Cisco HWIC Configuration Manual Download Page 120 | Manualshive

Page: 120 / 188

background image

7-14

Cisco Wireless ISR and HWIC Access Point Configuration Guide

OL-6415-04

Chapter 7 Configuring RADIUS Servers

Configuring and Enabling RADIUS

To return to the default setting for retransmit, timeout, and deadtime, use the

no

forms of these

commands.

Configuring the Access Point to Use Vendor-Specific RADIUS Attributes

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating
vendor-specific information between the access point and the RADIUS server by using the
vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their
own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one
vendor-specific option by using the format recommended in the specification. Cisco’s vendor ID is 9,
and the supported option has vendor type 1, which is named

cisco-avpair

. The value is a string with this

format:

protocol : attribute sep value *

Protocol

is a value of the Cisco protocol attribute for a particular type of authorization.

Attribute

and

value

are an appropriate AV pair defined in the Cisco specification, and

sep

is

=

for

mandatory attributes and the asterisk (*) for optional attributes. This allows the full set of features
available for authorization to also be used for RADIUS.

For example, the following AV pair activates Cisco’s

multiple named ip address pools

feature during IP

authorization (during PPP’s IPCP address assignment):

cisco-avpair= ”ip:addr-pool=first“

The following example shows how to provide a user logging in from an access point with immediate
access to privileged EXEC commands:

cisco-avpair= ”shell:priv-lvl=15“

Other vendors have their own unique vendor IDs, options, and associated VSAs. For more information
about vendor IDs and VSAs, refer to RFC 2138, “Remote Authentication Dial-In User Service
(RADIUS).”

Beginning in privileged EXEC mode, follow these steps to configure the access point to recognize and
use VSAs:

Step 6

radius-server attribute 32
include-in-access-req format %h

Configure the access point to send its system name in the NAS_ID attribute
for authentication.

Step 7

end

Return to privileged EXEC mode.

Step 8

show running-config

Verify your settings.

Step 9

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Command

Purpose

«
...
118
119
120
121
122
...
»

Summary of Contents for HWIC

Page 1: ...stems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Cisco Wireless ISR and HWIC Access Point Configuration Guide December 2006 Text Part Number 0L 6415 04 ...

Page 2: ...ABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCVP the Cisco Logo and the Cisco Square Bridge logo are trademarks of Cisco Systems Inc Changing the Way We Work Live Play and...

Page 3: ...15 Obtaining Technical Assistance 16 Cisco Technical Support Documentation Website 16 Submitting a Service Request 16 Definitions of Service Request Severity 17 Obtaining Additional Publications and Information 17 C H A P T E R 1 Overview 1 Wireless Device Management 1 Network Configuration Example 2 Root Unit on a Wired LAN 2 Features 3 5 C H A P T E R 2 Configuring Radio Settings 1 Enabling the ...

Page 4: ...5 Configuring Protected Ports 26 Configuring Beacon Period and DTIM 26 Configuring RTS Threshold and Retries 27 Configuring Maximum Data Retries 27 Configuring Fragmentation Threshold 28 Enabling Short Slot Time for 802 11g Radios 28 Performing a Carrier Busy Test 29 C H A P T E R 3 Configuring Multiple SSIDs 1 Understanding Multiple SSIDs 2 SSID Configuration Methods Supported by Cisco IOS Releas...

Page 5: ...n 7 Security Type in Universal Client Mode 8 C H A P T E R 6 Configuring Authentication Types 1 Understand Authentication Types 2 Open Authentication to Access Point 2 Shared Key Authentication to Access Point 3 EAP Authentication to Network 4 MAC Address Authentication to the Network 5 Combining MAC Based EAP and Open Authentication 6 Using WPA Key Management 6 Software and Firmware Requirements ...

Page 6: ...guring QoS 1 Understanding QoS for Wireless LANs 2 QoS for Wireless LANs Versus QoS on Wired LANs 2 Impact of QoS on a Wireless LAN 2 Precedence of QoS Settings 3 Using Wi Fi Multimedia Mode 4 Configuring QoS 4 Configuration Guidelines 5 Adjusting Radio Access Categories 5 Disabling IGMP Snooping Helper 6 Sample Configuration Using the CLI 6 A P P E N D I X A Channel Settings 1 IEEE 802 11b 2 4 GH...

Page 7: ...7 Cisco Wireless Router and HWIC Configuration Guide OL 6415 04 Message Traceback Reports 2 Association Management Messages 2 802 11 Subsystem Messages 3 Local Authenticator Messages 12 G L O S S A R Y I N D E X ...

Page 8: ...Contents 8 Cisco Wireless Router and HWIC Configuration Guide OL 6415 04 ...

Page 9: ...AP HWIC Cisco 800 series routers with wireless capabilities Cisco 1800 series routers with wireless capabilities Purpose This guide provides the information you need to install and configure your Cisco wireless device for example AP HWIC Cisco 800 series and Cisco 1800 series routers This guide provides procedures for using the Cisco IOS software commands that have been created or changed for use ...

Page 10: ...e authentication methods to join your network Chapter 7 Configuring RADIUS Servers describes how to enable and configure the RADIUS which provides detailed accounting information and flexible administrative control over authentication and authorization processes Chapter 8 Configuring VLANs describes how to configure your wireless device to interoperate with the VLANs set up on your wired LAN Chapt...

Page 11: ...it waarschuwingssymbool betekent gevaar U verkeert in een situatie die lichamelijk letsel kan veroorzaken Voordat u aan enige apparatuur gaat werken dient u zich bewust te zijn van de bij elektrische schakelingen betrokken risico s en dient u op de hoogte te zijn van standaard maatregelen om ongelukken te voorkomen Voor vertalingen van de waarschuwingen die in deze publicatie verschijnen kunt u he...

Page 12: ...e publikasjonen kan du se i vedlegget Translated Safety Warnings Oversatte sikkerhetsadvarsler Aviso Este símbolo de aviso indica perigo Encontra se numa situação que lhe poderá causar danos fisicos Antes de começar a trabalhar com qualquer equipamento familiarize se com os perigos relacionados com circuitos eléctricos e com quaisquer práticas comuns que possam prevenir possíveis acidentes Para ve...

Page 13: ... Memory in Cisco 800 Routers Cisco 1800 series routers Cisco 1800 Series Integrated Services Routers Modular Quick Start Guide Cisco 1800 Series Routers Hardware Installation Documents Cisco 1800 Series Software Configuration Guide Cisco 1800 Series Cards and Modules Regulatory Compliance and Safety Information for Cisco 1840 Routers Cisco Modular Access Router Cable Specifications Cisco IOS softw...

Page 14: ... as a single unit or as a subscription Registered Cisco com users Cisco direct customers can order a Product Documentation DVD product number DOC DOCDVD from the Ordering tool or Cisco Marketplace Cisco Ordering tool http www cisco com en US partner ordering Cisco Marketplace http www cisco com go marketplace Ordering Documentation Beginning June 30 2005 registered Cisco com users may order Cisco ...

Page 15: ...om go psirt If you prefer to see advisories and notices as they are updated in real time you can access a Product Security Incident Response Team Really Simple Syndication PSIRT RSS feed from this URL http www cisco com en US products products_psirt_rss_feed html Reporting Security Problems in Cisco Products Cisco is committed to delivering secure products We test our products internally before we...

Page 16: ...If you have a valid service contract but do not have a user ID or password you can register at this URL http tools cisco com RPF register register do Note Use the Cisco Product Identification CPI tool to locate your product serial number before submitting a web or phone request for service You can access the CPI tool from the Cisco Technical Support Documentation website by clicking the Tools Reso...

Page 17: ...e the situation Severity 3 S3 Operational performance of your network is impaired but most business operations remain functional You and Cisco will commit resources during normal business hours to restore service to satisfactory levels Severity 4 S4 You require information or assistance with Cisco product capabilities installation or configuration There is little or no effect on your business oper...

Page 18: ...coiq sample Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing developing and operating public and private internets and intranets You can access the Internet Protocol Journal at this URL http www cisco com ipj Networking products offered by Cisco Systems as well as customer support services can be obtained at this URL ht...

Page 19: ...vides information for the following devices Access Point High speed WAN Interface Card AP HWIC Cisco 800 Series routers with wireless capabilities Cisco 1800 Series routers with wireless capabilities This chapter provides information on the following topics Wireless Device Management Network Configuration Example Features Wireless Device Management You can use the wireless device management system...

Page 20: ...The access point default configuration is as a root unit connected to a wired LAN or as the central unit in an all wireless network Root Unit on a Wired LAN An access point connected directly to a wired LAN provides a connection point for wireless users Figure 1 1 shows access points acting as root units on a wired LAN Figure 1 1 Access Points as Root Units on a Wired LAN Access Point Root Unit Ac...

Page 21: ...ultiple virtual access points It does this by assigning an access point with multiple Basic Service Set IDs MBSSIDs or MAC addresses To determine whether a radio supports multiple basic SSIDs enter the show controllers command for the radio interface The radio supports multiple basic SSIDs if the results include this line Number of supported simultaneous BSSID on radio_interface 8 Support for Wi F...

Page 22: ... to act as a local authentication server to provide authentication service for small wireless LANs without a RADIUS server or to provide backup authentication service in case of a WAN link or a server failure The number of clients supported varies based on platform with up to 1000 user accounts supported on the higher end platforms Support for 802 11g radios Cisco IOS Releases 12 4 2 T or later su...

Page 23: ... SSIDs This feature provides a bandwidth efficient software upgradeable alternative to multiple broadcast SSIDs MB SSIDs HTTP Web Server v1 1 This feature provides a consistent interface for users and applications by implementing the HTTP 1 1 standard see RFC 2616 In previous releases Cisco software supported only a partial implementation of HTTP 1 0 The integrated HTTP Server API supports server ...

Page 24: ...1 6 Cisco Wireless Router and HWIC Configuration Guide OL 6415 04 Chapter 1 Overview ...

Page 25: ...2 12 Configuring Radio Channel Settings page 2 14 Enabling and Disabling World Mode page 2 20 Enabling and Disabling Short Radio Preambles page 2 21 Configuring Transmit and Receive Antennas page 2 22 Disabling and Enabling Access Point Extensions page 2 23 Configuring the Ethernet Encapsulation Transformation Method page 2 23 Enabling and Disabling Reliable Multicast to Workgroup Bridges page 2 2...

Page 26: ...ch device Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface dot11radio 0 1 Enter interface configuration mode for the radio interface The 2 4 GHz radio is radio 0 and the 5 GHz radio is radio 1 Step 3 ssid Enter the SSID The SSID can consist of up to 32 alphanumeric characters SSIDs are case sensitive Step 4 no shutdown Enable the radio port Step 5 end Retu...

Page 27: ...back repeater wireless clients shutdown Sets the wireless device role to universal client mode Set the role to non root bridge with or without wireless clients repeater access point root access point or bridge scanner or workgroup bridge The bridge mode radio supports point to point configuration only The Ethernet port is shut down when any one of the radios is configured as a repeater Only one ra...

Page 28: ...terface is supported Routing mode is not supported for root and non root bridging operations Sample Bridging Configuration The following is a sample of a Root Bridge Configuration aaa new model aaa group server radius rad_eap server 20 0 0 1 auth port 1812 acct port 1813 aaa authentication login eap_methods group rad_eap aaa session id common resource policy mmi polling interval 60 no mmi auto con...

Page 29: ...idge group 1 bridge group 1 spanning disabled interface Dot11Radio0 0 1 no ip address speed basic 6 0 9 0 basic 12 0 18 0 basic 24 0 36 0 48 0 54 0 station role root interface BVI1 ip address 20 0 0 1 255 0 0 0 ip route 0 0 0 0 0 0 0 0 20 0 0 5 ip http server no ip http secure server radius server local nas 20 0 0 1 key 0 wireless user non root nthash 0 3741A4EE66E1AA56CD8B3A9038580DC9 radius serv...

Page 30: ...address duplex auto speed auto interface FastEthernet0 1 no ip address duplex auto speed auto bridge group 1 bridge group 1 spanning disabled interface Dot11Radio0 1 0 no ip address encryption vlan 1 mode ciphers tkip ssid airlink2 bridge speed basic 1 0 basic 2 0 basic 5 5 6 0 9 0 basic 11 0 12 0 18 0 24 0 36 0 48 0 54 0 station role non root bridge interface Dot11Radio0 1 0 1 encapsulation dot1Q...

Page 31: ...bridging The user cannot configure a dot11radio interface with a bridge group when in universal client mode SSIDs are required to be configured on the dot11 interface operating as a universal client association to an access point running in guest mode is not supported The universal client can associate to Cisco access points 3rd party access points and repeaters It cannot associate to Cisco root b...

Page 32: ...t brief Interface IP Address OK Method Status Protocol FastEthernet0 0 unassigned YES NVRAM administratively down down FastEthernet0 1 unassigned YES NVRAM administratively down down Dot11Radio0 1 0 unassigned YES DHCP up up Dot11Radio0 1 1 unassigned YES NVRAM administratively down down Virtual Dot11Radio0 200 1 1 2 YES DHCP up up c2801_uc NAT Network Address Translation NAT translation takes pla...

Page 33: ...e dot11 ssid tsunami authentication open guest mode dot11 priority map avvid ip cef no ip dhcp use vrf connected ip dhcp excluded address 100 1 1 1 ip dhcp pool jimmy network 100 1 1 0 255 255 255 0 default router 100 1 1 1 controller DSL 0 line term cpe bridge irb interface Dot11Radio0 ip address 100 1 1 1 255 255 255 0 ip nat inside ip virtual reassembly no ip route cache cef no ip route cache s...

Page 34: ... be set to basic You can use the Data Rate settings to set an access point to serve client devices operating at specific data rates For example to set the 2 4 GHz radio for 11 megabits per second Mbps service only set the 11 Mbps rate to Basic and set the other data rates to Disabled To set the wireless device to serve only client devices operating at 1 and 2 Mbps set 1 and 2 to Basic and set the ...

Page 35: ... 0 basic 36 0 basic 48 0 and basic 54 0 to set these data rates to basic on the 802 11g 2 4 GHz radio Note The client must support the basic rate that you select or it cannot associate to the wireless device If you select 12 Mbps or higher for the basic data rate on the 802 11g radio 802 11b client devices cannot associate to the wireless device s 802 11g radio Enter basic 6 0 basic 9 0 basic 12 0...

Page 36: ...tp www cisco com Step 2 Click Technical Support Documentation A small window appears containing a list of technical support links Step 3 Click Technical Support Documentation The Technical Support and Documentation page appears Step 4 In the Documentation Tools section choose Wireless The Wireless Support Resources page appears Step 5 In the Wireless LAN Access section choose the device you are wo...

Page 37: ...for the radio interface The 2 4 GHz radio is radio 0 and the 5 GHz radio is radio 1 Step 3 power local power settings should be 3 4 5 6 7 10 13 15 17 18 20 maximum Set the transmit power for the 802 11g 2 4 GHz radio to one of the power levels allowed in your regulatory domain All settings are in mW On the 2 4 GHz 802 11g radio you can set Orthogonal Frequency Division Multiplexing OFDM power leve...

Page 38: ... up multiple access points in the same vicinity without causing interference Both 802 11b and 802 11g 2 4 GHz radios use the same channels and frequencies The 5 GHz radio operates on eight channels from 5180 to 5320 MHz Each channel covers 20 MHz and the bandwidth for the channels overlaps slightly For best performance use channels that are not adjacent 44 and 46 for example for radios that are cl...

Page 39: ...efault channel for the wireless device radio Table 2 3 through Table 2 6 show the available channels and frequencies for all radios To search for the least congested channel on startup enter least congested Note The channel command is disabled for 5 GHz radios that comply with European Union regulations on dynamic frequency selection DFS See the DFS Automatically Enabled on Some 5 GHz Radio Channe...

Page 40: ...requency MHz Regulatory Domains Americas A EMEA E Japan J CCK OFDM CCK OFDM CCK OFDM 1 2412 X X X X X X 2 2417 X X X X X X 3 2422 X X X X X X 4 2427 X X X X X X 5 2432 X X X X X X 6 2437 X X X X X X 7 2442 X X X X X X 8 2447 X X X X X X 9 2452 X X X X X X 10 2457 X X X X X X 11 2462 X X X X X X 12 2467 X X X X 13 2472 X X X X 14 2484 X Channel Identifier Center Frequency MHz Regulatory Domains Ame...

Page 41: ...int Configuration Guide OL 6415 04 Chapter 2 Configuring Radio Settings Configuring Radio Channel Settings 13 2472 X X X X 14 2484 X Channel Identifier Center Frequency MHz Regulatory Domains Americas A EMEA N Japan P CCK OFDM CCK OFDM CCK OFDM ...

Page 42: ...he frequencies allowed in your regulatory domain might differ from the frequencies listed here Channel ID Center Freq MHz Americas B China C EMEA E New Zealand Australia N Japan P 34 5170 36 5180 x x x x 38 5190 40 5200 x x x x 42 5210 44 5220 x x x x 46 5230 48 5240 x x x x 52 5260 x x x 56 5280 x x x 60 5300 x x x 64 5320 x x x 100 5500 x 104 5520 x 108 5540 x 112 5560 x 116 5580 x 120 5600 x 12...

Page 43: ... remaining client devices Randomly selects a different 5 GHz channel If the channel selected is one of the channels in Table 2 7 scans the new channel for radar signals for 60 seconds If there are no radar signals on the new channel enables beacons and accepts client associations Note The maximum legal transmit power is greater for some 5 GHz channels than for others When it randomly selects a 5 G...

Page 44: ...quencies 5 470 to 5 725 GHz 4 Specifies frequencies 5 725 to 5 825 GHz This group of frequencies is also known as the UNII 3 band This example shows how to prevent the access point from selecting frequencies 5 150 to 5 350 GHz during DFS router config if dfs band 1 2 block This example shows how to unblock frequencies 5 150 to 5 350 for DFS router config if no dfs band 1 2 block This example shows...

Page 45: ...vileged EXEC mode follow these steps to disable short radio preambles Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface dot11radio 0 1 Enter interface configuration mode for the radio interface Step 3 world mode dot11d country_code code both indoor outdoor legacy Enable world mode Enter the dot11d option to enable 802 11d world mode When you enter the dot11...

Page 46: ...should use this setting for both receive and transmit When you look at the wireless device s back panel the left antenna is on the left Beginning in privileged EXEC mode follow these steps to select the antennas the wireless device uses to receive and transmit data Step 3 no preamble short Disable short preambles and enable long preambles Step 4 end Return to privileged EXEC mode Step 5 copy runni...

Page 47: ... to the wireless device the wireless device sends the maximum allowed power level setting to the client Disabling Access Point extensions disables the features listed above but it sometimes improves the ability of other companies devices to associate to the wireless device Access Point extensions are enabled by default Beginning in privileged EXEC mode follow these steps to disable Access Point ex...

Page 48: ...ice To increase beyond 20 the number of workgroup bridges that can maintain a radio link to the wireless device the wireless device must reduce the delivery reliability of multicast packets to workgroup bridges With reduced reliability the wireless device cannot confirm whether multicast packets reach the intended workgroup bridge so workgroup bridges at the edge of the wireless device s coverage ...

Page 49: ...ge groups You can find a detailed explanation of bridge groups and instructions for implementing them in this document Cisco IOS Bridging and IBM Networking Configuration Guide Release 12 2 Click this link to browse to the Configuring Transparent Bridging chapter http www cisco com univercd cc td doc product software ios122 122cgcr fibm_c bcfpart1 bcftb htm You can also enable and disable PSPF usi...

Page 50: ...le of the beacon period determines how often the beacon contains a delivery traffic indication message DTIM The DTIM tells power save client devices that a packet is waiting for them For example if the beacon period is set at 100 its default setting and the data beacon rate is set at 2 its default setting then the wireless device sends a beacon containing a DTIM every 200 kilo microseconds One kil...

Page 51: ...evice makes to send a packet before giving up and dropping the packet The default setting is 32 Beginning in privileged EXEC mode follow these steps to configure the maximum data retries Step 3 beacon period value Set the beacon period Enter a value in Kilomicroseconds Step 4 beacon dtim period value Set the DTIM Enter a value in Kilomicroseconds Step 5 end Return to privileged EXEC mode Step 6 co...

Page 52: ...ending a packet on the LAN Many 802 11g radios support short slot time but some do not When you enable short slot time the wireless device uses the short slot time only when all clients associated to the 802 11g 2 4 GHz radio support short slot time Short slot time is supported only on the 802 11g 2 4 GHz radio Short slot time is disabled by default Step 4 end Return to privileged EXEC mode Step 5...

Page 53: ...t the wireless device drops all associations with wireless networking devices for 4 seconds while it conducts the carrier test and then displays the test results In privileged EXEC mode enter this command to perform a carrier busy test dot11 interface number carrier busy For interface number enter dot11radio 0 to run the test on the 2 4 GHz radio or enter dot11radio 1 to run the test on the 5 GHz ...

Page 54: ...2 30 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL 6415 04 Chapter 2 Configuring Radio Settings Performing a Carrier Busy Test ...

Page 55: ...his chapter describes how to configure and manage multiple service set identifiers SSIDs on the access point This chapter contains the following sections Understanding Multiple SSIDs page 3 2 Configuring Multiple SSIDs page 3 3 Configuring Multiple Basic SSIDs page 3 6 Enabling MBSSID and SSIDL at the same time page 3 7 ...

Page 56: ...ccess point that acts as a parent for a repeater you can set up an SSID for use in repeater mode You can assign an authentication username and password to the repeater mode SSID to allow the repeater to authenticate to your network like a client device If your network uses VLANs you can assign one SSID to a VLAN and client devices using the SSID are grouped in that VLAN SSID Configuration Methods ...

Page 57: ...the ssid command puts the CLI into SSID configuration mode for the new SSID Note SSIDs created in Cisco IOS Releases 12 3 7 JA and later become invalid if you downgrade the software version to an earlier release Beginning in privileged EXEC mode follow these steps to create an SSID globally After you create an SSID you can assign it to specific radio interfaces Command Purpose Step 1 configure ter...

Page 58: ...s that associate using the SSID are grouped into this VLAN You can assign only one SSID to a VLAN Step 6 guest mode Optional Designate the SSID as your access point s guest mode SSID The access point includes the SSID in its beacon and allows associations from client devices that do not specify an SSID Step 7 infrastructure ssid optional Optional Designate the SSID as the SSID that other access po...

Page 59: ...rom a show dot11 associations privileged EXEC command shows the spaces in the SSIDs SSID buffalo SSID buffalo SSID buffalo Using a RADIUS Server to Restrict SSIDs To prevent client devices from associating to the access point using an unauthorized SSID you can create a list of authorized SSIDs that clients must use on your RADIUS authentication server The SSID authorization process consists of the...

Page 60: ...SID and to broadcast more than one SSID in beacons A large DTIM value increases battery life for power save client devices that use an SSID and broadcasting multiple SSIDs makes your wireless LAN more accessible to guests Note Devices on your wireless LAN that are configured to associate to a specific access point based on the access point MAC address for example client devices repeaters hot stand...

Page 61: ...nable multiple BSSIDs on all radio interfaces that support multiple BSSIDs Displaying Configured BSSIDs Use the show dot11 bssid privileged EXEC command to display the relationship between SSIDs and BSSIDs or MAC addresses This example shows the command output router1230 show dot11 bssid Interface BSSID Guest SSID Dot11Radio1 0011 2161 b7c0 Yes atlantic Dot11Radio0 0005 9a3e 7c0f Yes WPA2 TLS g En...

Page 62: ...hentication key management wpa wpa psk ascii 0 12345678 dot11 ssid 181x_gvlan04 vlan 4 authentication open authentication key management wpa wpa psk ascii 0 12345678 interface Dot11Radio0 no ip address encryption vlan 1 key 1 size 40bit 0 1234567890 transmit key encryption vlan 1 mode ciphers wep40 encryption vlan 2 mode ciphers tkip encryption vlan 3 mode ciphers tkip encryption vlan 4 mode ciphe...

Page 63: ...tion key management wpa wpa psk ascii 0 12345678 information element ssidl advertisement wps interface Dot11Radio0 0 0 no ip address no snmp trap link status encryption vlan 1 key 1 size 128bit 0 12345678901234567890123456 transmit key encryption vlan 1 key 2 size 128bit 0 12345678901234567890123456 encryption vlan 1 mode ciphers wep128 encryption vlan 2 mode ciphers tkip encryption vlan 3 mode ci...

Page 64: ...3 10 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL 6415 04 Chapter 3 Configuring Multiple SSIDs Enabling MBSSID and SSIDL at the same time ...

Page 65: ... access point as a local authenticator to serve as a stand alone authenticator for a small wireless LAN or to provide backup authentication service As a local authenticator the access point performs LEAP EAP FAST and MAC based authentication for up to 1000 client devices This chapter contains these sections Understand Local Authentication page 4 2 Configure a Local Authenticator page 4 2 ...

Page 66: ... client is allowed to use Note If your wireless LAN contains only one access point you can configure the access point as both the 802 1x authenticator and the local authenticator However users associated to the local authenticator access point might notice a drop in performance when the access point authenticates client devices You can configure your access points to use the local authenticator wh...

Page 67: ...r access point the access point uses itself to authenticate the client 2 On the local authenticator create user groups and configure parameters to be applied to each group optional 3 On the local authenticator create a list of up to 50 LEAP users EAP FAST users or MAC addresses that the local authenticator is authorized to authenticate Note You do not have to specify which type of authentication t...

Page 68: ...ep 6 vlan vlan Optional Specify a VLAN to be used by members of the user group The access point moves group members into that VLAN overriding other VLAN assignments You can assign only one VLAN to the group Step 7 ssid ssid Optional Enter up to 20 SSIDs to limit members of the user group to those SSIDs The access point checks that the SSID that the client used to associate matches one of the SSIDs...

Page 69: ...router config radsrv group block count 2 time 600 router config radsrv group exit router config radsrv user jsmith password twain74 group clerks router config radsrv user stpatrick password snake100 group clerks router config radsrv user nick password uptown group clerks router config radsrv user 00095125d02b password 00095125d02b group clerks mac auth only Step 11 user username password nthash pa...

Page 70: ...estamps log datetime msec service password encryption hostname Router enable secret 5 1 dkOn EcccqZvFdjoEi3geC66da0 ip subnet zero aaa new model aaa group server radius rad_eap server 192 168 1 66 auth port 1812 acct port 1813 aaa authentication login eap_methods group rad_eap aaa session id common dot11 ssid test ssid authentication open eap eap_methods authentication network eap eap_methods auth...

Page 71: ... eag ip radius source interface BVI1 radius server local eapfast authority id 12345678901234567890123456789012 eapfast authority info sample_eap fast eapfast server key primary 7 41754A0073F16A0E093EA2089A3FDECD32 nas 192 168 1 66 key 7 110A1016141D group EAP_FAST usr eapfast pac expiry 30 grace 120 user cisco nthash 7 06532C791C1E2F4856364128295C7C0E007A6661723723422656050A09 760D2F51 radius serv...

Page 72: ...ional requests for the duration of minutes that you specify up to 1440 24 hours This example shows how to set up two main servers and a local authenticator with a server deadtime of 10 minutes router config aaa new model router config radius server host 172 20 0 1 auth port 1000 acct port 1001 key 77654 router config radius server host 172 10 0 1 auth port 1645 acct port 1646 key 77654 router conf...

Page 73: ...days Enter a number of days from 2 to 4095 Enter the no form of the command to reset the expiration time or grace period to infinite days In this example PACs for the user group expire in 100 days with a grace period of two days router config radsrv group eapfast pac expiry 100 grace 2 Generating PACs Manually The local authenticator automatically generates PACs for EAP FAST clients that request t...

Page 74: ...jects the PAC as invalid Use these commands to configure server keys router config radsrv no eapfast server key primary auto generate 0 7 key router config radsrv no eapfast server key secondary 0 7 key Keys can contain up to 32 hexadecimal digits Enter 0 before the key to enter an unencrypted key Enter 7 before the key to enter an encrypted key Use the no form of the commands to reset the local a...

Page 75: ...ires or when the lockout time is set to infinite In Privileged Exec mode on the local authenticator enter this command to unblock a locked username router clear radius local server user username Viewing Local Authenticator Statistics In privileged exec mode enter this command to view statistics collected by the local authenticator router show radius local server statistics This example shows local...

Page 76: ...rs at the end of the stat line for that user Use this privileged exec mode command to reset local authenticator statistics to zero router clear radius local server statistics Using Debug Messages In privileged exec mode enter this command to control the display of debug messages for the local authenticator router debug radius local server client eapfast error packets Use the command options to dis...

Page 77: ... This chapter describes how to configure the encryption types required to use WPA authenticated key management Wired Equivalent Privacy WEP AES CCM Temporal Key Integrity Protocol TKIP and broadcast key rotation This chapter contains these sections Understand Encryption Types page 5 2 Configure Encryption Types page 5 3 ...

Page 78: ...uite to enable Wi Fi Protected Access WPA Because cipher suites provide the protection of WEP while also allowing use of authenticated key management Cisco recommends that you enable encryption by using the encryption mode cipher command in the CLI or by using the cipher drop down menu in the web browser interface Cipher suites that contain AES CCM provide the best security for your wireless LAN a...

Page 79: ...Creating Cipher Suites page 5 5 Enabling and Disabling Broadcast Key Rotation page 5 7 Note All encryption types are disabled by default Creating WEP Keys Note You need to configure static WEP keys only if your access point needs to support client devices that use static WEP If all the client devices that associate to the access point use key management WPA or 802 1x authentication you do not need...

Page 80: ...set the size of the key either 40 bit or 128 bit 40 bit keys contain 10 hexadecimal digits 128 bit keys contain 26 hexadecimal digits Optional Specify whether the key is encrypted 7 or unencrypted 0 Optional Set this key as the transmit key The key in slot 1 is the transmit key by default Note Using security features such as authenticated key management can limit WEP key configurations See the WEP...

Page 81: ...d 4 Broadcast key rotation Keys in slots 2 and 3 are overwritten by rotating broadcast keys Note Client devices using static WEP cannot use the access point when you enable broadcast key rotation When you enable broadcast key rotation only wireless client devices using 802 1x authentication such as LEAP EAP TLS or PEAP can use the access point Table 5 1 WEP Key Restrictions continued Security Conf...

Page 82: ...on you need Table 5 3 lists guidelines for selecting a cipher suite that matches the type of authenticated key management you configure Optional Select the VLAN for which you want to enable WEP and WEP features Set the cipher options and WEP level You can combine TKIP with 128 bit or 40 bit WEP Note You can also use the encryption mode wep command to set up static WEP However you should use encryp...

Page 83: ...ote Client devices using static WEP cannot use the access point when you enable broadcast key rotation When you enable broadcast key rotation only wireless client devices using 802 1x authentication such as LEAP EAP TLS or PEAP can use the access point Beginning in privileged EXEC mode follow these steps to enable broadcast key rotation Table 5 3 Cipher Suites Compatible with WPA Authenticated Key...

Page 84: ... want to enable broadcast key rotation Optional If you enable WPA authenticated key management you can enable additional circumstances under which the access point changes and distributes the WPA group key Membership termination the access point generates and distributes a new group key when any authenticated client device disassociates from the access point This feature protects the privacy of th...

Page 85: ...he universal client would have the multicast suite of 0x0050F204 for TKIP but instead received the multicast suite of 0x0050F202 for AES TKIP Here are the different scenarios If the universal client is configured for AES WPAv2 encryption mode ciphers aes ccm the access point must be configured for AES WPAv2 The universal client will associate with AES encryption If the universal client is configur...

Page 86: ...conds Power save Off Last Activity 0 seconds ago Packets Input 2449 Packets Output 15 Bytes Input 451711 Bytes Output 4664 Duplicates Rcvd 3 Data Retries 1 Decrypt Failed 0 RTS Retries 0 MIC Failed 0 MIC Missing 0 Packets Redirected 0 Redirect Filtered 0 c2801_uc Caveats When the Cisco dot11radio is in the universal client mode and associates to a 3rd party access point there are some additional c...

Page 87: ...e NONE Encryption WEP Current Rate 11 0 Capability Supported Rates 1 0 2 0 5 5 11 0 Signal Strength 55 dBm Connected for 39 seconds Signal Quality N A Activity Timeout 15 seconds Power save Off Last Activity 13 seconds ago Packets Input 408 Packets Output 16 Bytes Input 46619 Bytes Output 3495 Duplicates Rcvd 2 Data Retries 8 Decrypt Failed 0 RTS Retries 0 MIC Failed 0 MIC Missing 0 Packets Redire...

Page 88: ...5 12 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL 6415 04 Chapter 5 Configuring Encryption Types Configure Encryption Types ...

Page 89: ...iguring Authentication Types This chapter describes how to configure authentication types on the access point This chapter contains these sections Understand Authentication Types page 6 2 Configure Authentication Types page 6 9 Matching Access Point and Client Device Authentication Types page 6 16 ...

Page 90: ... that Microsoft IAS servers recognize reauthentication requests from the access point Use the dot11 aaa authentication attributes service type login only global configuration command to set the service type attribute in reauthentication requests to login only The access point uses several authentication mechanisms or types and can use more than one at the same time These sections explain each auth...

Page 91: ...ck from an intruder who calculates the WEP key by comparing the unencrypted and encrypted text strings Because of this weakness shared key authentication can be less secure than open authentication Like open authentication shared key authentication does not rely on a RADIUS server on your network Figure 6 2 shows the authentication sequence between a device trying to authenticate and an access poi...

Page 92: ...sponse to the challenge and sends that response to the RADIUS server Using information from its user database the RADIUS server creates its own response and compares that to the response from the client When the RADIUS server authenticates the client the process repeats in reverse and the client authenticates the RADIUS server When mutual authentication is complete the RADIUS server and the client...

Page 93: ...owed MAC addresses Intruders can create counterfeit MAC addresses so MAC based authentication is less secure than EAP authentication However MAC based authentication provides an alternate authentication method for client devices that do not have EAP capability See the Assigning Authentication Types to an SSID section on page 6 9 for instructions on enabling MAC based authentication Tip If you don ...

Page 94: ...ion and access control for existing and future wireless LAN systems It is derived from and will be forward compatible with the upcoming IEEE 802 11i standard WPA leverages AES CCM and TKIP Temporal Key Integrity Protocol for data protection and 802 1X for authenticated key management WPA key management supports two mutually exclusive management types WPA and WPA Pre shared key WPA PSK Using WPA ke...

Page 95: ...s on configuring WPA key management on your access point Figure 6 5 shows the WPA key management process Figure 6 5 WPA Key Management Process 88965 Client and server authenticate to each other generating an EAP master key Client device Access point Authentication server Wired LAN Server uses the EAP master key to generate a pairwise master key PMK to protect communication between the client and t...

Page 96: ...you configure AES CCM and TKIP only cipher encryption not TKIP WEP 128 or TKIP WEP 40 on any radio interface or VLAN every SSID on that radio or VLAN must be set to use WPA key management If you configure TKIP on a radio or VLAN but you do not configure key management on the SSIDs client authentication fails on the SSIDs Table 6 1 Software and Firmware Requirements for WPA and WPA TKIP Key Managem...

Page 97: ...g up multiple SSIDs This section contains these topics Assigning Authentication Types to an SSID page 6 9 Configuring Authentication Holdoffs Timeouts and Intervals page 6 15 Assigning Authentication Types to an SSID Beginning in privileged EXEC mode follow these steps to configure authentication types for SSIDs Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 dot11...

Page 98: ...re information on method lists http www cisco com univercd cc td doc product softwar e ios122 122cgcr fsecur_c fsaaa scfathen htm xtocid2 Use the alternate keyword to allow client devices to join the network using either MAC or EAP authentication clients that successfully complete either authentication are allowed to join the network Optional Set the SSID authentication type to open with EAP authe...

Page 99: ...t devices to perform EAP authentication Optional Set the SSID s authentication type to Network EAP with MAC address authentication All client devices that associate to the access point are required to perform MAC address authentication For list name specify the authentication method list Step 6 authentication key management wpa optional Optional Set the authentication type for the SSID to WPA If y...

Page 100: ...the same SSID the multicast cipher suite for the SSID must be WEP If only the first two types of clients use the same SSID the multicast key can be dynamic but if the static WEP clients use the SSID the key must be static The access point can switch automatically between a static and a dynamic group key to accommodate associated client devices To support all three types of clients on the same SSID...

Page 101: ...ps the group key private for associated devices but it might generate some overhead traffic if clients on your network roam frequently among access points Capability change the access point generates and distributes a dynamic group key when the last non key management static WEP client disassociates and it distributes the statically configured WEP key when the first non key management static WEP c...

Page 102: ...ching Step 6 broadcast key vlan vlan id change seconds membership termination capability change Use the broadcast key rotation command to configure additional updates of the WPA group key Step 7 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 dot11 aaa authentica...

Page 103: ...ot1x client timeout seconds Enter the number of seconds the access point should wait for a reply from a client attempting to authenticate before the authentication fails Enter a value from 1 to 65555 seconds Step 5 dot1x reauth period seconds server Enter the interval in seconds that the access point waits before forcing an authenticated client to reauthenticate Enter the server keyword to configu...

Page 104: ...clients using LEAP and non Cisco clients using LEAP to associate using the same SSID you might need to configure the SSID for both Network EAP authentication and Open authentication with EAP Step 6 countermeasure tkip hold time seconds Configure a TKIP MIC failure holdtime If the access point detects two MIC failures within 60 seconds it blocks all the TKIP clients on that interface for the holdti...

Page 105: ...d of Open authentication Note To allow both WPA clients and non WPA clients to use the SSID enable optional WPA 802 1x authentication and WPA PSK Enable any 802 1x authentication method Select a cipher suite and enable Open authentication and WPA for the SSID you can also enable Network EAP authentication in addition to or instead of Open authentication Enter a WPA pre shared key Note To allow bot...

Page 106: ...rol using IEEE 802 1X and PEAP as the EAP Type in Windows 2000 with Service Pack 3 or Windows XP Set up and enable WEP and enable EAP and Open authentication for the SSID If using Windows XP to configure card Select Enable network access control using IEEE 802 1X and PEAP as the EAP Type Set up and enable WEP and enable Require EAP and Open Authentication for the SSID EAP SIM authentication If usi...

Page 107: ...cesses RADIUS is facilitated through AAA and can be enabled only through AAA commands Note You can configure your access point as a local authenticator to provide a backup for your main server or to provide authentication service on a network without a RADIUS server See Chapter 6 Configuring Authentication Types for detailed instructions on configuring your access point as a local authenticator No...

Page 108: ...n users are authenticated through a RADIUS server that is customized to work with the Kerberos security system Turnkey network security environments in which applications support the RADIUS protocol such as an access environment that uses a smart card access control system In one case RADIUS has been used with Enigma s security cards to validate users and to grant access to network resources Netwo...

Page 109: ...e level of network access thereby approximating the level of security in a wired switched segment to an individual desktop The client loads this key and prepares to use it for the logon session During the logon session the RADIUS server encrypts and sends the WEP key called a session key over the wired LAN to the access point The access point encrypts its broadcast key with the session key and sen...

Page 110: ...d You should have access to and should configure a RADIUS server before configuring RADIUS features on your access point This section contains this configuration information Default RADIUS Configuration page 7 4 Identifying the RADIUS Server Host page 7 5 required Configuring RADIUS Login Authentication page 7 7 required Defining AAA Server Groups page 7 9 optional Configuring RADIUS Authorization...

Page 111: ...ed secret text string to encrypt passwords and exchange responses To configure RADIUS to use the AAA security commands you must specify the host running the RADIUS server daemon and a secret text key string that it shares with the access point The timeout retransmission and encryption key values can be configured globally per server for all RADIUS servers or in some combination of global and per s...

Page 112: ...DIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key as the last item in the radius server host command Leading spaces are ignored but spaces within and at the end of the key are used If you use spaces in your key do not enclose the key in quotation marks unless the quotation marks are part of the key To configure the acces...

Page 113: ...hich they are performed it must be applied to a specific interface before any of the defined authentication methods are performed The only exception is the default method list which by coincidence is named default The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined A method list describes the sequence and authentication m...

Page 114: ...s an error not if it fails Select one of these methods line Use the line password for authentication You must define a line password before you can use this authentication method Use the password password line configuration command local Use the local username database for authentication You must enter username information in the database Use the username password global configuration command radi...

Page 115: ...address and UDP port number allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service If you configure two different host entries on the same RADIUS server for the same service such as accounting the second configured host entry acts as a fail over backup to the first one You use the server group server configuration command to associate a particular serv...

Page 116: ...ween the access point and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key as the last item in the radius server host command Leading spaces are ignored but spaces within and at the end of the key are used If you use spaces in your key do not enclose the key in quotation marks unless t...

Page 117: ...er config sg radius exit router config aaa group server radius group2 router config sg radius server 172 20 0 1 auth port 2000 acct port 2001 router config sg radius exit Configuring RADIUS Authorization for User Privileged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the access point uses information retrieved from the use...

Page 118: ...o disable accounting use the no aaa accounting network exec start stop method1 global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 aaa authorization network radius Configure the access point for user RADIUS authorization for all network related service requests Step 3 aaa authorization exec radius Configure the access point for user RADIUS ...

Page 119: ...shared secret text string used between the access point and all RADIUS servers Note The key is a text string that must match the encryption key used on the RADIUS server Leading spaces are ignored but spaces within and at the end of the key are used If you use spaces in your key do not enclose the key in quotation marks unless the quotation marks are part of the key Step 3 radius server retransmit...

Page 120: ...are an appropriate AV pair defined in the Cisco TACACS specification and sep is for mandatory attributes and the asterisk for optional attributes This allows the full set of features available for TACACS authorization to also be used for RADIUS For example the following AV pair activates Cisco s multiple named ip address pools feature during IP authorization during PPP s IPCP address assignment ci...

Page 121: ...iguration commands Beginning in privileged EXEC mode follow these steps to specify a vendor proprietary RADIUS server host and a shared secret text string Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server vsa send accounting authentication Enable the access point to recognize and use VSAs as defined by RADIUS IETF attribute 26 Optional Use the accountin...

Page 122: ...these attributes on the access point The WISPr Best Current Practices for Wireless Internet Service Provider WISP Roaming document also requires the access point to include a class attribute in RADIUS authentication replies and accounting requests The access point includes the class attribute automatically and does not have to be configured to do so You can find a list of ISO and ITU country and a...

Page 123: ... s IP address instead of its name Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server location location Specify the WISPr location name attribute The WISPr Best Current Practices for Wireless Internet Service Provider WISP Roaming document recommends that you enter the location name in this format hotspot_operator_name location Step 3 dot11 location isocc I...

Page 124: ... the Configuring WISPr RADIUS Attributes section on page 7 16 for instructions Table 7 2 Attributes Sent in Access Request Packets Attribute ID Description 1 User Name 4 NAS IP Address 5 NAS Port 12 Framed MTU 30 Called Station ID MAC address 31 Calling Station ID MAC address 32 NAS Identifier1 1 The access point sends the NAS Identifier if attribute 32 include in access req is configured 61 NAS P...

Page 125: ... VSA attribute 26 NAS Location VSA attribute 26 Cisco NAS Port VSA attribute 26 Interface Table 7 5 Attributes Sent in Accounting Request update Packets Attribute ID Description 1 User Name 4 NAS IP Address 5 NAS Port 6 Service Type 25 Class 41 Acct Delay Time 42 Acct Input Octets 43 Acct Output Octets 44 Acct Session Id 46 Acct Session Time 47 Acct Input Packets 48 Acct Output Packets 61 NAS Port...

Page 126: ...the dot11 aaa authentication attributes service type login only global configuration command to set the service type attribute in reauthentication requests to login only Table 7 6 Attributes Sent in Accounting Request stop Packets Attribute ID Description 1 User Name 4 NAS IP Address 5 NAS Port 6 Service Type 25 Class 41 Acct Delay Time 42 Acct Input Octets 43 Acct Output Octets 44 Acct Session Id...

Page 127: ...Configuring VLANs This chapter describes how to configure your access point to operate with the VLANs set up on your wired LAN These sections describe how to configure your access point to support VLANs Understanding VLANs page 8 2 Configuring VLANs page 8 4 VLAN Configuration Example page 8 9 ...

Page 128: ... bridging domain is supported on various pieces of network equipment such as LAN switches that operate bridging protocols between them with a separate group for each VLAN VLANs provide the segmentation services traditionally provided by routers in LAN configurations VLANs address scalability security and network management You should consider several key issues when designing and building switched...

Page 129: ...network Design Guide Click this link to browse to this document http www cisco com univercd cc td doc cisintwk idg4 index htm Cisco Internetworking Technology Handbook Click this link to browse to this document http www cisco com univercd cc td doc cisintwk ito_doc index htm Cisco Internetworking Troubleshooting Guide Click this link to browse to this document http www cisco com univercd cc td doc...

Page 130: ...evices with greater efficiency and flexibility For example one access point can now handle the specific requirements of multiple users having widely varied network access and permissions Without VLAN capability multiple access points would have to be employed to serve classes of users based on the access and permissions they were assigned These are two common strategies for deploying wireless VLAN...

Page 131: ...o you can support up to 16 VLANs that are configured on your LAN Beginning in privileged EXEC mode follow these steps to assign an SSID to a VLAN and enable the VLAN on the access point radio and Ethernet ports Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface dot11radio 0 1 Enter interface configuration mode for the radio interface Step 3 ssid ssid string ...

Page 132: ...t0 1 router config subif encapsulation dot1q 1 native router config subif exit router config end Step 7 encapsulation dot1q vlan id native Enable a VLAN on the radio interface Optional Designate the VLAN as the native VLAN On many networks the native VLAN is VLAN 1 Step 8 exit Return to global configuration mode Step 9 interface fastEthernet0 x Enter interface configuration mode for the Ethernet V...

Page 133: ...mbers 1 through 4095 for VLAN IDs Creating a VLAN Name Beginning in privileged EXEC mode follow these steps to assign a name to a VLAN Use the no form of the command to remove the name from the VLAN Use the show dot11 vlan name privileged EXEC command to list all the VLAN name and ID pairs configured on the access point Using a RADIUS Server to Assign Users to VLANs You can configure your RADIUS a...

Page 134: ...ss point These are the RADIUS user attributes used for vlan id assignment Each attribute must have a common tag value between 1 and 31 to identify the grouped relationship IETF 64 Tunnel Type Set this attribute to VLAN IETF 65 Tunnel Medium Type Set this attribute to 802 IETF 81 Tunnel Private Group ID Set this attribute to vlan id Viewing VLANs Configured on the Access Point In privileged EXEC mo...

Page 135: ... student related activities Students are allowed to join the network using static WEP In this scenario a minimum of three VLAN connections are required one for each level of access Because the access point can handle up to 16 SSIDs you can use the basic design shown in Table 8 1 Managers configure their wireless client adapters to use SSID boss faculty members configure their clients to use SSID t...

Page 136: ...nfig subif exit router config interface Dot11Radio 0 2 router config subif encapsulation dot1Q 2 router config subif bridge group 2 router config subif exit router config interface Dot11Radio 0 3 router config subif encapsulation dot1Q 3 router config subif bridge group 3 router config subif exit Table 8 3 Results of Example Configuration Commands VLAN 1 Interfaces VLAN 2 Interfaces VLAN 3 Interfa...

Page 137: ... interface these commands are set automatically bridge group 2 subscriber loop control bridge group 2 block unknown source no bridge group 2 source learning no bridge group 2 unicast flooding bridge group 2 spanning disabled When you configure a bridge group on the FastEthernet interface these commands are set automatically no bridge group 2 source learning bridge group 2 spanning disabled ...

Page 138: ...8 12 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL 6415 04 Chapter 8 Configuring VLANs VLAN Configuration Example ...

Page 139: ...is feature you can provide preferential treatment to certain traffic at the expense of others Without QoS the access point offers best effort service to each packet regardless of the packet contents or size It sends the packets without any assurance of reliability delay bounds or throughput This chapter consists of these sections Understanding QoS for Wireless LANs page 9 2 Configuring QoS page 9 ...

Page 140: ...ets they prioritize packets based on DSCP value client type such as a wireless phone or the priority value in the 802 1q or 802 1p tag They do not construct internal DSCP values they only support mapping by assigning IP DSCP Precedence or Protocol values to Layer 2 COS values They carry out EDCF like queuing on the radio egress port only They do only FIFO queueing on the Ethernet egress port They ...

Page 141: ...et The access point applies QoS policies in this order 1 Packets already classified When the access point receives packets from a QoS enabled switch or router that has already classified the packets with non zero 802 1Q P user_priority values the access point uses that classification and does not apply other QoS policy rules to the packets An existing classification takes precedence over all other...

Page 142: ... QoS mode The access point adds each packet s class of service to the packet s 802 11 header to be passed to the receiving station Each access class has its own 802 11 sequence number The sequence number allows a high priority packet to interrupt the retries of a lower priority packet without overflowing the duplicate checking buffer on the receiving side For access classes that are configured to ...

Page 143: ...cket As a rule high priority packets have short backoff times The default values in the Min and Max Contention Window fields and in the Slot Time fields are based on settings recommended in IEEE Draft Standard 802 11e For detailed information on these values consult that standard Cisco strongly recommends that you use the default settings on the Radio Access Categories page Changing these values c...

Page 144: ...ry to the wireless LAN prompting the client to send in an IGMP membership report When the network infrastructure receives the host s IGMP membership report it ensures delivery of that host s multicast data stream The IGMP snooping helper is enabled by default To disable it browse to the QoS Policies Advanced page select Disable and click Apply Sample Configuration Using the CLI class map match all...

Page 145: ...Hz Band The channel identifiers channel center frequencies and regulatory domains of each IEEE 802 11b 22 MHz wide channel are shown in Table A 1 Table A 1 Channels for IEEE 802 11b Channel Identifier Center Frequency MHz Regulatory Domains Americas A EMEA E Japan J 1 2412 X X X 2 2417 X X X 3 2422 X X X 4 2427 X X X 5 2432 X X X 6 2437 X X X 7 2442 X X X 8 2447 X X X 9 2452 X X X 10 2457 X X X 11...

Page 146: ... 22 MHz wide channel are shown in Table A 2 IEEE 802 11a 5 GHz Band The channel identifiers channel center frequencies and regulatory domains of each IEEE 802 11a 20 MHz wide channel are shown in Table A 3 Table A 2 Channels for IEEE 802 11g Channel Identifier Center Frequency MHz Regulatory Domains Americas A EMEA E Japan J CCK OFDM CCK OFDM CCK OFDM 1 2412 X X X X X X 2 2417 X X X X X X 3 2422 X...

Page 147: ... use on channels 52 through 64 in the United States 44 5220 X X X 48 5240 X X X 52 5260 X X X 56 5280 X X X 60 5300 X X X 64 5320 X X X 100 5500 X 104 5520 X 108 5540 X 112 5560 X 116 5580 X 120 5600 X 124 5620 X 128 5640 X 132 5660 X 136 5680 X 140 5700 X 149 5745 X X 153 5765 X X 157 5785 X X 161 5805 X X Table A 3 5 GHz Radio Band continued Channel Identifier Center Frequency MHz Regulatory Dom...

Page 148: ...A 4 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL 6415 04 Appendix A Channel Settings IEEE 802 11a 5 GHz Band ...

Page 149: ...protocols that you can filter on the access point The tables include Table A 1 Ethertype Protocols Table A 2 IP Protocols Table A 3 IP Port Protocols In each table the Protocol column lists the protocol name the Additional Identifier column lists other names for the same protocol and the ISO Designator column lists the numeric designator for each protocol ...

Page 150: ...railer Negotiation 0x1000 LAN Test 0x0708 X 25 Level3 X 25 0x0805 Banyan 0x0BAD CDP 0x2000 DEC XNS XNS 0x6000 DEC MOP Dump Load 0x6001 DEC MOP MOP 0x6002 DEC LAT LAT 0x6004 Ethertalk 0x809B Appletalk ARP Appletalk AARP 0x80F3 IPX 802 2 0x00E0 IPX 802 3 0x00FF Novell IPX old 0x8137 Novell IPX new IPX 0x8138 EAPOL old 0x8180 EAPOL new 0x888E Telxon TXP TXP 0x8729 Aironet DDP DDP 0x872D Enet Config T...

Page 151: ...nator dummy 0 Internet Control Message Protocol ICMP 1 Internet Group Management Protocol IGMP 2 Transmission Control Protocol TCP 6 Exterior Gateway Protocol EGP 8 PUP 12 CHAOS 16 User Datagram Protocol UDP 17 XNS IDP IDP 22 ISO TP4 TP4 29 ISO CNLP CNLP 80 Banyan VINES VINES 83 Encapsulation Header encap_hdr 98 Spectralink Voice Protocol SVP Spectralink 119 raw 255 ...

Page 152: ... Message Send Protocol msp 18 ttytst source chargen 19 FTP Data ftp data 20 FTP Control 21 ftp 21 Secure Shell 22 ssh 22 Telnet 23 Simple Mail Transport Protocol SMTP mail 25 time timserver 37 Resource Location Protocol RLP 39 IEN 116 Name Server name 42 whois nicname 43 43 Domain Name Server DNS domain 53 MTP 57 BOOTP Server 67 BOOTP Client 68 TFTP 69 gopher 70 rje netrjs 77 finger 79 Hypertext T...

Page 153: ...p 119 Network Time Protocol ntp 123 NETBIOS Name Service netbios ns 137 NETBIOS Datagram Service netbios dgm 138 NETBIOS Session Service netbios ssn 139 Interim Mail Access Protocol v2 Interim Mail Access Protocol IMAP2 143 Simple Network Management Protocol SNMP 161 SNMP Traps snmp trap 162 ISO CMIP Management Over IP CMIP Management Over IP cmip man CMOT 163 ISO CMIP Agent Over IP cmip agent 164...

Page 154: ...alk 517 ntalk 518 route RIP 520 timeserver timed 525 newdate tempo 526 courier RPC 530 conference chat 531 netnews 532 netwall wall 533 UUCP Daemon UUCP uucpd 540 Kerberos rlogin klogin 543 Kerberos rsh kshell 544 rfs_server remotefs 556 Kerberos kadmin kerberos adm 749 network dictionary webster 765 SUP server supfilesrv 871 swat for SAMBA swat 901 SUP debugging supfiledbg 1127 ingreslock 1524 Pr...

Page 155: ... appendix contains these sections MIB List page C 1 Using FTP to Access the MIB Files page C 2 MIB List IEEE802dot11 MIB Q BRIDGE MIB P BRIDGE MIB CISCO DOT11 IF MIB CISCO WLAN VLAN MIB CISCO IETF DOT11 QOS MIB CISCO IETF DOT11 QOS EXT MIB CISCO DOT11 ASSOCIATION MIB CISCO DOT11 QOS MIB CISCO DOT11 SSID SECURITY MIB CISCO L2 DEV MONITORING MIB CISCO IP PROTOCOL FILTER MIB CISCO SYSLOG EVENT EXT MI...

Page 156: ...IB SNMPv2 MIB SNMPv2 SMI SNMPv2 TC Using FTP to Access the MIB Files Follow these steps to obtain each MIB file by using FTP Step 1 Use FTP to access the server ftp cisco com Step 2 Log in with the username anonymous Step 3 Enter your e mail username when prompted for the password Step 4 At the ftp prompt change directories to pub mibs v1 or pub mibs v2 Step 5 Use the get MIB_filename command to o...

Page 157: ...S Release 12 3 on Cisco com Go to this URL http www cisco com univercd cc td doc product software ios123 123sup 123sems 123semv1 emgove r1 htm SEVERITY is a single digit code from 0 to 7 that reflects the severity of the condition The lower the number the more serious the situation Table D 1 lists the severity levels MNEMONIC is a code that uniquely identifies the error message Variable informatio...

Page 158: ... it means that an Association received an event that it did not expect while in this state Recommended Action The system can continue but may lose the Association that generates this error Copy the message exactly as it appears and report it to your technical service representative Event Message DOT11 6 ASSOC Interface interface Station char mac SSID ssid Authentication Type auth_type Key Manageme...

Page 159: ...xplanation After scanning for an unused frequency the unit selected the displayed frequency Recommended Action None Error Message DOT11 4 NO_VALID_INFRA_SSID No infrastructure SSID configured interface not started Explanation No infrastructure SSID was configured and the indicated interface was not started Recommended Action Add at least one infrastructure SSID to the radio configuration Error Mes...

Page 160: ...face interface Radio transmit power out of range Explanation The transmitter power level is outside the normal range on the indicated radio interface Recommended Action Remove unit from the network and service Error Message DOT11 3 RADIO_RF_LO Interface interface Radio cannot lock RF freq Explanation The radio phase lock loop PLL circuit is unable to lock the correct frequency on the indicated int...

Page 161: ... DFS_TRIGGERED DFS triggered on frequency frequency MHz Explanation DFS has detected RADAR signals on the indicated frequency Recommended Action None The channel will be placed on the non occupancy list for 30 minutes and a new channel will be selected Error Message DOT11 4 DFS_STORE_FAIL DFS could not store the frequency statistics Explanation A failure occurred writing the DFS statistics to flas...

Page 162: ... or not ready when trying to flash new firmware into the indicated interface Loading the identified firmware file has been delayed Recommended Action Make sure the network is up and ready before attempting to reflash the new firmware Error Message DOT11 2 FLASH_UNKNOWN_RADIO Interface interface has an unknown radio Explanation The radio type could not be determined when the user attempted to flash...

Page 163: ...e access point firmware to the previous version Error Message DOT11 2 RADIO_HW_RESET Radio subsystem is undergoing hardware reset to recover from problem Explanation An unrecoverable error occurred that could not be resolved by a soft reset Recommended Action None Error Message DOT11 4 MAXRETRIES Packet to client chars mac reached max retries int remove the client Explanation A packet sent to the ...

Page 164: ...ialize the radio subsystem Recommended Action Reload the system Error Message DOT11 4 UPLINK_NO_ID__PWD Interface interface no username password supplied for uplink authentication Explanation The user failed to enter a username and or password Recommended Action Enter the username and or password and try again Error Message DOT11 4 NO_IE_CFG No IEs configured for characters ssid index Explanation ...

Page 165: ...Error Message DOT11 2 RADIO_FAILED Interface interface failed chars Explanation The radio driver found a severe error and is shutting down Recommended Action Shut no shut the interface If that fails reboot router Error Message DOT11 4 FLASH_RADIO_DONE Interface interface flashing radio firmware completed Explanation The indicated interface radio firmware flash is complete and the radio will be res...

Page 166: ...o that it is oriented 90 degrees to the body of the access point Error Message DOT11 3 RF_LOOPBACK_FAILURE Interface interface Radio failed to pass RF loopback test Explanation Radio loopback test failed for the interface indicated Recommended Action None Error Message DOT11 3 RF_LOOPBACK__FREQ_FAILURE Interface interface failed to pass RF loopback test Explanation Radio loopback test failed at a ...

Page 167: ...KIP ciphers are disassociated and cannot reassociate until the hold time ends At the end of the hold time the interface operates normally Recommended Action MIC failures usually indicate an active attack on your network Search for and remove potential rogue devices from your wireless LAN If this is a false alarm and the interface should not be on hold this long use the countermeasure tkip hold tim...

Page 168: ...ocal RADIUS server Error Message RADSRV 4 NAS_KEYMIS NAS shared key mismatch Explanation The local RADIUS server received an authentication request but the message signature indicates that the shared key text does not match Recommended Action Correct the shared key configuration on either the NAS or on the local RADIUS server Error Message RADSRV 4 BLOCKED Client blocked due to repeated failed aut...

Page 169: ...54 Mbps LANs operating in the 2 4 GHz frequency band 802 3af The IEEE standard that specifies a mechanism for Power over Ethernet PoE The standard provides the capability to deliver both power and data over standard Ethernet cabling A access point A wireless LAN data transceiver that uses radio waves to connect a wired network with wireless stations ad hoc network A wireless network composed of st...

Page 170: ...ther factors client A radio device that uses the services of an Access Point to communicate wirelessly with other devices on a local area network CSMA Carrier sense multiple access A wireless LAN media access method specified by the IEEE 802 11 specification D data rates The range of data transmission rates supported by a device Data rates are measured in megabits per second Mbps dBi A ratio of de...

Page 171: ... the physical layer used F file server A repository for files so that a local area network can share files mail and programs firmware Software that is programmed on a memory chip G gateway A device that connects two otherwise incompatible networks together GHz Gigahertz One billion cycles per second A unit of measure for frequency I IEEE Institute of Electrical and Electronic Engineers A professio...

Page 172: ... primarily circular antenna radiation pattern Orthogonal Frequency Division Multiplex OFDM A modulation technique used by IEEE 802 11a compliant wireless LANs for transmission at 6 9 12 18 24 36 48 and 54 Mbps P packet A basic message unit for communication across a network A packet usually includes routing information data and sometimes error detection information Q Quadruple Phase Shift Keying A...

Page 173: ...ired in order to gain benefits such as improved interference tolerance and unlicensed operation SSID Service Set Identifier also referred to as Radio Network Name A unique identifier used to identify a radio network and which stations must use to be able to communicate with each other or to an access point The SSID can be any alphanumeric entry up to a maximum of 32 characters T transmit power The...

Page 174: ...ted Access WPA is a standards based interoperable security enhancement that strongly increases the level of data protection and access control for existing and future wireless LAN systems It is derived from and will be forward compatible with the upcoming IEEE 802 11i standard WPA leverages TKIP Temporal Key Integrity Protocol for data protection and 802 1X for authenticated key management ...

Page 175: ... login 7 SSID 2 authentication client command 3 authentication server configuring access point as local server 2 described 4 EAP 4 3 authentication types Network EAP 4 open 2 shared key 3 authenticator 1 authorization with RADIUS 11 B backoff 28 backup authenticator local 1 bandwidth 14 beacon dtim period command 27 beacon period command 27 bit flip attack 23 blocking communication between clients...

Page 176: ...ands station role 3 Complementary Code Keying CCK See CCK countermeasure tkip hold time command 16 CSID format selecting 13 D Data Beacon Rate 26 data rate setting 10 data retries 27 default configuration RADIUS 4 delivery traffic indication message DTIM 26 DFS 19 diversity 22 documentation Cisco 1800 series routers 13 Cisco 800 series routers 13 Cisco High Speed WAN Interface Card 12 Cisco IOS so...

Page 177: ...ure device 4 infrastructure ssid command 4 inter client communication blocking 25 interface dot11radio command 1 2 IOS software locating documentation 13 ISO designators for protocols 1 J jitter 2 K key features 1 3 L latency 2 LEAP described 4 LEAP authentication local authentication 1 setting on client and access point 16 Light Extensible Authentication Protocol See LEAP limiting client power le...

Page 178: ...11e parameter 3 QoS configuration guidelines 5 described 4 overview 2 quality of service See QoS R radio activity 29 congestion 14 interface 2 preamble 21 RADIUS attributes CSID format selecting 13 sent by the access point 18 vendor proprietary 15 vendor specific 14 WISPr 16 configuring access point as local server 2 accounting 12 authentication 7 authorization 11 communication global 5 13 communi...

Page 179: ...mand 5 slot time short command 28 SNMP FTP MIB files 2 snooping helper IGMP 6 spaces in an SSID 5 speed command 11 SSID 2 guest mode 2 multiple SSIDs 1 support 3 using spaces in 5 VLAN 2 ssid command 3 9 5 static WEP with open authentication setting on client and access point 16 with shared key authentication setting on client and access point 16 station role command 3 switchport protected command...

Page 180: ...Index IN 6 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL 6415 04 world mode command 21 WPA 6 WPA migration mode 12 wpa psk command 13 ...

Page 181: ...Index IN 7 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL 6415 04 ...

Page 182: ...Index IN 8 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL 6415 04 ...

Page 183: ...Index IN 9 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL 6415 04 ...

Page 184: ...Index IN 10 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL 6415 04 ...

Page 185: ...Index IN 11 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL 6415 04 ...

Page 186: ...Index IN 12 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL 6415 04 ...

Page 187: ...Index IN 13 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL 6415 04 ...

Page 188: ...Index IN 14 Cisco Wireless ISR and HWIC Access Point Configuration Guide OL 6415 04 ...

Reviews:

No comments

Related manuals for HWIC

Brand: Panasonic Pages: 18

Brand: Panasonic Pages: 29

Brand: sauter Pages: 8

Thunderbolt 3/USB-C I/ O CARD

Brand: Logicube Pages: 5

Brand: PRO-NETS Pages: 72

Brand: Aruba Pages: 15

Aruba 318 Series

Brand: Hewlett Packard Enterprise Pages: 2

Brand: Linksys Pages: 44

Brand: Linksys Pages: 544

Brand: StarHub Pages: 41

Brand: Ruckus Wireless Pages: 58

Brand: Zte Pages: 29

Brand: SUNDRAY Pages: 20

Brand: Nox Medical Pages: 36

tm-g5240 - T-mobile Hotspot Wireless

Brand: T-Mobile Pages: 95

Brand: High-Flying Pages: 18

Brand: VTel Wireless Pages: 2

Brand: Westermo Pages: 21

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands