manualshive.com logo in svg

Allen-Bradley 1783-WAPAK9, Руководство пользователя

Поделиться
Скачать
Allen-Bradley 1783-WAPAK9 Скачать руководство пользователя страница 85

Rockwell Automation Publication 1783-UM006A-EN-P - May 2014

85

Stratix 5100 Device Manager Parameter Definitions

Chapter 4

Security Configuration Settings on the Easy Setup Page

You can configure a limited number of security parameters for the Stratix 5100 
WAP. There are four choices:

No Security

WEP Key

EAP Authentication

WPA

Use the Security page to review and configure the security settings for the access 
point. 

You can configure security also by 
using CLI, see 

Security CLI 

Configuration Examples on 
page 184

.

Table 12 - Security Types on Easy Set-up Security Setup Page

Security Type

Description

Security Features Enabled

No Security

This is the least secure option. Use this option only for SSIDs used in a public 
space and assign it to a VLAN that restricts access to your network.

None.

WEP Key

This option is more secure than no security. However, static WEP keys are 
vulnerable to attack. If you configure this setting, consider limiting association 
to the wireless device based on MAC address
See 

Using MAC Address ACLs to Block or Allow Client Association to the Access 

Point on page 485

 or, if your network does not have a RADIUS server, consider 

using an access point as a local authentication server, see 

Configuring a Local 

Authenticator on page 320

.

Mandatory WEP. Client devices cannot associate by using this SSID without 
a WEP key that matches the wireless device key.

EAP Authentication

This option enables 802.1X authentication, for example, LEAP, PEAP, EAP-TLS, 
EAP-FAST, EAP-TTLS, EAP-GTC, EAP-SIM, and other 802.1X/EAP based products)
This setting uses mandatory encryption, WEP, open authenti EAP, 
network EAP authentication, no key management, RADIUS server 
authentication port 1645.
You are required to enter the IP address and shared secret for an authentication 
server on your network (server authentication port 1645). Because 802.1X 
authentication provides dynamic encryption keys, you don’t need to enter a 
WEP key.

Mandatory 802.1X authentication. Client devices that associate by using 
this SSID must perform 802.1X authentication.
If radio clients are configured to authenticate by using EAP-FAST, open 
authentication with EAP can also be configured. If you do not configure 
open authentication with EAP, the following GUI warning message 
appears:

WARNING:

 Network EAP is used for LEAP authentication only. If radio 

clients are configured to authenticate by using EAP-FAST, Open 
Authentication with EAP can also be configured.
If you are using CLI, this warning message appears:
SSID CONFIG WARNING: [SSID]: If radio clients are using EAP-FAST, AUTH 
OPEN with EAP must be configured.

WPA

Wi-Fi Protected Access (WPA) permits wireless access to users authenticated 
against a database through the services of an authentication server, then 
encrypts their IP traffic with stronger algorithms than those used in WEP.
This setting uses encryption ciphers, TKIP, open authenti EAP, network 
EAP authentication, key management WPA mandatory, and RADIUS server 
authentication port 1645.
As with EAP authentication, you must enter the IP address and shared secret for 
an authentication server on your network (server authentication port 1645).

Mandatory WPA authentication. Client devices that associate by using this 
SSID must be WPA-capable.
If radio clients are configured to authenticate by using EAP-FAST, open 
authentication with EAP must be configured. If you don’t configure open 
authentication with EAP, the following GUI warning message appears: 

WARNING: 

Network EAP is used only for LEAP authentication. If radio 

clients are configured to authenticate by using EAP-FAST, Open 
Authentication with EAP must be configured.
If you are using CLI, this warning message appears:
SSID CONFIG WARNING: [SSID]: If radio clients are using EAP-FAST, AUTH 
OPEN with EAP must be configured.

Содержание 1783-WAPAK9

Страница 1: ...Stratix 5100 Wireless Access Point Workgroup Bridge Catalog Numbers 1783 WAPAK9 1783 WAPEK9 1783 WAPCK9 1783 WAPZK9 User Manual...

Страница 2: ...ual in whole or in part without written permission of Rockwell Automation Inc is prohibited Throughout this manual when necessary we use notes to make you aware of safety considerations Labels may als...

Страница 3: ...reless AccessPoint WorkgroupBridge Ports and Connections 32 Stratix 5100 WAP Specifications 32 Ethernet Cable Recommendation 32 External Antennas 33 Antenna Cable Extensions Recommendation 33 Preparin...

Страница 4: ...k 61 Using VLANs 63 Configuring Security 64 Easy Set up Page Security Types 65 Easy Setup Network Configuration Security Limitations 66 Create an SSID from the Security Menu 66 Enabling HTTPS for Secu...

Страница 5: ...l RADIUS Server 129 Advanced Security 132 Services Page 135 Telnet SSH 135 Hot Standby Page 137 CDP Page 138 DNS Page 140 Filters Page 141 MAC Address Filters Page 142 IP Filters Page 144 Ethertype Fi...

Страница 6: ...6 Example 3 EAP Authentication 188 Example 4 WPA 191 Assign an IP Address by Using CLI 193 Using a Terminal Application Session to Access CLI 194 Configuring the 802 1X Supplicant 194 Creating a Crede...

Страница 7: ...the Authentication Cache and Profile 221 Configuring the Access Point to Provide DHCP Service 225 Setting up the DHCP Server 225 Monitoring and Maintaining the DHCP Server Access Point 227 Show Comma...

Страница 8: ...260 Blocking Channels from DFS Selection 261 Setting the 802 11n Guard Interval 262 Configuring Location based Services 263 Understanding Location Based Services 263 Configuring LBS on Access Points...

Страница 9: ...ion for an SSID 291 Guidelines for Using IP Redirection 292 Configuring IP Redirection 292 Including an SSID in an SSIDL IE 293 NAC Support for MBSSID 294 Configuring NAC for MBSSID 297 Chapter9 Confi...

Страница 10: ...enerating PACs Manually 336 Configuring an Authority ID 337 Configuring Server Keys 337 Possible PAC Failures Caused by Access Point Clock 338 Limiting the Local Authenticator to One Authentication Ty...

Страница 11: ...nd WirelessIntrusionDetectionServices Understanding WDS 375 Role of the WDS Device 376 Role of Access Points by Using the WDS Device 377 Understanding Fast Secure Roaming 377 Understanding Radio Manag...

Страница 12: ...gin Authentication 414 Defining AAA Server Groups 416 Configuring RADIUS Authorization for User Privileged Access and Network Services 418 Configuring Packet of Disconnect 419 Starting RADIUS Accounti...

Страница 13: ...455 Chapter16 ConfiguringQoS Understanding QoS for Wireless LANs 457 QoS for Wireless LANs Versus QoS on Wired LANs 458 Impact of QoS on a Wireless LAN 458 Precedence of QoS Settings 459 Configure QoS...

Страница 14: ...P Server Hosts 514 Configuring SNMP Server Users 514 Configuring Trap Managers and Enabling Traps 514 Setting the Agent Contact and Location Information 516 Using the snmp server view Command 517 SNMP...

Страница 15: ...m Message Logging 548 Default System Message Logging Configuration 549 Disabling and Enabling Message Logging 549 Setting the Message Display Destination Device 551 Enabling and Disabling Timestamps o...

Страница 16: ...ns 581 Software Auto Upgrade Messages 582 Association Management Messages 583 Unzip Messages 583 System Log Messages 584 802 11 Subsystem Messages 584 Inter Access Point Protocol Messages 589 Local Au...

Страница 17: ...use with the access point It does not provide detailed information about these commands For detailed information about these commands see the Cisco IOS Command Line Configuration Guide 15 3 This user...

Страница 18: ...MIC CMIC TKIP CKIP and broadcast key rotation Chapter 12 Configuring Authentication Types Describes how to configure authentication types onthe access point Client devices use these authentication met...

Страница 19: ...LI Reference Manual Using the Cisco IOS Command Line Interface Configuration Guide 15 3 Provides comprehensive information about using the Cisco IOS Command Line Interface Cisco IOS Security Command R...

Страница 20: ...ode and links to software service packs You can also visit our Support Center at https rockwellautomation custhelp com for software updates support chats and forums technical information FAQs and to s...

Страница 21: ...5100 WAP is a wireless LAN transceiver Wi Fi certified and compliant in 802 11a b g n 802 11b 802 11g pre 802 11n The Stratix 5100 WAP offers dual band radios 2 4 GHz and 5 GHz with integrated and ex...

Страница 22: ...ultaneous single band or dual band radios Wi Fi Standards 802 11 a b g n 3TX transmit x 4RX receive 3 spatial streams 450 Mbps PHY rate Throughput forwarding and filtering performance scan to meet 3 s...

Страница 23: ...Management Options You can use the wireless device management system through the following interfaces A web browser interface that you use through a web browser See Stratix 5100 Device Manager Config...

Страница 24: ...sometimes concerned when a client device stays associated to a distant access point instead of roaming to a closer access point However if a client signal to a distant access point remains strong and...

Страница 25: ...ese roles require specific configurations Root Access Point An access point connected directly to a wired LAN provides a connection point for wireless users If more than one access point is connected...

Страница 26: ...le an access point establishes a wireless link with a non root bridge Traffic is passed over the link to the wired LAN Access points in root and non root bridge roles can be configured to accept assoc...

Страница 27: ...client and provides a network connection for the devices connected to its Ethernet port For example if you need to provide wireless connectivity for a group of network printers you can connect the pr...

Страница 28: ...unit The access point is not attached to a wired LAN it functions as a hub linking all stations together The access point serves as the focal point for communication increasing the communication range...

Страница 29: ...ation Support on the back cover of this manual Items Shipped with the WAP The following items are included with the WAP Item Description Stratix 5100 Wireless Access Point Workgroup Bridge 1783 WAPAK9...

Страница 30: ...30 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 1 Getting Started with the Stratix 5100 WAP Notes...

Страница 31: ...nt Damage to the WAP 36 Ports and Connections 36 Install the WAP 37 IDF Closets telecommunications or other electrical equipment 37 Very High Altitudes 38 Common or Distributed Antenna System DAS 38 G...

Страница 32: ...Ethernet port 4 Console port 5 Mounting bracket pins 32472 M 1 3 4 5 2 Table 1 Stratix 5100 Wireless Access Point Workgroup Bridge Specifications Category Specification Dimensions LxWxD 22 04 x 22 04...

Страница 33: ...ralow loss ULL cables that have the same characteristics as Times Microwave LMR 400 and LMR 600 When drilling holes for cable allow for the size of connector drill bit typically15 8750 mm 5 8 in Cisco...

Страница 34: ...Hz dual band radios in a 3 x 4 MIMO configuration with three spatial streams The radios and antennas support frequency bands 2400 2500 MHz and 5150 5850 MHz through a common dual band RF interface The...

Страница 35: ...y range 2400 2500 MHz Nominal input impedance 50 VSWR Less than 2 1 Peak Gain 2 4 GHz 2 dBi Peak Gain 5 GHz 4 dBi Elevation plane 3dB beam width 2 4 GHz 63 Elevation plane 3dB beam width 5 GHz 39 Conn...

Страница 36: ...you use the Stratix 5100 Wireless Access Point Workgroup Bridge you must configure it using the console cable See Connect to the Stratix 5100 WAP Access Point Locally on page 54 and Configure the Stra...

Страница 37: ...this manual Other items you need to install the unit ESD preventive cord and wrist strap Ethernet cable Power supply Mounting screws Grounding wire IDF Closets telecommunications or other electrical...

Страница 38: ...ed for deployments on distributed antenna systems DAS Rockwell Automation does not certify endorse or provide RF support for Wi Fi deployments over any DAS The DAS vendor and systems integrator are so...

Страница 39: ...nt as possible 2 Connect a user supplied ground wire to the building grounding point The minimum length of the wire is 2 5mm2 14 AWG assuming a circuit length of 25 ft 30 5 cm Consult your local elect...

Страница 40: ...r 121T The cable access cover on the mounting bracket covers the cable bay area including the power port Ethernet port console port and the mode button to prevent the installation or removal of the ca...

Страница 41: ...ght or left to secure the security cable lock to the access point 5 Remove the key Mounting the Access Point The Stratix 5100 WAP comes with a low profile access point mounting bracket AIR AP BRACKET...

Страница 42: ...nother access hole Table 3 Mounting Bracket Description 1 Wall mount locations 4 Cable access cover 2 Grounding post 5 Security hasp 3 Access point attachment slots TIP Mark all four locations of the...

Страница 43: ...thernet and power cables to the access point 11 Align the access point feet with the large part of the keyhole mounting slots on the mounting plate 12 When positioned correctly the cable access cover...

Страница 44: ...ypes of devices at the same time under heavy use load 4 Characterize each system independently to see whether degradation exists Mounting an Access Point on a Hard Ceiling or a Wall This procedure des...

Страница 45: ...Ethernet cable building ground wire and power cables 1 Wall mount locations 4 Cable access cover 2 Grounding post 5 Security hasp 3 Access point attachment slots TIP Mark all four locations of the wal...

Страница 46: ...s with indents down over the pilot holes 7 Insert a fastener into each mounting hole and tighten 8 Connect the Ethernet and power cables to the access point 9 Align the access point feet with the larg...

Страница 47: ...he power cord attached into the WAP 3 Plug the power cord into the outlet 4 Observe the access point status indicators See Access Point Status Indicators on page 48 for descriptions of the status indi...

Страница 48: ...ator The status indicators communicate various WAP conditions Table 4 Status Indicator Descriptions Message Type Status Indicator Description Boot loader status sequence Blinking green DRAM memory tes...

Страница 49: ...through green red and off Discovery join process in progress Rapidly cycling through blue green and red Access point location command invoked Blinking red Ethernetlink not operational Boot loader war...

Страница 50: ...ager For instructions on how to configure the Wireless Access Point Workgroup Bridge by using Straitx 5100 Device Manager software see Stratix 5100 Device Manager Configuration Startup on page 51 TIP...

Страница 51: ...x 5100 WAP 53 Obtain and Assign an IP Address 54 Connect to the Stratix 5100 WAP Access Point Locally 54 Default Radio Settings 54 Reset the WAP to Default Settings 55 Logging into the Access Point 57...

Страница 52: ...ger Configure a VLAN Assign the SSID and Broadcast SSID Determine VLAN to SSID mappings Assign maximum reach Determine maximum throughput Configure Light Extensible Authentication Protocol LEAP includ...

Страница 53: ...SNMP is in use If you use IPSU to find the wireless device IP address the access point MAC address The MAC address can be found on the label on the bottom of the access point such as 00164625854c Logi...

Страница 54: ...nnect the console cable RJ 45 to the WAP 2 Connect the other end of the console cable DB 9 to the serial port on the computer 3 Set up a terminal emulator to communicate with the access point Use the...

Страница 55: ...nt 3 Hold MODE until the status indicator turns amber approximately 20 30 seconds and release the button All access point settings return to factory defaults Reset to Default Settings by Using the GUI...

Страница 56: ...ware The System Software screen appears 6 Click System Configuration The System Configuration screen appears 7 Click Reset to Defaults to reset all settings including the IP address to factory default...

Страница 57: ...at the top of any page in the web browser interface to display online help Click the printer icon to print the page you are on The help page appears in a new browser page use the select a topic pull...

Страница 58: ...pter 3 Stratix 5100 Device Manager Configuration Startup The Summary Status page appears Your page can be different depending on the access point model you are using Figure 18 Summary Status Page 6 Cl...

Страница 59: ...ddress assignment IP Address Use this setting to assignor change the wireless device IP address If DHCP is enabled for your network leave this field blank IP Subnet Mask Enter the IP subnet mask provi...

Страница 60: ...is not connected to the wired LAN Root Bridge Establishes a link with a non root bridge Non root Bridge In this mode the device establishes a link with a root bridge Workgroup Bridge Specifiesthatthe...

Страница 61: ...you must go to the radio settings page to enable the radio 1 From the top menu click Network The Network Summary page appears 2 Click Network Interface 3 Click Summary Aironet Extensions Choose Enabl...

Страница 62: ...tion 1783 UM006A EN P May 2014 Chapter 3 Stratix 5100 Device Manager Configuration Startup The Network Interfaces Summary page appears 4 Click the radio you want to configure The Radio Status page app...

Страница 63: ...page However if you don t use VLANs on your wireless LAN the security options that you can assign to SSIDs are limited because on the Easy Setup page encryption settings and authentication types are...

Страница 64: ...configure security settings to prevent unauthorized access to your network Because it is a radio device the access point can communicate beyond the physical boundaries of your work site Just as you u...

Страница 65: ...need to enter a WEP key Mandatory 802 1X authentication Client devices that associate by using this SSID must perform 802 1X authentication If radio clients are configuredto authenticate by using EAP...

Страница 66: ...guration Examples on page 184 for information on how to create an SSID by using CLI Command Line Interface 1 From the top menu click Security 2 From the left menu click SSID Manager Table 8 Easy Setup...

Страница 67: ...a useful option for an SSID used by guests or by client devices in a public space If you do not broadcast the SSID client devices cannot associate to the access point unless their SSIDs match this SSI...

Страница 68: ...onal Assign the SSID to a VLAN a Click Define VLANS b Select NEW c Enter a VLAN number 1 4094 d Choose a radio and click Apply You cannot assign an SSID to an existing VLAN 6 Optional Check the Native...

Страница 69: ...he access point If you lose the connection change the URL in your browser address line from http ip_address to https ip_address and log into the access point again When you enable HTTPS most browsers...

Страница 70: ...tion of the system name and the domain name For example if your system name is ap1100 and your domain name is company com the FQDN is ap1100 company com 6 Enter the FQDN on your DNS server This way th...

Страница 71: ...check box and click Apply 9 Enter a domain name and click Apply A warning page appears stating that you need to use HTTPS to browse to the access point The page also instructs you to change the URL t...

Страница 72: ...t the access point security certificate is valid but is not from a known source However you can accept the certificate with confidence because the site in question is your own access point Figure 24 C...

Страница 73: ...d page 13 Click Next The Certificate Storage Area dialog box appears and asks where do you want to store the certificate We recommend that you use the default storage area on your system Figure 27 Cer...

Страница 74: ...gain CLI Configuration Example This example shows the CLI commands that are equivalent to the steps listed in Enabling HTTPS for Secure Browsing on page 69 In this example the access point system name...

Страница 75: ...ete the certificate Follow these steps to delete the certificate 1 Browse to the Services HTTP page 2 Uncheck the Enable Secure HTTPS Browsing check box to disable HTTPS 3 Click Delete Certificate 4 R...

Страница 76: ...76 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 3 Stratix 5100 Device Manager Configuration Startup Notes...

Страница 77: ...tup Page 85 Network Page 86 Network Interface Summary Page 87 Network Interface IP Address Page 90 Network Interface Radio0 802 11n 2 GHz and Radio1 802 11n 5 GHz Status 95 Network Interface Radio Set...

Страница 78: ...Parameter Definitions QoS Policies Page 149 Stream Page 154 SNMP Page 155 SNTP Page 158 ARP Caching Page 161 Band Select Page 162 Management Page 164 Software Page 166 Software Upgrade HTTP Page 167 S...

Страница 79: ...ick Apply Table 9 Stratix 5100 Device Manager System Management Tab Descriptions Item Description Home TheEasySetuppageprovidesthewirelessdevicestatuspagewithinformationon the number of radio devices...

Страница 80: ...ge on page 166 for details Event Log Creates the wireless device event log and provides links to configuration pages where you can select events to be in traps set event severity levels and set notifi...

Страница 81: ...nge the system name the wireless device resets the radios causing associated client devices to disassociate and quickly reassociate Server Protocol Choose the item that matches the network method of I...

Страница 82: ...address for example FE80 E690 69FF FEAE 66D0 X X X X X 0 128 Username The username want to use for this WAP Password The password you want to use for this WAP SNMP Community To use Simplified Network...

Страница 83: ...tting VLAN If you use VLANs on your wireless LAN and assign SSIDs to VLANs you can create multiple SSIDsusinganyofthefoursecuritysettingsontheExpressSecuritypage However ifyoudo not use VLANs on your...

Страница 84: ...her radio interface is automatically disabled UniversalWorkgroup Bridge Provides the means for the Stratix 5100 WAP to be configured as workgroup bridges WGBs and to associate with non Cisco access po...

Страница 85: ...on your network server authentication port 1645 Because 802 1X authentication provides dynamic encryption keys you don t need to enter a WEP key Mandatory 802 1X authentication Client devices that as...

Страница 86: ...lities If you select Enable it is best to switch back to the Disable default before leaving the page because the time to discover the network can greatly increase the system load Figure 34 Network Map...

Страница 87: ...this device Software Version The software version currently running on your device Radio Specifies whether the radio is 802 11a or 802 11b Channel Specifies what channel the radio is using Age hrs Sp...

Страница 88: ...interface and helps locate network problems Total Packets Input The total number of error free packets received by the system Total Bytes Input The total number of error free bytes received by the sys...

Страница 89: ...e parent access point was restarted The operator changed the assigned parent Better parent found The number of times the repeater switched to a new parent access point because the signal from the curr...

Страница 90: ...configure the access point as a DHCP server it assigns IP addresses to devices on its subnet The devices communicate with other devices on the subnet but not beyond it If data needs to be passed beyo...

Страница 91: ...ftware Status Indicates whether the interface has been enabled or disabled by the operator Hardware Status Indicates whether the line protocol for the interface is up or down Maximum Rate The rate set...

Страница 92: ...eroftimesthereceiverhardwarewasunabletosendreceiveddatatoa hardware buffer because the input rate exceeded the receiver s ability to process the data Ignored Packets The number of received packets ign...

Страница 93: ...sults from an overextended LAN where the Ethernet or transceiver cable is too long where too many cascadedmulti port transceiversare used or where more than two repeaters are used between stations Las...

Страница 94: ...and Full Important Do not modify Requested Duplex while using inline power Changing these settings while using inline power can cause the device to reboot Requested Speed Auto 1000 Mbps 100 Mbps 10 M...

Страница 95: ...ransmission Aironet Extensions If compatibility with non Cisco Aironet products is required deselect Aironet Extensions Disablingthisoptionlimitsseveraladvancedfeaturesoftheaccesspoint such as load ba...

Страница 96: ...umber of bytes including data and MAC encapsulation received by the system Transmit Statistics 5 min Output Rate bits sec The average number of bits transmitted per second in the last 5 minutes 5 min...

Страница 97: ...ber of Kilobytes Sent and Received by the server Unicast Packets Received Sent Number of Unicast Packets Received Sent in point to point communication Unicast Packets Sent To Host By Host Number of Un...

Страница 98: ...em or because they were not encrypted Retries Number of attempts to send a packet Buffer full Messagethatissenttothesendingdevicetosuspendtransmissionuntilthe data in the buffers has been processed Pa...

Страница 99: ...Table 20 Radio0 802 11n 2 GHz and Radio1 802 11n 5 GHz Settings Description Parameter Description Operating Mode This value indicates whether or not the radio supports multiple protocols as in 802 11...

Страница 100: ...Disabled Down Role in Radio Network This is where you choose a role in the radio network The choices are access point repeater root bridge non root bridge install workgroup bridge scanner spectrum For...

Страница 101: ...rface Settings Page continued Table 21 Radio0 802 11n 2 GHz and Radio1 802 11n 5 GHz Settings Description Parameter Description Data Rates Default Best Range Best Throughput 1 0 2 0 5 5 11 0 6 0 9 0 1...

Страница 102: ...nly Selected Channels Channel Width 20 MHz Table 21 Radio0 802 11n 2 GHz and Radio1 802 11n 5 GHz Settings Description Continued Parameter Description Table 22 Radio0 802 11n 2 GHz and Radio1 802 11n...

Страница 103: ...am Metric Enable Disable Aironet Extension Enable Disable Ethernet Encapsulation Transform RFC1042 802 1H Reliable Multicast to WGB Enable Disable Public Secure Packet Forwarding Enable Disable Beacon...

Страница 104: ...ge is where you can view what is associated with clients and infrastructure clients Figure 43 Association Page Table 24 Association Page Parameter Descriptions Parameter Description SSID Name Device T...

Страница 105: ...address is a unique identifier assigned to the network interface by the manufacturer If you click the MAC Address link it takes you to the Association Station View Client screen The MAC addresses that...

Страница 106: ...e Parameter Descriptions Parameter Description Participate in SWAN Infrastructure Enable Disable WDS Discovery Auto Discovery Specified Discovery IP Address Username Participate username Password Part...

Страница 107: ...WDS Fast Secure Roaming Radio Management and Wireless Intrusion Detection Services on page 375 for detailed configuration information Figure 45 WDS Wireless Domain Service Status Page This page provi...

Страница 108: ...etwork interface by the manufacturer IP Address IP address of the client repeater State Displays the state of the client repeater as either Registered or not SSID Specifies the SSIDtied to the VLAN VL...

Страница 109: ...to act as the main WDS and lower priorities to backup WDSs If your main WDS fails the backup with the highest priority becomes the active WDS Use Local MAC List for Client Authentication Checkthistoau...

Страница 110: ...e group name Group Sever Priorities Set the priority of servers used forinfrastructure and clientauthentications Define Servers ClickDefineServerstomovetotheSecurity ServerManagerpagewhereyoucan confi...

Страница 111: ...other security pages Figure 48 Security Summary Page Links on the Security Summary Page Description Administrators Link to Admin Access seeAdmin Access Pageon page 113 Service Set Identifiers SSIDs Li...

Страница 112: ...ifies which radio is being used BSSID Guest Mode Specifies the BSSID Guest mode attached to this SSID Open Shared Network EAP Specifies the method of authentication being used Open enables any device...

Страница 113: ...arameter Descriptions Parameter Description Administrator Authenticated by Default Authentication Global Password Local User List Only Individual Passwords Authentication Server Only Authentication Se...

Страница 114: ...arameter Definitions Encryption Manager Page You use Wired Equivalent Privacy WEP to encrypt radio signals sent by the bridge and decrypt radio signals received by the bridge This page enables you to...

Страница 115: ...Because cipher suites provide the protection of communication while also allowing the use of authenticated key management we recommend that you enable encryption by using the encryption mode cipher co...

Страница 116: ...logically segmented byfunctions project teams or applications rather than ona physical or geographical basis For example all workstations and servers used by a particular workgroup team can be connec...

Страница 117: ...n Server Only option on the Advanced Security page In the case of Authentication Server Only option MAC Authentication Servers must be set in this page or in the Server Manager page EAP Authentication...

Страница 118: ...redirect only packets addressed to specific ports the access point redirects those packets from clients using the SSID and drops all other packets from clients using the SSID IP Address Enter the IP...

Страница 119: ...ructure SSID Whentheaccesspointisinrepeatermode thisSSIDisusedtoassociatewithaparentaccesspoint Checkthecheckboxbythepull downmenu if you want to force infrastructure devices to associate only to this...

Страница 120: ...ter 4 Stratix 5100 Device Manager Parameter Definitions Server Manager Page The Server Manager page is where you to enter the authentication settings The RADIUS TACACS server on the your network uses...

Страница 121: ...number your RADIUS TACACS server uses for authentication The port setting for the Cisco RADIUS server the Access Control Server ACS is 1645 and the port setting for many RADIUS servers is 1812 Check y...

Страница 122: ...about the servers you are using and the global locations of those servers Table 34 Server Manager Global Properties Parameter Descriptions Parameter Description Accounting Update Interval optional 1 2...

Страница 123: ...n ID Format Default Example 0000 4096 3e4a IETF Example 00 00 40 96 3e 4a Unformatted Example 000040963e4a RADIUS Service Type Attributes Login Framed RADIUS WISPr Attributes optional ISO County Code...

Страница 124: ...uce unique challenges to the traditional authenticator client relationship First access points can be placed in public places inviting the possibility that they could be unplugged and their network co...

Страница 125: ...ndthe network authentication device negotiate to agree upon an authentication method supportedbybothdevicestocompleteauthentication Anauthenticationmethods profile is usedtorestrict thetypesof authent...

Страница 126: ...inviting the possibility that they could be unplugged and their network connection used by an outsider Second when a repeater access point is incorporated into a wireless network the repeater access...

Страница 127: ...ntication methodsprofile and assign it to the relevant SSIDs or FastEthernet interface The restriction may be required to prevent the network authentication server and the access point from negotiatin...

Страница 128: ...access points in the network It ensures that the MIC IE is present when the originator is configured to transmit MFP frames and matches the content of the management frame If it receives any frame tha...

Страница 129: ...US Server feature on an access point Figure 53 Local RADIUS Server Statistics Page Table 38 Local RADIUS Server Statistics Page Parameter Descriptions Parameter Description Blocks The number of times...

Страница 130: ...ntication Protocols EAP Fast LEAP MAC Network Access Server AAA Clients Current Network Access Servers Network Access Server IP Address Shared Secret Individual Users Current Users Username Text or NT...

Страница 131: ...ys Primary Key optional 32 Hex characters Generate Random Secondary Key optional 32 Hex characters Copy from primary PAC Content Authority Info optional Authority ID optional 32 Hex characters Automat...

Страница 132: ...the Authentication Server Only option Authentication Server if not found in Local List Choose Authentication Server if not found in Local List if you want to try MAC authentication list first and then...

Страница 133: ...eauthentication Enable Reauthentication with Interval 1 65555 s Enable Reauthentication with Interval given by Authentication Server Radio0 802 11N2 4 GHz Authentication TKIP MIC Failure Holdoff Time...

Страница 134: ...Parameter Definitions Figure 58 Associated Access list Page Table 43 Association Access List Page Parameter Descriptions Parameter Description Filter client association with MAC address access list S...

Страница 135: ...Manager Parameter Definitions Chapter 4 Services Page The summary provides a list of the main services that are currently enabled or disabled You can click any of the links to go to that page and chan...

Страница 136: ...Telnet security Secure shell enables a strong encryption to be used with the Cisco IOS software authentication Secure Shell Enable or Disable Select Enabled if you want to enable the secure shell SSH...

Страница 137: ...displays This field displays the current status of the hot standby and is updated by pressing Refresh MAC Address for Monitored Radio0 802 11N2 4 GHz MAC Address for Monitored 802 11a b or g Radio HH...

Страница 138: ...s2000 Use the CDP page to adjust the device s CDP settings Figure 62 CDP Page Table 46 CDP Page Parameter Descriptions Parameter Description Cisco Discovery Protocol CDP Select Disabled to disable CDP...

Страница 139: ...IB athttp www cisco com public mibs v1 CISCO CDP MIB V1SMI my CDP Neighbors Table This section displays the type of device that is discovered Specifically it displays these values Device ID The config...

Страница 140: ...ou need to make sure that the DNS Server has a record of the WAP For more information about using a DNS see Enabling HTTPS for Secure Browsing on page 69 Figure 63 DNS Page Table 47 DNS Page Parameter...

Страница 141: ...pe Filters pages are not applied until they are enabled on this Apply Filters page Apply filters with caution Misconfigured filters can lock you out of the access point If this happens the recovery me...

Страница 142: ...ter Index Name the filter with a number from 700 799 The number you assign creates an access control list ACL for the filter Add MAC Address Type a destination MAC address withthe periods separating t...

Страница 143: ...s default action must be opposite of the action for at least one of the addresses in the filter For example if you enter several addresses and you select Block as the action for all of them you must...

Страница 144: ...all addresses except those you specify You can create filters that contain elements of one two or all three IP filtering methods You can apply the filters you create to either or both the Ethernet an...

Страница 145: ...ype the mask for the destination IP address Enter the mask with periods separating the three groups of four characters for example 112 334 556 778 If you enter 255 255 255 255 as the mask the access p...

Страница 146: ...d in the Create Edit Filter Index menu To edit an existing filter select the filter number from the Create Edit Filter Index menu Filter Index Name the filter with a number from 200 299 The number you...

Страница 147: ...The certificate is based on your current System Name and Domain Name The certificate is presented to the browser on each subsequent access to establish an SSI connection The certificate can be install...

Страница 148: ...setting provided by your System Administrator The default is 80 HTTPS Port This setting determines what port your device provides secure SSL web access Use the port setting provided by your system ad...

Страница 149: ...on Create Edit Policies If you are entering a new policy make sure NEW the default is selected in the Create Edit Policy menu To edit an existing policy select the policy name from the Create Edit Pol...

Страница 150: ...n Filter If you have filters set up you can assign a priority to packets that match the selected filter FromtheFilterpull downmenu selectthefilteryouwanttoincludeinthepolicy For example youcould assig...

Страница 151: ...each access category enter the minimum contention page value Channel access is prioritized by assigning smaller contention page values to a higher prioritytraffic class If achannelis busy or atransmis...

Страница 152: ...this button the following changes are made The values of Access Category Definition are changed for optimized voice The packet handling for user priority 5 and 6 are changed to low latency See Servic...

Страница 153: ...SS Load IE version is used IGMP Snooping Snooping Helper When Internet Group Membership Protocol IGMP snooping is enabled on a switch and a client roams from one access point to another the client s m...

Страница 154: ...riority Select the userprioritytousefor stream services Foreachuserpriority listed use the pull down menu to choose either Reliable or Low Latency for the packet handling descriptor Then determine the...

Страница 155: ...Express Setup page the community associates using read only or read write capabilities Figure 72 SNMP Page Table 57 SNMP Page Parameter Description Parameter Description SimpleNetworkManagement Proto...

Страница 156: ...Object Identifier Afteryouchooseacommunitystringto edit intheCurrentCommunityStrings list theObjectIdentifiervalueforthatparticularcommunitystringisdisplayed oryou can enter a new object identifier f...

Страница 157: ...t 802 11 Event Traps Enables traps for client authentication failure client deauthentication and client disassociation Encryption Key Trap Enables traps on any change in the WEP encryption key setting...

Страница 158: ...status Time Server optional If your network has a default time server enter the server s IP address or host name Time Settings GMT Offset The GMT Offset pull down menu lists the world s time zones rel...

Страница 159: ...or network equipment such as bridges and routers connected by a single bridging domain The bridging domain is supported on various pieces of network equipment for example LAN switches that operate bri...

Страница 160: ...sign the SSID to it VLAN ID Specifies the virtual Ethernet LAN identification number tied to the SSID You can assign a name to a VLAN in addition to its numerical ID VLAN Name optional You can assign...

Страница 161: ...eceives an ARP request for an IP address not in the cache the access point drops the request and does not forward it Figure 76 ARP Caching Page Table 61 ARP Caching Page Parameter Descriptions Paramet...

Страница 162: ...Band selection works by regulating probe responses to clients It makes 5 GHz channels more attractive to clients by delaying probe responses to clients on 2 4 GHz channels You can enable band selectio...

Страница 163: ...nd clients The default value is 60 seconds After this time elapses clients become new and are subject to probe response suppression Expire Suppression 10 2000 s Sets the expiration time for pruning pr...

Страница 164: ...you want to login to a network that allows guest access they are brought to a web page that states the Terms and Conditions of using the Wifi Once the guests accept the terms and Enter the password i...

Страница 165: ...web users the first time they access the Wireless Network if Web Authentication is turned on SSID Figure 79 Webauth Login Page Table 64 Webauth Login Page Parameter Descriptions Parameter Description...

Страница 166: ...ion Product Model Number The model number of the access point Top Assembly Serial Number The serial number of the access point System Software Filename The software that was installed on the system Sy...

Страница 167: ...meter Description System Software Filename The software that is installed on the system System Software Version The version of Cisco IOS software that is running on the access point Bootloader Version...

Страница 168: ...ame The software that is installed on the system System Software Version The version of Cisco IOS software that is running on the access point Bootloader Version The version of bootloader that is inst...

Страница 169: ...Startup Configuration File Browse to the location where you stored the config txt file you saved using the Current Startup Configuration File feature Click Load to upload the new file to any access po...

Страница 170: ...ditionindicatesthatthePSEis unable to provide sufficient power or that the power injector has not been configured properly See System Power Settings for instructions on how to correct this Power Sourc...

Страница 171: ...he Event log In CLI this command is show logging Table 69 Event Log Page Parameter Descriptions Parameter Description Start Display at Index Enter the event where you want the event log to begin Max N...

Страница 172: ...time zone The system clock must be set for this time stamp to work Severity This table lists the severity of events Description Gives a description of the error event The radio MAC address appears in...

Страница 173: ...evel whether you want the event displayed on the event log by placing a check mark in the check box Events displayed on the event log are available on the event log page Notify via SNMP Syslog Trap De...

Страница 174: ...ime The time of day the event occurred in UTC time recorded as Month dd hh mm ss usecand3 lettertimezone UTC Thesystemclockmustbe set for this time stamp to work Local Time The time of day the event o...

Страница 175: ...ds are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands that show the current configuration status and clear commands that clear count...

Страница 176: ...ogout or quit Use this mode to Change terminal settings Perform basic tests Display system information Privileged EXEC Whileinuser EXECmode enter the enable command ap Enter disable to exit Use this m...

Страница 177: ...the keyword no to enable a disabled feature again or enable a feature that is disabled by default Configuration commands can also have a default form The default form of a command returns the command...

Страница 178: ...ne configuration mode enter this command to configure the number of command lines the wireless device records for all sessions on a particular line ap config line history size number of lines The rang...

Страница 179: ...d in privileged EXEC mode ap terminal editing To reconfigure a specific line to have enhanced editing mode enter this command in line configuration mode ap config line editing To globally disable enha...

Страница 180: ...t 10items that youhave deleted or cut If you press Esc Y more than ten times you cycle to the first buffer entry Delete entries ifyoumake amistake or change your mind Delete or Backspace Erase the cha...

Страница 181: ...sign shows that the line has been scrolled to the left Each time the cursor reaches the end of the line the line is again shifted ten spaces to the left ap config access list 101 permit tcp 131 108 2...

Страница 182: ...ocol is up Vlan10 is up line protocol is down GigabitEthernet0 1 is up line protocol is down GigabitEthernet0 2 is up line protocol is up Accessing CLI You can open the wireless device CLI by using Te...

Страница 183: ...ting up the wireless device for SSH access Reset Default Settings by Using CLI If you want to reset the access point to its default settings and maintain a static IP address use this command write era...

Страница 184: ...contains these example configurations Example 1 No Security This example shows part of the configuration that results from using the Security page to create an SSID called no_security_ssid including...

Страница 185: ...basic 24 0 36 0 48 0 54 0 rts threshold 2312 station role root interface Dot11Radio1 1 10 encapsulation dot1Q 10 native no ip route cache bridge group 1 bridge group 1 subscriber loop control bridge...

Страница 186: ...o ip address no ip route cache encryption vlan 20 key 3 size 128bit 7 FFD518A21653687A4251AEE1230C transmit key encryption vlan 20 mode wep mandatory speed basic 1 0 basic 2 0 basic 5 5 basic 11 0 rts...

Страница 187: ...54 0 rts threshold 2312 station role root bridge group 1 bridge group 1 subscriber loop control bridge group 1 block unknown source no bridge group 1 source learning no bridge group 1 unicast floodin...

Страница 188: ...o ip route cache encryption vlan 30 mode wep mandatory ssid eap_ssid speed basic 1 0 basic 2 0 basic 5 5 basic 11 0 rts threshold 2312 station role root bridge group 1 bridge group 1 subscriber loop c...

Страница 189: ...ory ssid eap_ssid speed basic 6 0 9 0 basic 12 0 18 0 basic 24 0 36 0 48 0 54 0 rts threshold 2312 station role root bridge group 1 bridge group 1 subscriber loop control bridge group 1 block unknown...

Страница 190: ...oup 30 source learning bridge group 30 spanning disabled interface BVI1 ip address 10 91 104 91 255 255 255 192 no ip route cache ip http server ip http help path http www cisco com warp public 779 sm...

Страница 191: ...etwork eap eap_methods authentication key management wpa aaa new model aaa group server radius rad_eap server 10 91 104 92 auth port 1645 acct port 1646 aaa group server radius rad_mac aaa group serve...

Страница 192: ...ridge group 1 bridge group 1 subscriber loop control bridge group 1 block unknown source no bridge group 1 source learning no bridge group 1 unicast flooding bridge group 1 spanning disabled interface...

Страница 193: ...for the wireless device Ethernet and radio ports the network uses the BVI When you assign an IP address to the wireless device by using CLI you must assign the address to the BVI Beginning in privileg...

Страница 194: ...nnect Configuring the 802 1X Supplicant Traditionally the dot1x authenticator client relationship has always been a network device and a personal computer client respectively as it was the personal co...

Страница 195: ...unencrypted password for the credentials 0 an unencrypted password follows 7 a hidden password follows Hidden passwords are used when applying a previously saved configuration LINE an unencrypted cle...

Страница 196: ...d port 1 Enter global configuration mode configure terminal 2 Enter the interface configuration mode for the access point Fast Ethernet port You can also use interface fa0 to enter the fast Ethernet c...

Страница 197: ...annot contain the or character The characters TAB and trailing spaces are invalid characters for SSIDs dot11 ssid ssid 3 Enter the name of a preconfigured credentials profile dot1x credentials profile...

Страница 198: ...198 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 5 Configure the Stratix 5100 WAP Using the Command Line Interface Notes...

Страница 199: ...Point Access with RADIUS 208 Controlling Access Point Access with TACACS 215 Configuring Ethernet Speed and Duplex Settings 218 Configuring the Access Point for Wireless Network Management 219 Config...

Страница 200: ...show boot or show boot mode button commands in the privileged EXEC mode The status does not appear in the running configuration The following shows a typical response to the show boot and show boot mo...

Страница 201: ...ch username and password pair The default username is blank and the default password is wirelessap Usernames and passwords are case sensitive For more information in CLI see the Configuring Username a...

Страница 202: ...wirelessap For password specify a string from 1 25 alphanumeric characters The string cannot start with a number is case sensitive and allows spaces but ignores leading spaces It can contain the quest...

Страница 203: ...end 5 Verify your entries show running config 6 Optional Save your entries in the configuration file copy running config startup config The enable password is not encrypted and can be read in the wir...

Страница 204: ...minal 2 Define a new password or change an existing password for access to privileged EXEC mode enable password level level password encryption type encrypted password or enable secret level level pas...

Страница 205: ...d and console and virtual terminal line passwords To remove a password and level use the no enable password level level or no enable secret level level global configuration command To disable password...

Страница 206: ...e The password must be from 1 25 characters can contain embedded spaces and must be the last option specified in the username command 3 Enable local password checking at login time Authentication is b...

Страница 207: ...guration mode configure terminal 2 Set the privilege level for a command For mode enter configure for global configuration mode exec for EXEC mode interface for interface configuration mode or line fo...

Страница 208: ...configure AP config enable password level 14 SecretPswd14 Logging Into and Exiting a Privilege Level Beginning in privileged EXEC mode follow these steps to log in to a specified privilege level and...

Страница 209: ...protocols to be used for authentication thus ensuring a back up system for authentication in case the initial method fails The software uses the first method listed to authenticate users if that metho...

Страница 210: ...n page 410 4 Enter line configuration mode and apply the authentication list line console tty vty line number ending line number 5 Apply the authentication list to a line or set of lines If you specif...

Страница 211: ...optional auth port and acct port keywords Beginning in privileged EXEC mode follow these steps to define the AAA server group and associate a particular RADIUS server with it 1 Enter global configura...

Страница 212: ...rver in the AAA server group Each server in the group must be previously defined in Step 2 server ip address 6 Return to privileged EXEC mode end 7 Verify your entries show running config 8 Optional S...

Страница 213: ...g sg radius exit Configuring RADIUS Authorization for User Privileged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the wirele...

Страница 214: ...Configure the wireless device for user RADIUS authorization to determine if the user has privileged EXEC access The exec keyword can return user profile information such as autocommand information aa...

Страница 215: ...e a named list of authentication methods and then apply that list to various interfaces The method list defines the types of authentication that is performed and the sequence that they are performed i...

Страница 216: ...creating For method1 specify the actual method the authentication algorithm tries The additional methods of authentication are used only if the previous method returns an error not if it fails Choose...

Страница 217: ...n the local user database or on the security server to configure the user session The user is granted access to a requested service only if the information in the user profile allows it You can use th...

Страница 218: ...e Ethernet port speed and duplex settings We recommend that you use auto the default setting for both the speed and duplex settings on the wireless device Ethernet port When the wireless device receiv...

Страница 219: ...full half 5 Return to privileged EXEC mode end 6 Verify your entries show running config 7 Optional Save your entries in the configuration file copy running config startup config Configuring the Acces...

Страница 220: ...EXEC shell by checking the local database aaa authorization exec local 5 Configure user AAA authorization for all service requests that are network related aaa authorization network local 6 Enter the...

Страница 221: ...To disable authorization use the no aaa authorization network exec method1 global configuration command Configuring the Authentication Cache and Profile The authentication cache and profile feature al...

Страница 222: ...ip subnet zero aaa new model aaa group server radius rad_eap server 192 168 134 229 auth port 1645 acct port 1646 aaa group server radius rad_mac server 192 168 134 229 auth port 1645 acct port 1646...

Страница 223: ...1 subscriber loop control bridge group 1 block unknown source no bridge group 1 source learning no bridge group 1 unicast flooding bridge group 1 spanning disabled interface Dot11Radio1 no ip address...

Страница 224: ...2 168 133 231 key 7 105E080A16001D1908 tacacs server directed request radius server attribute 32 include in access req format h radius server host 192 168 134 229 auth port 1645 acct port 1646 key 7 1...

Страница 225: ...gning to DHCP clients You must specify the IP addresses that the DHCP Server must not assign to clients Optional To enter a range of excluded addresses enter the address at the low end of the range fo...

Страница 226: ...ddress is required however you can specify up to eight addresses in one command line default router address address2 address 8 7 Return to privileged EXEC mode end 8 Verify your entries show running c...

Страница 227: ...address Providesalistofalladdressconflictsrecordedbyaspecific DHCP Server Enter the wireless device IP address to show conflicts recorded by the wireless device show ip dhcp database url Provides rec...

Страница 228: ...orts both SSH versions If you don t specify the version number the access point defaults to version 2 SSH provides more security for remote connections than Telnet by providing strong encryption when...

Страница 229: ...ts beacon the wireless device includes an information element to alert client devices that they can safely ignore broadcast messages to increase battery life Optional ARP Caching If a client device is...

Страница 230: ...other systems SNTP typically provides time within 100 milliseconds of the accurate time but it does not provide the complex filtering and statistical mechanisms of NTP You can configure SNTP to reque...

Страница 231: ...e remains accurate until the next system restart We recommend that you use manual configuration only as a last resort If you have an outside source that the wireless device can synchronize to you don...

Страница 232: ...urposes Until the clock is authoritative and the authoritative flag is set the flag prevents peers from synchronizing to the clock when the peers time is invalid The symbol that precedes the show cloc...

Страница 233: ...e follow these steps to configure summer time daylight saving time in areas where it starts and ends on a particular day of the week each year 1 Enter global configuration mode configure terminal 2 Co...

Страница 234: ...00 last Sunday October 2 00 Beginning in privileged EXEC mode follow these steps if summer time in your area does not follow a recurring pattern configure the exact date and time of the next summer t...

Страница 235: ...01 2 00 Defining HTTP Access By default 80 is used for HTTP access and port 443 is used for HTTPS access These values can be customized by the user Follow these steps to define the HTTP access 1 From...

Страница 236: ...nt devices disassociate and quickly reassociate You can enter up to 63 characters for the system name However when the wireless device identifies itself to client devices it uses only the first 15 cha...

Страница 237: ...ds a cache or database of names mapped to IP addresses To map domain names to IP addresses you must first identify the host names specify the name server that is present on your network and enable the...

Страница 238: ...bal Internet naming scheme DNS ip domain lookup 4 Return to privileged EXEC mode end 5 Verify your entries show running config Optional Save your entries in the configuration file copy running config...

Страница 239: ...Access Chapter 6 Displaying the DNS Configuration To display the DNS configuration information use the show running config privileged EXEC command When DNS is configured on the wireless device the sh...

Страница 240: ...240 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 6 Administering the WAP Access Notes...

Страница 241: ...ing Short Radio Preambles 265 Configuring Transmit and Receive Antennas 266 Enabling and Disabling Gratuitous Probe Response 267 Disabling and Enabling Aironet Extensions 268 Configuring the Ethernet...

Страница 242: ...z radio is radio 1 4 Assign the SSID you created in Step 2 to the appropriate radio interface ssid ssid 5 Enable the radio port no shutdown 6 Return to privileged EXEC mode end 7 Optional Save your en...

Страница 243: ...t radio connectivity Shutdown The wireless access point workgroup bridge shuts down its radio and disassociates all client devices Beginning in privileged EXEC mode follow these steps to set the wirel...

Страница 244: ...less device can either shut down its radio port or become a repeater access point associated to any nearby root access point station role non root bridge wireless clients repeater root access point ap...

Страница 245: ...sabling the Ethernet client causing the universal workgroup bridge to associate with an access point by using its own BVI address Configuring Dual radio Fallback The dual radio fallback features lets...

Страница 246: ...ss points you must use the following command in the radio interface configuration mode station role root access point fallback shutdown Fast Ethernet Tracking You can configure the access point for fa...

Страница 247: ...nt always attempts to transmit at the highest data rate set to Basic also called Require on the browser based interface If there are obstacles or interference the wireless access point steps down to t...

Страница 248: ...ty of the client to connect to the access point Typically the trade off is between throughput and range When the signal degrades possibly due to distance from the access point the rates renegotiate do...

Страница 249: ...oal then multicasts can be transmitted at a low data rate If support for high data rate multicasts is required then shrink the cell size and to disable all lower data rates Depending on your specific...

Страница 250: ...rates to basic on the 802 11b 2 4 GHz radio enter the following basic 1 0 basic 2 0 basic 5 5 and basic 11 0 To set these data rates to basic on the 802 11g 2 4 GHz radio enter the following basic 1...

Страница 251: ...it provides for potentially greater throughput High throughput data rates are a function of MCS bandwidth and guard interval 802 11 a b and g radios use 20 MHz channel widths This table shows the pote...

Страница 252: ...id 1250test speed basic 1 0 2 0 5 5 11 0 6 0 9 0 12 0 18 0 24 0 36 0 48 0 54 0 m0 m1 m2 m3 m4 m8 m9 m10 m11 m12 m13 m14 m15 11 52 108 57 7 9 120 12 78 162 86 2 3 180 13 104 216 115 5 9 240 14 117 243...

Страница 253: ...radio or the 5 GHz radio to one of the power levels allowed in your regulatory domain power local These options are available for the 802 11b 2 4 GHz radio in mW 1 5 20 30 50 100 maximum These option...

Страница 254: ...he wireless access point sends the maximum power level setting to the client Beginning in privileged EXEC mode follow these steps to specify a maximum allowed power setting on all client devices that...

Страница 255: ...client power command to disable the maximum power level for associated clients Aironet extensions must be enabled to limit the power level on associated client devices Aironet extensions are enabled b...

Страница 256: ...put clients use the control channel Beacons can be sent only on this channel The second 20 Mhz channel is called the extension channel 40 Mhz stations use this channel and the control channel simultan...

Страница 257: ...t use DFS When a DFS enabled 5 GHz radio operates on one of the 15 channels listed in Table 84 on page 258 the access point automatically uses DFS to set the operating frequency When DFS is enabled th...

Страница 258: ...bility Check CAC The CAC is a 60 second scan for the presence of radar signals on the channel The following sample messages are displayed on the access point console showing the beginning and end of t...

Страница 259: ...s that apply to DFS Confirming that DFS is Enabled Use the show controllers dot11radio1 command to confirm that DFS is enabled The command also includes indications that uniform spreading is required...

Страница 260: ...0 136 5700 140 5745 149 5765 153 5785 157 5805 161 May only be selected by Dynamic Frequency Selection DFS Listen Frequencies 5170 34 5190 38 5210 42 5230 46 5180 36 5200 40 5220 4 4 5240 48 5260 52 5...

Страница 261: ...mber frequency can only be used by Dynamic Frequency Selection DFS channel number dfs band 1 5 4 Return to the privileged EXEC mode end 5 Verify your entries show running config 6 Optional Save your e...

Страница 262: ...shows how to unblock frequencies 5 150 5 350 for DFS ap config if no dfs band 1 2 block This example shows how to unblock all frequencies for DFS ap config if no dfs band block Setting the 802 11n Gua...

Страница 263: ...et it measures the received signal strength indication RSSI and creates a UDP packet that contains the RSSI value and the time that the location packet was received The access point forwards the UDP p...

Страница 264: ...point accepts short location packets from the tag In short packets the LBS information is missing from the tag packet frame body and the packet indicates the tag transmit channel extended This is the...

Страница 265: ...ort A short preamble improves throughput performance Cisco Aironet Wireless LAN Client Adapters support short preambles Early models of Cisco Aironet s Wireless LAN Adapter PC4800 and PC4800A require...

Страница 266: ...on Description Gain Sets the resultant antenna gain in dB Diversity This default setting tells the wireless access point to use the antenna that receives the best signal If the wireless access point h...

Страница 267: ...us Probe Response GPR aids in conserving battery power in dual mode phones that support cellular and WLAN modes of operation GPR is available on 5 GHz radios and is disabled by default You can configu...

Страница 268: ...form of the command to disable the GPR feature Disabling and Enabling Aironet Extensions By default the wireless access point uses Stratix 802 11 extensions to detect the capabilities of Cisco Aironet...

Страница 269: ...he wireless access point the wireless access point sends the maximum allowed power level setting to the client Disabling Aironet extensions disables the features listed above but it sometimes improves...

Страница 270: ...02 11n 2 4 GHz radio is radio 0 The 802 11n 5 GHz radio is radio 1 interface dot11radio 0 1 3 Set the encapsulation transformation method to RFC 1042 rfc1042 the default setting or 802 1h dot1h payloa...

Страница 271: ...devices you increase performance but reduce reliability A Cisco Aironet Workgroup Bridge provides a wireless LAN connection for up to eight Ethernet enabled devices This feature is not supported on th...

Страница 272: ...ging and IBM Networking Configuration Guide You can also enable and disable PSPF by using the web browser interface The PSPF setting is on the Radio Settings pages PSPF is disabled by default Beginnin...

Страница 273: ...port 6 Optional Save your entries in the configuration file copy running config startup config To disable protected port use the no switchport protected interface configuration command For detailed in...

Страница 274: ...access point issues a request to send RTS before sending the packet A low RTS Threshold setting can be useful in areas where many client devices are associating with the wireless access point or in ar...

Страница 275: ...configuration mode for the radio interface The 2 4 GHz radio and the 2 4 GHz 802 11n radio is 0 The 5 GHz radio and the 5 GHz 802 11n radio is 1 interface dot11radio 0 1 3 Set the maximum data retries...

Страница 276: ...an increase throughput on the 802 11g 2 4 GHz radio by enabling short slot time Reducing the slot time from the standard 20 microseconds to the 9 microsecond short slot time decreases the overall back...

Страница 277: ...ts Configuring ClientLink Cisco ClientLink referred to as Beam Forming is an intelligent beamforming technology that directs the RF signal to 802 11a g devices to improve performance by 65 improve cov...

Страница 278: ...ckets This example shows how to begin debugging of the radio system log AP debug dot11 syslog This example shows how to stop debugging of all radio related events AP no debug dot11 events Table 85 Syn...

Страница 279: ...o each SSID VLAN Client authentication method Maximum number of client associations by using the SSID RADIUS accounting for traffic by using the SSID Guest mode Repeater mode including authentication...

Страница 280: ...at the interface level on CLI but the SSIDs are stored in global mode Storing all SSIDs in global mode makes sure that the SSID configuration remains correct when you upgrade to release later than Cis...

Страница 281: ...interface Table 87 Example SSID Configuration Converted to Global Mode after Upgrade SSID Configuration in 12 2 15 JA SSID Configuration after Upgrade to 12 3 7 JA interface dot11Radio 0 ssid engineer...

Страница 282: ...TAB and trailing spaces are invalid characters for SSIDs dot11 ssid ssid string 3 Optional Set an authentication username and password that the access point uses to authenticate to the network when i...

Страница 283: ...radio If multiple SSIDs are configured on the radio you must use the infrastructure ssid command to specify the SSID the non root bridge uses to connect to the root bridge However from 12 4 21a JA1 a...

Страница 284: ...onfig ssid exit AP config interface dot11radio 0 AP config if ssid batman AP config if end Viewing SSIDs Configured Globally Use this command to view configuration details for SSIDs that are configure...

Страница 285: ...authorized SSIDs that clients must use on your RADIUS authentication server The SSID authorization process consists of these steps 1 A client device associates to the access point by using any SSID co...

Страница 286: ...can have zero or more SSID VSAs per client In this example the following AV pair adds the SSID batman to the list of allowed SSIDs for a user cisco avpair ssid batman For instructions on configuring t...

Страница 287: ...orts multiple basic SSIDs if the results include this line Number of supported simultaneous BSSID on radio_interface 8 Guidelines for Using Multiple BSSIDs Keep these guidelines in mind when configuri...

Страница 288: ...figuring Multiple BSSIDs Follow these steps to configure multiple BSSIDs 1 Click Security The Security summary page appears If you use CLI instead of the GUI refer to CLI commands listed in the CLI Co...

Страница 289: ...are supported on SSIDs 8 Optional In the Multiple BSSID Beacon Settings section select the Set SSID as Guest Mode check box to include the SSID in beacons 9 Optional To increase the battery life for...

Страница 290: ...ce d0 ap config if mbssid ap config if exit ap config dot11 ssid visitor ap config ssid mbssid guest mode dtim period 75 ap config ssid exit ap config interface d0 ap config if ssid visitor You can al...

Страница 291: ...rect only packets directed to specific TCP or UDP ports as defined in an access control list When you configure the access point to redirect only packets addressed to specific ports the access point r...

Страница 292: ...is 0 The 5 GHz radio and the 5 GHz 802 11n radio is 1 interface dot11radio 0 1 3 Enter configuration mode for a specific SSID ssid ssid string 4 Enter IP redirect configuration mode for the IP addres...

Страница 293: ...onfig interface bvi1 AP config if ssid ip redirection host 10 91 104 91 access group redirect acl in AP config if ssid end Including an SSID in an SSIDL IE The access point beacon can advertise only o...

Страница 294: ...tisement wps Use the no form of the command to disable SSIDL IEs NAC Support for MBSSID Networks must be protected from security threats such as viruses worms and spyware These security threats disrup...

Страница 295: ...er When an infected client associates with an access point and sends its state to the RADIUS server the RADIUS server puts it into one of the quarantine VLANs based on its health This VLAN is sent in...

Страница 296: ...ssociated Data corresponding to the all the back up VLANs are sent and received by using the BSSID that is assigned to the SSID Therefore all clients healthy and unhealthy listening to the BSSID corre...

Страница 297: ...authentication 3 Configure the local profiles on the ACS server for posture validation 4 Configure the client and access point to let the client to successful authenticate by using EAP FAST 5 Verify t...

Страница 298: ...basic 1 0 basic 2 0 basic 5 5 6 0 9 0 basic 11 0 12 0 18 0 24 0 36 0 48 0 54 0 station role root interface Dot11Radio0 100 encapsulation dot1Q 100 native no ip route cache bridge group 1 bridge group...

Страница 299: ...FastEthernet0 100 encapsulation dot1Q 100 native no ip route cache bridge group 1 no bridge group 1 source learning bridge group 1 spanning disabled interface FastEthernet0 102 encapsulation dot1Q 10...

Страница 300: ...300 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 8 Configuring Multiple SSIDs Notes...

Страница 301: ...structure devices such as wireless access points and switches send and receive spanning tree frames called bridge protocol data units BPDUs at regular intervals The devices don t forward these frames...

Страница 302: ...oint maintains a separate spanning tree instance for each active VLAN configured on it A bridge ID consisting of the bridge priority and the access point s MAC address is associated with each instance...

Страница 303: ...ated access point If a access point receives a configuration BPDU that contains inferior information that is currently stored for that port it discards the BPDU If the access point is a designated acc...

Страница 304: ...s point priority value you change the probability that the access point is elected as the root access point Configuring a higher value decreases the probability a lower value increases the probability...

Страница 305: ...imes and at different places in the network When an interface transitions directly from nonparticipation in the spanning tree topology to the forwarding state it can create temporary data loops Interf...

Страница 306: ...he forwarding or blocking state When the spanning tree algorithm places a Layer 2 interface in the forwarding state this process occurs 1 The interface is in the listening state while spanning tree wa...

Страница 307: ...frames received on the port Does not learn addresses Receives BPDUs Listening State The listening state is the first state an interface enters after the blocking state The interface enters this state...

Страница 308: ...ed State An interface in the disabled state does not participate in frame forwarding or in the spanning tree An interface in the disabled state is nonoperational A disabled interface performs as follo...

Страница 309: ...to configure STP on the access point 1 Enter global configuration mode configure terminal 2 Enter interface configuration mode for radio or Ethernet interfaces or sub interfaces The 2 4 GHz radio and...

Страница 310: ...nd 9 Verify your entries show spanning tree bridge 10 Optional Save your entries in the configuration file copy running config startup config STP Configuration Examples These configuration examples sh...

Страница 311: ...ation role root no cdp enable infrastructure client bridge group 1 interface FastEthernet0 no ip address no ip route cache duplex auto speed auto bridge group 1 interface BVI1 ip address 1 4 64 23 255...

Страница 312: ...t zero bridge irb interface Dot11Radio0 no ip address no ip route cache ssid tsunami authentication open guest mode speed basic 6 0 9 0 12 0 18 0 24 0 36 0 48 0 54 0 rts threshold 2312 station role no...

Страница 313: ...shows the configuration of a root bridge with VLANs configured with STP enabled hostname master bridge hq ip subnet zero ip ssh time out 120 ip ssh authentication retries 3 bridge irb interface Dot11R...

Страница 314: ...encapsulation dot1Q 2 no ip route cache no cdp enable bridge group 2 interface Dot11Radio0 3 encapsulation dot1Q 3 no ip route cache bridge group 3 bridge group 3 path cost 500 interface FastEthernet...

Страница 315: ...y 1 4 0 1 bridge 1 protocol ieee bridge 1 route ip bridge 1 priority 9000 bridge 2 protocol ieee bridge 2 priority 10000 bridge 3 protocol ieee bridge 3 priority 3100 line con 0 exec timeout 0 0 line...

Страница 316: ...18 0 24 0 36 0 48 0 54 0 rts threshold 2312 station role non root no cdp enable interface Dot11Radio0 1 encapsulation dot1Q 1 native no ip route cache no cdp enable bridge group 1 interface Dot11Radio...

Страница 317: ...2 encapsulation dot1Q 2 no ip route cache bridge group 2 interface FastEthernet0 3 encapsulation dot1Q 3 no ip route cache bridge group 3 bridge group 3 path cost 400 interface BVI1 ip address 1 4 64...

Страница 318: ...1 Commands for Displaying Spanning tree Status Command Description show spanning tree Information on your network s spanning tree show spanning tree blocked ports List of blocked ports on this bridge...

Страница 319: ...ntirely local To provide local authentication service or back up authentication service in case of a WAN link or a server failure you can configure an access point to act as a local authentication ser...

Страница 320: ...al authenticator 1 On the local authenticator create a list of access points authorized to use the authenticator to authenticate client devices Each access point that uses the local authenticator is a...

Страница 321: ...nd is MAC authentication co existing with EAP authentication This mode enables a combination of MAC address authentication and EAP for authenticating the device or user The first step in either method...

Страница 322: ...From the Security menu click Advanced Security 3 Click the MAC Address Authentication tab to move to the MAC Address Authentication page 4 Select Local List Only for the MAC Address Authenticated by...

Страница 323: ...4 Otherwise skip to step 7 4 Select NEW from the Current SSID List 5 Provide the SSID name in the SSID text field 6 At the VLAN list select the VLAN to be used for this SSID Select NONE if VLANs are n...

Страница 324: ...nt Server List pull down menu select the server to be used for MAC authentication If you need to create a new server continue to step 4Step 4 Otherwise skip to step 11 4 Select NEW from the Current Se...

Страница 325: ...ver Timeout field specify the number of seconds an access point waits for a reply to a TACACS request before resending the request 15 In the RADIUS Server Timeout field specify the number of seconds a...

Страница 326: ...ist if you want to use the RADIUS server in conjunction with a local list 5 Click Apply in the MAC Address Authentication section Then complete Step 6 through Step 9 Otherwise choose Authentication Se...

Страница 327: ...elect NEW from the Current SSID List 5 Provide the SSID name in the SSID text field 6 From the VLAN pull down list select the VLAN to be used for this SSID Select NONE if VLANs are not enabled You can...

Страница 328: ...Apply Now that encryption is configured you must add a RADIUS or TACACS server Complete the following steps to add the RADIUS server 1 Click Security 2 From the Security menu click Server Manager 3 I...

Страница 329: ...e accounting updates are performed in the Accounting Updates Interval field 14 In the TACACS Server Timeout field specify the number of seconds an access point waits for a reply to a TACACS request be...

Страница 330: ...2 From the Security menu click Advanced Security 3 Click the Timers tab to go to the page where EAP authentication is specified 4 Choose one of the options that enable reauthentication These interval...

Страница 331: ...he local authenticator access point as a NAS Repeat this step to add each access point that uses the local authenticator nas ip address key shared key 5 Optional Enter user group configuration mode an...

Страница 332: ...it group configuration mode and return to authenticator configuration mode exit 11 Enter the LEAP and EAP FAST users allowed to authenticate by using the local authenticator You must enter a username...

Страница 333: ...d batman AP config radsrv group ssid robin AP config radsrv group reauthentication time 1800 AP config radsrv group block count 2 time 600 AP config radsrv group group cashiers AP config radsrv group...

Страница 334: ...S server The order of access point attempts to use the servers matches the order that you entered the servers in the access point configuration If you are configuring the access point to use RADIUS fo...

Страница 335: ...second server as dead 3 It tries and succeeds by using the local authenticator If another client device needs to authenticate during the 10 minute dead time interval the access point skips the first...

Страница 336: ...d where the PACs are valid after they have expired By default PACs are valid for 2 days one day default period plus one day grace period You can also apply the expiration of time and the grace period...

Страница 337: ...ring an Authority ID All EAP FAST authenticators are identified by an authority identity AID The local authenticator sends its AID to an authenticating client and the client checks its database for a...

Страница 338: ...clock to both generate PACs and to determine whether PACs are valid However relying on the access point clock can lead to PAC failures If your local authenticator access point receives its time settin...

Страница 339: ...no authentication eapfast AP config radsrv no authentication mac Unblocking Locked Usernames You can unblock usernames before the lockout time expires or when the lockout time is set to infinite In P...

Страница 340: ...to provision success the number of PACs generated automatically Auto provision failure the number of PACs not generated because of an invalid handshake packet or invalid username or password PAC refre...

Страница 341: ...to failed client authentications Use the eapfast option to display error messages related to EAP FAST authentication Use the sub options to select specific debugging information encryption information...

Страница 342: ...342 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 10 Configure an Access Point as a Local Authenticator Notes...

Страница 343: ...e access point and client devices to keep the communication private Both the access point and client devices use the same WEP key to encrypt and unencrypt radio signals WEP keys encrypt both unicast a...

Страница 344: ...gned to achieve the best possible security on legacy hardware built to run WEP TKIP adds four enhancements to WEP A per packet key mixing function to defeat weak key attacks A new IV sequencing discip...

Страница 345: ...ce dot11radio 0 1 3 Create a WEP key and set up its properties Optional Select the VLAN to create a key Name the key slot where the WEP key resides You can assign up to four WEP keys for each VLAN Ent...

Страница 346: ...y Restriction CCKM or WPA authenticated key management Cannot configure a WEP key in key slot 1 LEAP or EAP authentication Cannot configure a WEP key in key slot 4 Cipher suite with 40 bit WEP Cannot...

Страница 347: ...idelines for selecting a cipher suite that matches the type of authenticated key management you configure 4 Optional Select the VLAN that you want enabled for WEP and WEP features 5 Set the cipher opt...

Страница 348: ...er TKIP not TKIP WEP 128 or TKIP WEP 40 for an SSID the SSID must use WPA or CCKM key management Client authentication fails on an SSID that uses the cipher TKIP without enabling WPA or CCKM key manag...

Страница 349: ...and the 2 4 GHz 802 11n radio is 0 The 5 GHz radio and the 5 GHz 802 11n radio is 1 interface dot11radio 0 1 Table 94 Cipher Suites Compatible with WPA and CCKM Authenticated Key Management Types Com...

Страница 350: ...tes a dynamic group key when the last non key management static WEP client disassociates and it distributes the statically configured WEP key when the first non key management static WEP client authen...

Страница 351: ...types that rely on an authentication server on your network The access point uses several authentication mechanisms or types and can use more than one at the same time Topic Page Understanding Authent...

Страница 352: ...red key authentication the access point sends an unencrypted challenge text string to any device attempting to communicate with the access point The device requesting authentication encrypts the chall...

Страница 353: ...key and sends it to the client When you enable EAP on your access points and client devices authentication to the network occurs in the sequence shown in this figure Figure 93 Sequence for EAP Authent...

Страница 354: ...keys for all communication during the remainder of the session There is more than one type of EAP authentication but the access point behaves the same way for each type it relays authentication messa...

Страница 355: ...cation fails EAP authentication takes place See the Assigning Authentication Types to an SSID on page 359 for instructions on setting up this combination of authentications TIP If MAC authenticated cl...

Страница 356: ...ccess point and the reassociation process is reduced to a two packet exchange between the roaming client and the new access point Roaming clients reassociate so quickly that there is no perceptible de...

Страница 357: ...ise master key PMK By using WPA the server generates the PMK dynamically and passes it to the access point When using WPA PSK however you configure a pre shared key on both the client and the access p...

Страница 358: ...ni PCI and PC cardbus card driver version 3 7 Aironet Client Utility ACU version 6 2 Client firmware version 5 30 13 88965 Client and server authenticate to each other generating an EAP master key Cli...

Страница 359: ...ent version 2 1 Supported Platform Operating Systems LEAP with CKIP This security combination requires 12 2 11 JA or later No pages 95 98 Me NT 2000 XP pages CE Mac OS X Linux DOS LEAP with CCKM and C...

Страница 360: ...st name a Optional Set the SSID s authentication type to open with MAC address authentication The access point forces all client devices to perform MAC address authentication before they are allowed t...

Страница 361: ...le RADIUS server the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key However the access point does not force all...

Страница 362: ...n mode for the SSID s VLAN to one of the cipher suite options To enable both CCKM and WPA you must set the encryption mode to a cipher suite that includes TKIP See the Configuring Cipher Suites and WE...

Страница 363: ...ient device types to associate to the access point by using the same SSID WPA clients capable of TKIP and authenticated key management 802 1X 2001 clients such as legacy LEAP clients and clients by us...

Страница 364: ...fig interface dot11radio 0 ap1200 config if ssid migrate ap1200 config ssid end Configuring Additional WPA Settings Use two optional settings to configure a pre shared key on the access point and adju...

Страница 365: ...EP key when the first non key management static WEP client authenticates In WPA migration mode this feature significantly improves the security of key management capable clients when there are no stat...

Страница 366: ...sk ascii batmobile65 ap config interface dot11radio 0 ap config ssid ssid batman ap config if exit ap config broadcast key vlan 87 membership termination capability change Configuring MAC Authenticati...

Страница 367: ...ac authen filter cache address 5 Clear all entries in the cache Include client MAC addresses to clear specific clients from the cache clear dot11 aaa mac authen filter cache address 6 Return to privil...

Страница 368: ...response seconds local The RADIUS server can be configured to send a different timeout value that overrides the one that is configured Enter the local keyword to configure the access point to ignore...

Страница 369: ...o reset the values to default settings TIP If you configure both MAC address authentication and EAP authentication for an SSID the server sends the Session Timeout attribute for both MAC and EAP authe...

Страница 370: ...te a command or set its defaults Use the show eap registrations method command to view the currently available registered EAP methods Use the show eap sessions command to view existing EAP sessions Se...

Страница 371: ...t1x eap profile profile 4 Exit the interface configuration mode end Applying an EAP Profile to an Uplink SSID This operation typically applies to repeater access points Beginning in the privileged exe...

Страница 372: ...s and WEP on the access point TIP Some non Cisco Aironet client adapters don t perform 802 1X authentication to the access point unless you configure Open authentication with EAP To allow both Cisco A...

Страница 373: ...SID To allow both WPA and non WPA clients to use the SSID enable optional WPA 802 1X authentication and CCKM Enable LEAP Choose a cipher suite and enable Network EAP and CCKM for the SSID Toallowboth8...

Страница 374: ...l encryption and enable EAP and Open authentication for the SSID If using pages XP to configure card Choose Enable network access control by using IEEE 802 1X and SIM Authentication as the EAP Type Se...

Страница 375: ...s Module WLSM An access point configured as the WDS device supports up to 60 participating access points an Integrated Services Router ISR configured as the WDS devices supports up to 100 participatin...

Страница 376: ...lace Authenticates all access points in the subnet and establishes a secure communication channel with each of them Collects radio data from access points in the subnet aggregates the data and forward...

Страница 377: ...t to access point throughout the installation Some applications running on client devices require fast reassociation when they roam to a different access point Voice applications for example require s...

Страница 378: ...che of credentials for CCKM capable client devices on your wireless LAN When a CCKM capable client roams from one access point to another the client sends a reassociation request to the new access poi...

Страница 379: ...sw cscowork ps3915 tsd_products_support_series_home html Understanding Layer 3 Mobility When you use a WLSM as the WDS device on your network you can install access points anywhere in a large Layer 3...

Страница 380: ...8 ns337 networking_solutions_package html CiscoWorks Wireless LAN Solution Engine WLSE CiscoSecure ACS AAA Server Catalyst 6500 Wireless Domain Services WDS on the Wireless LAN Solutions Module WLSM C...

Страница 381: ...nt frames over the radio to overwhelm access points that have to process the frames As part of the WIDS feature set access points in scanning mode and root access points monitor radio signals and dete...

Страница 382: ...not configure a WDS access point to return fall back to repeater mode in case of Ethernet failure You cannot configure a Cisco 350 series access point as your main WDS device However you can configur...

Страница 383: ...re the rest of your access points to use the WDS device 3 Configure the authentication server on your network to authenticate the WDS device and the access points that use the WDS device This figure s...

Страница 384: ...WDS access point to fall back to repeater mode in case of Ethernet failure When WDS is enabled the WDS access point performs and tracks all authentications Therefore you must configure EAP security s...

Страница 385: ...o to the WDS WNM Summary page 3 On the WDS WNM Summary page click General Setup to go to the WDS WNM General Setup page The WDS WNM General Setup page appears Figure 102 WDS WNM General Setup Page 4 C...

Страница 386: ...f you don t check this check box the WDS device uses the server specified for MAC address authentication on the Server Groups page to authenticate clients based on MAC addresses 7 Optional If you use...

Страница 387: ...ame in the Server Group Name field 2 From the Priority 1 pull down menu choose the primary server If a server that you need to add to the group does not appear in the Priority pull down menus click De...

Страница 388: ...group does not appear in the Priority pull down menus click Define Servers to browse to the Server Manager page Configure the server there and then return to the WDS Server Groups page 8 Optional Choo...

Страница 389: ...ig wlccp wds priority 200 interface bvi1 AP config wlccp authentication server infrastructure infra_devices AP config wlccp authentication server client any client_devices AP config wlccp auth ssid fr...

Страница 390: ...Wireless Services AP Page 3 Click Enable for the Participate in SWAN Infrastructure setting 4 Optional If you use a WLSM switch module as the WDS device on your network choose Specified Discovery and...

Страница 391: ...7 wes7win8 AP config end In this example the access point is enabled to interact with the WDS device and it authenticates to your authentication server by using APWestWing as its username and wes7win8...

Страница 392: ...IP address of the client device MN authenticator show wlccp wds ap mn detail mac addr mac address On the WDS device use only this command to display cached information about access points and client d...

Страница 393: ...ess point ISR or switch configured as a local authenticator Cisco Aironet client devices or Cisco compatible client devices that comply with Cisco Compatible Extensions CCX version 2 or later For inst...

Страница 394: ...ing the access points on your wireless LAN must be configured to participate in WDS and they must allow CCKM authenticated key management for at least one SSID Follow these steps to configure CCKM for...

Страница 395: ...our access point contains multiple radio interfaces select the interfaces that the SSID applies to b Under Authentication Settings choose Network EAP When you enable CCKM you must enable Network EAP a...

Страница 396: ...g end In this example the SSID fastroam is configured to support Network EAP and CCKM the CKIP CMIC cipher suite is enabled on the 2 4 GHz radio interface and the SSID fastroam is enabled on the 2 4 G...

Страница 397: ...MFP access point for Simple Network Transfer Protocol SNTP Overview Client MFP encrypts class 3 management frames sent between access points and CCXv5 capable client stations so that both AP and clie...

Страница 398: ...optional for a particular SSID To configure Client MFP as required you must configure the SSID with key management WPA version 2 mandatory If the key management is not WPAv2 mandatory an error message...

Страница 399: ...rticular SSID 1 Enter global configuration mode configure terminal 2 Configures the access point as an MFP generator When enabled the access point protects the management frames it transmits by adding...

Страница 400: ...ectors dot11 ids mfp distributor 3 Return to the privileged EXEC mode end 4 Optional Save your entries in the configuration file copy running config startup config Configuring Radio Management When yo...

Страница 401: ...Intrusion Detection Services Chapter 13 2 Click WDS 3 Check Use this AP as Wireless Domain Services and Configure Wireless Network Manager 4 In the Wireless Network Manager IP Address field enter the...

Страница 402: ...onfigured to participate in WDS and in radio management Follow the steps in the Configuring Access Points to Use the WDS Device on page 390 and in the Configuring Radio Management on page 400 to confi...

Страница 403: ...vity However in monitor mode the access point monitors only the channel that is configured Beginning in privileged EXEC mode follow these steps to configure the access point to capture and forward 802...

Страница 404: ...nt IP address 10 91 107 19 Endpoint port 2000 Frame Truncation Length 535 bytes Dot11Radio 1 WLAN Monitoring Disabled WLAN Monitor Statistics Total No of frames rx by DOT11 driver 58475 Total No of Do...

Страница 405: ...ough authentication requests to impact your network In monitor mode the access point tracks the rate that 802 1X clients attempt to authenticate through the access point If your network is attacked th...

Страница 406: ...etween client and SUP Because of the WLSM failure the control traffic going between the access point and the WLSM is disrupted as shown in Figure 108 on page 406 This prevents the access points from a...

Страница 407: ...running RADIUS server software from Cisco Secure Access Control Server version 3 0 Livingston Merit Microsoft or another software provider For more information refer to the RADIUS server documentation...

Страница 408: ...data to be sent at the start and end of services showing the amount of resources such as time packets bytes and so forth used during the session An Internet service provider can use a freeware based...

Страница 409: ...server When mutual authentication is complete the RADIUS server and the client determine a WEP key that is unique to the client and provides the client with the appropriate level of network access th...

Страница 410: ...user You can use method lists to designate one or more security protocols to be used thus ensuring a back up system if the initial method fails The software uses the first method listed to authentica...

Страница 411: ...use the AAA security commands you must specify the host running the RADIUS server daemon and a secret text key string that it shares with the access point The timeout retransmission and encryption key...

Страница 412: ...onding or responding slowly The range is 1 1000 If no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optio...

Страница 413: ...hostname ip address global configuration command This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting AP config radius server host...

Страница 414: ...to authenticate users if that method fails to respond the software selects the next authentication method in the method list This process continues until there is successful communication with a list...

Страница 415: ...e console tty vty line number ending line number 5 Apply the authentication list to a line or set of lines If you specify default use the default list created with the aaa authentication login command...

Страница 416: ...ts IP address or identify multiple host instances or entries by using the optional authport and acct port keywords Beginning in privileged EXEC mode follow these steps to define the AAA server group a...

Страница 417: ...IUS server in the AAA server group Each server in the group must be previously defined in Step 2 server ip address 6 Return to privileged EXEC mode end 7 Verify your entries show running config 8 Opti...

Страница 418: ...services available to a user When AAA authorization is enabled the access point uses information retrieved from the user s profile that is in the local user database or on the security server to confi...

Страница 419: ...onfig 6 Optional Save your entries in the configuration file copy running config startup config To disable authorization use the no aaa authorization network exec method1 global configuration command...

Страница 420: ...listens for PoD requests The default value is 1700 auth type This parameter is not supported for 802 11 sessions clients Optional Up to four RADIUS servers can be nominated as clients If this configur...

Страница 421: ...S security server in the form of accounting records Each accounting record contains accounting attribute value AV pairs and is stored on the security server This data can then be analyzed for network...

Страница 422: ...Configuring Settings for All RADIUS Servers Beginning in privileged EXEC mode follow these steps to configure global communication settings between the access point and all RADIUS servers 1 Enter glob...

Страница 423: ...ribute for authentication radius server attribute 32 include in access req format h 7 Return to privileged EXEC mode end 8 Verify your settings show running config 9 Optional Save your entries in the...

Страница 424: ...tory attributes and the asterisk for optional attributes This lets a full set of features available for TACACS authorization to also be used for RADIUS For example the following AV pair activates Cisc...

Страница 425: ...cess point and the RADIUS server some vendors have extended the RADIUS attribute set in a unique way Cisco IOS software supports a subset of vendor proprietary RADIUS attributes As mentioned earlier t...

Страница 426: ...DIUS Attributes The Wi Fi Alliance s WISPr Best Current Practices for Wireless Internet Service Provider WISP Roaming document lists RADIUS attributes that access points must send with RADIUS accounti...

Страница 427: ...ter the location name in this format hotspot_operator_name location snmp server location location 3 Specify ISO and ITU country and area codes that the access point includes in accounting and authenti...

Страница 428: ...and RADIUS Attributes Sent by the Access Point Table 99 on page 428 through Table 101 on page 429 identify the attributes sent by an access point to a client in access request access accept and accoun...

Страница 429: ...a VLAN override number 65 Tunnel Medium Type1 79 EAP Message 80 Message Authenticator 81 Tunnel Private Group ID1 VSA attribute 26 LEAP session key VSA attribute 26 Auth Algo Type VSA attribute 26 SS...

Страница 430: ...Packets 48 Acct Output Packets 61 NAS Port Type VSA attribute 26 SSID VSA attribute 26 NAS Location VSA attribute 26 VLAN ID VSA attribute 26 Connect Progress VSA attribute 26 Cisco NAS Port VSA attr...

Страница 431: ...ted to the access point TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or pages NT workstation Access and configure a TACACS server before configuring TACA...

Страница 432: ...CS authorization feature Accounting Collects and sends information used for billing auditing and reporting to the TACACS daemon Network managers can use the accounting facility to track administrator...

Страница 433: ...oint to support TACACS you must identify the host or hosts maintaining the TACACS daemon and define the method lists for TACACS authentication You can optionally define method lists for TACACS authori...

Страница 434: ...CS server and optionally set the encryption key 1 Enter global configuration mode configure terminal 2 Identify the IP host or hosts maintaining a TACACS server Enter this command multiple times to cr...

Страница 435: ...ethod list defines the types of authentication and the sequence performed it must be applied to a specific interface before any of the defined authentication methods are performed The only exception i...

Страница 436: ...the previous method returns an error not if it fails Choose one of these methods line Use the line password for authentication You must define a line password before you can use this authentication m...

Страница 437: ...leged EXEC Access and Network Services AAA authorization limits the services available to an administrator When AAA authorization is enabled the access point uses information retrieved from the admini...

Страница 438: ...your entries in the configuration file copy running config startup config To disable authorization use the no aaa authorization network exec method1 global configuration command Starting TACACS Accoun...

Страница 439: ...at the end aaa accounting exec start stop tacacs 4 Return to privileged EXEC mode end 5 Verify your entries show running config 6 Optional Save your entries in the configuration file copy running conf...

Страница 440: ...440 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 14 Configuring RADIUS and TACACS Servers Notes...

Страница 441: ...than physically unplugging and moving devices or wires A VLAN can be thought of as a broadcast domain that exists within a defined set of switches A VLAN consists of a number of end systems either hos...

Страница 442: ...ed on the access point As a result the Ethernet switch connects to the access point and generates a warning message There is no loss of function on both the access point and the switch However the swi...

Страница 443: ...detailed information pertaining to VLAN design and configuration Cisco IOS Switching Services Configuration Guide Cisco Internetwork Design Guide Cisco Internetworking Technology Handbook Cisco Intern...

Страница 444: ...can support up to 16 VLANs You can assign only one SSID to a VLAN You can use the VLAN feature to deploy wireless devices with greater efficiency and flexibility For example one access point can now...

Страница 445: ...etailed instructions on assigning authentication types to SSIDs see Configuring Authentication Types on page 351 For instructions on assigning other settings to SSIDs see Configuring Multiple SSIDs on...

Страница 446: ...adio interface Optional Designate the VLAN as the native VLAN On many networks the native VLAN is VLAN 1 encapsulation dot1q vlan id native 8 Return to global configuration mode exit 9 Enter interface...

Страница 447: ...interface fastEthernet0 1 ap1200Router config subif encapsulation dot1q 1 native ap1200Router config subif exit ap1200Router config end Assigning Names to VLANs You can assign a name to a VLAN in add...

Страница 448: ...me and ID pairs configured on the access point Using a RADIUS Server to Assign Users to VLANs You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN...

Страница 449: ...y Group Assignment You can configure a RADIUS server to dynamically assign mobility groups to users or user groups This eliminates the need to configure multiple SSIDs on the access point Instead you...

Страница 450: ...of access are available through VLANs configured on the wired network Management access Highest level of access users can access all internal drives and files departmental databases top level financi...

Страница 451: ...te to the access point they automatically belong to the correct VLAN Complete these steps to support the VLANs in this example 1 Configure or confirm the configuration of these VLANs on one of the swi...

Страница 452: ...native ap1200Router config subif exit You don t need to configure a bridge group on the subinterface that youset upas the nativeVLAN This bridge group is moved to thenative subinterface automatically...

Страница 453: ...onfiguring VLANs Chapter 15 no bridge group 2 unicast flooding bridge group 2 spanning disabled When you configure a bridge group on the FastEthernet interface these commands are set automatically no...

Страница 454: ...LAN and all untagged frames are implicitly associated with this default VLAN ID Configure one of your VLANs to be configured as the native Complete these steps to configure the VLAN 1 From the Service...

Страница 455: ...e Encryption Manager page appears 3 Choose the VLAN you are configuring from the Set Encryption Mode and Keys for VLAN pull down list 4 In the Encryption Mode section determine what encryption if any...

Страница 456: ...456 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 15 Configuring VLANs...

Страница 457: ...ss point you can select specific network traffic prioritize it and use congestion management and congestion avoidance techniques to provide preferential treatment Implementing QoS in your wireless LAN...

Страница 458: ...pectralink phones by using the class map IP protocol clause with the protocol value set to 119 To contrast the wireless LAN QoS implementation with the QoS implementation on other Cisco network device...

Страница 459: ...based on the Layer 2 class of service value for each packet The access point applies QoS policies in this order Packetsalreadyclassified When the access point receives packets from a QoS enabled swit...

Страница 460: ...t Implementing QoS in your wireless LAN makes network performance more predictable and bandwidth utilization more effective When you configure QoS you create QoS policies and apply the policies to the...

Страница 461: ...y 4 Type a name for the QoS policy in the Policy Name entry field The name can contain up to 25 alphanumeric characters Do not include spaces in the policy name If the packets you need to prioritize c...

Страница 462: ...l 7 7 Click Add beside the Class of Service menu for IP Precedence The classification appears in the Classifications field To delete a classification select it and click Delete beside the Classificati...

Страница 463: ...vice that you want the access point to apply to Spectralink phone packets The access point matches Spectralink phone packets with your class of service selection 10 Click Add beside the Class of Servi...

Страница 464: ...example shows how to enable IEEE 802 11 phone support with the legacy QBSS Load element AP config dot11 phone This example shows how to enable IEEE 802 11 phone support with the standard IEEE 802 11e...

Страница 465: ...ty retries without signalling a replay on the receiving station For access classes that are configured to allow it transmitters that are qualified to transmit through the normal backoff procedure are...

Страница 466: ...helps control the allocation of bandwidth If you have plenty of bandwidth on your wireless LAN you do not need to configure QoS The ampdu command is available for the 802 11n radio interfaces Aggregat...

Страница 467: ...recedence classification from the IP Precedence pull down menu The classifications include these choices Routine 0 Priority 1 Immediate 2 Flash 3 Flash Override 4 Critic CCP 5 Internet Control 6 Netwo...

Страница 468: ...sification from the IP DSCP pull down menu The classifications include these choices Best Effort Assured Forwarding Class 1 Low Assured Forwarding Class 1 Medium Assured Forwarding Class 1 High Assure...

Страница 469: ...oint a link to the Apply Filters page appears instead of the Filter pull down menu For example you could assign a high priority to a MAC address filter that includes the MAC addresses of IP phones 15...

Страница 470: ...d on the access point pull down menus for each VLANs virtual ports appear in this section If VLANs are not configured on the access point pull down menus for each interface appear 19 Click Apply at th...

Страница 471: ...mapping is enabled by default To disable it browse to the QoS Policies Advanced page select No for Map Ethernet Packets with CoS 5 to CoS 6 and click Apply WiFiMultimedia WMM By using the Admission C...

Страница 472: ...d The values listed in this table are to the power of 2 The access point computes Contention page values with this equation CW 2 X minus 1 where X is the value from Table 107 on page 472 IMPORTANT Rat...

Страница 473: ...HY rate in the ADDTS request against the nominal rates defined by the CLI command traffic stream If they don t match the access point rejects the ADDTS request If you choose Optimized Voice Settings s...

Страница 474: ...n an access point s radio For a list of Cisco IOS commands for configuring admission control by using CLI see the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges Guide 1 Click...

Страница 475: ...sionControl You can use two CLI commands to display information to help you troubleshoot admission control problems To display current admission control settings on radio 0 enter the following command...

Страница 476: ...476 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 16 Configuring QoS Notes...

Страница 477: ...access from the wired LAN IP address and MAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific IP or MAC addresses You can cre...

Страница 478: ...I 2 Use the console port or Telnet to access the ACL through the Ethernet interface or the wireless interface 3 Enter global configuration mode 4 Create a Time Range For this example Test AP config ti...

Страница 479: ...e BVI interfaces as long as a separate ACL is used for the BVI interface CLIConfigurationExample This example shows the CLI commands that are equivalent to the steps listed in the Using MAC Address AC...

Страница 480: ...NMP filter on the access point s radio port prevents wireless client devices from using SNMP with the access point but does not block SNMP access from the wired LAN IP address and MAC address filters...

Страница 481: ...these steps to create a MAC address filter 1 From the top navigation menu click Services 2 From the Services menu click Filters to move to the Services Filters Apply Filters page 3 On the Apply Filte...

Страница 482: ...482 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 17 Configuring Filters...

Страница 483: ...Add MAC Address field Enter the address with periods separating the three groups of four characters for example 0040 9612 3456 6 Use the Mask entry field to indicate how many bits from left to right...

Страница 484: ...step 8 to add addresses to the filter 10 From the Default Action menu choose Forward All or Block All The default action of the filter must be the opposite of the action for at least one of the addres...

Страница 485: ...can use MAC address ACLs to block or allow association to the access point Instead of filtering traffic across an interface you use the ACL to filter associations to the access point radio Follow thes...

Страница 486: ...oose Forward from the Action menu Select Block for addresses that you want to prevent from associating Select Block All from the Default Action menu 2 From the main menu click Security This figure sho...

Страница 487: ...n Publication 1783 UM006A EN P May 2014 487 Configuring Filters Chapter 17 4 Click Association Access List tab Figure 117 Association Access List Page 5 Select your MAC address ACL from the pull down...

Страница 488: ...addresses except those you specify You can create filters that contain elements of one two or all three IP filtering methods You can apply the filters you create to either or both the Ethernet and ra...

Страница 489: ...Rockwell Automation Publication 1783 UM006A EN P May 2014 489 Configuring Filters Chapter 17...

Страница 490: ...action for all of them you must choose Forward All as the filter s default action Filteran IPaddress Follow these steps to filter an IP Address 1 Enter an address in the Destination Address and Sourc...

Страница 491: ...1 through step 3 to add addresses to the filter If you do not need to add IP protocol or IP port elements to the filter click Apply 5 From the IP Protocol pull down menu select one of the common proto...

Страница 492: ...the access point FilteraTCPorUDPPortNumber Follow these steps to filter a TCP or UDP port number 1 From the TCP Port or UDP Port pull down menus select one of the common port protocols or select Cust...

Страница 493: ...ss point s Ethernet and radio ports and IP address filters allow or prevent the forwarding of unicast and multicast packets either sent from or addressed to specific IP addresses You can create a filt...

Страница 494: ...edit an existing filter select the filter name 2 Enter a descriptive name for the new filter in the Filter Name field 3 From the Default Action pull down select Forward all or Block all The filter s d...

Страница 495: ...an IP protocol select one of the common protocols from the IP Protocol pull down menu or select the Custom radio button and enter the number of an existing ACL in the Custom field Enter an ACL number...

Страница 496: ...ers page Figure 119 Apply Filters Page 16 From one of the IP pull down menu select the filter name You can apply the filter to either or both the Ethernet and radio ports and to either or both incomin...

Страница 497: ...create an Ethertype filter 1 Follow the link path to the Ethertype Filters page 2 If you are creating a new filter make sure NEW the default is selected in the Create Edit Filter Index menu To edit a...

Страница 498: ...or Block All The filter s default action must be the opposite of the action for at least one of the Ethertypes in the filter For example if you enter several Ethertypes and you choose Block as the act...

Страница 499: ...oint radio port when the radio is associated to another wireless infrastructure device such as an access point or a bridge CDP is sent on the lowest VLAN number configured on the access point When mor...

Страница 500: ...ure terminal 2 Optional Specify the amount of time you want a receiving device to hold the information sent by the device before discarding it The range is from 10 255 s the default is 180 s cdp holdt...

Страница 501: ...teps to disable the CDP device discovery capability 1 Enter global configuration mode configure terminal 2 Disable CDP no cdp run 3 Return to Privileged EXEC mode end Beginning in privileged EXEC mode...

Страница 502: ...entries in the configuration file copy running config startup config Beginning in privileged EXEC mode follow these steps to enable CDP on an interface 1 Enter global configuration mode configure term...

Страница 503: ...as frequency of transmissions and the holdtime for packets being sent show cdp entry entry name protocol version Display information about a specific neighbor You can enter an asterisk to display all...

Страница 504: ...ilities Trans Bridge Switch Interface GigabitEthernet0 1 Port ID outgoing port FastEthernet0 10 Holdtime 141 sec Version Cisco Internetwork Operating System Software IOS tm C3500XL Software C3500XL C3...

Страница 505: ...is administratively down line protocol is down Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 seconds GigabitEthernet0 4 is up line protocol is down Encapsulation ARPA Sending...

Страница 506: ...tch H Host I IGMP r Repeater Device ID Local Interface Holdtme Capability Platform Port ID Perdido2 Gig 0 6 125 R S I WS C3550 1Gig 0 6 Perdido2 Gig 0 5 125 R S I WS C3550 1Gig 0 5 AP show cdp traffic...

Страница 507: ...ent information base MIB reside on the access point To configure SNMP on the access point you define the relationship between the manager and the agent The SNMP agent contains MIB variables whose valu...

Страница 508: ...and SNMPv2 are stored and transferred as plain text without encryption In the SNMPv3 security model SNMP users authenticate and join a user group Access to system data is restricted based on the grou...

Страница 509: ...event has occurred on the agent Examples of trap conditions include but are not limited to when a port or module goes up or down when spanning tree topology changes occur and when authentication failu...

Страница 510: ...les to set device variables and to poll devices on the network for specific information The results of a poll can be displayed as a graph and analyzed to troubleshoot internet working problems increas...

Страница 511: ...se the SNMP community string to define the relationship between the SNMP manager and the agent The community string acts like a password to permit access to the agent on the access point Optionally yo...

Страница 512: ...ement stations to retrieve and modify MIB objects By default the community string permits read only access to all objects snmp server community string access list number view mib view ro rw 3 Optional...

Страница 513: ...for that community to the null string don t enter a value for the community string To remove a specific community string use the no snmp server community string global configuration command This examp...

Страница 514: ...at the access point generates when certain events occur By default no trap manager is defined and no traps are issued Access points running this Cisco IOS release can have an unlimited number of trap...

Страница 515: ...ersion 1 the default is not available with informs Version 3 has three security levels auth Specifies authentication of packets without encryption noauth Specifies no authentication and no encryption...

Страница 516: ...act and Location Information Beginning in privileged EXEC mode follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the config...

Страница 517: ...hows how to assign the strings open and ieee to SNMP to allow read write access for both and to specify that open is the community string for queries on non IEEE802dot11 MIB objects and ieee is the co...

Страница 518: ...ds for the host cisco com AP config snmp server enable traps entity AP config snmp server host cisco com restricted entity This example shows how to enable the access point to send all traps to the ho...

Страница 519: ...snmp server user fred admin v3 encrypted auth md5 abc789 priv des56 key99 Displaying SNMP Status To display SNMP input and output statistics including the number of illegal community string entries er...

Страница 520: ...520 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 19 Configuring SNMP Notes...

Страница 521: ...the wired LAN The data is sent through the route that provides the best performance for the client When you configure an access point as a repeater the access point s Ethernet port does not forward t...

Страница 522: ...oint to which repeaters are associated The infrastructure SSID must be assigned to the native VLAN If more than one VLAN is created on an access point or wireless bridge an infrastructure SSID cannot...

Страница 523: ...int match the data rates on the parent access point For instructions on configuring data rates see Configuring Radio Data Rates on page 247 Repeater access points support only the native VLAN You cann...

Страница 524: ...s SSID unless you also enter the optional keyword The infrastructure SSID must be assigned to the native VLAN If more than one VLAN is created on an access point or wireless bridge an infrastructure S...

Страница 525: ...erminal AP config interface dot11radio 0 AP config if ssid chicago AP config ssid infrastructure ssid AP config ssid exit AP config if station role repeater AP config if dot11 extensions aironet AP co...

Страница 526: ...p the repeater check the status indicators on top of the repeater access point If your repeater is functioning correctly the status indicators on the repeater and the root access point behave like thi...

Страница 527: ...ged Exec mode follow these instructions to set up the repeater as a LEAP client 1 Enter global configuration mode configure terminal 2 Enter interface configuration mode for the radio interface The 2...

Страница 528: ...onal 7 Return to privileged EXEC mode end 8 Optional Save your entries in the configuration file copy running config startup config Setting Up a Repeater as a WPA Client WPA key management uses a comb...

Страница 529: ...h both the Ethernet and the radio ports If the monitored access point fails to respond the standby access point comes online and takes the monitored access point s place in the network Except for the...

Страница 530: ...red access point Default IP Subnet Mask Default Gateway Data rates WEP settings Authentication types and authentication servers If the monitored access point goes offline and the standby access point...

Страница 531: ...e monitored access point and is functioning as a repeater access point IAPP AP is operating in repeater mode The standby access point has taken over for the monitored access point and is functioning a...

Страница 532: ...he standby unit to use the BSSID s new MAC address Hot standby is not supported on the BR1410 configured for AP mode iapp standby mac address 3 Enter interface configuration mode for the radio interfa...

Страница 533: ...ioned The default timeout is 20 seconds Increase the standby timeout setting if the bridged path between the standby and monitored access points can be lost for periods greater than 20 seconds during...

Страница 534: ...access point is not configured for standby mode IAPP AP is in standby mode The access point is in standby mode IAPP AP is operating in active mode The standby access point has taken over for the moni...

Страница 535: ...as a workgroup bridge the other radio interface remains up If multiple BSSIDs are configured on a root access point that is designated as the parent of a workgroup bridge the parent MAC address can ch...

Страница 536: ...and Workgroup Bridge Mode This figure shows an access point in workgroup bridge mode Figure 123 Access Point in Workgroup Bridge Mode Access Point Root Unit 121646 Wired LAN ETHERNE T SPEED 1 5 2 6 3...

Страница 537: ...ucture SSID The performance cost of reliable multicast delivery duplication of each multicast packet sent to each workgroup bridge limits the number of infrastructure devices including workgroup bridg...

Страница 538: ...set of limited channels to reduce the hand off delay when the workgroup bridge roams from one access point to another By limiting the number of channels the workgroup bridge scans only to those requir...

Страница 539: ...the mobile station ignore neighbor list command to disable processing of CCX neighbor list reports This command is effective if the workgroup bridge is configured only for limited scanning channel sca...

Страница 540: ...sending to the WLC In the downstream direction while forwarding the packet to the switch connecting the wired client the WLC sends the packet to WGB without the 802 1q tag and WGB adds a 4 byte 802 1q...

Страница 541: ...ured on the parent access point the MAC address for the parent can change if a BSSID on the parent is added or deleted Optional You can also enter a timeout value in seconds that determines how long t...

Страница 542: ...ronment You can configure an access point to operate as a workgroup bridge so that it can provide wireless connectivity to a lightweight access point on behalf of clients that are connected by Etherne...

Страница 543: ...in client mode default value are supported Those in infrastructure mode are not supported Perform one of the following to enable client mode on the workgroup bridge On the workgroup bridge access poi...

Страница 544: ...after the workgroup bridge has roamed to another controller for example to a foreign controller the wired client s IP address appears only on the anchor controller not on the foreign controller When...

Страница 545: ...y that the workgroup bridge is associated to an access point enter this command on the workgroup bridge show dot11 association If a wired client does not send traffic for an extended period of time th...

Страница 546: ...nicast frame Cisco IOS Releases 15 2 2 JA and later provide VideoStream support for wired devices connected to workgroup bridges For access points running release 15 2 2 JA and later the workgroup bri...

Страница 547: ...ges to the console When the logging process is disabled messages are sent only to the console The messages are sent as they are generated so message and debug output are interspersed with prompts or o...

Страница 548: ...mmand service sequence numbers service timestamps log datetime service timestamps log datetime localtime msec show timezone or service timestamps log uptime This table describes the elements of syslog...

Страница 549: ...System Message Logging Configuration This table shows the default system message logging configuration Disabling and Enabling Message Logging Message logging is enabled by default It must be enabled...

Страница 550: ...bling the logging process can slow down the access point because a process must wait until the messages are written to the console before continuing When the logging process is disabled messages are d...

Страница 551: ...ost to be used as the syslog server To build a list of syslog servers that receive logging messages enter this command more than once For complete syslog server configuration steps see the Configuring...

Страница 552: ...severity level number type global configuration command Enabling and Disabling Timestamps on Log Messages By default log messages are not timestamped Beginning in privileged EXEC mode follow these st...

Страница 553: ...ages Because there is a chance that more than one log message can have the same timestamp you can display messages with sequence numbers so that you can unambiguously refer to a single message By defa...

Страница 554: ...debugging messages and numerically lower levels see Table 115 on page 555 logging console level 3 Limit messages logged to the terminal lines By default the terminal receives debugging messages and n...

Страница 555: ...e typically used only by the Technical Assistance Center TAC Interface up or down transitions and system restart messages displayed at the notifications level This message is only for information acce...

Страница 556: ...traps are not enabled Beginning in privileged EXEC mode follow these steps to change the level and history table size defaults 1 Enter global configuration mode configure terminal 2 Change the default...

Страница 557: ...imit You can enable a limit on the number of messages that the access point logs per second You can enable the limit for all messages or for messages sent to the console and you can specify that messa...

Страница 558: ...syslog level see Table 115 on page 555 for information on the severity levels The syslog daemon sends messages at this level or at a more severe level to the file specified in the next field The file...

Страница 559: ...that receive logging messages enter this command more than once logging host 3 Limit messages logged to the syslog servers Be default syslog servers receive informational messages and lower logging t...

Страница 560: ...formation about the fields in this display see publication Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP and IP Routing Command Reference To display the logging history f...

Страница 561: ...point workgroup bridge See Access Point Status Indicators on page 48 for detailed descriptions Checking Basic Settings Mismatched basic settings are the most common causes of lost connectivity with wi...

Страница 562: ...r radio clients are using EAP FAST authentication you must configure open authentication with EAP If you don t configure open authentication with EAP a warning message appears If you are using CLI the...

Страница 563: ...to delete the current configuration and return all wireless device settings to the factory defaults by using the web browser interface 1 Open your Internet browser You must use Microsoft Internet Exp...

Страница 564: ...eturn all wireless device settings to the factory defaults by using CLI commands 1 Open CLI by using a Telnet session or a connect to the wireless device by using the console port 2 Restart the wirele...

Страница 565: ...d to restart the wireless device ap reset Are you sure you want to reset the system y n y System resetting using eeprom values WRDTR CLKTR 0x80000800 0x80000000 RQDC RFDC 0x80000033 0x000001cb ddr ini...

Страница 566: ...y using CLI through a Telnet or console port connection Using the HTTP Interface You can also use the Web browser interface to reload the wireless device image file The Web browser interface supports...

Страница 567: ...Click Upload Using the TFTP Interface The TFTP interface allows you to use a TFTP server on a network device to load the wireless device image file Follow the instructions below to use a TFTP server 1...

Страница 568: ...6 Click the TFTP Upgrade tab 7 Enter the IP address for the TFTP server in the TFTP Server field 8 Enter the file name for the image file in the Upload New System Image Tar File field If the file is l...

Страница 569: ...9w7 mx v122_13_ja 20031010 c350 k9w7 mx v122_13_ja 20031010 4 When the ap command prompt appears enter the set command to assign an IP address subnet mask and default gateway to the wireless device Yo...

Страница 570: ...ing c350 k9w7 mx 122 13 JA1 html level1 cookies js 5027 bytes extracting c350 k9w7 mx 122 13 JA1 html level1 forms js 15704 bytes extracting c350 k9w7 mx 122 13 JA1 html level1 sitewide js 14621 bytes...

Страница 571: ...command Your entry can look like this example ap set BOOT flash c350 k9w7 mx 122 13 JA1 c350 k9w7 mx 122 13 JA1 9 Enter the set command to check your bootloader entries ap set BOOT flash c350 k9w7 mx...

Страница 572: ...572 Rockwell Automation Publication 1783 UM006A EN P May 2014 Chapter 21 Troubleshooting Notes...

Страница 573: ...the numeric designator for each protocol Topic Page Ethertype Protocols 573 IP Protocols 574 IP Port Protocols 574 Table 1 Ethertype Protocols Protocol Additional Identifier ISODesignator ARP 0x0806 R...

Страница 574: ...e Protocol ICMP 1 Internet Group Management Protocol IGMP 2 Transmission Control Protocol TCP 6 Exterior Gateway Protocol EGP 8 PUP 12 CHAOS 16 User Datagram Protocol UDP 17 XNS IDP IDP 22 ISO TP4 TP4...

Страница 575: ...finger 79 Hypertext Transport Protocol HTTP www 80 ttylink link 87 Kerberos v5 Kerberos krb5 88 supdup 95 hostname hostnames 101 TSAP iso tsap 102 CSO Name Server cso ns csnet ns 105 Remote Telnet rt...

Страница 576: ...way Protocol BGP 179 Prospero 191 Internet Relay Chap IRC 194 SNMP Unix Multiplexer smux 199 AppleTalk Routing at rtmp 201 AppleTalk name binding at nbp 202 AppleTalk echo at echo 204 AppleTalk Zone I...

Страница 577: ...Appendix A SUP server supfilesrv 871 swat for SAMBA swat 901 SUP debugging supfiledbg 1127 ingreslock 1524 Prospero non priveleged prospero np 1525 RADIUS 1812 Concurrent Versions System CVS 2401 Cis...

Страница 578: ...578 Rockwell Automation Publication 1783 UM006A EN P May 2014 Appendix A Protocol Filters Notes...

Страница 579: ...BRIDGE MIB P BRIDGE MIB CISCO DOT11 LBS MIB CISCO DOT11 IF MIB CISCO WLAN VLAN MIB CISCO IETF DOT11 QOS MIB CISCO IETF DOT11 QOS EXT MIB CISCO DOT11 ASSOCIATION MIB CISCO L2 DEV MONITORING MIB CISCO...

Страница 580: ...g FTP to Access the MIB Files Follow these steps to obtain each MIB file by using FTP 1 Use FTP to access the server ftp cisco com 2 Log in with the username anonymous 3 Enter your e mail username whe...

Страница 581: ...591 LWAPP Error Messages 592 Sensor Messages 592 SNMP Error Messages 593 SSH Error Messages 593 Table 1 Conventions for System Error Messages Message Component Description Example Error identifier A...

Страница 582: ...URE s Auto upgrade of the software failed Auto upgrade of the software failed Restarttheunit Ifthemessageappears again copy the error message exactly as it appears and report it to your technical supp...

Страница 583: ...d interface and indicated station can be mismatched Check the encryption configuration of this interface and the failingstation to verify thatthe configurations match DOT11 4 DIVER_USED Interface s Mc...

Страница 584: ...not started Add at least one infrastructure SSID to the radio configuration DOT11 4 VERSION_UPGRADE Interface d upgrading radio firmware When starting the indicated interface the access point found t...

Страница 585: ...n the device IF 4 MISPLACED_VLAN_TAG Detected a misplaced VLAN tag on source Interface Dropping packet Received an 802 1Q VLAN tag was detected on the indicated interface that could not be parsedcorre...

Страница 586: ...o A radio management request discovered that the interface either does not exist or is not a radio interface None DOT11 3 POWERS_INVALID Interface s no valid power levels available The radio driver fo...

Страница 587: ...Packet to client mac reached max retries remove the client Apacket sent to theclient has not been successfully delivered many times and the max retries limit has been reached The client is deleted fro...

Страница 588: ...indicates an active attack on your network the interface is put on hold for the indicated time During this holdtime stationsbyusingTKIPciphersaredisassociated and cannot reassociate until the hold tim...

Страница 589: ...adio interfaces None DOT11 6 ROGUE_AP Rogue AP e reported Reason s A station has reported a potential rogue access point for the indicated reason None Message Explanation Recommended Action RADSRV 4 N...

Страница 590: ...servers are marked dead Configuring dead time for 10 minutes means that the server cannot be used for 10 minutes You can disable this command if you want thislogtodisappear Actuallythismessageis not r...

Страница 591: ...files have a rcore extension The files can be deleted because they simply show that the radio went down atsomepoint The rcorefilescanbelistedon CLI session and appear similar to this r15_5705_AB50_A8...

Страница 592: ...ease verify that the router fans are operating and that the room cooling and air conditioning are functioning This condition could cause the system to fail to operate properly SENSOR 3 TEMP_NORMAL s t...

Страница 593: ...representative SNMP_MGR 3 MISSINGHOSTIPV6 Cannot locate information on SNMP informs host Unrecognized format P A table entry for the mentioned SNMP informs destination cannot be found As a result inf...

Страница 594: ...594 Rockwell Automation Publication 1783 UM006A EN P May 2014 Appendix C Error and Event Messages Notes...

Страница 595: ...s point A wireless LAN data transceiver that uses radio waves to connect a wired network with wireless stations ad hoc network A wireless network composed of stations without Access Points antenna gai...

Страница 596: ...gain The greater the dBi value the higher the gain and the more acute the angle of coverage DHCP Dynamic host configuration protocol A protocol available with many operating systems that automaticall...

Страница 597: ...IP address for example 255 255 255 0 isotropic An antenna that radiates its signal in a spherical pattern MAC Media Access Control address A unique 48 bit number used in Ethernet data packets to ident...

Страница 598: ...eferred to as Radio Network Name A unique identifier used to identify a radio network and which stations must use to be able to communicate with each other or to an access point The SSID can be any al...

Страница 599: ...integrated template based configuration tool for added configuration ease and improved productivity WNM Wireless Network Manager workstation A computing device with an installed client adapter WPA Wi...

Страница 600: ...600 Rockwell Automation Publication 1783 UM006A EN P May 2014 Glossary Notes...

Страница 601: ...s point 428 vendor proprietary 425 vendor specific 424 authentication 183 local mode with AAA 220 RADIUS key 411 login 209 414 SSID 279 TACACS defined 432 key 434 login 215 435 authentication client c...

Страница 602: ...key 366 cdp enable 502 clear 175 countermeasure tkip hold time 369 debug 547 default form 177 del 565 dot11 aaa mac authen filter cache 366 dot11 extension aironet 269 dot11 interface number carrier...

Страница 603: ...s DNS 237 dot11 aaa mac authen filter cache command 366 dot11 extension aironet command 269 dot11 interface number carrier busy command 277 dot1x reauth period command 368 DTIM 273 dual band radios 21...

Страница 604: ...276 FTP accessing MIB files 580 G gain 266 get bulk request operation 509 get next request operation 509 510 get request operation 509 510 get response operation 509 Gigabit Ethernet port 32 global co...

Страница 605: ...gement frames 397 Management Frame Protection 2 configuring 398 maximum data retries 275 maximum reach 52 Maximum RTS Retries 274 MCS rates 251 252 Media Access Control MAC address 54 Message Integrit...

Страница 606: ...oning packets 263 power client command 255 power connection 32 power injector 49 power level on client devices 254 radio 269 power save client device 273 preferential treatment of traffic See QoS pre...

Страница 607: ...nts 521 request to send RTS 274 restricting access overview 201 passwords and privilege levels 201 RADIUS 407 TACACS 215 RFC 1042 270 1157 SNMPv1 508 1901 SNMPv2C 508 1902 to 1907 SNMPv2 508 roaming f...

Страница 608: ...nt and access point 373 statistics CDP 503 status indicator blinking blue 49 blinking green 48 blue 48 cycling through green red and off 49 green 48 red 49 STP BPDU message exchange 302 designated por...

Страница 609: ...oubleshooting 561 error messages CLI 178 system message logging 547 with CiscoWorks 510 U unauthorized access 201 universal workgroup bridge 60 UNIX syslog servers daemon configuration 558 facilities...

Страница 610: ...610 Rockwell Automation Publication 1783 UM006A EN P May 2014 Index Notes...

Страница 611: ......

Страница 612: ...Customer Support for initial help in getting your product up and running New Product Satisfaction Return Rockwell Automation tests all of its products to help ensure that they are fully operational wh...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды