID Manager page Using the Express Security Page Follow these steps to create an SSID using the Express Security page Step 1 Type the SSID in the SSID entry field The SSID can contain up to 32 alphanumeric characters Step 2 To broadcast the SSID in the wireless device beacon check the Broadcast SSID in ...

Page 80: ...ty_ssid including the SSID in the beacon assigning it to VLAN 10 and selecting VLAN 10 as the native VLAN dot11 ssid no_security_ssid authentication open vlan 10 interface Dot11Radio0 1 10 encapsulation dot1Q 10 native no ip route cache bridge group 1 bridge group 1 subscriber loop control bridge group 1 block unknown source no bridge group 1 source learning no bridge group 1 unicast flooding brid...

Page 81: ...group 1 block unknown source no bridge group 1 source learning no bridge group 1 unicast flooding bridge group 1 spanning disabled ssid statuc_wep_ssid interface Dot11Radio0 1 20 encapsulation dot1Q 20 no ip route cache bridge group 20 bridge group 20 subscriber loop control bridge group 20 block unknown source no bridge group 20 source learning no bridge group 20 unicast flooding bridge group 20 ...

Page 82: ... EAP should also be configured dot11 ssid eap_ssid vlan 30 authentication open eap eap_methods authentication network eap eap_methods interface Dot11Radio0 1 no ip address no ip route cache encryption vlan 30 mode wep mandatory ssid eap_ssid speed basic 1 0 basic 2 0 basic 5 5 basic 11 0 rts threshold 2312 station role root bridge group 1 bridge group 1 subscriber loop control bridge group 1 block...

Page 83: ...idge group 1 spanning disabled interface FastEthernet0 30 mtu 1500 encapsulation dot1Q 30 no ip route cache bridge group 30 no bridge group 30 source learning bridge group 30 spanning disabled interface BVI1 ip address 10 91 104 91 255 255 255 192 no ip route cache ip http server ip http help path http www cisco com warp public 779 smbiz prodconfig help eag ivory 1100 ip radius source interface BV...

Page 84: ... rad_pmip aaa accounting network acct_methods start stop group rad_acct aaa session id common bridge irb interface Dot11Radio0 1 no ip address no ip route cache encryption vlan 40 mode ciphers tkip ssid wpa_ssid speed basic 1 0 basic 2 0 basic 5 5 basic 11 0 rts threshold 2312 station role root bridge group 1 bridge group 1 subscriber loop control bridge group 1 block unknown source no bridge grou...

Page 85: ...tem Software System Configuration page on the web browser interface to select a power option Figure 4 7 shows the System Power Settings section of the System Configuration page Figure 4 7 Power Options on the System Software System Configuration Page Using the AC Power Adapter If you use the AC power adapter to provide power to the 1130 or 1240 access point you do not need to adjust the access poi...

Page 86: ... wireless device s Ethernet and radio ports the network uses the BVI When you assign an IP address to the wireless device using the CLI you must assign the address to the BVI Beginning in privileged EXEC mode follow these steps to assign an IP address to the wireless device s BVI Using a Telnet Session to Access the CLI Follow these steps to access the CLI by using a Telnet session These steps are...

Page 87: ...sider Second when a repeater access point is incorporated into a wireless network the repeater access point must authenticate to the root access point in the same way as a client does Note The 802 1X supplicant is available on 1130AG 1240AG 1250 and 1300 series access points It is not available on 1100 and 1200 series access points The supplicant is configured in two phases Create and configure a ...

Page 88: ...steps to apply the credentials to the access point s wired port Step 6 password 0 7 LINE Enter an unencrypted password for the credentials 0 An unencrypted password will follow 7 A hidden password will follow Hidden passwords are used when applying a previously saved configuration LINE An unencrypted clear text password Note Unencrypted and clear text are the same You can enter a 0 followed by the...

Page 89: ... to an SSID used for the uplink The following example applys the credentials profile test to the ssid testap1 on a repeater access point repeater ap enable Password xxxxxxx repeater ap config terminal Enter configuration commands one per line End with CTRL Z repeater ap config if dot11 ssid testap1 repeater ap config ssid dot1x credentials test repeater ap config ssid end repeater ap config Step 4...

Page 90: ...g the Access Point for the First Time Configuring the 802 1X Supplicant Creating and Applying EAP Method Profiles You can optionally configure an EAP method list to enable the supplicant to recognize a particular EAP method See Creating and Applying EAP Method Profiles for the 802 1X Supplicant on page 11 17 ...

Page 91: ...and Duplex Settings page 5 18 Configuring the Access Point for Wireless Network Management page 5 18 Configuring the Access Point for Local Authentication and Authorization page 5 19 Configuring the Authentication Cache and Profile page 5 20 Configuring the Access Point to Provide DHCP Service page 5 22 Configuring the Access Point for Secure Shell page 5 25 Configuring Client ARP Caching page 5 2...

Page 92: ... to disable the access point s mode button You can check the status of the mode button by executing the show boot or show boot mode button commands in the privileged EXEC mode The status does not appear in the running configuration The following shows a typical response to the show boot and show boot mode button commands ap show boot BOOT path list flash c1200 k9w7 mx v123_7_ja 20050430 c1200 k9w7...

Page 93: ...username is Cisco and the default password is Cisco Usernames and passwords are case sensitive Note Characters TAB and are invalid characters for passwords Username and password pairs stored centrally in a database on a security server For more information see the Controlling Access Point Access with RADIUS section on page 5 9 Protecting Access to Privileged EXEC Commands A simple way of providing...

Page 94: ...evel The password is encrypted in the configuration file Enable secret password and privilege level The default enable password is Cisco The default is level 15 privileged EXEC level The password is encrypted before it is written to the configuration file Line password Default password is Cisco The password is encrypted in the configuration file Command Purpose Step 1 configure terminal Enter glob...

Page 95: ...d to l1u2c3k4y5 The password is not encrypted and provides access to level 15 traditional privileged EXEC mode access AP config enable password l1u2c3k4y5 Step 3 end Return to privileged EXEC mode Step 4 show running config Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file The enable password is not encrypted and can be read in the w...

Page 96: ...type encrypted password or enable secret level level password encryption type encrypted password Define a new password or change an existing password for access to privileged EXEC mode or Define a secret password which is saved using a nonreversible encryption method Optional For level the range is from 0 to 15 Level 1 is normal user EXEC mode privileges The default level is 15 privileged EXEC mod...

Page 97: ...he wireless device These pairs are assigned to lines or interfaces and authenticate each user before that user can access the wireless device If you have defined privilege levels you can also assign a specific privilege level with associated rights and privileges to each username and password pair Beginning in privileged EXEC mode follow these steps to establish a username based authentication sys...

Page 98: ...ommands For example if you want many users to have access to the clear line command you can assign it level 2 security and distribute the level 2 password fairly widely But if you want more restricted access to the configure command you can assign it level 3 security and distribute that password to a more restricted group of users This section includes this configuration information Setting the Pr...

Page 99: ...Access Point Access with RADIUS This section describes how to control administrator access to the wireless device using Remote Authentication Dial In User Service RADIUS For complete instructions on configuring the wireless device to support RADIUS see Chapter 13 Configuring RADIUS and TACACS Servers Step 3 enable password level level password Specify the enable password for the privilege level Fo...

Page 100: ...y that list to various interfaces The method list defines the types of authentication to be performed and the sequence in which they are performed it must be applied to a specific interface before any of the defined authentication methods are performed The only exception is the default method list which by coincidence is named default The default method list is automatically applied to all interfa...

Page 101: ...thod1 specify the actual method the authentication algorithm tries The additional methods of authentication are used only if the previous method returns an error not if it fails Select one of these methods local Use the local username database for authentication You must enter username information in the database Use the username password global configuration command radius Use RADIUS authenticati...

Page 102: ...the combination of the IP address and UDP port number allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service If you configure two different host entries on the same RADIUS server for the same service such as accounting the second configured host entry acts as a fail over backup to the first one You use the server group server configuration command to a...

Page 103: ...yption key used between the wireless device and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key as the last item in the radius server host command Leading spaces are ignored but spaces within and at the end of the key are used If you use spaces in your key do not enclose the key in qu...

Page 104: ...ces AAA authorization limits the services available to a user When AAA authorization is enabled the wireless device uses information retrieved from the user s profile which is in the local user database or on the security server to configure the user s session The user is granted access to a requested service only if the information in the user profile allows it You can use the aaa authorization g...

Page 105: ...syntax and usage information for the commands used in this section refer to the Cisco IOS Security Command Reference for Release 12 3 These sections describe TACACS configuration Default TACACS Configuration page 5 15 Configuring TACACS Login Authentication page 5 15 Configuring TACACS Authorization for Privileged EXEC Access and Network Services page 5 17 Displaying the TACACS Configuration page ...

Page 106: ...terminal Enter global configuration mode Step 2 aaa new model Enable AAA Step 3 aaa authentication login default list name method1 method2 Create a login authentication method list To create a default list that is used when a named list is not specified in the login authentication command use the default keyword followed by the methods that are to be used in default situations The default method l...

Page 107: ...mode The aaa authorization exec tacacs local command sets these authorization parameters Use TACACS for privileged EXEC access authorization if authentication was performed by using TACACS Use the local database if authentication was not performed by using TACACS Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured Beginning in...

Page 108: ...rt to which the wireless device is connected change the settings on the wireless device Ethernet port to match The Ethernet speed and duplex are set to auto by default Beginning in privileged EXEC mode follow these steps to configure Ethernet speed and duplex Configuring the Access Point for Wireless Network Management You can enable the wireless device for wireless network management The wireless...

Page 109: ...tabase The default keyword applies the local user database authentication to all interfaces Step 4 aaa authorization exec local Configure user AAA authorization to determine if the user is allowed to run an EXEC shell by checking the local database Step 5 aaa authorization network local Configure user AAA authorization for all network related service requests Step 6 username name privilege level p...

Page 110: ...ofile Note See the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges 12 3 7 JA for information about these commands The following is a configuration example from an access point configured for Admin authentication using TACACS with the auth cache enabled While this example is based on a TACACS server the access point could be configured for Admin authentication using RADIUS v...

Page 111: ...ssion id common bridge irb interface Dot11Radio0 no ip address no ip route cache shutdown speed basic 1 0 basic 2 0 basic 5 5 6 0 9 0 basic 11 0 12 0 18 0 24 0 36 0 48 0 54 0 station role root bridge group 1 bridge group 1 subscriber loop control bridge group 1 block unknown source no bridge group 1 source learning no bridge group 1 unicast flooding bridge group 1 spanning disabled interface Dot11...

Page 112: ...rovide DHCP Service These sections describe how to configure the wireless device to act as a DHCP server Setting up the DHCP Server page 5 22 Monitoring and Maintaining the DHCP Server Access Point page 5 24 Setting up the DHCP Server By default access points are configured to receive IP settings from a DHCP server on your network You can also configure an access point to act as a DHCP server to a...

Page 113: ...ol subnet are available for assigning to DHCP clients You must specify the IP addresses that the DHCP Server should not assign to clients Optional To enter a range of excluded addresses enter the address at the low end of the range followed by the address at the high end of the range Step 3 ip dhcp pool pool_name Create a name for the pool of IP addresses that the wireless device assigns in respon...

Page 114: ...ig end Monitoring and Maintaining the DHCP Server Access Point These sections describe commands you can use to monitor and maintain the DHCP server access point Show Commands page 5 24 Clear Commands page 5 25 Debug Command page 5 25 Show Commands In Exec mode enter the commands in Table 5 2 to display information about the wireless device as DHCP server Table 5 2 Show Commands for DHCP Server Com...

Page 115: ...version number the access point defaults to version 2 SSH provides more security for remote connections than Telnet by providing strong encryption when a device is authenticated The SSH feature has an SSH server and an SSH integrated client The client supports these user authentication methods RADIUS for more information see the Controlling Access Point Access with RADIUS section on page 5 9 Local...

Page 116: ...N by stopping ARP requests for client devices at the wireless device Instead of forwarding ARP requests to client devices the wireless device responds to requests on behalf of associated client devices When ARP caching is disabled the wireless device forwards all ARP requests through the radio port to associated clients and the client to which the ARP request is directed responds When ARP caching ...

Page 117: ... for Release 12 3 This section contains this configuration information Understanding Simple Network Time Protocol page 5 27 Configuring SNTP page 5 28 Configuring Time and Date Manually page 5 28 Understanding Simple Network Time Protocol Simple Network Time Protocol SNTP is a simplified client only version of NTP SNTP can only receive the time from NTP servers it cannot be used to provide time se...

Page 118: ...espond to the SNTP messages from the access point If you enter both the sntp server command and the sntp broadcast client command the access point will accept time from a broadcast server but prefers time from a configured server assuming the strata are equal To display information about SNTP use the show sntp EXEC command Configuring Time and Date Manually If no other source of time is available ...

Page 119: ...til the clock is authoritative and the authoritative flag is set the flag prevents peers from synchronizing to the clock when the peers time is invalid The symbol that precedes the show clock display has this meaning Time is not authoritative blank Time is authoritative Time is authoritative but NTP is not synchronized Configuring the Time Zone Beginning in privileged EXEC mode follow these steps ...

Page 120: ...s and when the time is manually set For zone enter the name of the time zone to be displayed when standard time is in effect The default is UTC For hours offset enter the hours offset from UTC Optional For minutes offset enter the minutes offset from UTC Step 3 end Return to privileged EXEC mode Step 4 show running config Verify your entries Step 5 copy running config startup config Optional Save ...

Page 121: ... the ending month the system assumes that you are in the southern hemisphere To disable summer time use the no clock summer time global configuration command This example shows how to set summer time to start on October 12 2000 at 02 00 and end on April 26 2001 at 02 00 AP config clock summer time pdt date 12 October 2000 2 00 26 April 2001 2 00 Step 4 show running config Verify your entries Step ...

Page 122: ...he system name and prompt are ap If you have not configured a system prompt the first 20 characters of the system name are used as the system prompt A greater than symbol is appended The prompt is updated whenever the system name changes unless you manually configure the prompt by using the prompt global configuration command Note For complete syntax and usage information for the commands used in ...

Page 123: ...has defined the concept of a domain name server which holds a cache or database of names mapped to IP addresses To map domain names to IP addresses you must first identify the host names specify the name server that is present on your network and enable the DNS This section contains this configuration information Default DNS Configuration page 5 33 Setting Up DNS page 5 34 Displaying the DNS Confi...

Page 124: ...st names names without a dotted decimal domain name Do not include the initial period that separates an unqualified name from the domain name At boot time no domain name is configured however if the wireless device configuration comes from a BOOTP or Dynamic Host Configuration Protocol DHCP server then the default domain name might be set by the BOOTP or DHCP server if the servers were configured ...

Page 125: ...r You can configure a message of the day MOTD and a login banner The MOTD banner appears on all connected terminals at login and is useful for sending messages that affect all network users such as impending system shutdowns The login banner also appears on all connected terminals It appears after the MOTD banner and before the login prompts Note For complete syntax and usage information for the c...

Page 126: ...on Unix telnet 172 2 5 4 Trying 172 2 5 4 Connected to 172 2 5 4 Escape character is This is a secure site Only authorized users are allowed For access contact technical support User Access Verification Password Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 banner motd c message c Specify the message of the day For c enter the delimiting character of your choice ...

Page 127: ...can communicate with wireless LAN controllers on your network For more information about using the upgrade utility go to the following URL http cisco images cisco com en US docs wireless access_point conversion lwapp upgrade guide lwap note html Migrating to Japan W52 Domain This utility is used to migrate 802 11a radios from the J52 to W52 domains The utility operates on the 1130 1200 with RM20 R...

Page 128: ...encies the U domain allows W52 frequencies WARNING This migration is permanent and is not reversible as required by law WARNING Once migrated the 802 11A radios will not operate with previous OS versions WARNING All migrated APs will reboot WARNING All migrated APs must be promptly reported to the manufacturer This AP is eligible for migration ap AIR AP1242AG A K9 0013 5f0e d1e0 J Regulatory Domai...

Page 129: ...ode disabled Local Rx sensitivity Config 127 Max 57 Min 17 Active 0 dBm CCA Sensitivity 64 dBm Cell Rx sensitivity 80 dBm CCA Sensitivity 60 dBm Tx Power 127 dBm Current Power 17 dBm Allowed Power Levels 1 2 5 8 11 14 15 17 Allowed Client Power Levels 2 5 8 11 14 15 17 Current Rates basic 6 0 9 0 basic 12 0 18 0 basic 24 0 36 0 48 0 54 0 Active Rates Allowed Rates 6 0 9 0 12 0 18 0 24 0 36 0 48 0 ...

Page 130: ...e configured rate The following configuration shows how to define a traffic class using the class map command and associate the criteria from the traffic class with the traffic policing configuration which is configured in the service policy using the policy map command In this example traffic policing is configured with an average rate of 8000 bits per second and a normal burst size of 1000 bytes...

Page 131: ...ode page 6 22 Disabling and Enabling Short Radio Preambles page 6 23 Configuring Transmit and Receive Antennas page 6 24 Enabling and Disabling Gratuitous Probe Response page 6 25 Disabling and Enabling Aironet Extensions page 6 26 Configuring the Ethernet Encapsulation Transformation Method page 6 27 Enabling and Disabling Reliable Multicast to Workgroup Bridges page 6 28 Enabling and Disabling P...

Page 132: ...2 alphanumeric characters SSIDs are case sensitive Step 3 interface dot11radio 0 1slot port Enter interface configuration mode for the radio interface The 2 4 GHz and the 802 11n 2 4 GHz radio is radio 0 The 5 GHz and the 802 11n 5 GHz radio is radio 1 Step 4 ssid ssid Assign the SSID you created in Step 2 to the appropriate radio interface Step 5 no shutdown Enable the radio port Step 6 end Retur...

Page 133: ...ociates all client devices Beginning in privileged EXEC mode follow these steps to set the wireless device s radio network role and fallback role Universal workgroup bridge1 X X X X Scanner X X X X X X 1 When configuring a universal workgroup bridge using AES CCM TKIP the non root device should use only TKIP or AES CCM TKIP as ciphers in order to associate to the root device The non root device wi...

Page 134: ...is configured as a repeater Only one radio per access point may be configured as a workgroup bridge or repeater The dot11radio 0 1 antenna alignment command is available when the access point is configured as a repeater A workgroup bridge can have a maximum of 254 clients presuming that no other wireless clients are associated to the root bridge or access point A universal workgroup bridge configu...

Page 135: ...e The universal workgroup bridge role supports only one wired client You can enable a recovery mechanism and make the workgroup bridge manageable again by disabling the Ethernet client causing the universal workgroup bridge to associate with an access point using its own BVI address A roaming keyword has been added to the world mode command to support an airline flying between different countries ...

Page 136: ... 1 enter the following command station role root access point fallback track d1 shutdown Fast Ethernet Tracking You can configure the access point for fallback when its Ethernet port is disabled or disconnected from the wired LAN You configure the access point for fast Ethernet tracking as described in the Configuring the Role in Radio Network section on page 6 2 Note Fast Ethernet tracking does n...

Page 137: ...this rate Note At least one data rate must be set to basic You can use the Data Rate settings to set an access point to serve client devices operating at specific data rates For example to set the 2 4 GHz radio for 11 megabits per second Mbps service only set the 11 Mbps rate to Basic and set the other data rates to Disabled To set the wireless device to serve only client devices operating at 1 an...

Page 138: ...oblems Access points running LWAPP or autonomous IOS should transmit multicast and management frames at the lowest configured basic rate This is necessary in order to provide for good coverage at the cell s edge especially for unacknowledged multicast transmissions where multicast wireless transmissions may fail to be received Since multicast frames are not retransmitted at the MAC layer stations ...

Page 139: ... Enter basic 1 0 basic 2 0 basic 5 5 and basic 11 0 to set these data rates to basic on the 802 11b 2 4 GHz radio Enter basic 1 0 basic 2 0 basic 5 5 basic 6 0 basic 9 0 basic 11 0 basic 12 0 basic 18 0 basic 24 0 basic 36 0 basic 48 0 and basic 54 0 to set these data rates to basic on the 802 11g 2 4 GHz radio Note The client must support the basic rate that you select or it cannot associate to t...

Page 140: ... 7 MCS is an important setting because it provides for potentially greater throughput High throughput data rates are a function of MCS bandwidth and guard interval 802 11 a b and g radios use 20 MHz channel widths Table 6 2 shows potential data rased based on MCS guard interval and channel width speed contined On the 802 11n 2 4 GHz radio the default option sets rates 1 0 2 0 5 5 and 11 0 to enabl...

Page 141: ... available at cisco com Follow these steps to view and download them Step 1 Browse to http www cisco com Step 2 Click Technical Support Documentation A small window appears containing a list of technical support links Step 3 Click Technical Support Documentation The Technical Support and Documentation page appears Step 4 In the Documentation Tools section choose Wireless The Wireless Support Resou...

Page 142: ... Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface dot11radio 0 1slot port Enter interface configuration mode for the radio interface The 2 4 GHz radio is radio 0 and the 5 GHz radio is radio 1 The 2 4 GHz 802 11n radio is 0 and the 5 GHz 802 11n radio is 1 Step 3 power local These options are available for the 802 11b 2 4 GHz radio in mW 1 5 20 30 50 100 m...

Page 143: ...aximum power local ofdm settings 1 2 5 8 11 14 17 maximum Set the transmit power for the 802 11g 2 4 GHz radio to one of the power levels allowed in your regulatory domain Settings are in dBm On the 2 4 GHz 802 11g radio you can set Orthogonal Frequency Division Multiplexing OFDM power levels and Complementary Code Keying CCK power levels CCK modulation is supported by 802 11b and 802 11g devices ...

Page 144: ...our domain Step 3 power client These options are available for 802 11b 2 4 GHz clients in mW 1 5 20 30 50 100 maximum These options are available for 802 11g 2 4 GHz clients in mW 1 5 10 20 30 50 100 maximum These options are available for 5 GHz clients in mW 5 10 20 40 maximum If your access point contains an AIR RM21A 5 GHz radio module these power options are available for 5 GHz clients in dBm ...

Page 145: ...p to 27 channels from 5170 to 5850 MHz depending on regulatory domain Each channel covers 20 MHz and the bandwidth for the channels overlaps slightly For best performance use channels that are not adjacent 44 and 46 for example for radios that are close to each other Note Too many access points in the same vicinity creates radio congestion that can reduce throughput A careful site survey can deter...

Page 146: ...pating in WDS sends a DFS notification to the active WDS device that it is leaving the frequency Randomly selects a different 5 GHz channel Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface dot11radio 0 1slot port Enter interface configuration mode for the radio interface The 2 4 GHz radioand the 802 11n 2 4 GHz is radio 0 The 5 GHz radio and the 802 11n 5 ...

Page 147: ...an for the presence of radar signals on the channel The following sample messages are displayed on the access point console showing the beginning and end of the CAC scan Mar 6 07 37 30 423 DOT11 6 DFS_SCAN_START DFS Scanning frequency 5500 MHz for 60 seconds Mar 6 07 37 30 385 DOT11 6 DFS_SCAN_COMPLETE DFS scan complete on frequency 5500 MHz When operating on any of the DFS channels listed in Tabl...

Page 148: ... occupancy period due to radar detection This example shows a line from the output for the show controller command for a channel on which DFS is enabled The indications listed in the previous paragraph are shown in bold ap show controller dot11radio1 interface Dot11Radio1 Radio AIR RM1251A Base Address 011 9290ec0 BBlock version 0 00 Software version 6 00 0 Serial number FOCO83114WK Number of supp...

Page 149: ...Hz This group of frequencies is also known as the UNII 1 band 2 Specifies frequencies 5 250 to 5 350 GHz This group of frequencies is also known as the UNII 2 band 3 Specifies frequencies 5 470 to 5 725 GHz 4 Specifies frequencies 5 725 to 5 825 GHz This group of frequencies is also known as the UNII 3 band Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface ...

Page 150: ...n guard interval is the period in nanoseconds between packets Two settings are available short 400ns and long 800ns Beginning in privileged EXEC mode follow these steps to set the 802 11n guard interval Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface dot11radio 0 1 Enter interface configuration mode for the radio interface The 802 11n 2 4 GHz radio is rad...

Page 151: ... forwards the UDP packets to a location server The location server calculates the LBS tag s position based on the location information that it receives from the LBS enabled access points If your network has a WLSE the location server can query the WLSE for the status of LBS enabled access points Figure 6 2 shows the basic parts of an LBS enabled network Figure 6 2 Basic LBS Network Configuration T...

Page 152: ...r In this release rssi in which the access point measures the location packet s RSSI is the only option and is also the default Step 5 packet type short extended Optional Select the packet type that the access point accepts from the LBS tag short The access point accepts short location packets from the tag In short packets the LBS information is missing from the tag packet s frame body and the pac...

Page 153: ...e Cisco Aironet Wireless LAN Client Adapters support short preambles Early models of Cisco Aironet s Wireless LAN Adapter PC4800 and PC4800A require long preambles Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface dot11radio 0slot port 1 Enter interface configuration mode for the radio interface Step 3 world mode dot11d country_code code both indoor outdoor...

Page 154: ...and transmit If the device has three removable antennas you can use this setting to have all of them operate in diversity mode Right If the wireless device has removable antennas and you install a high gain antenna on the wireless device s right connector you should use this setting for both receive and transmit When you look at the wireless device s back panel the right antenna is on the right Mi...

Page 155: ...tep 1 configure terminal Enter global configuration mode Step 2 interface dot11radio 0 1slot port Enter interface configuration mode for the radio interface The 2 4 GHz radio is radio 0 and the 5 GHz radio is radio 1 The 802 11n 2 4 GHz radio is radio 0 The 802 11n 5 GHz radio is radio 1 Step 3 gain dB Specifies the resultant gain of the antenna attached to the device Enter a value from 128 to 128...

Page 156: ...grity Protocol CKIP Cisco s WEP key permutation technique based on an early algorithm presented by the IEEE 802 11i security task group The standards based algorithm TKIP does not require Aironet extensions to be enabled Repeater mode Aironet extensions must be enabled on repeater access points and on the root access points to which they associate World mode legacy only Client devices with legacy ...

Page 157: ...rmation method Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface dot11radio 0 1slot port Enter interface configuration mode for the radio interface The 2 4 GHz radio is radio 0 and the 5 GHz radio is radio 1 The 802 11n 2 4 GHz radio is radio 0 The 802 11n 5 GHz radio is radio 1 Step 3 no dot11 extension aironet Disable Aironet extensions Step 4 end Return ...

Page 158: ...e wireless device the wireless device must reduce the delivery reliability of multicast packets to workgroup bridges With reduced reliability the wireless device cannot confirm whether multicast packets reach the intended workgroup bridge so workgroup bridges at the edge of the wireless device s coverage area might lose IP connectivity When you treat workgroup bridges as client devices you increas...

Page 159: ...nds on the wireless device you use bridge groups You can find a detailed explanation of bridge groups and instructions for implementing them in this document Cisco IOS Bridging and IBM Networking Configuration Guide Release 12 2 Click this link to browse to the Configuring Transparent Bridging chapter http www cisco com univercd cc td doc product software ios122 122cgcr fibm_c bcfpart1 bcftb htm Y...

Page 160: ...he beacon contains a delivery traffic indication message DTIM The DTIM tells power save client devices that a packet is waiting for them For example if the beacon period is set at 100 its default setting and the data beacon rate is set at 2 its default setting then the wireless device sends a beacon containing a DTIM every 200 Kµsecs One Kµsec equals 1 024 microseconds The default beacon period is...

Page 161: ... and the default maximum RTS retries setting is 3264 Beginning in privileged EXEC mode follow these steps to configure the RTS threshold and maximum RTS retries Use the no form of the command to reset the RTS settings to defaults Step 4 beacon dtim period value Set the DTIM Enter a value in Kilomicroseconds Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Optiona...

Page 162: ... form of the command to reset the setting to defaults Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface dot11radio 0 1slot port Enter interface configuration mode for the radio interface The 2 4 GHz radio and the 2 4 GHz 802 11n radio is 0 The 5 GHz radio and the 5 GHz 802 11n radio is 1 Step 3 packet retries value Set the maximum data retries Enter a setti...

Page 163: ...evice drops all associations with wireless networking devices for 4 seconds while it conducts the carrier test and then displays the test results In privileged EXEC mode enter this command to perform a carrier busy test dot11 interface number carrier busy For interface number enter dot11radio 0 to run the test on the 2 4 GHz radio or enter dot11radio 1 to run the test on the 5 GHz radio Use the sh...

Page 164: ...d Reference for Cisco Aironet Access Points and Bridges Viewing VoWLAN Metrics VoWLAN metrics provide you with diagnostic information pertinent to VoIP performance This information helps you determine whether problems are being introduced by the WLAN or the wired network VoWLAN metrics are stored on WLSE Note The WLSE updates VoWLAN metrics every 90 seconds and stores metrics for up to 1 5 hours V...

Page 165: ... the Report Name drop down menu To view the current metrics from the access point choose AP Detail Current from the Report Name drop down menu The resulting report displays the metrics for each client connected to the access points To view an aggregate of the metrics recorded during the last hour choose AP Detail Last Hour from the Report Name drop down menu To view queuing delay graphs during the...

Page 166: ...OL 14209 01 Chapter 6 Configuring Radio Settings Viewing VoWLAN Metrics Figure 6 5 is an example of a voice queuing delay graph Figure 6 5 of Packets 40 ms Queuing Delay Figure 6 6 is an example of a graph showing voice streaming in progress Figure 6 6 Voice Streaming Progress ...

Page 167: ...ts for wireless clients follow these steps Step 1 Log in to a WLSE Step 2 Click the Reports tab Step 3 Click Wireless Clients Step 4 From the Report Name drop down menu choose the type of report to view For example to view the VoWLAN metrics for the last hour choose Voice Client Detail Last Hour Step 5 On the left hand side use the Search field to search for clients whose MAC addresses match a cer...

Page 168: ...low these steps Step 1 Log in to a WLSE Step 2 Click the Faults tab Step 3 Click Voice Summary For both fault types the screen lists the number of faults detected as shown in the example in Figure 6 8 Figure 6 8 Voice Fault Summary Configuring Voice QoS Settings You can use WLSE s Faults Voice QoS Settings screen to define the voice QoS thresholds for the following parameters Downstream Delay with...

Page 169: ...u in the Green column as shown in the example in Figure 6 9 Step 5 Click Apply when done Figure 6 9 Voice QoS Settings Configuring Voice Fault Settings You can use WLSE s Faults Manage Fault Settings screen to enable fault generation and specify the priority of the faults generated To configure fault settings follow these steps Step 1 Log in to a WLSE Step 2 Click the Faults tab Step 3 Click Manag...

Page 170: ...6 40 Cisco IOS Software Configuration Guide for Cisco Aironet Access Points OL 14209 01 Chapter 6 Configuring Radio Settings Viewing VoWLAN Metrics Figure 6 10 Fault Settings ...

Page 171: ...to configure and manage multiple service set identifiers SSIDs on the access point This chapter contains these sections Understanding Multiple SSIDs page 7 2 Configuring Multiple SSIDs page 7 4 Configuring Multiple Basic SSIDs page 7 8 Assigning IP Redirection for an SSID page 7 11 Including an SSID in an SSIDL IE page 7 13 NAC Support for MBSSID page 7 13 ...

Page 172: ...est SSID in its beacon If the guest mode is disabled the SSID will not be broadcast in the beacon messages If you do not want clients that do not have a preconfigured SSID to connect to the wireless network disable the guest SSID feature For information on how to configure guest mode SSID and disable Guest mode SSID see the Creating an SSID Globally section on page 7 4 If your access point will be...

Page 173: ...ions from Cisco IOS Release 12 3 7 JA load the saved configuration file after the downgrade Table 7 2 shows an example SSID configuration on an access point running Cisco IOS Release 12 2 15 JA and the configuration as it appears after upgrading to Cisco IOS Release 12 3 7 JA Note that the VLAN configuration under each interface is retained in the global SSID configuration Note SSIDs VLANs and enc...

Page 174: ...tion interface command to assign the SSID to a specific interface When an SSID has been created in global configuration mode the ssid configuration interface command attaches the SSID to the interface but does not enter ssid configuration mode However if the SSID has not been created in global configuration mode the ssid command puts the CLI into SSID configuration mode for the new SSID Note SSIDs...

Page 175: ... another A root access point only allows a repeater access point to associate using the infrastructure SSID A root bridge only allows a non root bridge to associate using the infrastructure SSID Repeater access points and non root bridges use this SSID to associate with root devices The access point and bridge GUI requires the configuration of infrastructure ssid for repeater and non root bridge r...

Page 176: ...batman AP config ssid accounting accounting method list AP config ssid max associations 15 AP config ssid vlan 3762 AP config ssid exit AP config interface dot11radio 0 AP config if ssid batman AP config if end Viewing SSIDs Configured Globally Use this command to view configuration details for SSIDs that are configured globally AP show running config ssid ssid string Using Spaces in SSIDs In Cisc...

Page 177: ... RADIUS server the client is allowed network access after completing all authentication requirements b If the access point does not find a match for the client in the allowed list of SSIDs the access point disassociates the client c If the RADIUS server does not return any SSIDs no list for the client then the administrator has not configured the list and the client is allowed to associate and att...

Page 178: ...meet these minimum requirements VLANs must be configured Access points must run Cisco IOS Release 12 3 4 JA or later Access points must contain an 802 11a or 802 11g radio that supports multiple BSSIDs To determine whether a radio supports multiple basic SSIDs enter the show controllers radio_interface command The radio supports multiple basic SSIDs if the results include this line Number of suppo...

Page 179: ...o which the SSID is assigned Step 4 Select the radio interfaces on which the SSID is enabled The SSID remains inactive until you enable it for a radio interface Step 5 Enter a Network ID for the SSID in the Network ID field Step 6 Assign authentication authenticated key management and accounting settings to the SSID in the Authentication Settings Authenticated Key Management and Accounting Setting...

Page 180: ...IM period count delays the delivery of multicast packets Because multicast packets are buffered large DTIM period counts can cause a buffer overflow Step 9 In the Guest Mode Infrastructure SSID Settings section select Multiple BSSID Step 10 Click Apply CLI Configuration Example This example shows the CLI commands that you use to enable multiple BSSIDs on a radio interface create an SSID called vis...

Page 181: ...y packets directed to specific TCP or UDP ports as defined in an access control list When you configure the access point to redirect only packets addressed to specific ports the access point redirects those packets from clients using the SSID and drops all other packets from clients using the SSID Note When you perform a ping test from the access point to a client device that is associated using a...

Page 182: ...ices associated to the SSID batman AP configure terminal AP config interface dot11radio 0 AP config if ssid batman AP config if ssid ip redirection host 10 91 104 91 AP config if ssid redirect end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface dot11radio 0 1 Enter interface configuration mode for the radio interface The 2 4 GHz radio and the 2 4 GHz 802 ...

Page 183: ...tain a list of SSIDs it contains only extended capabilities Beginning in privileged EXEC mode follow these steps to include an SSID in an SSIDL IE Use the no form of the command to disable SSIDL IEs NAC Support for MBSSID Networks must be protected from security threats such as viruses worms and spyware These security threats disrupt business causing downtime and continual patching Endpoint visibi...

Page 184: ... into one of the quarantine VLANs based on its health This VLAN is sent in the RADIUS server Access Accept response during the dot1x client authentication process If the client is healthy and NAC compliant the RADIUS server returns a normal VLAN assignment for the SSID and the client is placed in the correct VLAN and BSSID Each SSID is assigned a normal VLAN which is the VLAN on which healthy clie...

Page 185: ...or Cisco Aironet Access Points OL 14209 01 Chapter 7 Configuring Multiple SSIDs NAC Support for MBSSID A new keyword backup is added to the existing vlan name id under dot11 ssid ssid as described below vlan name id backup name id name id name id ...

Page 186: ...nfigure standalone access points and NAC enabled client EAP authentication Step 3 Configure the local profiles on the ACS server for posture validation Step 4 Configure the client and access point to allow the client to successful authenticate using EAP FAST Step 5 Ensure that the client posture is valid Step 6 Verify that the client associates to the access point and that the client is placed on ...

Page 187: ...t interface Dot11Radio0 100 encapsulation dot1Q 100 native no ip route cache bridge group 1 bridge group 1 subscriber loop control bridge group 1 block unknown source no bridge group 1 source learning no bridge group 1 unicast flooding bridge group 1 spanning disabled interface Dot11Radio0 102 encapsulation dot1Q 102 no ip route cache bridge group 102 bridge group 102 subscriber loop control bridg...

Page 188: ...7 18 Cisco IOS Software Configuration Guide for Cisco Aironet Access Points OL 14209 01 Chapter 7 Configuring Multiple SSIDs NAC Support for MBSSID ...

Page 189: ... access point This chapter contains these sections Understanding Spanning Tree Protocol page 8 2 Configuring STP Features page 8 8 Displaying Spanning Tree Status page 8 14 Note For complete syntax and usage information for the commands used in this chapter refer to the Cisco IOS Command Reference for Access Points and Bridges for this release Note STP is available only when the access point is in...

Page 190: ...astructure devices might also learn end station MAC addresses on multiple Layer 2 interfaces These conditions result in an unstable network STP defines a tree with a root bridge and a loop free path from the root to all infrastructure devices in the Layer 2 network Note STP discussions use the term root to describe two concepts the bridge on the network that serves as a central point in the spanni...

Page 191: ... the native VLAN is blocked you can experience bridge flapping Therefore the best configuration for STP interoperability is when the 350 and 1300 series access point STP feature is enabled and VLANs are not configured Note When the 350 and 1300 series access points are configured as workgroup bridges they can operate with STP disabled and allow for associations with access points However this conf...

Page 192: ...ted port Interfaces included in the spanning tree instance are selected Root ports and designated ports are put in the forwarding state All interfaces not included in the spanning tree are blocked Election of the Spanning Tree Root All access points in the Layer 2 network participating in STP gather information about other access points in the network through an exchange of BPDU data messages This...

Page 193: ...orce a spanning tree recalculation to form a new topology with the ideal bridge as the spanning tree root Figure 8 1 Spanning Tree Topology Spanning Tree Interface States Propagation delays can occur when protocol information passes through a wireless LAN As a result topology changes can take place at different times and at different places in the network When an interface transitions directly fro...

Page 194: ... not participating in spanning tree because of a shutdown port no link on the port or no spanning tree instance running on the port An interface moves through these states From initialization to blocking From blocking to listening or to disabled From listening to learning or to disabled From learning to forwarding or to disabled From forwarding to disabled Figure 8 2 illustrates how an interface m...

Page 195: ...e access point in the network no exchange occurs the forward delay timer expires and the interfaces move to the listening state An interface always enters the blocking state when you enable STP An interface in the blocking state performs as follows Discards frames received on the port Does not learn addresses Receives BPDUs Note If a access point port is blocked some broadcast or multicast packets...

Page 196: ...rface performs as follows Discards frames received on the port Does not learn addresses Does not receive BPDUs Configuring STP Features You complete three major steps to configure STP on the access point 1 If necessary assign interfaces and sub interfaces to bridge groups 2 Enable STP for each bridge group 3 Set the STP priority for each bridge group These sections include spanning tree configurat...

Page 197: ... dot11radio number fastethernet number Enter interface configuration mode for radio or Ethernet interfaces or sub interfaces The 2 4 GHz radio and the 2 4 GHz 802 11n radio is 0 The 5 GHz radio and the 5 GHz 802 11n radio is 1 The fast Ethernet interface is 0 Step 3 bridge group number Assign the interface to a bridge group You can number your bridge groups from 1 to 255 Step 4 no bridge group num...

Page 198: ... configuration of a root bridge with no VLANs configured and with STP enabled hostname master bridge south ip subnet zero bridge irb interface Dot11Radio0 no ip address no ip route cache ssid tsunami authentication open guest mode speed basic 6 0 9 0 12 0 18 0 24 0 36 0 48 0 54 0 rts threshold 2312 station role root no cdp enable infrastructure client bridge group 1 interface FastEthernet0 no ip a...

Page 199: ...guest mode speed basic 6 0 9 0 12 0 18 0 24 0 36 0 48 0 54 0 rts threshold 2312 station role non root no cdp enable bridge group 1 interface FastEthernet0 no ip address no ip route cache duplex auto speed auto bridge group 1 path cost 40 interface BVI1 ip address 1 4 64 24 255 255 0 0 no ip route cache bridge 1 protocol ieee bridge 1 route ip bridge 1 priority 10000 line con 0 line vty 0 4 login l...

Page 200: ...nable bridge group 1 interface Dot11Radio0 2 encapsulation dot1Q 2 no ip route cache no cdp enable bridge group 2 interface Dot11Radio0 3 encapsulation dot1Q 3 no ip route cache bridge group 3 bridge group 3 path cost 500 interface FastEthernet0 no ip address no ip route cache duplex auto speed auto interface FastEthernet0 1 encapsulation dot1Q 1 native no ip route cache bridge group 1 interface F...

Page 201: ... remote ip subnet zero ip ssh time out 120 ip ssh authentication retries 3 bridge irb interface Dot11Radio0 no ip address no ip route cache ssid vlan1 vlan 1 authentication open infrastructure ssid speed basic 6 0 9 0 12 0 18 0 24 0 36 0 48 0 54 0 rts threshold 2312 station role non root no cdp enable interface Dot11Radio0 1 encapsulation dot1Q 1 native no ip route cache no cdp enable bridge group...

Page 202: ...s use one or more of the privileged EXEC commands in Table 8 3 For information about other keywords for the show spanning tree privileged EXEC command refer to the Cisco Aironet IOS Command Reference for Cisco Aironet Access Points and Bridges for this release Table 8 3 Commands for Displaying Spanning Tree Status Command Purpose show spanning tree Displays information on your network s spanning t...

Page 203: ... the access point as a local authenticator to serve as a stand alone authenticator for a small wireless LAN or to provide backup authentication service As a local authenticator the access point performs LEAP EAP FAST and MAC based authentication for up to 50 client devices This chapter contains these sections Understanding Local Authentication page 9 2 Configuring a Local Authenticator page 9 2 ...

Page 204: ...Ds that a client is allowed to use Note If your wireless LAN contains only one access point you can configure the access point as both the 802 1x authenticator and the local authenticator However users associated to the local authenticator access point might notice a drop in performance when the access point authenticates client devices You can configure your access points to use the local authent...

Page 205: ...nticator access point the access point uses itself to authenticate the client 2 On the local authenticator create user groups and configure parameters to be applied to each group optional 3 On the local authenticator create a list of up to 50 LEAP users EAP FAST users or MAC addresses that the local authenticator is authorized to authenticate Note You do not have to specify which type of authentic...

Page 206: ...ings Step 6 vlan vlan Optional Specify a VLAN to be used by members of the user group The access point moves group members into that VLAN overriding other VLAN assignments You can assign only one VLAN to the group Step 7 ssid ssid Optional Enter up to 20 SSIDs to limit members of the user group to those SSIDs The access point checks that the SSID that the client used to associate matches one of th...

Page 207: ... count 2 time 600 AP config radsrv group exit AP config radsrv user jsmith password twain74 group clerks AP config radsrv user stpatrick password snake100 group clerks AP config radsrv user nick password uptown group clerks AP config radsrv user 00095125d02b password 00095125d02b group clerks mac auth only Step 11 user username password nthash password group group name mac auth only Enter the LEAP...

Page 208: ...ackets It discards the accounting packets but sends acknowledge packets back to RADIUS clients to prevent clients from assuming that the server is down Use the radius server deadtime command to set an interval during which the access point does not attempt to use servers that do not respond thus avoiding the wait for a request to time out before trying the next configured server A server marked as...

Page 209: ...mit the number of days for which PACs are valid and a grace period during which PACs are valid after they have expired By default PACs are valid for 2 days one day default period plus one day grace period You can also apply the expiration of time and the grace period settings to a group of users Use this command to configure the expiration time and grace period for PACs AP config radsrv group no e...

Page 210: ... fails with the primary the authenticator attempts to decrypt the PAC with the secondary key if one is configured If decryption fails the authenticator rejects the PAC as invalid Use these commands to configure server keys AP config radsrv no eapfast server key primary auto generate 0 7 key AP config radsrv no eapfast server key secondary 0 7 key Keys can contain up to 32 hexadecimal digits Enter ...

Page 211: ...onfig radsrv no authentication eapfast AP config radsrv no authentication mac Unblocking Locked Usernames You can unblock usernames before the lockout time expires or when the lockout time is set to infinite In Privileged Exec mode on the local authenticator enter this command to unblock a locked username AP clear radius local server user username Viewing Local Authenticator Statistics In privileg...

Page 212: ...enticator The second section lists stats for each access point NAS authorized to use the local authenticator The EAP FAST statistics in this section include these stats Auto provision success the number of PACs generated automatically Auto provision failure the number of PACs not generated because of an invalid handshake packet or invalid username or password PAC refresh the number of PACs renewed...

Page 213: ...essages related to failed client authentications Use the eapfast option to display error messages related to EAP FAST authentication Use the sub options to select specific debugging information encryption displays information on the encryption and decryption of received and transmitted packets events displays information on all EAP FAST events pac displays information on events related to PACs suc...

Page 214: ...9 12 Cisco IOS Software Configuration Guide for Cisco Aironet Access Points OL 14209 01 Chapter 9 Configuring an Access Point as a Local Authenticator Configuring a Local Authenticator ...

Page 215: ...w to configure the cipher suites required to use WPA and CCKM authenticated key management Wired Equivalent Privacy WEP WEP features including AES Message Integrity Check MIC Temporal Key Integrity Protocol TKIP and broadcast key rotation This chapter contains these sections Understanding Cipher Suites and WEP page 10 2 Configuring Cipher Suites and WEP page 10 3 ...

Page 216: ...led information on EAP and other authentication types Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication on your wireless LAN You must use a cipher suite to enable Wi Fi Protected Access WPA or Cisco Centralized Key Management CCKM Because cipher suites provide the protection of WEP while also allowing use of authenticated key management Cisco rec...

Page 217: ...up Key Update Broadcast key rotation allows the access point to generate the best possible random group key and update all key management capable clients periodically Wi Fi Protected Access WPA also provides additional options for group key updates See the Using WPA Key Management section on page 11 7 for details on WPA Note Client devices using static WEP cannot use the access point when you enab...

Page 218: ... a WEP key and set up its properties Optional Select the VLAN for which you want to create a key Name the key slot in which this WEP key resides Up to 16 VLANs can be assigned You can assign up to 4 WEP keys for each VLAN4 WEP keys to one of the VLANs Enter the key and set the size of the key either 40 bit or 128 bit 40 bit keys contain 10 hexadecimal digits 128 bit keys contain 26 hexadecimal dig...

Page 219: ...t 4 Cipher suite with 40 bit WEP Cannot configure a 128 bit key Cipher suite with 128 bit WEP Cannot configure a 40 bit key Cipher suite with TKIP Cannot configure any WEP keys Cipher suite with TKIP and 40 bit WEP or 128 bit WEP Cannot configure a WEP key in key slot 1 and 4 Static WEP with MIC or CMIC Access point and client devices must use the same WEP key as the transmit key and the key must ...

Page 220: ...ection you need Table 10 3 lists guidelines for selecting a cipher suite that matches the type of authenticated key management you configure Optional Select the VLAN for which you want to enable WEP and WEP features Set the cipher options and WEP level You can combine TKIP with 128 bit or 40 bit WEP Note If you enable a cipher suite with two elements such as TKIP and 128 bit WEP the second cipher ...

Page 221: ...y management Client authentication fails on an SSID that uses the cipher TKIP without enabling WPA or CCKM key management For a complete description of WPA and CCKM and instructions for configuring authenticated key management see the Using CCKM for Authenticated Clients section on page 11 6 and the Using WPA Key Management section on page 11 7 Enabling and Disabling Broadcast Key Rotation Broadca...

Page 222: ...Enter a VLAN for which you want to enable broadcast key rotation Optional If you enable WPA authenticated key management you can enable additional circumstances under which the access point changes and distributes the WPA group key Membership termination the access point generates and distributes a new group key when any authenticated client device disassociates from the access point This feature ...

Page 223: ...g Authentication Types This chapter describes how to configure authentication types on the access pointwireless device This chapter contains these sections Understanding Authentication Types page 11 2 Configuring Authentication Types page 11 10 Matching Access Point and Client Device Authentication Types page 11 19 ...

Page 224: ...rosoft IAS servers recognize reauthentication requests from the access point Use the dot11 aaa authentication attributes service type login only global configuration command to set the service type attribute in reauthentication requests to login only The access point uses several authentication mechanisms or types and can use more than one at the same time These sections explain each authenticatio...

Page 225: ... monitored however which leaves the access point open to attack from an intruder who calculates the WEP key by comparing the unencrypted and encrypted text strings Because of this weakness shared key authentication can be less secure than open authentication Like open authentication shared key authentication does not rely on a RADIUS server on your network Figure 11 2 shows the authentication sequ...

Page 226: ...enerate a response to the challenge and sends that response to the RADIUS server Using information from its user database the RADIUS server creates its own response and compares that to the response from the client When the RADIUS server authenticates the client the process repeats in reverse and the client authenticates the RADIUS server When mutual authentication is complete the RADIUS server an...

Page 227: ...f allowed MAC addresses Intruders can create counterfeit MAC addresses so MAC based authentication is less secure than EAP authentication However MAC based authentication provides an alternate authentication method for client devices that do not have EAP capability See the Assigning Authentication Types to an SSID section on page 11 10 for instructions on enabling MAC based authentication Tip If y...

Page 228: ...eates a cache of security credentials for CCKM enabled client devices on the subnet The WDS access point s cache of credentials dramatically reduces the time required for reassociation when a CCKM enabled client device roams to a new access point When a client device roams the WDS access point forwards the client s security credentials to the new access point and the reassociation process is reduc...

Page 229: ...Using WPA the server generates the PMK dynamically and passes it to the access point Using WPA PSK however you configure a pre shared key on both the client and the access point and that pre shared key is used as the PMK Note Unicast and multicast cipher suites advertised in WPA information element and negotiated during 802 11 association may potentially mismatch with the cipher suite supported in...

Page 230: ...ccess point Authentication server Wired LAN Server uses the EAP master key to generate a pairwise master key PMK to protect communication between the client and the access point However if the client is using 802 1x authentication and both the access point and the client are configured with the same pre shared key the pre shared key is used as the PMK and the server does not generate a PMK Client ...

Page 231: ... and Configuration Guide for Windows http www cisco com en US products hw wireless ps4555 products_installation_and_configuration_g uides_list html Table 11 1 Software and Firmware Requirements for WPA CCKM CKIP and WPA TKIP Key Management and Encryption Protocol Third Party Host Supplicant1 Required 1 Such as Funk Odyssey Client supplicant version 2 2 or Meetinghouse Data Communications Aegis Cli...

Page 232: ...igning Authentication Types to an SSID page 11 10 Configuring Authentication Holdoffs Timeouts and Intervals page 11 16 Creating and Applying EAP Method Profiles for the 802 1X Supplicant page 11 17 Note There are no default authentication SSIDs for the wireless router Assigning Authentication Types to an SSID Beginning in privileged EXEC mode follow these steps to configure authentication types f...

Page 233: ...etwork Optional Set the SSID s authentication type to open with EAP authentication The access point forces all client devices to perform EAP authentication before they are allowed to join the network For list name specify the authentication method list Use the optional keyword to allow client devices using either open or EAP authentication to associate and become authenticated This setting is used...

Page 234: ...d to use the SSID To enable CCKM for an SSID you must also enable Network EAP authentication When CCKM and Network EAP are enabled for an SSID client devices using LEAP EAP FAST PEAP GTC MSPEAP EAP TLS and EAP FAST can authenticate using the SSID To enable WPA for an SSID you must also enable Open authentication or Network EAP or both Note When you enable both WPA and CCKM for an SSID you must ent...

Page 235: ...key management If all three client types associate using the same SSID the multicast cipher suite for the SSID must be WEP If only the first two types of clients use the same SSID the multicast key can be dynamic but if the static WEP clients use the SSID the key must be static The access point can switch automatically between a static and a dynamic group key to accommodate associated client devic...

Page 236: ...s but it might generate some overhead traffic if clients on your network roam frequently among access points Capability change the access point generates and distributes a dynamic group key when the last non key management static WEP client disassociates and it distributes the statically configured WEP key when the first non key management static WEP client authenticates In WPA migration mode this...

Page 237: ...ntication caching Step 6 exit Return to privileged EXEC mode Step 7 broadcast key vlan vlan id change seconds membership termination capability change Use the broadcast key rotation command to configure additional updates of the WPA group key Step 8 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Ente...

Page 238: ...number of seconds a client device must wait before it can reattempt to authenticate following a failed authentication The holdoff time is invoked when a client fails three login attempts or fails to respond to three authentication requests from the access point Enter a value from 1 to 65555 seconds Step 3 dot1x timeout supp response seconds local Enter the number of seconds the access point should...

Page 239: ...nter the server keyword to configure the access point to use the reauthentication period specified by the authentication server If you use this option configure your authentication server with RADIUS attribute 27 Session Timeout This attribute sets the maximum number of seconds of service to be provided to the client before termination of the session or prompt The server sends this attribute to th...

Page 240: ...inal Enter global configuration mode Step 2 eap profile profile name Enter a name for the profile Step 3 description Optional Enter a description for the EAP profile Step 4 method fast Enter an allowed EAP method or methods Note Although they appear as sub parameters EAP GTC EAP MD5 and EAP MSCHAPV2 are intended as inner methods for tunneled EAP authentication and should not be used as the primary...

Page 241: ...he access point unless you configure Open authentication with EAP To allow both Cisco Aironet clients using LEAP and non Cisco Aironet clients using LEAP to associate using the same SSID you might need to configure the SSID for both Network EAP authentication and Open authentication with EAP Likewise to allow both Cisco Aironet 802 11a b g client adapters CB21AG and PI21AG running EAP FAST and non...

Page 242: ... up and enable WEP and enable Network EAP for the SSID1 If radio clients are configured to authenticate using EAP FAST open authentication with EAP should also be configured If you don t configure open authentication with EAP the following GUI warning message appears WARNING Network EAP is used for LEAP authentication only If radio clients are configured to authenticate using EAP FAST Open Authent...

Page 243: ...thentication method Select a cipher suite and enable Open authentication and WPA for the SSID you can also enable Network EAP authentication in addition to or instead of Open authentication Enter a WPA pre shared key Note To allow both WPA clients and non WPA clients to use the SSID enable optional WPA EAP TLS authentication If using ACU to configure card Enable Host Based EAP and Use Dynamic WEP ...

Page 244: ...ire EAP and Open Authentication for the SSID EAP SIM authentication If using ACU to configure card Enable Host Based EAP and Use Dynamic WEP Keys in ACU and select Enable network access control using IEEE 802 1X and SIM Authentication as the EAP Type in Windows 2000 with Service Pack 3 or Windows XP Set up and enable WEP with full encryption and enable EAP and Open authentication for the SSID If u...

Page 245: ...ng WDS page 12 2 Understanding Fast Secure Roaming page 12 3 Understanding Radio Management page 12 5 Understanding Layer 3 Mobility page 12 5 Understanding Wireless Intrusion Detection Services page 12 6 Configuring WDS page 12 7 Configuring Fast Secure Roaming page 12 21 Configuring Management Frame Protection page 12 24 Configuring Radio Management page 12 28 Configuring Access Points to Partic...

Page 246: ...S device The WDS device aggregates the information and forwards it to a wireless LAN solution engine WLSE device on your network Role of the WDS Device The WDS device performs several tasks on your wireless LAN Advertises its WDS capability and participates in electing the best WDS device for your wireless LAN When you configure your wireless LAN for WDS you set up one device as the main WDS candi...

Page 247: ... device Understanding Fast Secure Roaming Access points in many wireless LANs serve mobile client devices that roam from access point to access point throughout the installation Some applications running on client devices require fast reassociation when they roam to a different access point Voice applications for example require seamless roaming to prevent delays and gaps in conversation During no...

Page 248: ...e 12 2 Client Reassociation Using CCKM and a WDS Access Point The WDS device maintains a cache of credentials for CCKM capable client devices on your wireless LAN When a CCKM capable client roams from one access point to another the client sends a reassociation request to the new access point and the new access point relays the request to the WDS Access point or bridge Wired LAN Client device RADI...

Page 249: ... Refer to the Configuring Radio Management section on page 12 28 for instructions on configuring radio management Click this URL to browse to the WLSE documentation http www cisco com en US products sw cscowork ps3915 index html This link takes you to the Tools and Resources Downloads page Select Wireless LAN Management to access the WLSE documentation Understanding Layer 3 Mobility When you use a...

Page 250: ...DS on your wireless LAN your access points WLSE and an optional non Cisco WIDS engine work together to detect and prevent attacks on your wireless LAN infrastructure and associated client devices Working with the WLSE access points can detect intrusions and take action to defend the wireless LAN WIDS consists of these features Switch port tracing and rogue suppression Switch port tracing and suppr...

Page 251: ...ion attacks EAPOL flood detection MIC encryption failures detection MAC spoofing detection Frame capture mode In frame capture mode a scanner access point collects 802 11 frames and forwards them to the address of a WIDS engine on your network Note See the Configuring Access Points to Participate in WIDS section on page 12 30 for instructions on configuring the access point to participate in WIDS ...

Page 252: ...ou can configure 350 series access points to participate in WDS Requirements for WDS To configure WDS you must have these items on your wireless LAN At least one access point Integrated Services Router ISR or switch equipped with a Wireless LAN Services Module that you can configure as the WDS device An authentication server or an access point or ISR configured as a local authenticator Note The 13...

Page 253: ...ure a WDS access point to fall back to repeater mode in case of Ethernet failure Note When WDS is enabled the WDS access point performs and tracks all authentications Therefore you must configure EAP security settings on the WDS access point See Chapter 11 Configuring Authentication Types for instructions on configuring EAP on the access point Note You cannot configure a 350 series access point as...

Page 254: ...o configure the access point as the main WDS candidate Step 1 Browse to the Wireless Services Summary page Figure 12 5 shows the Wireless Services Summary page Figure 12 5 Wireless Services Summary Page Step 2 Click WDS to browse to the WDS WNM Summary page Step 3 On the WDS WNM Summary page click General Setup to browse to the WDS WNM General Setup page Figure 12 6 shows the General Setup page Fi...

Page 255: ...in the local list of addresses configured on the WDS device If you do not select this check box the WDS device uses the server specified for MAC address authentication on the Server Groups page to authenticate clients based on MAC addresses Note Selecting the Use Local MAC List for Client Authentication check box does not force client devices to perform MAC based authentication It provides a local...

Page 256: ... Step 11 Select the primary server from the Priority 1 drop down menu If a server that you need to add to the group does not appear in the Priority drop down menus click Define Servers to browse to the Server Manager page Configure the server there and then return to the WDS Server Groups page Note If you don t have an authentication server on your network you can configure an access point or an I...

Page 257: ...vers to browse to the Server Manager page Configure the server there and then return to the WDS Server Groups page Step 16 Optional Select backup servers from the Priority 2 and 3 drop down menus Step 17 Optional Select Restrict SSIDs to limit use of the server group to client devices using specific SSIDs Enter an SSID in the SSID field and click Add To remove an SSID highlight it in the SSID list...

Page 258: ...k Enable for the Participate in SWAN Infrastructure setting Step 4 Optional If you use a WLSM switch module as the WDS device on your network select Specified Discovery and enter the IP address of the WLSM in the entry field When you enable Specified Discovery the access point immediately authenticates with the WDS device instead of waiting for WDS advertisements If the WDS device that you specify...

Page 259: ...t is enabled to interact with the WDS device and it authenticates to your authentication server using APWestWing as its username and wes7win8 as its password You must configure the same username and password pair when you set up the access point as a client on your authentication server For complete descriptions of the commands used in this example consult the Cisco IOS Command Reference for Cisco...

Page 260: ...209 01 Chapter 12 Configuring WDS Fast Secure Roaming Radio Management and Wireless Intrusion Detection Configuring WDS Figure 12 9 Network Configuration Page Step 2 Click Add Entry under the AAA Clients table The Add AAA Client page appears Figure 12 10 shows the Add AAA Client page ...

Page 261: ...d AAA Client Page Step 3 In the AAA Client Hostname field enter the name of the WDS device Step 4 In the AAA Client IP Address field enter the IP address of the WDS device Step 5 In the Key field enter exactly the same password that is configured on the WDS device Step 6 From the Authenticate Using drop down menu select RADIUS Cisco Aironet Step 7 Click Submit Step 8 Repeat Step 2 through Step 7 f...

Page 262: ...Click User Setup to browse to the User Setup page You must use the User Setup page to create entries for the access points that use the WDS device Figure 12 11 shows the User Setup page Figure 12 11 User Setup Page Step 10 Enter the name of the access point in the User field Step 11 Click Add Edit Step 12 Scroll down to the User Setup box Figure 12 12 shows the User Setup box Figure 12 12 ACS User...

Page 263: ...y Mode WDS access points can operate in WDS only mode using the wlccp wds mode wds only command After issuing this command and reloading the access point starts working in the WDS only mode In WDS only mode the dot11 subsystems are not initialized and the dot11 interface related commands cannot be configured In WDS only mode the WDS supports up to 60 infrastructure access points and up to 1200 cli...

Page 264: ...cess points participating in CCKM The command displays each access point s MAC address IP address state authenticating authenticated or registered and lifetime seconds remaining before the access point must reauthenticate Use the mac addr option to display information about a specific access point mn Use this option to display cached information about client devices also called mobile nodes The co...

Page 265: ...cipate in WDS Access points configured for fast secure roaming An authentication server or an access point ISR or switch configured as a local authenticator Cisco Aironet client devices or Cisco compatible client devices that comply with Cisco Compatible Extensions CCX version 2 or later For instructions on configuring WDS refer to the Configuring WDS section on page 12 7 Command Description debug...

Page 266: ...be configured to participate in WDS and they must allow CCKM authenticated key management for at least one SSID Follow these steps to configure CCKM for an SSID Step 1 Browse to the Encryption Manager page on the access point GUI Figure 12 14 shows the top section of the Encryption Manager page Figure 12 14 Encryption Manager Page Step 2 Click the Cipher button Step 3 Select CKIP CMIC from the Cip...

Page 267: ...tection Services Configuring Fast Secure Roaming Figure 12 15 Global SSID Manager Page Step 6 On the SSID that supports CCKM select these settings b If your access point contains multiple radio interfaces select the interfaces on which the SSID applies c Select Network EAP under Authentication Settings When you enable CCKM you must enable Network EAP as the authentication type ...

Page 268: ...if exit AP config end In this example the SSID fastroam is configured to support Network EAP and CCKM the CKIP CMIC cipher suite is enabled on the 2 4 GHz radio interface and the SSID fastroam is enabled on the 2 4 GHz radio interface For complete descriptions of the commands used in this example consult the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges Configuring Manage...

Page 269: ...d between an AP and a client station that is authenticated and associated Client MFP leverages the security mechanisms defined by IEEE 802 11i to protect class 3 Unicast management frames The unicast cipher suite negotiated by the STA in the reassociation request s RSNIE is used to protect both unicast data and class 3 management frames An access point in workgroup bridge repeater or non root brid...

Page 270: ...ays and the command is rejected no ids mfp client This ssid configuration command disables Client MFP on a particular SSID The Dot11Radio interface is reset when the command is executed if the SSID is bound to the Dot11Radio interface ids mfp client optional This ssid configuration command enables Client MFP as optional on a particular SSID The Dot11Radio interface is reset when the command is exe...

Page 271: ...ll report the discrepancy to the WDS The access point must be a member of a WDS Step 4 sntp server server IP address Enter the name or ip address of the SNTP server Step 5 end Return to the privileged EXEC mode Step 6 copy running config startup config Optional Save your entries in the configuration file Command Description Command Description Step 1 configure terminal Enter global configuration m...

Page 272: ...hey interact with the WDS device To complete the radio management configuration you configure the WDS device to interact with the WLSE device on your network Follow these steps to enable radio management on an access point configured as a WDS device Step 1 Browse to the Wireless Services Summary page Figure 12 16 shows the Wireless Services Summary page Figure 12 16 Wireless Services Summary Page ...

Page 273: ...WLSE device on your network Step 6 Click Apply The WDS access point is configured to interact with your WLSE device CLI Configuration Example This example shows the CLI commands that are equivalent to the steps listed in the Configuring Radio Management section on page 12 28 AP configure terminal AP config wlccp wnm ip address 192 250 0 5 AP config end In this example the WDS access point is enabl...

Page 274: ... an access point is configured as a scanner it can also capture frames in monitor mode In monitor mode the access point captures 802 11 frames and forwards them to the WIDS engine on your network The access point adds a 28 byte capture header to every 802 11 frame that it forwards and the WIDS engine on your network uses the header information for analysis The access point uses UDP packets to forw...

Page 275: ... Q Failed 0 Current No of frames in SCAN Q 0 Total No of frames captured 0 Total No of data frames captured 425 Total No of control frames captured 1957 Total No of Mgmt frames captured 20287 Total No of CRC errored frames captured 0 Total No of captured frames forwarded 23179 Total No of captured frames forward failed 0 Use the clear wlccp ap rm statistics command to clear the monitor mode statis...

Page 276: ...e access point generates an alert when the authentication threshold has been exceeded You can configure these limits on the access point Number of 802 1X attempts through the access point EAPOL flood duration in seconds on the access point When the access point detects excessive authentication attempts it sets MIB variables to indicate this information An EAPOL flood was detected Number of authent...

Page 277: ...s until the WLSM software is back online Resilient tunnel recovery is automatic and does not require any configuration Figure 12 18 Resilient Tunnel Recovery Active Standby WLSM Failover In addition to resilient tunnel recovery WLSM supports another level of resiliency by allowing you to deploy two WLSMs per chassis an active WLSM and a standby WLSM If the active WLSM fails the standby WLSM become...

Page 278: ... Cisco IOS Software Configuration Guide for Cisco Aironet Access Points OL 14209 01 Chapter 12 Configuring WDS Fast Secure Roaming Radio Management and Wireless Intrusion Detection Configuring WLSM Failover ...

Page 279: ... for your main server or to provide authentication service on a network without a RADIUS server See Chapter 11 Configuring Authentication Types for detailed instructions on configuring your access point as a local authenticator Note For complete syntax and usage information for the commands used in this chapter refer to the Cisco IOS Security Command Reference for Release 12 2 This chapter contain...

Page 280: ...access control system In one case RADIUS has been used with Enigma s security cards to validate users and to grant access to network resources Networks already using RADIUS You can add a Cisco access point containing a RADIUS client to the network Networks that require resource accounting You can use RADIUS accounting independently of RADIUS authentication or authorization The RADIUS accounting fu...

Page 281: ... sends the WEP key called a session key over the wired LAN to the access point The access point encrypts its broadcast key with the session key and sends the encrypted broadcast key to the client which uses the session key to decrypt it The client and access point activate WEP and use the session and broadcast WEP keys for all communications during the remainder of the session There is more than o...

Page 282: ...entication page 13 7 required Defining AAA Server Groups page 13 9 optional Configuring RADIUS Authorization for User Privileged Access and Network Services page 13 11 optional Configuring Packet of Disconnect page 13 12 optional Starting RADIUS Accounting m page 13 13 optional Selecting the CSID Format page 13 14 optional Configuring Settings for All RADIUS Servers page 13 15 optional Configuring...

Page 283: ...ing to encrypt passwords and exchange responses To configure RADIUS to use the AAA security commands you must specify the host running the RADIUS server daemon and a secret text key string that it shares with the access point The timeout retransmission and encryption key values can be configured globally per server for all RADIUS servers or in some combination of global and per server settings To ...

Page 284: ...t to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the access point and the RADIUS daemon running on the RADIUS server Note The ke...

Page 285: ...cation to be performed and the sequence in which they are performed it must be applied to a specific interface before any of the defined authentication methods are performed The only exception is the default method list which by coincidence is named default The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined A method list...

Page 286: ...ctual method the authentication algorithm tries The additional methods of authentication are used only if the previous method returns an error not if it fails Select one of these methods line Use the line password for authentication You must define a line password before you can use this authentication method Use the password password line configuration command local Use the local username databas...

Page 287: ...ch lists the IP addresses of the selected server hosts Server groups also can include multiple host entries for the same server if each entry has a unique identifier the combination of the IP address and UDP port number allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service If you configure two different host entries on the same RADIUS server for the s...

Page 288: ...ey used between the access point and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key as the last item in the radius server host command Leading spaces are ignored but spaces within and at the end of the key are used If you use spaces in your key do not enclose the key in quotation mar...

Page 289: ... 1001 AP config sg radius exit AP config aaa group server radius group2 AP config sg radius server 172 20 0 1 auth port 2000 acct port 2001 AP config sg radius exit Configuring RADIUS Authorization for User Privileged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the access point uses information retrieved from the user s pr...

Page 290: ...r sends a disconnect message to the Network Access Server NAS an access point or WDS For 802 11 sessions the Calling Station ID 31 RADIUS attribute the MAC address of the client must be supplied in the Pod request The access point or WDS attempts to disassociate the relevant session and then sends a disconnect response message back to the RADIUS server The message types are as follows 40 Disconnec...

Page 291: ...ow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 aaa pod server port port number auth type any all session key clients client 1 ignore server key string session key server key string Enables user sessions to be disconnected by requests from a RADIUS server when spe...

Page 292: ...ommand or enter dot11 aaa csid default Note You can also use the wlccp wds aaa csid command to select the CSID format Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 aaa accounting network start stop radius Enable RADIUS accounting for all network related service requests Step 3 ip radius source interface bvi1 Configure the access point to send its BVI IP address i...

Page 293: ...up The default is 3 the range 1 to 1000 Step 4 radius server timeout seconds Specify the number of seconds an access point waits for a reply to a RADIUS request before resending the request The default is 5 seconds the range is 1 to 1000 Step 5 radius server deadtime minutes Use this command to cause the Cisco IOS software to mark as dead any RADIUS servers that fail to respond to authentication r...

Page 294: ...l use The Cisco RADIUS implementation supports one vendor specific option by using the format recommended in the specification Cisco s vendor ID is 9 and the supported option has vendor type 1 which is named cisco avpair The value is a string with this format protocol attribute sep value Protocol is a value of the Cisco protocol attribute for a particular type of authorization Attribute and value ...

Page 295: ... global configuration commands Beginning in privileged EXEC mode follow these steps to specify a vendor proprietary RADIUS server host and a shared secret text string Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server vsa send accounting authentication Enable the access point to recognize and use VSAs as defined by RADIUS IETF attribute 26 Optional Use t...

Page 296: ...nfigure these attributes on the access point The WISPr Best Current Practices for Wireless Internet Service Provider WISP Roaming document also requires the access point to include a class attribute in RADIUS authentication replies and accounting requests The access point includes the class attribute automatically and does not have to be configured to do so You can find a list of ISO and ITU count...

Page 297: ...a server s IP address instead of its name Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server location location Specify the WISPr location name attribute The WISPr Best Current Practices for Wireless Internet Service Provider WISP Roaming document recommends that you enter the location name in this format hotspot_operator_name location Step 3 dot11 location...

Page 298: ...nt Refer to the Configuring WISPr RADIUS Attributes section on page 13 18 for instructions Table 13 2 Attributes Sent in Access Request Packets Attribute ID Description 1 User Name 4 NAS IP Address 5 NAS Port 12 Framed MTU 30 Called Station ID MAC address 31 Calling Station ID MAC address 32 NAS Identifier1 1 The access point sends the NAS Identifier if attribute 32 include in access req is config...

Page 299: ...bute 26 SSID VSA attribute 26 NAS Location VSA attribute 26 Cisco NAS Port VSA attribute 26 Interface Table 13 5 Attributes Sent in Accounting Request update Packets Attribute ID Description 1 User Name 4 NAS IP Address 5 NAS Port 6 Service Type 25 Class 41 Acct Delay Time 42 Acct Input Octets 43 Acct Output Octets 44 Acct Session Id 46 Acct Session Time 47 Acct Input Packets 48 Acct Output Packet...

Page 300: ... point Use the dot11 aaa authentication attributes service type login only global configuration command to set the service type attribute in reauthentication requests to login only Table 13 6 Attributes Sent in Accounting Request stop Packets Attribute ID Description 1 User Name 4 NAS IP Address 5 NAS Port 6 Service Type 25 Class 41 Acct Delay Time 42 Acct Input Octets 43 Acct Output Octets 44 Acc...

Page 301: ...tication of administrators through login and password dialog challenge and response and messaging support The authentication facility can conduct a dialog with the administrator for example after a username and password are provided to challenge a user with several questions such as home address mother s maiden name service type and social security number The TACACS authentication service can also...

Page 302: ...ived the access point typically tries to use an alternative method for authenticating the administrator CONTINUE The administrator is prompted for additional authentication information After authentication the administrator undergoes an additional authorization phase if authorization has been enabled on the access point Administrators must first successfully complete TACACS authentication before p...

Page 303: ...nd contains the list of IP addresses of the selected server hosts Beginning in privileged EXEC mode follow these steps to identify the IP host or host maintaining TACACS server and optionally set the encryption key Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 tacacs server host hostname port integer timeout integer key string Identify the IP host or hosts mainta...

Page 304: ...es the sequence and authentication methods to be queried to authenticate an administrator You can designate one or more security protocols to be used for authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to authenticate users if that method fails to respond the software selects the next authentication method i...

Page 305: ...fied in the login authentication command use the default keyword followed by the methods that are to be used in default situations The default method list is automatically applied to all interfaces For list name specify a character string to name the list you are creating For method1 specify the actual method the authentication algorithm tries The additional methods of authentication are used only...

Page 306: ...attribute value AV pairs and is stored on the security server This data can then be analyzed for network management client billing or auditing Beginning in privileged EXEC mode follow these steps to enable TACACS accounting for each Cisco IOS privilege level and for network services Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 aaa authorization network tacacs Co...

Page 307: ...sable accounting use the no aaa accounting network exec start stop method1 global configuration command Displaying the TACACS Configuration To display TACACS server statistics use the show tacacs privileged EXEC command Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose ...

Page 308: ...13 30 Cisco IOS Software Configuration Guide for Cisco Aironet Access Points OL 14209 01 Chapter 13 Configuring RADIUS and TACACS Servers Configuring and Enabling TACACS ...

Page 309: ...ng VLANs This chapter describes how to configure your access point to operate with the VLANs set up on your wired LAN in the following sections These sections describe how to configure your access point to support VLANs Understanding VLANs page 14 2 Configuring VLANs page 14 4 VLAN Configuration Example page 14 10 ...

Page 310: ... VLANs You extend VLANs into a wireless LAN by adding IEEE 802 11Q tag awareness to the access point Frames destined for different VLANs are transmitted by the access point wirelessly on different SSIDs with different WEP keys Only the clients associated with that VLAN receive those packets Conversely packets coming from a client associated with a certain VLAN are 802 11Q tagged before they are fo...

Page 311: ...k this link to browse to this document http www cisco com en US docs internetworking design guide idg4 html Cisco Internetworking Technology Handbook Click this link to browse to this document http www cisco com en US docs internetworking technology handbook ito_doc html Cisco Internetworking Troubleshooting Guide Click this link to browse to this document http www cisco com en US docs internetwor...

Page 312: ...ss devices with greater efficiency and flexibility For example one access point can now handle the specific requirements of multiple users having widely varied network access and permissions Without VLAN capability multiple access points would have to be employed to serve classes of users based on the access and permissions they were assigned These are two common strategies for deploying wireless ...

Page 313: ...uthentication settings to SSIDs This section describes how to assign SSIDs to VLANs and how to enable a VLAN on the access point radio and Ethernet ports For detailed instructions on assigning authentication types to SSIDs see Chapter 11 Configuring Authentication Types For instructions on assigning other settings to SSIDs see Chapter 7 Configuring Multiple SSIDs You can configure up to 16 SSIDs o...

Page 314: ...l Assign the SSID to a VLAN on your network Client devices that associate using the SSID are grouped into this VLAN Enter a VLAN ID from 1 to 4095 You can assign only one SSID to a VLAN Tip If your network uses VLAN names you can also assign names to the VLANs on your access point See the Assigning Names to VLANs section on page 14 7 for instructions Step 5 exit Return to interface configuration m...

Page 315: ...N names can contain up to 32 ASCII characters The access point stores each VLAN name and ID pair in a table Guidelines for Using VLAN Names Keep these guidelines in mind when using VLAN names The mapping of a VLAN name to a VLAN ID is local to each access point so across your network you can assign the same VLAN name to a different VLAN ID Note If clients on your wireless LAN require seamless roam...

Page 316: ...d after the initial 802 11 cipher negotiation phase In this scenario the client device is disassociated from the wireless LAN The VLAN mapping process consists of these steps 1 A client device associates to the access point using any SSID configured on the access point 2 The client begins RADIUS authentication 3 When the client authenticates successfully the RADIUS server maps the client to a spec...

Page 317: ...S server Based on the login information the RADIUS server assigns the users to the appropriate mobility group and sends their credentials back To enable dynamic mobility group assignment you need to configure the following attributes on the RADIUS server Tunnel Type 64 Tunnel Medium Type 65 Tunnel Private Group ID 81 Figure 14 2 Dynamic Mobility Group Assignment Viewing VLANs Configured on the Acc...

Page 318: ...view internal information such as human resources payroll and other faculty related material Faculty users are required to authenticate using Cisco LEAP Student access Lowest level of access users can access school s Intranet and the Internet obtain class schedules view grades make appointments and perform other student related activities Students are allowed to join the network using static WEP I...

Page 319: ...0Router config ssid vlan 03 ap1200Router config ssid end ap1200Router configure terminal ap1200Router config interface FastEthernet0 1 ap1200Router config subif encapsulation dot1Q 1 native ap1200Router config subif exit ap1200Router config interface FastEthernet0 2 ap1200Router config subif encapsulation dot1Q 2 ap1200Router config subif bridge group 2 ap1200Router config subif exit ap1200Router ...

Page 320: ...p 1 bridge group 1 subscriber loop control bridge group 1 block unknown source no bridge group 1 source learning no bridge group 1 unicast flooding bridge group 1 spanning disabled interface Dot11Radio0 0 2 encapsulation dot1Q 2 no ip route cache no cdp enable bridge group 2 bridge group 2 subscriber loop control bridge group 2 block unknown source no bridge group 2 source learning no bridge group...

Page 321: ...he access point offers best effort service to each packet regardless of the packet contents or size It sends the packets without any assurance of reliability delay bounds or throughput Note For complete syntax and usage information for the commands used in this chapter refer to the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges for this release This chapter consists of the...

Page 322: ...fy packets they prioritize packets based on DSCP value client type such as a wireless phone or the priority value in the 802 1q or 802 1p tag They do not construct internal DSCP values they only support mapping by assigning IP DSCP Precedence or Protocol values to Layer 2 COS values They carry out EDCF like queuing on the radio egress port only They do only FIFO queueing on the Ethernet egress por...

Page 323: ...ch packet The access point applies QoS policies in this order 1 Packets already classified When the access point receives packets from a QoS enabled switch or router that has already classified the packets with non zero 802 1Q P user_priority values the access point uses that classification and does not apply other QoS policy rules to the packets An existing classification takes precedence over al...

Page 324: ... mode The access point adds each packet s class of service to the packet s 802 11 header to be passed to the receiving station Each access class has its own 802 11 sequence number The sequence number allows a high priority packet to interrupt the retries of a lower priority packet without overflowing the duplicate checking buffer on the receiving side WPA replay detection is done per access class ...

Page 325: ...rmance QoS does not create additional bandwidth for your wireless LAN it helps control the allocation of bandwidth If you have plenty of bandwidth on your wireless LAN you might not need to configure QoS The ampdu command is available for the 802 11n radio interfaces Aggregate MAC protocol data unit AMPDU is a structure containing multiple MPDUs transported as a single PSDU by the physical layer F...

Page 326: ... in the Create Edit Policy field type a name for the QoS policy in the Policy Name entry field The name can contain up to 25 alphanumeric characters Do not include spaces in the policy name Note You can also select two preconfigured QoS policies WMM and Spectralink When you select either of these a set of default classifications are automatically populated in the Classification field ...

Page 327: ...u include Best Effort 0 Background 1 Spare 2 Excellent 3 Control Lead 4 Video 100ms Latency 5 Voice 100ms Latency 6 Network Control 7 Step 6 Click the Add button beside the Class of Service menu for IP Precedence The classification appears in the Classifications field To delete a classification select it and click the Delete button beside the Classifications field Step 7 If the packets that you ne...

Page 328: ... the MAC addresses of IP phones Note The access list you use in QoS does not affect the access points packet forwarding decisions Step 13 Use the Apply Class of Service drop down menu to select the class of service that the access point will apply to packets that match the filter that you selected from the Filter menu The access point matches your filter selection with your class of service select...

Page 329: ...igure 15 3 Figure 15 3 QoS Policies Advanced Page Select Enable or and click Apply to give top priority to all voice packets QoS Element for Wireless Phones When you enable the QoS Element for Wireless Phones the access point gives top priority to voice packets even if you do not enable QoS This setting operates independently from the QoS policies that you configure Select dot11e to use the latest...

Page 330: ... apply the correct priority to voice packets for compatibility with Cisco AVVID networks AVVID priority mapping is enabled by default To disable it browse to the QoS Policies Advanced page select No for Map Ethernet Packets with CoS 5 to CoS 6 and click Apply WiFi Multimedia WMM Using the Admission Control check boxes you can enable WMM on the access point s radio interface When you enable admissi...

Page 331: ...ave a Radio Access Categories page for each radio Figure 15 4 Radio Access Categories Page Table 15 1 Default QoS Radio Access Categories Class of Service Min Contention Window Max Contention Window Fixed Slot Time Transmit Opportunity Admission Control Local Cell Local Cell Local Cell Local Cell Local Cell Background 4 10 6 0 Best Effort 4 10 2 0 Video 100ms Latency 3 2 1 3008 Voice 100ms Latency...

Page 332: ... different nominal rate or minimum PHY rate You may need to enable additional nominal rates for these phones Optimized Voice Settings Using the Admission Control check boxes you can control client use of the access categories When you enable admission control for an access category clients associated to the access point must complete the WMM admission control procedure before they can use that acc...

Page 333: ... settings you have configured in this section will not take effect until you enable admission control on an SSID Enabling Admission Control This section describes how to enable admission control on an SSID For a list of Cisco IOS commands for enabling admission control using the CLI consult the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges Follow these steps to enable adm...

Page 334: ...5 Giving Priority to Voice Traffic This section demonstrates how you can apply a QoS policy to your wireless networks voice VLAN to give priority to wireless phone traffic In this example the network administrator creates a policy named voice_policy that applies voice class of service to traffic from Spectralink phones protocol 119 packets The user applies the voice_policy to the incoming and outg...

Page 335: ... This setting gives priority to all voice traffic regardless of VLAN Giving Priority to Video Traffic This section demonstrates how you could apply a QoS policy to a VLAN on your network dedicated to video traffic In this example the network administrator creates a policy named video_policy that applies video class of service to video traffic The user applies the video_policy to the incoming and o...

Page 336: ...15 16 Cisco IOS Software Configuration Guide for Cisco Aironet Access Points OL 14209 01 Chapter 15 Configuring QoS QoS Configuration Examples Figure 15 6 QoS Policies Page for Video Example ...

Page 337: ...ess point Note For complete syntax and usage information for the commands used in this chapter refer to the Cisco Aironet IOS Command Reference for Access Points and Bridges for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12 2 This chapter contains these sections Understanding CDP page 17 2 Configuring CDP page 17 2 Monitoring and Maintaining CDP page 17...

Page 338: ...t VLAN number configured be used as the native VLAN Note For best performance on your wireless LAN disable CDP on all radio interfaces and on sub interfaces if VLANs are enabled on the access point Configuring CDP This section contains CDP configuration information and procedures Default CDP Configuration page 17 2 Configuring the CDP Characteristics page 17 2 Disabling and Enabling CDP page 17 3 ...

Page 339: ... CDP device discovery capability Beginning in privileged EXEC mode follow these steps to enable CDP Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 cdp holdtime seconds Optional Specify the amount of time a receiving device should hold the information sent by your device before discarding it The range is from 10 to 255 seconds the default is 180 seconds Step 3 cdp ...

Page 340: ...re of these tasks beginning in privileged EXEC mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the interface on which you are disabling CDP Step 3 no cdp enable Disable CDP on an interface Step 4 end Return to privileged EXEC mode Step 5 copy running config startup config Optional Save your en...

Page 341: ...as frequency of transmissions and the holdtime for packets being sent show cdp entry entry name protocol version Display information about a specific neighbor You can enter an asterisk to display all CDP neighbors or you can enter the name of the neighbor about which you want information You can also limit the display to information about the protocols enabled on the specified neighbor or informat...

Page 342: ...otocol information for tstswitch2 IP address 172 20 135 204 IP address 172 20 135 202 AP show cdp interface GigabitEthernet0 1 is up line protocol is up Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 seconds GigabitEthernet0 2 is up line protocol is down Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 seconds GigabitEthernet0 3 is administratively d...

Page 343: ... S Switch H Host I IGMP r Repeater Device IDLocal InterfaceHoldtmeCapabilityPlatformPort ID Perdido2Gig 0 6125R S IWS C3550 1Gig0 6 Perdido2Gig 0 5125R S IWS C3550 1Gig 0 5 AP show cdp traffic CDP counters Total packets output 50882 Input 52510 Hdr syntax 0 Chksum error 0 Encaps failed 0 No memory 0 Invalid packet 0 Fragmented 0 CDP version 1 advertisements output 0 Input 0 CDP version 2 advertise...

Page 344: ...17 8 Cisco IOS Software Configuration Guide for Cisco Aironet Access Points OL 14209 01 Chapter 17 Configuring CDP Monitoring and Maintaining CDP ...

Page 345: ...lters This chapter describes how to configure and manage MAC address IP and Ethertype filters on the access point using the web browser interface This chapter contains these sections Understanding Filters page 16 2 Configuring Filters Using the CLI page 16 2 Configuring Filters Using the Web Browser Interface page 16 3 ...

Page 346: ...ng Using the web browser interface however you can configure only up to 43 MAC addresses for filtering Configuring Filters Using the CLI To configure filters using CLI commands you use access control lists ACLs and bridge groups You can find explanations of these concepts and instructions for implementing them in these documents Cisco IOS Bridging and IBM Networking Configuration Guide Release 12 ...

Page 347: ...ast and multicast packets either sent from or addressed to specific MAC addresses You can create a filter that passes traffic to all MAC addresses except those you specify or you can create a filter that blocks traffic to all MAC addresses except those you specify You can apply the filters you create to either or both the Ethernet and radio ports and to either or both incoming and outgoing packets...

Page 348: ...ss filter Step 1 Follow the link path to the MAC Address Filters page Step 2 If you are creating a new MAC address filter make sure NEW the default is selected in the Create Edit Filter Index menu To edit a filter select the filter number from the Create Edit Filter Index menu Step 3 In the Filter Index field name the filter with a number from 700 to 799 The number you assign creates an access con...

Page 349: ...s default action must be the opposite of the action for at least one of the addresses in the filter For example if you enter several addresses and you select Block as the action for all of them you must choose Forward All as the filter s default action Tip You can create a list of allowed MAC addresses on an authentication server on your network Consult the Configuring Authentication Types section...

Page 350: ...lients associate to another access point Using MAC Address ACLs to Block or Allow Client Association to the Access Point You can use MAC address ACLs to block or allow association to the access point Instead of filtering traffic across an interface you use the ACL to filter associations to the access point radio Follow these steps to use an ACL to filter associations to the access point radio Step...

Page 351: ...to the Advanced Security MAC Address Authentication page Figure 16 4 shows the MAC Address Authentication page Figure 16 4 Advanced Security MAC Address Authentication Page Step 4 Click the Association Access List tab to browse to the Association Access List page Figure 16 5 shows the Association Access List page Figure 16 5 Association Access List Page Step 5 Select your MAC address ACL from the ...

Page 352: ...pplied on the Bridge Group Virtual Interface BVI Follow these steps to create a time based ACL Step 1 Log in to the AP through the CLI Step 2 Use the console port or Telnet in order to access the ACL through the Ethernet interface or the wireless interface Step 3 Enter global configuration mode Step 4 Create a Time Range For this example Test AP config time range Test Step 5 Create a time range AP...

Page 353: ...o associate to the access point The access point blocks associations from all other MAC addresses For complete descriptions of the commands used in this example consult the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges Configuring and Enabling IP Filters IP filters IP address IP protocol and IP port prevent or allow the use of specific protocols through the access point s...

Page 354: ...guring Filters Configuring Filters Using the Web Browser Interface Figure 16 6 IP Filters Page Follow this link path to reach the IP Filters page 1 Click Services in the page navigation bar 2 In the Services page list click Filters 3 On the Apply Filters page click the IP Filters tab at the top of the page ...

Page 355: ...ou enter in this field behaves the same way that a mask behaves when you enter it in the CLI Step 7 Select Forward or Block from the Action menu Step 8 Click Add The address appears in the Filters Classes field To remove the address from the Filters Classes list select it and click Delete Class Repeat Step 5 through Step 8 to add addresses to the filter If you do not need to add IP protocol or IP ...

Page 356: ...tep 17 Select the filter name from one of the IP drop down menus You can apply the filter to either or both the Ethernet and radio ports and to either or both incoming and outgoing packets Step 18 Click Apply The filter is enabled on the selected ports Configuring and Enabling Ethertype Filters Ethertype filters prevent or allow the use of specific protocols through the access point s Ethernet and...

Page 357: ...ow the link path to the Ethertype Filters page Step 2 If you are creating a new filter make sure NEW the default is selected in the Create Edit Filter Index menu To edit an existing filter select the filter number from the Create Edit Filter Index menu Step 3 In the Filter Index field name the filter with a number from 200 to 299 The number you assign creates an access control list ACL for the fil...

Page 358: ...least one of the Ethertypes in the filter For example if you enter several Ethertypes and you select Block as the action for all of them you must choose Forward All as the filter s default action Step 9 Click Apply The filter is saved on the access point but it is not enabled until you apply it on the Apply Filters page Step 10 Click the Apply Filters tab to return to the Apply Filters page Figure...

Page 359: ...r access point Note For complete syntax and usage information for the commands used in this chapter refer to the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12 3 This chapter consists of these sections Understanding SNMP page 18 2 Configuring SNMP page 18 5 Displaying SNMP Sta...

Page 360: ... SNMP Manager Functions page 18 3 SNMP Agent Functions page 18 4 SNMP Community Strings page 18 4 Using SNMP to Access MIB Variables page 18 4 SNMP Versions This software release supports these SNMP versions SNMPv1 The Simple Network Management Protocol a full Internet standard defined in RFC 1157 SNMPv2C which has these features SNMPv2 Version 2 of the Simple Network Management Protocol a draft I...

Page 361: ...ch None v3 NoAuthNoPriv Username match None v3 AuthNoPriv HMAC MD5 or HMAC SHA algorithms None v3 AuthPriv HMAC MD5 or HMAC SHA algorithms DES 56 bit encryption Table 18 2 SNMP Operations Operation Description get request Retrieves a value from a specific variable get next request Retrieves a value from a variable within a table 1 1 With this operation an SNMP manager does not need to know the exa...

Page 362: ...ead access to authorized management stations to all objects in the MIB except the community strings but does not allow write access Read write Gives read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings Using SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management software CiscoWorks 2000 ...

Page 363: ...ge 18 10 Default SNMP Configuration Table 18 3 shows the default SNMP configuration Enabling the SNMP Agent No specific CLI command exists to enable SNMP The first snmp server global configuration command that you enter enables the supported versions of SNMP You can also enable SNMP on the SNMP Properties page on the web browser interface When you enable SNMP on the web browser interface the acces...

Page 364: ...is different from the MIB agent behavior on access points not running Cisco IOS software Beginning in privileged EXEC mode follow these steps to configure a community string on the access point Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server community string access list number view mib view ro rw Configure the community string For string specify a strin...

Page 365: ...s list access list number deny permit source source wildcard Optional If you specified an IP standard access list number in Step 2 then create the list repeating the command as many times as necessary For access list number enter the access list number specified in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched Fo...

Page 366: ...ss point traps notification types You can enable any or all of these traps and configure a trap manager to receive them Command Purpose snmp server host host traps informs version 1 2c 3 auth noauth priv community string udp port port notification type Configures the recipient of an SNMP trap operation Command Purpose snmp server user username groupname remote ip address udp port port v1 v2c v3 en...

Page 367: ...specify the name or address of the host the targeted recipient Specify traps the default to send SNMP traps to the host Specify informs to send SNMP informs to the host Specify the SNMP version to support Version 1 the default is not available with informs Version 3 has three security levels auth Specifies authentication of packets without encryption noauth Specifies no authentication and no encry...

Page 368: ...g AP config snmp server view ieee ieee802dot11 included AP config snmp server community dot11 view ieee RW SNMP Examples This example shows how to enable SNMPv1 SNMPv2C and SNMPv3 The configuration permits any SNMP manager to access all objects with read only permissions using the community string public This configuration does not cause the access point to send any traps AP config snmp server com...

Page 369: ...unity comaccess ro 4 AP config snmp server enable traps snmp authentication AP config snmp server host cisco com version 2c public This example shows how to send Entity MIB traps to the host cisco com The community string is restricted The first line enables the access point to send Entity MIB traps in addition to any traps previously enabled The second line specifies the destination of these trap...

Page 370: ...ypted auth md5 abc789 priv des56 key99 Note After you enter the last command in this example the show running config and show startup config commands display only a partial SNMP configuration Displaying SNMP Status To display SNMP input and output statistics including the number of illegal community string entries errors and requested variables use the show snmp privileged EXEC command For informa...

Page 371: ...t as a repeater as a hot standby unit or as a workgroup bridge This chapter contains these sections Understanding Repeater Access Points page 19 2 Configuring a Repeater Access Point page 19 3 Understanding Hot Standby page 19 9 Configuring a Hot Standby Access Point page 19 9 Understanding Workgroup Bridge Mode page 19 13 Configuring Workgroup Bridge Mode page 19 16 The Workgroup Bridge in a Ligh...

Page 372: ...o the access point with which it has the best connectivity However you can specify the access point to which the repeater associates Setting up a static specific association between a repeater and a root access point improves repeater performance To set up repeaters you must enable Aironet extensions on both the parent root access point and the repeater access points Aironet extensions which are e...

Page 373: ...ng a Repeater Access Point This section provides instructions for setting up an access point as a repeater and includes these sections Default Configuration page 19 4 Guidelines for Repeaters page 19 4 Setting Up a Repeater page 19 5 Verifying Repeater Operation page 19 6 Aligning Antennas page 19 6 Setting Up a Repeater As a LEAP Client page 19 7 Setting Up a Repeater As a WPA Client page 19 8 Ac...

Page 374: ...iguring data rates see the Configuring Radio Data Rates section on page 6 7 Repeater access points support only the native VLAN You cannot configure multiple VLANs on a repeater access point Note Repeater access points running Cisco IOS software cannot associate to parent access points that that do not run Cisco IOS software Note Repeater access points do not support wireless domain services WDS D...

Page 375: ...reated on an access point or wireless bridge an infrastructure SSID cannot be assigned to a non native VLAN The following message appears when the infrastructure SSID is configured on non native VLAN SSID xxx must be configured as native vlan before enabling infrastructure ssid Step 5 exit Exit SSID configuration mode and return to radio interface configuration mode Step 6 station role repeater Se...

Page 376: ...est Use the show dot11 antenna alignment command to list the MAC addresses and signal level for the last 10 devices that responded to the probe Verifying Repeater Operation After you set up the repeater check the LEDs on top of the repeater access point If your repeater is functioning correctly the LEDs on the repeater and the root access point to which it is associated behave like this The status...

Page 377: ...d on the parent access point 3 Configure the repeater to act as a LEAP client Beginning in Privileged Exec mode follow these instructions to set up the repeater as a LEAP client Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface dot11radio 0 1 Enter interface configuration mode for the radio interface The 2 4 GHz radio and the 2 4 GHz 802 11n radio is 0 The ...

Page 378: ...nfig startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface dot11radio 0 1 Enter interface configuration mode for the radio interface The 2 4 GHz radio and the 2 4 GHz 802 11n radio is 0 The 5 GHz radio and the 5 GHz 802 11n radio is 1 Step 3 ssid ssid string Create an SSID and e...

Page 379: ...e standby s 2 4 GHz radio to monitor the 2 4 GHz radio in access point bravo You also cannot configure one radio in a dual radio access point as a standby radio and configure the other radio to serve client devices Hot standby mode is disabled by default Note If the monitored access point malfunctions and the standby access point takes its place repeat the hot standby setup on the standby access p...

Page 380: ... of both the monitored 2 4 GHz and 5 GHz radios Enter the 2 4 GHz radio MAC address first followed by the 5 GHz radio MAC address Note The MAC address of the monitored access point might change if a BSSID on the monitored unit is added or deleted If you use multiple BSSIDs on your wireless LAN check the status of the standby unit when you add or delete BSSIDs on the monitored access point If neces...

Page 381: ...lt timeout is 20 seconds Note You should increase the standby timeout setting if the bridged path between the standby and monitored access points can be lost for periods greater than 20 seconds during spanning tree recalculation for example Note If the monitored access point is configured to select the least congested radio channel you might need to increase the standby timeout setting The monitor...

Page 382: ...ot configured for standby mode IAPP AP is in standby mode The access point is in standby mode IAPP AP is operating in active mode The standby access point has taken over for the monitored access point and is functioning as a root access point IAPP AP is operating in repeater mode The standby access point has taken over for the monitored access point and is functioning as a repeater access point St...

Page 383: ...nfigure one radio interface as a workgroup bridge the other radio interface the other remains up Caution An access point in workgroup bridge mode can introduce a bridge loop if you connect its Ethernet port to your wired LAN To avoid a bridge loop on your network disconnect the workgroup bridge from your wired LAN before or soon after you configure it as a workgroup bridge Note If multiple BSSIDs ...

Page 384: ...ke access points or bridges Treating a workgroup bridge as an infrastructure device means that the access point reliably delivers multicast packets including Address Resolution Protocol ARP packets to the workgroup bridge You use the infrastructure client configuration interface command to configure access points and bridges to treat workgroup bridges as infrastructure devices Configuring access p...

Page 385: ... bridge as a mobile station ap config mobile station When you enable this setting the workgroup bridge scans for a new parent association when it encounters a poor Received Signal Strength Indicator RSSI excessive radio interference or a high frame loss percentage Using these criteria a workgroup bridge configured as a mobile station searches for a new parent association and roams to a new parent ...

Page 386: ...CX reports to update its known channel list Use the mobile station ignore neighbor list command to disable processing of CCX neighbor list reports This command is effective only if the workgroup bridge is configured for limited scanning channel scanning The following example shows how this command is used ap ap confure terminal Enter configuration commands one per line End with CNTL Z ap config in...

Page 387: ...ould associate You can enter MAC addresses for up to four parent access points The workgroup bridge attempts to associate to MAC address 1 first if that access point does not respond the workgroup bridge tries the next access point in its parent list Note If multiple BSSIDs are configured on the parent access point the MAC address for the parent might change if a BSSID on the parent is added or de...

Page 388: ...nt to operate as a workgroup bridge so that it can provide wireless connectivity to a lightweight access point on behalf of clients that are connected by Ethernet to the workgroup bridge access point A workgroup bridge connects to a wired network over a single wireless segment by learning the MAC address of its wired clients on the Ethernet interface and reporting them to the lightweight access po...

Page 389: ...lue are supported Those in infrastructure mode are not supported Perform one of the following to enable client mode on the workgroup bridge On the workgroup bridge access point GUI choose Disabled for the Reliable Multicast to workgroup bridge parameter On the workgroup bridge access point CLI enter this command no infrastructure client Note VLANs are not supported for use with workgroup bridges T...

Page 390: ...tion commands one per line End with CNTL Z ap config dot11 ssid WGB_with_static_WEP ap config ssid authentication open ap config ssid guest mode ap config ssid exit ap config interface dot11Radio 0 ap config station role workgroup bridge ap config if encry mode wep 40 ap config if encry key 1 size 40 0 1234567890 ap config if WGB_with_static_WEP ap config if end To verify that the workgroup bridge...

Page 391: ...stem page 20 1 Working with Configuration Files page 20 7 Working with Software Images page 20 18 Working with the Flash File System The Flash file system on your access point provides several commands to help you manage software image and configuration files The Flash file system is a single Flash device on which you can store files This Flash device is called flash This section contains this inf...

Page 392: ... free memory in the file system in bytes Type Type of file system flash The file system is for a Flash memory device network The file system is for a network device nvram The file system is for a nonvolatile RAM NVRAM device opaque The file system is a locally generated pseudo file system for example the system or a download interface such as brimux unknown The file system is an unknown type Flags...

Page 393: ... with the same name Similarly before copying a Flash configuration file to another location you might want to verify its filename for use in another command To display information about files on a file system use one of the privileged EXEC commands in Table 20 2 Changing Directories and Displaying the Working Directory Beginning in privileged EXEC mode follow these steps to change directories and ...

Page 394: ...ation use the copy erase source url destination url privileged EXEC command For the source and destination URLs you can use running config and startup config keyword shortcuts For example the copy running config startup config command saves the currently running configuration file to the NVRAM section of Flash memory to be used as the configuration during system initialization Network file system ...

Page 395: ...pting that confirms a deletion of each file in the directory You are prompted only once at the beginning of this deletion process Use the force and recursive keywords for deleting old software images that were installed by using the archive download sw command but are no longer needed If you omit the filesystem option the access point uses the default device specified by the cd command For file ur...

Page 396: ...cal or network file system These options are supported For the local Flash file system the syntax is flash For the File Transfer Protocol FTP the syntax is ftp username password location directory tar filename tar For the Remote Copy Protocol RCP the syntax is rcp username location directory tar filename tar For the Trivial File Transfer Protocol TFTP the syntax is tftp location directory tar file...

Page 397: ... for extraction If none are specified all files and directories are extracted This example shows how to extract the contents of a tar file located on the TFTP server at 172 20 10 30 This command extracts just the new configs directory into the root directory on the local Flash file system The remaining files in the saved tar file are ignored ap archive tar xtract tftp 172 20 10 30 saved tar flash ...

Page 398: ...ration File by Using a Text Editor page 20 9 Copying Configuration Files by Using TFTP page 20 9 Copying Configuration Files by Using FTP page 20 11 Copying Configuration Files by Using RCP page 20 14 Clearing Configuration Information page 20 17 Guidelines for Creating and Using Configuration Files Creating configuration files can aid in your access point configuration Configuration files can con...

Page 399: ... NVRAM section of Flash memory Creating a Configuration File by Using a Text Editor When creating a configuration file you must list commands logically so that the system can respond appropriately This is one method of creating a configuration file Step 1 Copy an existing configuration from an access point to a server For more information see the Downloading the Configuration File by Using TFTP se...

Page 400: ...rect directory on the TFTP server usually tftpboot on a UNIX workstation For download operations ensure that the permissions on the file are set correctly The permission on the file should be world read Before uploading the configuration file you might need to create an empty file on the TFTP server To create an empty file enter the touch filename command where filename is the name of the file you...

Page 401: ...nd the destination filename Use one of these privileged EXEC commands copy system running config tftp location directory filename copy nvram startup config tftp location directory filename The file is uploaded to the TFTP server This example shows how to upload a configuration file from an access point to a TFTP server ap copy system running config tftp 172 16 2 155 tokyo confg Write file tokyo co...

Page 402: ...loading or uploading a configuration file by using FTP perform these tasks Ensure that the access point has a route to the FTP server The access point and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets Check connectivity to the FTP server by using the ping command If you are accessing the access point through a Telnet session and you do n...

Page 403: ...ypass ap config end ap copy ftp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK ap SYS 5 CONFIG_NV Non volatile store configured from host2 config by ftp from 172 16 101 101 Uploading a Configuratio...

Page 404: ...ss point Unlike TFTP which uses User Datagram Protocol UDP a connectionless protocol RCP uses TCP which is connection oriented To use RCP to copy files the server from or to which you will be copying files must support RCP The RCP copy commands rely on the rsh server or daemon on the remote system To copy files by using RCP you do not need to create a server for file distribution as you do with TF...

Page 405: ...sing RCP page 20 15 Downloading a Configuration File by Using RCP page 20 16 Uploading a Configuration File by Using RCP page 20 17 Preparing to Download or Upload a Configuration File by Using RCP Before you begin downloading or uploading a configuration file by using RCP perform these tasks Ensure that the workstation acting as the RCP server supports the remote shell rsh Ensure that the access ...

Page 406: ...rectory on the remote server with an IP address of 172 16 101 101 to the startup configuration ap configure terminal ap config ip rcmd remote username netadmin1 ap config end ap copy rcp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Load...

Page 407: ...e username netadmin2 ap config end ap copy nvram startup config rcp Remote host 172 16 101 101 Name of configuration file to write ap2 confg Write file ap2 confg on host 172 16 101 101 confirm OK Clearing Configuration Information This section describes how to clear configuration information Command Purpose Step 1 Verify that the RCP server is properly configured by referring to the Preparing to D...

Page 408: ... depends on which type of server you are using The FTP and RCP transport mechanisms provide faster performance and more reliable delivery of data than TFTP These improvements are possible because FTP and RCP are built on and use the Transmission Control Protocol Internet Protocol TCP IP stack which is connection oriented This section includes this information Image Location on the Access Point pag...

Page 409: ... Using TFTP You can download an access point image from a TFTP server or upload the image from the access point to a TFTP server You download an access point image file from a server to upgrade the access point software You can overwrite the current image with the new one You upload an access point image file to a server for backup purposes this uploaded image can be used for future downloads to t...

Page 410: ...y The permission on the file should be world read Before uploading the image file you might need to create an empty file on the TFTP server To create an empty file enter the touch filename command where filename is the name of the file you will use when uploading the image to the server During upload operations if you are overwriting an existing file including an empty file if you had to create on...

Page 411: ...and you want to overwrite one of these images with the same version you must specify the overwrite option If you specify the leave old sw the existing files are not removed If there is not enough space to install the new image and keep the current running image the download process stops and an error message is displayed Step 3 archive download sw overwrite reload tftp location directory image nam...

Page 412: ...server by uploading these files in order info the Cisco IOS image the HTML files and info ver After these files are uploaded the upload algorithm creates the tar file format Copying Image Files by Using FTP You can download an access point image from an FTP server or upload the image from the access point to an FTP server You download an access point image file from a server to upgrade the access ...

Page 413: ...nd ip ftp password commands to specify a username and password for all copies Include the username in the archive download sw or archive upload sw privileged EXEC command if you want to specify a username only for that operation If the server has a directory structure the image file is written to or copied from the directory associated with the username on the server For example if the image file ...

Page 414: ...eps 1 through 7 to download a new image from an FTP server and overwrite the existing image To keep the current image skip Step 7 Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the Preparing to Download or Upload an Image File by Using FTP section on page 20 23 Step 2 Log into the access point through a Telnet session Step 3 configure terminal Enter global...

Page 415: ...e downloaded image The reload option reloads the system after downloading the image unless the configuration has been changed and not saved For username password specify the username and password these must be associated with an account on the FTP server For more information see the Preparing to Download or Upload an Image File by Using FTP section on page 20 23 For location specify the IP address...

Page 416: ...ice For file url enter the directory name of the old software image All the files in the directory and the directory are removed Uploading an Image File by Using FTP You can upload an image from the access point to an FTP server You can later download this image to the same access point or to another access point of the same type Caution For the download and upload algorithms to operate properly d...

Page 417: ...e hosts and the access point Unlike TFTP which uses User Datagram Protocol UDP a connectionless protocol RCP uses TCP which is connection oriented To use RCP to copy files the server from or to which you will be copying files must support RCP The RCP copy commands rely on the rsh server or daemon on the remote system To copy files by using RCP you do not need to create a server for file distributi...

Page 418: ...orts the remote shell rsh Ensure that the access point has a route to the RCP server The access point and the server must be in the same subnetwork if you do not have a router to route traffic between subnets Check connectivity to the RCP server by using the ping command If you are accessing the access point through a Telnet session and you do not have a valid username make sure that the current R...

Page 419: ... 1 through 6 to download a new image from an RCP server and overwrite the existing image To keep the current image skip Step 6 Command Purpose Step 1 Verify that the RCP server is properly configured by referring to the Preparing to Download or Upload an Image File by Using RCP section on page 20 27 Step 2 Log into the access point through a Telnet session Step 3 configure terminal Enter global co...

Page 420: ...anged and not saved For username specify the username For the RCP copy request to execute successfully an account must be defined on the network server for the remote username For more information see the Preparing to Download or Upload an Image File by Using RCP section on page 20 27 For location specify the IP address of the RCP server For directory image name tar specify the directory optional ...

Page 421: ...mmand For filesystem use flash for the system board Flash device For file url enter the directory name of the old software image All the files in the directory and the directory are removed Uploading an Image File by Using RCP You can upload an image from the access point to an RCP server You can later download this image to the same access point or to another access point of the same type Caution...

Page 422: ... later or Netscape Navigator version 4 x Step 2 Enter the access point s IP address in the browser address line and press Enter An Enter Network Password screen appears Step 3 Enter your username in the User Name field Step 4 Enter the access point password in the Password field and press Enter The Summary Status page appears Step 5 Click the System Software tab and then click Software Upgrade The...

Page 423: ... press Enter An Enter Network Password screen appears Step 3 Enter your username in the User Name field Step 4 Enter the access point password in the Password field and press Enter The Summary Status page appears Step 5 Click the System Software tab and then click Software Upgrade The HTTP Upgrade screen appears Step 6 Click the TFTP Upgrade tab Step 7 Enter the IP address for the TFTP server in t...

Page 424: ...20 34 Cisco IOS Software Configuration Guide for Cisco Aironet Access Points OL 14209 01 Chapter 20 Managing Firmware and Configurations Working with Software Images ...

Page 425: ... message logging on your access point Note For complete syntax and usage information for the commands used in this chapter refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12 3 This chapter consists of these sections Understanding System Message Logging page 21 2 Configuring System Message Logging page 21 2 Displaying the Logging Configuration page 21 12 ...

Page 426: ...by saving them to a properly configured syslog server The access point software saves syslog messages in an internal buffer You can remotely monitor system messages by accessing the access point through Telnet or by viewing the logs on a syslog server Configuring System Message Logging This section describes how to configure system message logging It contains this configuration information System ...

Page 427: ...ce number only if the service sequence numbers global configuration command is configured For more information see the Enabling and Disabling Sequence Numbers in Log Messages section on page 21 6 timestamp formats mm dd hh mm ss or hh mm ss short uptime or d h long uptime Date and time of the message or event This information appears only if the service timestamps log datetime log global configura...

Page 428: ...ommand output The logging synchronous global configuration command also affects the display of messages to the console When this command is enabled messages appear only after you press Return For more information see the Enabling and Disabling Timestamps on Log Messages section on page 21 6 To re enable message logging after it has been disabled use the logging on global configuration command Time...

Page 429: ...ing buffered size level Log messages to an internal buffer The default buffer size is 4096 The range is 4096 to 2147483647 bytes Levels include emergencies 0 alerts 1 critical 2 errors 3 warnings 4 notifications 5 informational 6 and debugging 7 Note Do not make the buffer size too large because the access point could run out of memory for other tasks Use the show memory privileged EXEC command to...

Page 430: ...y refer to a single message By default sequence numbers in log messages are not displayed Beginning in privileged EXEC mode follow these steps to enable sequence numbers in log messages To disable sequence numbers use the no service sequence numbers global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 service timestamps log uptime or service...

Page 431: ...ging monitor global configuration command To disable logging to syslog servers use the no logging trap global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 logging console level Limit messages logged to the console By default the console receives debugging messages and numerically lower levels see Table 21 3 on page 21 8 Step 3 logging monit...

Page 432: ...d Note Authentication request log messages are not logged on to a syslog server This feature is not supported on Cisco Aironet access points Limiting Syslog Messages Sent to the History Table and to SNMP If you have enabled syslog message traps to be sent to an SNMP network management station by using the snmp server enable trap global configuration command you can change the level of messages sen...

Page 433: ... logging rate limit global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 logging history level1 1 Table 21 3 lists the level keywords and severity level For SNMP usage the severity level values increase by 1 For example emergencies equal 1 not 0 and critical equals 3 not 2 Change the default level of syslog messages stored in the history fil...

Page 434: ... on the facilities The debug keyword specifies the syslog level see Table 21 3 on page 21 8 for information on the severity levels The syslog daemon sends messages at this level or at a more severe level to the file specified in the next field The file must already exist and the syslog daemon must have permission to write to it Step 2 Create the log file by entering these commands at the UNIX shel...

Page 435: ...slog servers receive informational messages and lower See Table 21 3 on page 21 8 for level keywords Step 4 logging facility facility type Configure the syslog facility See Table 21 4 on page 21 11 for facility type keywords The default is local7 Step 5 end Return to privileged EXEC mode Step 6 show running config Verify your entries Step 7 copy running config startup config Optional Save your ent...

Page 436: ...aying the Logging Configuration To display the current logging configuration and the contents of the log buffer use the show logging privileged EXEC command For information about the fields in this display refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12 2 To display the logging history file use the show logging history privileged EXEC command ...

Page 437: ...t up to date detailed troubleshooting information refer to the Cisco TAC website at the following URL select Top Issues and then select Wireless Technologies http www cisco com tac Sections in this chapter include Checking the Top Panel Indicators page 22 2 Checking Power page 22 17 Low Power Condition page 22 17 Checking Basic Settings page 22 18 Resetting to the Default Configuration page 22 19 ...

Page 438: ... Figure 22 1 shows the indicators on the 1200 series access point Figure 22 2 shows the indicators on the 1100 series access point Figure 22 3 and Figure 22 4 show the indicators on the 350 series access point Note The 1130 series access point has a status LED on the top of the unit and two LEDs inside the protective cover See the Indicators on 1130 Series Access Points section on page 22 6 for in...

Page 439: ...eless Device Troubleshooting Checking the Top Panel Indicators Figure 22 2 Indicators on the 1100 Series Access Point Figure 22 3 Indicators on the 350 Series Access Point Plastic Case Ethernet Status Radio 81597 S CISCO AIRONET 350 SERIES W I R E L E S S AC C E S S P O I N T Ethernet Status Radio 49075 ...

Page 440: ...t Blinking green indicates that the wireless device is operating normally but is not associated with any wireless devices The radio indicator blinks green to indicate radio traffic activity The light is normally off but it blinks whenever a packet is received or transmitted over the wireless device s radio 60511 CISCO AIRONET 350 SERIES W I R E L E S S A C C E S S P O I N T ETHERNET ACTIVITY ASSOC...

Page 441: ...Amber Boot environment error Red Green Red No Cisco IOS image file Amber Amber Amber Boot failure Operation Errors Green Blinking amber Maximum retries or buffer full occurred on the radio Blinking amber Transmit receive Ethernet errors Blinking amber General warning Configuration Reset Amber Resetting the configuration options to factory defaults Failures Red Red Red Firmware failure try disconne...

Page 442: ...point is not working properly check the LED ring on the top panel or the Ethernet and Radio LEDs in the cable bay area You can use the LED indications to quickly assess the unit s status Figure 22 5 shows the access point LEDs Figure 22 5 1130 Series Access Point LEDs Note To view the Ethernet and Radio LEDs you must open the access point cover 1 Status LED 3 Ethernet LED 2 Access point cover 4 Ra...

Page 443: ...ating condition but no wireless client devices are associated with the unit n a n a Light blue Normal operating condition at least one wireless client device is associated with the unit Operating status Green n a n a Ethernet link is operational Blinking green n a n a Transmitting or receiving Ethernet packets n a Blinking green n a Transmitting or receiving radio packets n a n a Blinking dark blu...

Page 444: ...mage recovery Amber Amber Blinking red and off Boot environment error Red Amber Blinking red and off No Cisco IOS image file Amber Amber Blinking red and off Boot failure Cisco IOS errors Blinking amber n a n a Transmit or receive Ethernet errors n a Blinking amber n a Maximum retries or buffer full occurred on the radio Red Red Orange Software failure try disconnecting and reconnecting unit power...

Page 445: ...oint LED Signals 1 Ethernet LED 3 Radio LED 2 Radio LED STATUS RADIO ETHERNET MODE CONSOLE ETHERNET 48VDC 2 4 GHz RIGHT PRIMARY 2 4 GHz LEFT 135497 3 2 1 Message type Ethernet LED Radio LED Status LED Meaning Boot loader status Green Green Green DRAM memory test ok Off Blinking green Blue green Initialize Flash file system Off Green Pink Flash memory test ok Green Off Dark blue Ethernet test ok Gr...

Page 446: ...st failure Off Red Blinking red and blue Flash file system failure Off Amber Blinking red and blue green Environment variable ENVAR failure Amber Off Blinking red and yellow Bad MAC address Red Off Blinking red and off Ethernet failure during image recovery Amber Amber Blinking red and off Boot environment error Red Amber Blinking red and off No Cisco IOS image file Amber Amber Blinking red and of...

Page 447: ...orking properly check the Ethernet Status and Radio LEDs on the 2 4 GHz end of the unit You can use the LED indications to quickly assess the unit s status Table 22 4 shows the access point LEDs for additional information refer to the Event Log using the access point browser interface Figure 22 7 shows the 1250 series access point LEDs Figure 22 7 1250 Series Access Point LEDs ETHERNET STATUS RADI...

Page 448: ...ation ok Association status Green Normal operating condition but no wireless client devices are associated with the unit Blue Normal operating condition at least one wireless client device is associated with the unit Operating status Green Ethernet link is operational Blinking green Transmitting or receiving Ethernet packets Blinking green Transmitting or receiving radio packets Blinking blue Soft...

Page 449: ...off Off Ethernet failure during image recovery Amber Blinking red and off Amber Boot environment error Red Blinking red and off Amber No Cisco IOS image file Amber Blinking red and off Amber Boot failure Cisco IOS errors Blinking amber Transmit or receive Ethernet errors Blinking amber Maximum retries or buffer full occurred on the radio Red Off Red Software failure try disconnecting and reconnect...

Page 450: ...ess Point Bridge Mounting Instructions that shipped with your access point bridge Figure 22 8 shows the access point bridge LEDs Figure 22 8 LEDs Normal Mode LED Indications During access point bridge operation the LEDs provide status information as shown in Table 22 5 R Radio LED E Ethernet LED S Status LED I Install LED 117061 R S I E Table 22 5 1300 Series Access Point Bridge LED Indications Et...

Page 451: ...ues contact technical support for assistance Amber Loading firmware Red Amber Red Loading Firmware error disconnect and reconnect the power injector power If the problem continues contact technical support for assistance Off Normal operation Blinking green Transmitting and receiving radio packets normal operation Blinking amber Maximum retries or buffer full occurred on the radio interface disconn...

Page 452: ...ower Injector Table 22 6 LED Blinking Error Codes LED Blinking Codes Description First Digit Second Digit Ethernet 2 1 Ethernet cable problem verify that the cable is properly connected and not defective This error might also indicate a problem with the Ethernet link If the cable is connected properly and not defective contact technical support for assistance Radio 1 2 Radio not detected contact t...

Page 453: ...tage condition Off indicates input power is not available verify that the power module is connected to the power injector and that AC power is available or that 12 to 40 VDC input power is connected to the power injector Low Power Condition Access points can be powered from the 48 VDC power module or from an in line power source The 1130 and 1240 access points support the IEEE 802 3af power standa...

Page 454: ...WEP Key 3 on the wireless device to exactly the same value The wireless device does not need to use Key 3 as its transmit key however Refer to Chapter 10 Configuring Cipher Suites and WEP for instructions on setting the wireless device s WEP keys Security Settings Wireless clients attempting to authenticate with the wireless device must support the same security options configured in the wireless ...

Page 455: ... and password are both Cisco which is case sensitive Using the MODE Button Follow these steps to delete the current configuration and return all access point settings to the factory defaults using the MODE button Note You cannot use the mode button to reset the configuration to defaults on 350 series access points To reset the configuration on 350 series access points follow the instructions in th...

Page 456: ...ept IP button Note Select Reset to Defaults Except IP if you want to retain a static IP address Step 8 Click Restart The system reboots Step 9 After the wireless device reboots you must reconfigure the wireless device by using the Web browser interface or the CLI The default username and password are Cisco which is case sensitive Using the CLI Follow the steps below to delete the current configura...

Page 457: ...l eeprom WRDTR CLKTR 0x80000800 0x80000000 RQDC RFDC 0x80000033 0x000001cb Step 8 When the access point has finished reloading the software Establish a new Telnet session to the access point Note The wireless device is configured with factory default values including the IP address set to receive an IP address using DHCP and the default username and password Cisco Step 9 When IOS software is loade...

Page 458: ...0 series access point or c1200 k9w7 tar 123 8 JA tar for a 1200 series access point in the TFTP server folder and that the TFTP server is activated For additional information refer to the Obtaining the Access Point Image File and Obtaining TFTP Server Software sections Step 3 Rename the access point image file in the TFTP server folder For example if the image file is c1100 k9w7 tar 123 8 JA tar f...

Page 459: ...ade screen Browser TFTP Interface The TFTP interface allows you to use a TFTP server on a network device to load the wireless device image file Follow the instructions below to use a TFTP server Step 1 Open your Internet browser You must use Microsoft Internet Explorer version 5 x or later or Netscape Navigator version 4 x Step 2 Enter the wireless device s IP address in the browser address line a...

Page 460: ...P address subnet mask and default gateway to the wireless device Note You must use upper case characters when you enter the IP ADDR NETMASK and DEFAULT_ROUTER options with the set command Your entries might look like this example ap set IP_ADDR 192 168 133 160 ap set NETMASK 255 255 255 0 ap set DEFAULT_ROUTER 192 168 133 1 Step 5 Enter the tftp_init command to prepare the wireless device for TFTP...

Page 461: ..._last_flat gif 318 bytes extracting c350 k9w7 mx 122 13 JA1 html level1 images apps_button_nth gif 1177 bytes extracting c350 k9w7 mx 122 13 JA1 html level1 images apps_leftnav_dkgreen gif 869 bytes MORE Note If you do not press the spacebar to continue the process eventually times out and the wireless device stops inflating the image Step 8 Enter the set BOOT command to designate the new image as...

Page 462: ...bution Authorization page appears Step 10 Answer the questions on the page and click Submit The Download page appears Step 11 Click DOWNLOAD The Software Download Rules page appears Step 12 Read the Software Download Rules carefully and click Agree Step 13 If prompted enter your login and password A File Download window appears Step 14 Save the file to a director on your hard drive Obtaining TFTP ...

Page 463: ...f the protocols that you can filter on the access point The tables include Table A 1 Ethertype Protocols Table A 2 IP Protocols Table A 3 IP Port Protocols In each table the Protocol column lists the protocol name the Additional Identifier column lists other names for the same protocol and the ISO Designator column lists the numeric designator for each protocol ...

Page 464: ...eley Trailer Negotiation 0x1000 LAN Test 0x0708 X 25 Level3 X 25 0x0805 Banyan 0x0BAD CDP 0x2000 DEC XNS XNS 0x6000 DEC MOP Dump Load 0x6001 DEC MOP MOP 0x6002 DEC LAT LAT 0x6004 Ethertalk 0x809B Appletalk ARP Appletalk AARP 0x80F3 IPX 802 2 0x00E0 IPX 802 3 0x00FF Novell IPX old 0x8137 Novell IPX new IPX 0x8138 EAPOL old 0x8180 EAPOL new 0x888E Telxon TXP TXP 0x8729 Aironet DDP DDP 0x872D Enet Co...

Page 465: ... Designator dummy 0 Internet Control Message Protocol ICMP 1 Internet Group Management Protocol IGMP 2 Transmission Control Protocol TCP 6 Exterior Gateway Protocol EGP 8 PUP 12 CHAOS 16 User Datagram Protocol UDP 17 XNS IDP IDP 22 ISO TP4 TP4 29 ISO CNLP CNLP 80 Banyan VINES VINES 83 Encapsulation Header encap_hdr 98 Spectralink Voice Protocol SVP Spectralink 119 raw 255 ...

Page 466: ...ote 17 Message Send Protocol msp 18 ttytst source chargen 19 FTP Data ftp data 20 FTP Control 21 ftp 21 Secure Shell 22 ssh 22 Telnet 23 Simple Mail Transport Protocol SMTP mail 25 time timserver 37 Resource Location Protocol RLP 39 IEN 116 Name Server name 42 whois nicname 43 43 Domain Name Server DNS domain 53 MTP 57 BOOTP Server 67 BOOTP Client 68 TFTP 69 gopher 70 rje netrjs 77 finger 79 Hyper...

Page 467: ...ws nntp 119 Network Time Protocol ntp 123 NETBIOS Name Service netbios ns 137 NETBIOS Datagram Service netbios dgm 138 NETBIOS Session Service netbios ssn 139 Interim Mail Access Protocol v2 Interim Mail Access Protocol IMAP2 143 Simple Network Management Protocol SNMP 161 SNMP Traps snmp trap 162 ISO CMIP Management Over IP CMIP Management Over IP cmip man CMOT 163 ISO CMIP Agent Over IP cmip age...

Page 468: ... 515 talk 517 ntalk 518 route RIP 520 timeserver timed 525 newdate tempo 526 courier RPC 530 conference chat 531 netnews 532 netwall wall 533 UUCP Daemon UUCP uucpd 540 Kerberos rlogin klogin 543 Kerberos rsh kshell 544 rfs_server remotefs 556 Kerberos kadmin kerberos adm 749 network dictionary webster 765 SUP server supfilesrv 871 swat for SAMBA swat 901 SUP debugging supfiledbg 1127 ingreslock 1...

Page 469: ... SNMPv3 This appendix contains these sections MIB List page B 1 Using FTP to Access the MIB Files page B 2 MIB List IEEE802dot11 MIB Q BRIDGE MIB P BRIDGE MIB CISCO DOT11 LBS MIB CISCO DOT11 IF MIB CISCO WLAN VLAN MIB CISCO IETF DOT11 QOS MIB CISCO IETF DOT11 QOS EXT MIB CISCO DOT11 ASSOCIATION MIB CISCO L2 DEV MONITORING MIB CISCO DDP IAPP MIB CISCO IP PROTOCOL FILTER MIB CISCO SYSLOG EVENT EXT M...

Page 470: ...3 MIB RFC1398 MIB SNMPv2 MIB SNMPv2 SMI SNMPv2 TC Using FTP to Access the MIB Files Follow these steps to obtain each MIB file by using FTP Step 1 Use FTP to access the server ftp cisco com Step 2 Log in with the username anonymous Step 3 Enter your e mail username when prompted for the password Step 4 At the ftp prompt change directories to pub mibs v1 or pub mibs v2 Step 5 Use the get MIB_filena...

Page 471: ...C 3 Association Management Messages page C 5 Unzip Messages page C 6 802 11 Subsystem Messages page C 7 Inter Access Point Protocol Messages page C 20 Local Authenticator Messages page C 21 WDS Messages page C 23 Mini IOS Messages page C 24 Access Point Bridge Messages page C 25 Cisco Discovery Protocol Messages page C 25 External Radius Server Error Messages page C 26 LWAPP Error Messages page C ...

Page 472: ... CRIT warns of a possible serious critical error 3 LOG ERR warning of error condition most features functional user should exercise care 4 LOG WARNING warning that user can ignore if they prefer 5 LOG NOTICE notice that may be of concern to user 6 LOG INFO informational not serious 7 LOG DEBUG debug information not serious Action Flags Internal to the code for which additional action is displayed ...

Page 473: ...grade of the software failed Recommended Action Make sure that the DHCP server is configured correctly Error Message SW AUTO UPGRADE 7_BOOT_FAILURE s Auto upgrade of the software failed Explanation Auto upgrade of the software failed Recommended Action Reboot the unit If the message appears again copy the error message exactly as it appears and report it to your technical support representative Er...

Page 474: ...ation interface command to configure the radio for a role other than install mode Error Message AVR_IMAGE_UPDATE 7 UPDATE_COMPLETE The AVR d firmware was successfully updated Explanation The access point AVR firmware was successfully updated Recommended Action No action is required Error Message AVR_IMAGE_UPDATE 2 UPDATE_FAILURE The AVR d firmware is not current Update error s Explanation The AVR ...

Page 475: ...s e s KEY_MGMT s MSGDEF_LIMIT_MEDIUM Explanation The indicated station associated to an access point on the indicated interface Recommended Action None Error Message DOT11 6 ADD Interface s Station e associated to parent e Explanation The indicated station associated to the parent access point on the indicated interface Recommended Action None Error Message DOT11 6 DISASSOC Interface s Deauthentic...

Page 476: ...tes to be used Recommended Action Copy the error message exactly as it appears on the console or in the system log Research and attempt to resolve the error using the Output Interpreter https www cisco com cgi bin Support OutputInterpreter home pl Also perform a search of the Bug Toolkit http www cisco com cgi bin Support Bugtool home pl If you still require assistance open a case with the Technic...

Page 477: ...found the wrong firmware version The radio will be loaded with the required version Recommended Action None Error Message DOT11 2 VERSION_INVALID Interface d unable to find required radio version x x d Explanation When trying to re flash the radio firmware on the indicated interface the access point recognized that the indicated radio firmware packaged with the Cisco IOS software had the incorrect...

Page 478: ...y on the indicated interface Recommended Action Remove unit from network and service Error Message DOT11 6 FREQ_SCAN Interface s Scanning frequencies for d seconds Explanation Starting a scan for a least congested frequency on the interface indicated for a the time period indicated Recommended Action None Error Message DOT11 2 NO_CHAN_AVAIL Interface s no channel available Explanation No frequency...

Page 479: ... deleted from the configuration At least one must be configured for the radio to run Recommended Action Configure at least one SSID on the access point Error Message DOT11 4 NO_SSID_VLAN No SSID with VLAN configured s not started Explanation No SSID was configured for a VLAN The indicated interface was not started Recommended Action At least one SSID must be configured per VLAN Add at least one SS...

Page 480: ...aded from a network when the access point boots Recommended Action Place the image on the root directory of the flash file system Error Message DOT11 4 FW_LOAD_DELAYED Interface s network filesys not ready Delaying firmware s load Explanation The network filesystem was not running or not ready when trying to flash new firmware into the indicated interface Loading the identified firmware file has b...

Page 481: ...ridge mode and is seen if the WGB repeater or non root is configured with Client MFP SD required or mandatory but root Client MFP is disabled Recommended Action Check the configuration of the parent access point and this unit to make sure there is a match Error Message DOT11 2 PROCESS_INITIALIZATION_FAILED The background process for the radio could not be started s Explanation The initialization p...

Page 482: ...e same area they could be overlapping the channel signal or with any other wireless device in the surrounding area Change the channels under Network Interfaces and select Radio 802 11 There are three non overlapping channels 1 6 and 11 Error Message DOT11 4 RM_INCAPABLE Interface s Explanation Indicated interface does not support the radio management feature Recommended Action None Error Message D...

Page 483: ...e too many different DTIM periods defined s is down Explanation Beacon burst mode can only support up to 4 unique DTIM values each with a maximum of 4 BSSes Recommended Action Change the number of unique DTIMs on the SSIDs configured for the interface to a more reasonable set of values Error Message DOT11 2 RADIO_INITIALIZATION_ERROR The radio subsystem could not be initialized s Explanation A cri...

Page 484: ...of radio used To resolve this issue you may have to reload the access point with a new Cisco IOS image Instructions for reloading an image are found in Reloading the Access Point Image section on page 22 21 If the IOS on the access point is corrupt reload the access point image using the Mode button method Error Message DOT11 2 BAD_FIRMWARE Interface s radio firmware file s is invalid Explanation ...

Page 485: ...planation A packet sent to the client has not been successfully delivered many times and the max retries limit has been reached The client is deleted from the association table Recommended Action None Error Message DOT11 4 BRIDGE_LOOP Bridge loop detected between WGB e and device e Explanation The indicated workgroup bridge reported the address of one of its indicated Ethernet clients and the acce...

Page 486: ...essage DOT11 3 RF LOOPBACK_FAILURE Interface s Radio failed to pass RF loopback test Explanation Radio loopback test failed for the interface indicated Recommended Action None Error Message DOT11 3 RF LOOPBACK_FREQ_FAILURE Interface s failed to pass RF loopback test Explanation Radio loopback test failed at a given frequency for the indicated interface Recommended Action None Error Message DOT11 7...

Page 487: ...ed on a frame A replay of the CKIP SEQ in a received packet almost indicates an active attack Recommended Action None Error Message DOT11 4 TKIP_MIC_FAILURE Received TKIP Michael MIC failure report from the station e on the packet TSC 0x 11x encrypted and protected by s key Explanation TKIP Michael MIC failure was detected from the indicated station on a unicast frame decrypted locally with the in...

Page 488: ...s long use the countermeasure tkip hold time command to adjust the hold time Error Message DOT11 4 TKIP_REPLAY TKIP TSC replay was detected on a packet TSC 0x ssx received from e Explanation TKIP TSC replay was detected on a frame A replay of the TKIP TSC in a received packet almost indicates an active attack Recommended Action None Error Message DOT11 4 WLAN_RESOURCE_LIMIT WLAN limit exceeded on ...

Page 489: ... Error Message SOAP_FIPS 2 INIT_FAILURE SOAP FIPS initialization failure s Explanation SOAP FIPS initialization failure Recommended Action None Error Message SOAP_FIPS 4 PROC_FAILURE SOAP FIPS test failure s Explanation SOAP FIPS test critical failure Recommended Action None Error Message SOAP_FIPS 4 PROC_WARNING SOAP FIPS test warning s Explanation SOAP FIPS test non critical failure Recommended ...

Page 490: ...ps infrastructure mode multicast packets in client mode and drops client mode multicast packets in infrastructure mode Recommended Action None Inter Access Point Protocol Messages Error Message DOT11 6 STANDBY_ACTIVE Standby to Active Reason s d Explanation The access point is transitioning from standby mode to active mode for the indicated reason Recommended Action None Error Message DOT11 6 STAN...

Page 491: ...guration on either the NAS or on the local RADIUS server Error Message RADSRV 4_BLOCKED Client blocked due to repeated failed authentications Explanation A user failed authentication the number of times configured to trigger a block and the account been disabled Recommended Action Use the clear radius local server user username privileged EXEC command to unblock the user or allow the block on the ...

Page 492: ...curred when the shim layer tried to transmit the dot1x packet The packet encapsulation failed Recommended Action None Error Message DOT1X SHIM 3 SUPP_START_FAIL Unable to start supplicant on s Explanation An unexpected error occurred when the shim layer tried to start the dot1x suppliant on the indicated interface Recommended Action None Error Message DOT1X SHIM 3 NO_UPLINK No uplink found for s E...

Page 493: ...WDS 6 PREV_VER_AP A previous version of AP is detected Explanation The WDS device detected a previous version of the access point Recommended Action None Error Message WLCCP AP 6 INFRA WLCCP Infrastructure Authenticated Explanation The access point successfully authenticated to the WDS device Recommended Action None Error Message WLCCP AP 6 STAND_ALONE Connection lost to WLCCP server changing to S...

Page 494: ... Error Message WLCCP NM 6 RESET Resetting WLCCP NM Explanation A change in the network manager IP address or a temporary out of resource state might have caused a reset on the WDS network manager subsystem but operation will return to normal shortly Recommended Action None Error Message WLCCP WDS 3 RECOVER s Explanation WDS graceful recovery errors Recommended Action None Mini IOS Messages Error M...

Page 495: ...they simply show that the radio went down at some point The rcore files can be listed on the CLI session and appear similar to this r15_5705_AB50_A8341F30 rcore Access Point Bridge Messages Error Message APBR 4 SEND_PCKT_FAILED Failed to Send Packet on port ifDescr error errornum errornum status error number HASH 0x2096974 Explanation The access point or bridge failed to send a packet This conditi...

Page 496: ...Recommended Action No action is required Error Message LWAPP 3 CLIENTERRORLOG s Explanation This log message indicates an LWAPP client error event The message is logged to help in troubleshooting LWAPP access point join problems Recommended Action No action is required Error Message LWAPP 3 CLIENTEVENTLOG s Explanation This log message indicates an LWAPP client notification event The message is lo...

Page 497: ...s under normal operating temperature Recommended Action None required Error Message SENSOR 3 TEMP_SHUTDOWN Shuting down the system because of dangerously HIGH temperature at sensor d Explanation One of the measured environmental test points exceeds the operating temperature environment of the router Recommended Action Investigate the cause of the high temperature Error Message SENSOR 3 TEMP_WARNIN...

Page 498: ...at P Explanation An SNMP request was sent by this host which was not properly authenticated Recommended Action Make sure that the community user name used in the SNMP req has been configured on the router Error Message SNMP 3 INPUT_QFULL_ERR Packet dropped due to input queue full Explanation Snmp packet dropped due to input queue full error Recommended Action Use the command show snmp to see the n...

Page 499: ...stination Recommended Action Run the show snmp host and show snmp commands Copy the error message and output from the show commands exactly as they appear and report it to your technical support representative Deleting and re adding the informs destination via the snmp server host configuration command may clear the condition Otherwise reloading the system may be necessary SSH Error Messages Error...

Page 500: ... Recommended Action No action necessary informational message Error Message SSH 5 SSH_SESSION SSH Session request from s tty d using crypto cipher s s Explanation The SSH session request information Recommended Action No action necessary informational message Error Message SSH 5 SSH_USERAUTH User s authentication for SSH Session from s tty d using crypto cipher s s Explanation The SSH user authent...

Page 501: ...8 and 54 Mbps LANs operating in the 2 4 GHz frequency band 802 3af The IEEE standard that specifies a mechanism for Power over Ethernet PoE The standard provides the capability to deliver both power and data over standard Ethernet cabling A access point A wireless LAN data transceiver that uses radio waves to connect a wired network with wireless stations ad hoc network A wireless network composed...

Page 502: ...nabled client devices on the subnet The WDS access point s cache of credentials dramatically reduces the time required for reassociation when a CCKM enabled client device roams to a new access point cell The area of radio range or coverage in which the wireless devices can communicate with the base station The size of the cell depends upon the speed of the transmission the type of antenna used and...

Page 503: ... IEEE 802 1x security feature ideal for organizations with a large user base and access to an EAP enabled Remote Authentication Dial In User Service RADIUS server Ethernet The most widely used wired local area network Ethernet uses carrier sense multiple access CSMA to allow computers to share a network and operates at 10 100 or 1000 Mbps depending on the physical layer used F file server A reposi...

Page 504: ... a radio signal bounces off of physical objects multicast packet A single data message packet sent to multiple addresses O omni directional This typically refers to a primarily circular antenna radiation pattern Orthogonal Frequency Division Multiplex OFDM A modulation technique used by IEEE 802 11a compliant wireless LANs for transmission at 6 9 12 18 24 36 48 and 54 Mbps P packet A basic message...

Page 505: ...ansmission technology that spreads the user information over a much wider bandwidth than otherwise required in order to gain benefits such as improved interference tolerance and unlicensed operation SSID Service Set Identifier also referred to as Radio Network Name A unique identifier used to identify a radio network and which stations must use to be able to communicate with each other or to an ac...

Page 506: ... Wireless LAN Solutions Engine The WLSE is a specialized appliance for managing Cisco Aironet wireless LAN infrastructures It centrally identifies and configures access points in customer defined groups and reports on throughput and client associations WLSE s centralized management capabilities are further enhanced with an integrated template based configuration tool for added configuration ease a...

Page 507: ...7 12 access point security settings matching client devices 11 20 accounting with RADIUS 13 13 with TACACS 13 23 13 28 accounting command 7 5 ACL logging 7 12 Address Resolution Protocol ARP 6 28 AES CCMP 10 2 Aironet Client Utility ACU 22 19 Aironet extensions 6 14 6 26 ampdu command 15 5 antenna selection 6 25 antenna command 6 25 Apply button 2 5 ARP caching 5 26 associations limiting by MAC ad...

Page 508: ...ching MAC authentications 11 15 Called Station ID See CSID Cancel button 2 5 capture frames 12 30 carrier busy test 6 33 Catalyst 6500 Series 12 1 CCKM 11 6 authenticated clients 11 6 CCK modulation 6 13 CDP disabling for routing device 17 4 enabling and disabling on an interface 17 4 monitoring 17 4 cdp enable command 17 4 cdp run command 17 3 channel width 6 15 Cisco Discovery Protocol CDP 17 1 ...

Page 509: ... encryption 10 4 fragment threshold 6 32 guest mode 7 5 help 3 3 infrastructure client 6 28 infrastructure ssid 7 5 interface dot11radio 1 1 1 2 6 2 ip domain name 5 34 ip redirect 7 12 no and default 3 4 no shutdown 3 4 packet retries 6 32 payload encapsulation 6 27 permit tcp port 7 12 power client 6 14 power local 6 12 recall 3 5 rts retries 6 31 rts threshold 6 31 set 22 25 set BOOT 22 25 sett...

Page 510: ... 18 5 system message logging 21 3 system name and prompt 5 32 TACACS 5 15 13 25 default gateway 4 13 default radio settings description of 4 7 default username 4 2 del command 22 21 delivery traffic indication message DTIM 6 30 DFS 6 16 DHCP server configuring access point as 5 22 receiving IP settings from 4 12 directories changing 20 3 creating and removing 20 4 displaying the working 20 3 disab...

Page 511: ...6 encapsulation dot1q command 14 6 encapsulation method 6 27 encrypted software image 5 25 encryption command 10 4 encryption for passwords 5 6 error and event messages C 1 error messages 802 11 subsystem messages C 7 access point bridge messages C 25 association management messages C 5 Cisco discovery protocol messages C 25 CLI 3 4 during command entry 3 4 explained C 2 external radius server err...

Page 512: ...ownloading 20 12 overview 20 11 preparing the server 20 12 uploading 20 13 image files deleting old image 20 26 downloading 20 24 preparing the server 20 23 uploading 20 26 G gain 6 24 get bulk request operation 18 3 get next request operation 18 3 18 4 get request operation 18 3 18 4 get response operation 18 3 global configuration mode 3 2 Gratuitous Probe Response GPR enabling and disabling 6 2...

Page 513: ...ting client associations by MAC address 16 6 limiting client power level 6 13 line configuration mode 3 2 load balancing 6 26 local authenticator access point as 9 1 Location Based Services 6 21 login authentication with RADIUS 5 10 13 7 with TACACS 5 15 13 26 login banners 5 35 log messages See system message logging low power condition 22 17 M MAC address ACLs blocking association with 16 6 filt...

Page 514: ...commands 3 4 non root 4 13 no shutdown command 3 4 notification 2 5 O OFDM 6 13 OK button 2 5 optional ARP caching 5 26 Orthogonal Frequency Division Multiplexing OFDM See OFDM P packet of disconnect PoD configuring 13 12 packet retries command 6 32 packet size fragment 6 32 password reset 22 19 passwords default configuration 5 4 encrypting 5 6 overview 5 3 setting enable 5 4 enable secret 5 6 wi...

Page 515: ...DIUS attributes CSID format selecting 13 14 sent by the access point 13 20 vendor proprietary 13 17 vendor specific 13 16 WISPr 13 18 configuring access point as local server 9 2 accounting 13 13 authentication 5 10 13 7 authorization 5 14 13 11 communication global 13 5 13 15 communication per server 13 4 13 5 multiple UDP ports 13 5 default configuration 5 10 13 4 defining AAA server groups 5 12...

Page 516: ...etwork 6 2 root 4 13 rotation broadcast key 10 1 rts retries command 6 31 RTS threshold 6 31 rts threshold command 6 31 S sample configuration 6 11 secure remote connections 5 25 Secure Shell See SSH security 2 4 troubleshooting 22 18 security features synchronizing 11 20 security settings Express Security page 4 16 self healing wireless LAN 12 5 sequence numbers in log messages 21 6 serial serial...

Page 517: ...cribed 20 19 software upgrade error and event messages C 3 sort CLI commands 3 8 spaces in an SSID 7 6 speed command 6 9 SSH 3 9 configuring 5 26 crypto software image 5 25 described 5 25 displaying settings 5 26 SSH Communications Security Ltd 3 9 SSID 7 2 14 6 guest mode 7 2 invalid characters in 7 4 11 10 multiple SSIDs 7 1 troubleshooting 22 18 using spaces in 7 6 VLAN 7 2 ssid command 7 4 11 ...

Page 518: ... configuring the logging facility 21 10 facilities supported 21 11 system name default configuration 5 32 manual configuration 5 32 See also DNS system prompt default setting 5 32 T TAC 22 1 TACACS accounting defined 13 23 authentication defined 13 23 authorization defined 13 23 configuring accounting 13 28 authentication key 13 25 authorization 5 17 13 27 login authentication 5 15 13 26 default c...

Page 519: ...ized access 5 3 universal workgroup bridge 6 2 universal workgroup bridge mode 4 13 UNIX syslog servers daemon configuration 21 10 facilities supported 21 11 message logging configuration 21 10 upgrading software images See downloading uploading configuration files preparing 20 10 20 12 20 15 reasons for 20 8 using FTP 20 13 using RCP 20 17 using TFTP 20 11 image files preparing 20 19 20 23 20 27 ...

Page 520: ...8 WMM 15 4 Workgroup bridge configuring limited channel scanning 19 15 configuring the limited channel set 19 15 ignoring the CCX neighbor list 19 16 workgroup bridge 6 28 guidelines for using in lightweight environment 19 18 in lightweight environment 19 18 maximum number of clients allowed 6 4 sample lightweight network configuration 19 20 world mode 6 22 6 26 always on setting 6 22 world mode c...

Reviews:

No comments

Related manuals for Aironet SERIES

Paradyne iMarc SLV9128 Upgrade Instructions preview
iMarc SLV9128
Brand: Paradyne Pages: 2
T-Mobile Franklin T9 Getting Started preview
Franklin T9
Brand: T-Mobile Pages: 4
Extreme Networks EN-SLX 9640-24S-12C Installation Manual preview
EN-SLX 9640-24S-12C
Brand: Extreme Networks Pages: 113
StarTech.com AP300WN2X2W Quick Start Manual preview
AP300WN2X2W
Brand: StarTech.com Pages: 2
HABITECH RIVI RV65 Quick Setup preview
RIVI RV65
Brand: HABITECH Pages: 3
Sena Parani MSP1000 User Manual preview
Parani MSP1000
Brand: Sena Pages: 82
HP Enterprise Aruba 340 Series Startup Manual preview
Aruba 340 Series
Brand: HP Enterprise Pages: 3
USR IOT USR-G808 User Manual preview
USR-G808
Brand: USR IOT Pages: 66
u-blox EVK-R4 Series User Manual preview
EVK-R4 Series
Brand: u-blox Pages: 31
Nortel 120 Using Manual preview
120
Brand: Nortel Pages: 130
Ubiquiti PowerBeam ac ISO Quick Start Manual preview
PowerBeam ac ISO
Brand: Ubiquiti Pages: 28
Westermo Ibex-RT-310 Series User Manual preview
Ibex-RT-310 Series
Brand: Westermo Pages: 31
Westermo 3623-072201 User Manual preview
3623-072201
Brand: Westermo Pages: 30
Sierra Wireless Clear Spot 4G+ User Manual preview
Clear Spot 4G+
Brand: Sierra Wireless Pages: 136
Sierra Wireless Overdrive User Manual preview
Overdrive
Brand: Sierra Wireless Pages: 172
Sierra Wireless Overdrive Pro User Manual preview
Overdrive Pro
Brand: Sierra Wireless Pages: 180
Sierra Wireless 4G LTE Tri-Fi Hotspot User Manual preview
4G LTE Tri-Fi Hotspot
Brand: Sierra Wireless Pages: 208
Sierra Wireless Overdrive Pro 3G User Manual preview
Overdrive Pro 3G
Brand: Sierra Wireless Pages: 174

Brands by name

Popular brands

Load more brands