manualshive.com logo in svg

Cisco Aironet 1200 Series, Руководство по настройке программного обеспечения, Страница: 124 / 284

Поделиться
Скачать
Cisco Aironet 1200 Series Скачать руководство пользователя страница 124

 

Chapter 4      Security Setup

Security Overview

4-6

Cisco Aironet 1200 Series Access Point Software Configuration Guide

OL-2159-03

When mutual authentication is complete, the RADIUS server and the client 
determine a WEP key that is unique to the client and provides the client with 
the appropriate level of network access, thereby approximating the level of 
security in a wired switched segment to an individual desktop. The client 
loads this key and prepares to use it for the logon session. 

During the logon session, the RADIUS server encrypts and sends the WEP 
key, called a 

session key

, over the wired LAN to the access point. The access 

point encrypts its broadcast key with the session key and sends the encrypted 
broadcast key to the client, which uses the session key to decrypt it. The client 
and access point activate WEP and use the session and broadcast WEP keys 
for all communications during the remainder of the session.

There is more than one type of EAP authentication, but the access point 
behaves the same way for each type: it relays authentication messages from 
the wireless client device to the RADIUS server and from the RADIUS server 
to the wireless client device. See the 

“Setting Up EAP Authentication” 

section on page 4-20

 for instructions on setting up EAP on the access point.

Note

If you use EAP authentication, you can select open or shared key 
authentication, but you don’t have to. EAP authentication controls 
authentication both to your access point and to your network. 

MAC address—The access point relays the wireless client device’s MAC 
address to a RADIUS server on your network, and the server checks the 
address against a list of allowed MAC addresses. If you don’t have a RADIUS 
server on your network, you can create the list of allowed MAC addresses on 
the access point’s Address Filters page. Devices with MAC addresses not on 
the list are not allowed to authenticate. Intruders can create counterfeit MAC 
addresses, so MAC-based authentication is less secure than EAP 
authentication. However, MAC-based authentication provides an alternate 
authentication method for client devices that do not have EAP capability. See 
the 

“Setting Up MAC-Based Authentication” section on page 4-29

 for 

instructions on enabling MAC-based authentication.

Figure 4-3

 shows the authentication sequence for MAC-based authentication.

Содержание Aironet 1200 Series

Страница 1: ...West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Cisco Aironet 1200 Series Access Point Software Configuration Guide Software Release 11 50T August 2002 Text Part Number OL 2159 03 ...

Страница 2: ...TATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES Cisco Aironet 1200 Series Access Point Software Configuration Guide Copyright 2002 Cisco Systems Inc All rights reserved CCIP the Cisco Arrow logo the Cisco Powered Network mark the Cisco Systems Verified logo Cisco...

Страница 3: ...CD ROM xvi Ordering Documentation xvi Documentation Feedback xvii Obtaining Technical Assistance xvii Cisco com xvii Technical Assistance Center xviii Cisco TAC Web Site xviii Cisco TAC Escalation Center xix C H A P T E R 1 Overview 1 1 Key Features 1 2 Management Options 1 2 Roaming Client Devices 1 3 Network Configuration Examples 1 3 Root Unit on a Wired LAN 1 3 Repeater Unit that Extends Wirel...

Страница 4: ... the Serial Cable 2 6 Setting Up the Terminal Emulator 2 7 Changing Settings with the CLI 2 7 Selecting Pages and Settings 2 9 Applying Changes to the Configuration 2 9 Using a Telnet Session 2 9 Using SNMP 2 10 Supported MIBs 2 10 C H A P T E R 3 Configuration 3 1 Basic Settings 3 2 Entering Basic Settings 3 3 System Name 3 3 MAC Address 3 3 Configuration Server Protocol 3 4 Default IP Address 3 ...

Страница 5: ...mation 3 31 Settings on the AP Radio Advanced Page 3 32 Ethernet Configuration 3 41 Entering Identity Information 3 41 Settings on the Ethernet Identification Page 3 42 Entering Ethernet Hardware Information 3 43 Settings on the Ethernet Hardware Page 3 44 Entering Advanced Configuration Information 3 46 Settings on the Ethernet Advanced Page 3 46 Server Setup 3 48 Entering Time Server Settings 3 ...

Страница 6: ... 68 Settings on the Association Table Advanced Page 3 69 Event Notification Setup 3 71 Event Display Setup Page 3 71 Settings on the Event Display Setup Page 3 72 Event Handling Setup Page 3 74 Settings on the Event Handling Setup Page 3 76 Event Notifications Setup Page 3 78 Settings on the Event Notifications Setup Page 3 79 C H A P T E R 4 Security Setup 4 1 Security Overview 4 2 Levels of Secu...

Страница 7: ... Client 4 27 Setting Up MAC Based Authentication 4 29 Enabling MAC Based Authentication on the Access Point 4 29 Authenticating Client Devices Using MAC Addresses or EAP 4 34 Enabling MAC Based Authentication in Cisco Secure ACS 4 35 Summary of Settings for Authentication Types 4 37 Setting Up Backup Authentication Servers 4 40 Setting Up Administrator Authorization 4 41 Creating a List of Authori...

Страница 8: ...tions 6 1 Updating Firmware 6 2 Updating with the Browser from a Local Drive 6 2 Full Update of the Firmware Components 6 3 Selective Update of the Firmware Components 6 4 Updating from a File Server 6 5 Full Update of the Firmware Components 6 5 Selective Update of the Firmware Components 6 7 Distributing Firmware 6 8 Distributing a Configuration 6 9 Limiting Distributions 6 11 Downloading Upload...

Страница 9: ...ings on the Console Telnet Page 7 5 C H A P T E R 8 Special Configurations 8 1 Setting Up a Repeater Access Point 8 1 Using Hot Standby Mode 8 5 C H A P T E R 9 Diagnostics and Troubleshooting 9 1 Using Diagnostic Pages 9 2 Radio Diagnostics Page 9 2 Antenna Alignment Test 9 3 Carrier Test 9 5 Network Ports Page 9 7 Identifying Information and Status 9 8 Data Received 9 8 Data Transmitted 9 9 Ethe...

Страница 10: ...0 vxdiag_tcpstatshow 9 31 vxdiag_udpstatshow 9 32 Tracing Packets 9 33 Reserving Access Point Memory for a Packet Trace Log File 9 33 Tracing Packets for Specific Devices 9 34 Tracing Packets for Ethernet and Radio Ports 9 35 Viewing Packet Trace Data 9 36 Packets Stored in a Log File 9 36 Packets Displayed on the CLI 9 37 Checking the Top Panel Indicators 9 37 Finding an Access Point by Blinking ...

Страница 11: ... Contents A P P E N D I X A Channels Power Levels and Antenna Gains A 1 Channels A 2 Channels for IEEE 802 11a A 2 Channels for IEEE 802 11b A 3 Maximum Power Levels and Antenna Gains A 4 For IEEE 802 11a A 4 For IEEE 802 11b A 5 A P P E N D I X B Protocol Filter Lists B 1 I N D E X ...

Страница 12: ...Contents xii Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 ...

Страница 13: ...e familiar with some of the concepts and terminology of Ethernet and wireless local area networking The scope of this guide is to provide the information you need to configure an access point use the access point management system to browse to other devices on a wireless network and troubleshoot problems with the access point that might arise Organization This guide is organized into the following...

Страница 14: ...m Chapter 8 Special Configurations describes how to set up the access point in network roles other than as a root unit on a wired LAN such as in repeater or Hot Standby mode Chapter 9 Diagnostics and Troubleshooting describes how to identify and resolve some of the problems that might arise when you configure an access point running this software release Appendix A Channels Power Levels and Antenn...

Страница 15: ...d performance characteristics and how to mount the access point on a wall ceiling or desktop The Cisco Aironet 1200 Series Access Point Hardware Installation Guide also contains regulatory information for the device Cisco Secure Access Control Server for Windows 2000 NT Servers Version 2 6 User Guide provides complete instructions for using Cisco Secure ACS including steps for configuring Cisco Se...

Страница 16: ...e Documentation CD ROM is updated monthly and may be more current than printed documentation The CD ROM package is available as a single unit or through an annual subscription Ordering Documentation You can order Cisco documentation in these ways Registered Cisco com users Cisco direct customers can order Cisco product documentation from the Networking Products MarketPlace http www cisco com cgi b...

Страница 17: ...Cisco com as a starting point for all technical assistance Customers and partners can obtain online documentation troubleshooting tips and sample configurations from online tools by using the Cisco Technical Assistance Center TAC Web Site Cisco com registered users have complete access to the technical support resources on the Cisco TAC Web Site Cisco com Cisco com is the foundation of a suite of ...

Страница 18: ...ion or assistance concerning Cisco product capabilities product installation or basic product configuration Priority level 3 P3 Your network performance is degraded Network functionality is noticeably impaired but most business operations continue Priority level 2 P2 Your production network is severely degraded affecting significant aspects of business operations No workaround is available Priorit...

Страница 19: ...e Internet access we recommend that you open P3 and P4 cases through the Cisco TAC Web Site Cisco TAC Escalation Center The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues These classifications are assigned when severe network degradation significantly impacts business operations When you contact the TAC Escalation Center with a P1 or P2 problem a Cisco TAC engine...

Страница 20: ...Preface Obtaining Technical Assistance xx Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 ...

Страница 21: ...t can contain two radios a 2 4 GHz radio in an internal mini PCI slot and a 5 GHz radio module in an external modified cardbus slot The access point supports one radio of each type but it does not support two 2 4 GHz or two 5 GHz radios You can configure the radios separately using different settings on each radio The access point uses a browser based management system but you can also configure t...

Страница 22: ...y Features section on page 4 3 for more information on additional WEP protection Use EAP to Authenticate Repeater Access Points Set up repeater access points to authenticate to your network like other wireless client devices After you provide a network username and password for the repeater it authenticates to your network using LEAP Cisco s wireless authentication method and receives and uses dyn...

Страница 23: ...or closer access points the extra radio traffic would slow throughput on the wireless LAN Network Configuration Examples This section describes the access point s role in three common wireless network configurations The access point s default configuration is as a root unit connected to a wired LAN or as the central unit in an all wireless network The repeater role requires a specific configuratio...

Страница 24: ... the wired LAN by sending packets to either another repeater or to an access point connected to the wired LAN The data is sent through the route that provides the best performance for the client You can set up either of the radios in your access point as a repeater but one radio must be set up as a root unit Figure 1 2 shows an access point acting as a repeater Consult the Setting Up a Repeater Ac...

Страница 25: ...In an all wireless network an access point acts as a stand alone root unit The access point is not attached to a wired LAN it functions as a hub linking all stations together The access point serves as the focal point for communications increasing the communication range of wireless users Figure 1 3 shows an access point in an all wireless network Access Point Root Unit Access Point Repeater 66000...

Страница 26: ...erview Network Configuration Examples 1 6 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 Figure 1 3 Access Point as Central Unit in All Wireless Network Access Point Root Unit 65998 ...

Страница 27: ...mand line interface through a terminal emulator or a Telnet session or a Simple Network Management Protocol SNMP application The access point s management system web pages are organized the same way for the web browser and command line interfaces The examples in this manual show the web browser interface This chapter contains the following sections Using the Web Browser Interface page 2 2 Using th...

Страница 28: ...gement system See the Quick Start Guide Cisco Aironet 1200 Series Access Points for instructions on assigning an IP address to the access point Follow these steps to begin using the web browser interface Step 1 Start the browser Step 2 Enter the access point s IP address in the browser Location field Netscape Communicator or Address field Internet Explorer and press Enter If the access point has n...

Страница 29: ...e Network Displays the Network Ports page Associations Displays the Association Table page which provides a list of all devices on the wireless network and links to the devices Setup Displays the Setup page which contains links to the management pages with configuration settings Logs Displays the Event Log page which lists system events and their severity levels Help Displays the online help for t...

Страница 30: ...rnet browser must have Java enabled to use the map windows To display the sub pages for each main page click the bullet next to a main page link Microsoft Internet Explorer or click expand next to a main page link Netscape Communicator In Figure 2 1 the sub pages for the Network Ports page are expanded Figure 2 1 Map Window with Network Ports Pages Expanded The Network Map window appears when you ...

Страница 31: ...home page if available Some devices such as PC Card clients might not have home pages Click show clients to display all the wireless client devices on your network The client names appear under the access point or bridge with which they are associated If clients are displayed click hide clients to display only non client devices Using the Command Line Interface You can use a command line interface...

Страница 32: ...mulator connection 9600 baud 8 data bits no parity 1 stop bit and no flow control Use the Console Telnet Setup page to adjust the console and Telnet connection settings See the Console and Telnet Setup section on page 7 5 for details on the Console Telnet Setup page Connecting the Serial Cable Connect a DB 9 to RJ 45 serial cable to the COM port on a computer and to the RJ 45 serial port on the ac...

Страница 33: ...int If the access point has not been configured before the Express Setup page appears as the home page If the access point is already configured the Summary Status page appears as the home page Changing Settings with the CLI The CLI pages use consistent techniques to present and save configuration information Table 2 2 lists the functions that appear on most CLI pages Table 2 2 Common Functions on...

Страница 34: ...n page 9 20 for information on the CLI diagnostic commands Figure 2 4 shows a CLI page example Figure 2 4 CLI Page Example bottom Jumps to the bottom of a long page such as Event Log When you are at the bottom of a page this function becomes top down Moves down one page length 24 lines on a long page such as Event Log When you are at the bottom of a long page this function becomes up Table 2 2 Com...

Страница 35: ...re is on by default so changes you make to any page are applied automatically when you move to another management page To apply changes and stay on the current page type apply and press Enter Using a Telnet Session Follow these steps to browse to the CLI pages with Telnet Step 1 On your computer s Start menu select Programs Accessories Telnet If Telnet is not listed in your Accessories menu select...

Страница 36: ...xpress Setup page in the access point management system Step 3 Enter an SNMP community name in the SNMP Admin Community field and click OK or Apply Step 4 Follow this link path to reach the SNMP Setup page a On the Summary Status page click Setup b On the Setup page click SNMP in the Services section of the page Use the SNMP Setup page to enter detailed SNMP settings such as the SNMP trap destinat...

Страница 37: ...ciscoCdpMIB 1 3 6 1 4 1 9 23 To download this MIB browse to http www cisco com public sw center netmgmt cmtk mibs shtml and click SNMP v1 MIBs Scroll down the list of files and select CISCO CDP MIB V1SMI my Cisco Aironet Access Point MIB AWCVX MIB my Supported branch awcVx 1 3 6 1 4 1 522 3 You can download the latest release of the access point MIB at the following URL http www cisco com public s...

Страница 38: ...Chapter 2 Using the Management Interfaces Using SNMP 2 12 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 ...

Страница 39: ...e provides links to all the pages containing access point settings This chapter contains the following sections Basic Settings page 3 2 Filter Setup page 3 9 Radio Configuration page 3 19 Ethernet Configuration page 3 41 Server Setup page 3 48 Routing Setup page 3 61 Association Table Display Setup page 3 64 Event Notification Setup page 3 71 Note See Chapter 4 Security Setup for information on se...

Страница 40: ...ss point quickly with a simple configuration or change or update a basic setting you can enter all the access point s essential settings for basic operation on the Express Setup page The page contains radio settings for both the 2 4 GHz internal radio and the 5 GHz external radio module You can configure the radios separately using different settings on each radio Figure 3 1 shows the Express Setu...

Страница 41: ...dio Service Set ID SSID Role in Radio Network Radio Network Optimization Optimize Radio Network For Radio Network Compatibility Ensure Compatibility With SNMP Admin Community System Name The system name appears in the titles of the management system pages and in the access point s Association Table page The system name is not an essential setting but it helps identify the access point on your netw...

Страница 42: ...or predetermined periods of time Default IP Address Use this setting to assign or change the access point s IP address If DHCP or BOOTP is not enabled for your network the IP address you enter in this field is the access point s IP address If DHCP or BOOTP is enabled this field provides the IP address only if no server responds with an IP address for the access point Default IP Subnet Mask Enter a...

Страница 43: ... twice on the page once for the internal radio and once for the external radio module You can use the same setting or different settings for each radio Role in Radio Network Use this pull down menu to select the role of the access point on your network This setting appears twice on the page once for the internal radio and once for the external radio module You can use the same setting or different...

Страница 44: ...3 Configuration Basic Settings 3 6 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 Figure 3 2 Root Unit Access Points Access Point Root Unit Access Point Root Unit 65999 Wired LAN ...

Страница 45: ... data between a client and another access point or repeater One or both access point radios can be set up as repeaters Figure 3 3 shows an access point operating as a repeater in a network Note Non Cisco client devices might have difficulty communicating with repeater access points Figure 3 3 Repeater Access Point Access Point Root Unit Access Point Repeater 66000 Wired LAN ...

Страница 46: ...the access point but might reduce the access point s range Range Maximizes the access point s range but might reduce throughput Custom The access point uses the settings you enter on the AP Radio Hardware page Click Custom to go to the AP Radio Hardware page Radio Network Compatibility Ensure Compatibility With You use this setting to automatically configure the access point to be compatible with ...

Страница 47: ...llowing sections Protocol Filtering page 3 9 MAC Address Filtering page 3 14 Protocol Filtering Protocol filters prevent or allow the use of specific protocols through the access point You can set up individual protocol filters or sets of filters You can filter protocols for wireless client devices users on the wired LAN or both For example an SNMP filter on the access point s radio port prevents ...

Страница 48: ...AP Radio row under Network Ports The left side of the Protocol Filters page contains links to the Ethertype Filters the IP Protocol Filters and the IP Port Filters pages These links also appear on the main Setup page under Associations Use the Protocol Filters pages to assign protocols to a filter set Table B 1 Table B 2 and Table B 3 in Appendix B list the protocols available on each page Creatin...

Страница 49: ...p 4 Enter an identification number in the Set ID entry field if you want to assign a specific SNMP identifier to the filter set If you don t enter an ID an SNMP identifier will be assigned to the set automatically starting with 1 for the first filter set and incrementing by one for each additional set Step 5 Click Add New The Filter Set page appears Figure 3 6 shows the Filter Set page Figure 3 6 ...

Страница 50: ...ve settings default to 3 seconds for multicast packets and 5 seconds for unicast packets Step 8 Type the name or the ISO numeric designator for the protocol you want to add in the Special Cases entry field and click Add New For example to add Telnet to an IP port filter set type telnet or 23 The Protocol Filter Set page appears Figure 3 7 shows the Protocol Filter Set page Figure 3 7 Protocol Filt...

Страница 51: ...e with the priority you select for the protocol For example if you select interactiveVoice as the priority and enter high time to live values voice packets will stay in the access point buffer longer than necessary causing delivery of stale useless packets Step 12 Select Alert yes to send an alert to the event log when a user transmits or receives the protocol through the access point Step 13 Clic...

Страница 52: ...ort pull down menu Step 4 Click OK The filter set is enabled MAC Address Filtering MAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific MAC addresses You can create a filter that passes traffic to all MAC addresses except those you specify or you can create a filter that blocks traffic to all MAC addresses except those you ...

Страница 53: ...p 2 On the Setup page click Address Filters under Associations Creating a MAC Address Filter Follow these steps to create a MAC address filter Step 1 Follow the link path to the Address Filters page Step 2 Type a destination MAC address in the New MAC Address Filter Dest MAC Address field You can type the address with colons separating the character pairs 00 40 96 12 34 56 for example or without a...

Страница 54: ... it and click Remove Tip You can create a list of allowed MAC addresses on an authentication server on your network Consult the Setting Up MAC Based Authentication section on page 4 29 for instructions on using MAC based authentication If you intend to list allowed MAC addresses on an authentication server select yes for the Look up MAC Address on Authentication Server if not in Existing Filter Li...

Страница 55: ...lter The access point discards all unicast traffic except packets sent to the MAC addresses listed as allowed on the Address Filters page Select Allowed from the pull down menu for Default Unicast Address Filter if you want to allow traffic to all MAC addresses except those listed as disallowed on the Address Filters page Unicast packets are addressed to just one device on the network Multicast pa...

Страница 56: ...Note The Ethernet Advanced page contains the Default Unicast and Multicast Address Filter settings for the Ethernet port These settings work as described above but you should use extra caution changing the settings on the Ethernet Advanced page because they can lock you out of your access point To reach the Ethernet Advanced page click Advanced in the Ethernet row of the Network Ports section at t...

Страница 57: ...ccess point internal and module radio ports See the Entering Radio Hardware Information section on page 3 22 for instructions on using the AP Radio Hardware pages AP Radio Advanced pages Contain settings for the operational status of the access point s internal and module radio ports You can also use these pages to make temporary changes in port status to help with troubleshooting network problems...

Страница 58: ...is link path to reach the AP Radio Identification page 1 On the Summary Status page click Setup 2 On the Setup page click Identification in on eof the AP Radio rows under Network Ports Settings on the AP Radio Identification Page The AP Radio Identification pages contain the following settings Primary Port Settings Default IP Address Default IP Subnet Mask Service Set ID SSID LEAP User Name LEAP P...

Страница 59: ...t the primary port settings MAC and IP addresses for the radio port Select no to use different MAC and IP addresses for the radio port Access points acting as root units adopt the primary port settings for the radio port When you put an access point in standby mode however you select no for this setting Some advanced wireless bridge configurations also require different identity settings for the r...

Страница 60: ...tup page LEAP User Name Use this field if the radio is set up as a repeater and authenticates to the network using LEAP When the radio authenticates using LEAP the access point sends this user name to the authentication server Follow the steps in the Setting up a Repeater Access Point as a LEAP Client section on page 4 27 to set up the radio as a LEAP client LEAP Password Use this field if the rad...

Страница 61: ...odule Follow this link path to reach the AP Radio Hardware pages 1 On the Summary Status page click Setup 2 On the Setup page click Hardware in one of the AP Radio rows under Network Ports Settings on the AP Radio Hardware Page The AP Radio Hardware page contains the following settings Service Set ID SSID Allow Broadcast SSID to Associate Enable World Mode Data Rates Transmit Power ...

Страница 62: ...etween multiple wireless networks in the same vicinity The SSID can be any alphanumeric entry up to 32 characters long You can also enter this setting on the Express Setup and AP Radio Identification pages Allow Broadcast SSID to Associate You use this setting to choose whether devices that do not specify an SSID devices that are broadcasting in search of an access point to associate with are allo...

Страница 63: ... lists three options Basic Allows transmission at this rate for all packets both unicast and multicast At least one of the access point s data rates must be set to Basic Yes The access point transmits only unicast packets at this rate multicast packets are sent at one of the data rates set to Basic No The access point does not transmit data at this rate You can use the Data Rate settings to set up...

Страница 64: ... 0 data rates are set to yes on the radio module 6 0 12 0 and 24 0 are set to basic and 9 0 18 0 36 0 48 0 and 54 0 are set to yes Transmit Power This setting determines the power level of radio transmission The default power setting is the highest transmit power allowed in your regulatory domain Note Government regulations define the highest allowable power level for radio devices This setting mu...

Страница 65: ...ccess point and not each other Enter a setting ranging from 0 to 2339 bytes Max RTS Retries The maximum number of times the access point issues an RTS before stopping the attempt to send the packet through the radio Enter a value from 1 to 128 Max Data Retries The maximum number of attempts the access point makes to send a packet before giving up and dropping the packet Beacon Period The amount of...

Страница 66: ...an set up multiple access points in the same vicinity without causing interference The radio module operates on eight channels from 5180 to 5320 MHz Each channel on the radio module covers 20 MHz and the bandwidth for the channels overlaps slightly For best performance use channels that are not adjacent 44 and 46 for example for radios that are close to each other Note Too many access points in th...

Страница 67: ... access point s regulatory domain Click the Search check boxes beside the channels to include channels in the scan for less congested channels All the channels are included in the scan by default Receive Antenna and Transmit Antenna Pull down menus for the receive and transmit antennas offer three options Diversity This default setting tells the access point to use the antenna that receives the be...

Страница 68: ...eft connector you should use this setting for both receive and transmit When you look at the access point s back panel the left antenna is on the left Note The access point receives and transmits using one antenna at a time so you cannot increase range by installing high gain antennas on both connectors and pointing one north and one south When the access point used the north pointing antenna it w...

Страница 69: ...n special configuration settings for the access point radios The internal radio and the radio module both have an AP Radio Advanced page Both pages contain the same settings but the Advanced page for the external radio module does not contain the Radio Modulation and Radio Preamble settings Figure 3 15 shows the AP Radio Advanced page for the internal radio Figure 3 15 AP Radio Advanced Page for I...

Страница 70: ...anced pages contain the following settings Requested Status Packet Forwarding Default Multicast Address Filters Maximum Multicast Packets Second Radio Cell Role Maximum Number of Associations Use Aironet Extensions Classify Workgroup Bridges as Network Infrastructure Require Use of Radio Firmware x xx Ethernet Encapsulation Transform Enhanced MIC verification for WEP Temporal Key Integrity Protoco...

Страница 71: ...rwarding Four other states are possible Unknown The state cannot be determined Disabled Forwarding capabilities are disabled Blocking The port is blocking transmission This is the state when no stations are associated Broken This state reports radio failure Default Multicast Address Filters MAC address filters allow or disallow the forwarding of multicast packets sent to specific MAC addresses You...

Страница 72: ...s setting determines how the radio interacts with other wireless devices The menu contains the following options Root A wireless LAN transceiver that connects an Ethernet network with wireless client stations or with another Ethernet network Use this setting if the access point is connected to the wired LAN Repeater Non Root A wireless LAN transceiver that transfers data between a client and anoth...

Страница 73: ...nt is set up as a repeater or if it communicates with a repeater The extensions also improve the access point s ability to understand the capabilities of Cisco Aironet client devices associated with the access point Classify Workgroup Bridges as Network Infrastructure Select no to allow more than 20 Cisco Aironet Workgroup Bridges to associate to the access point The default setting yes limits the...

Страница 74: ...group Bridge Software Configuration Guide for a description of workgroup bridges Require Use of Radio Firmware x xx This setting affects the firmware upgrade process when you load new firmware for the access point Select yes to force the radio firmware to be upgraded to a firmware version compatible with the current version of the management system Select no to exempt the current radio firmware fr...

Страница 75: ...n the AP Radio Advanced page is set to yes and WEP is enabled and set to full encryption Note When you enable MIC only MIC capable client devices can communicate with the access point Temporal Key Integrity Protocol This setting enables the temporal key integrity protocol TKIP also known as WEP key hashing which defends against an attack on WEP in which the intruder uses the unencrypted initializa...

Страница 76: ... a new broadcast WEP key to all associated client devices every 15 minutes To disable broadcast WEP key rotation enter 0 Note When you enable broadcast key rotation only wireless client devices using LEAP or EAP TLS authentication can use the access point Client devices using static WEP with open shared key or EAP MD5 authentication cannot use the access point when you enable broadcast key rotatio...

Страница 77: ...cess point discards all traffic except packets sent to the MAC addresses listed as allowed on the Address Filters page or on your authentication server Select Disallowed for each authentication type that also uses MAC based authentication Note If you plan to discard traffic to all MAC addresses except those you specify the Disallowed setting be sure to enter your own MAC address as allowed on the ...

Страница 78: ...ndard published by the Institute of Electrical and Electronics Engineers IEEE Standards Association MOK This modulation was used before the IEEE finished the high speed 802 11 standard and may still be in use in older wireless networks Note This setting does not appear on the AP Radio Advanced page for the radio module Radio Preamble The radio preamble is a section of data at the head of a packet ...

Страница 79: ...et port Ethernet Hardware Contains the setting for the access point s Ethernet port connection speed Ethernet Advanced Contains settings for the operational status of the access point s Ethernet port You can also use this page to make temporary changes in port status to help with troubleshooting network problems Ethernet Port Lists key information on the access point s Ethernet port Entering Ident...

Страница 80: ... port adopts or assumes the identity of the primary port Primary Port The primary port determines the access point s MAC and IP addresses Ordinarily the access point s primary port is the Ethernet port so this setting is usually set to yes Select yes to set the Ethernet port as the primary port Select no to set the radio port as the primary port Adopt Primary Port Identity Select yes to adopt the ...

Страница 81: ...nter an IP subnet mask to identify the subnetwork so the IP address can be recognized on the LAN If DHCP or BOOTP is not enabled this field is the subnet mask If DHCP or BOOTP is enabled this field provides the subnet mask only if no server responds to the access point s request The current IP subnet mask displayed under the setting shows the IP subnet mask currently assigned to the access point T...

Страница 82: ...connection speed and duplex setting used by the port The option you select must match the actual connector type speed and duplex settings used to link the port with the wired network The default setting Auto is best for most networks because the best connection speed and duplex setting are automatically negotiated between the wired LAN and the access point If you use a setting other than Auto make...

Страница 83: ...nt 10 Base T Half Duplex Ethernet network connector for 10 Mbps transmission speed over twisted pair wire and operating in half duplex mode 10 Base T Full Duplex Ethernet network connector for 10 Mbps transmission speed over twisted pair wire and operating in full duplex mode 100 Base T Half Duplex Ethernet network connector for 100 Mbps transmission speed over twisted pair wire and operating in h...

Страница 84: ...this link path to reach the Ethernet Advanced page 1 On the Summary Status page click Setup 2 On the Setup page click Advanced in the Ethernet row under Network Ports Settings on the Ethernet Advanced Page The Ethernet Advanced page contains the following settings Requested Status Packet Forwarding Default Unicast and Multicast Address Filters Maximum Multicast Packets Second Requested Status This...

Страница 85: ... Broken This state reports an Ethernet port failure Default Unicast and Multicast Address Filters MAC address filters allow or disallow the forwarding of unicast and multicast packets sent to specific MAC addresses You can create a filter that passes traffic to all MAC addresses except those you specify or you can create a filter that blocks traffic to all MAC addresses except those you specify Re...

Страница 86: ...Packets Second Use this setting to control the number of multicast packets that can pass through the Ethernet port each second If you enter 0 the access point passes an unlimited number of multicast packets If you enter a number other than 0 the device passes only that number of multicast packets per second Server Setup This section describes how to configure the server to support access point fea...

Страница 87: ...ows the Time Server Setup page Figure 3 19 Time Server Setup Page Follow this link path to reach the Time Server Setup page 1 On the Summary Status page click Setup 2 On the Setup page click Time Server under Services Settings on the Time Server Setup Page The Time Server Setup page contains the following settings Simple Network Time Protocol Default Time Server GMT Offset hr Use Daylight Savings ...

Страница 88: ...CP or BOOTP server can override the default time server GMT Offset hr The GMT Offset pull down menu lists the world s time zones relative to Greenwich Mean Time GMT Select the time zone in which the access point operates Use Daylight Savings Time Select yes or no to have the access point automatically adjust to Daylight Savings Time Manually Set Date and Time Enter the current date and time in the...

Страница 89: ...servers for automatic assignment of IP addresses Figure 3 20 shows the Boot Server Setup page Figure 3 20 Boot Server Setup Page Follow this link path to reach the Boot Server Setup page 1 On the Summary Status page click Setup 2 On the Setup page click Boot Server under Services Settings on the Boot Server Setup Page The Boot Server Setup page contains the following settings Configuration Server ...

Страница 90: ...Boot Protocol in which IP addresses are hard coded based on MAC addresses DHCP With Dynamic Host Configuration Protocol IP addresses are leased for a period of time You can set the lease duration with the settings on this page Use Previous Configuration Server Settings Select yes to have the access point save the boot server s most recent response The access point uses the most recent settings if ...

Страница 91: ...ll zeroes appear it means that no file server is set up to provide an ini file BOOTP Server Timeout sec This setting specifies the length of time the access point waits to receive a response from a single BOOTP server Enter the number of seconds the access point should wait This setting applies only when you select BOOTP from the Configuration Server Protocol pull down menu DHCP Multiple Offer Tim...

Страница 92: ...field the setting under DHCP Client Identifier Type on the Boot Server Setup page select Other Non Hardware Table 3 1 lists the options in the DHCP Client Identifier Type pull down menu Table 3 1 Options in the DHCP Client Identifier Type Menu Option Definition Ethernet 10Mb This is the default setting Use this setting if you do not need your DHCP server to send responses based on the class identi...

Страница 93: ...ecimal characters include the numbers 0 through 9 and the letters A through F DHCP Class Identifier Your DHCP server can be set up to send responses according to the group to which a device belongs Use this field to enter the access point s group name The DHCP server uses the group name to determine the response to send to the access point The access point s DHCP class identifier is a vendor class...

Страница 94: ...nly through the console and Telnet interfaces HTTP Port This setting determines the port through which your access point provides web access Your System Administrator should be able to recommend a port setting Default Help Root URL This entry tells the access point where to look for the Help files The Help button on each management system page opens a new browser window displaying help for that pa...

Страница 95: ...eless LAN If you use this location enter the full directory URL Your entry might look like this file drive letter folder or subdirectory wireless help Extra Web Page File If you need to create an alternative to the access point s management system you can create HTML pages and load them into the access point You use this entry field to specify the filename for your HTML page stored on the file ser...

Страница 96: ...etwork s Domain Name System DNS server Figure 3 22 shows the Name Server Setup page Figure 3 22 The Name Server Setup Page Follow this link path to reach the Name Server Setup page On the Summary Status page click Setup On the Setup page click Name Server under Services Settings on the Name Server Setup Page The Name Server Setup page contains the following settings Domain Name System Default Doma...

Страница 97: ...Boot Server Setup page you have DHCP or BOOTP set as the Configuration Server Protocol but you selected No for the setting Use previous Configuration Server settings when no server responds Domain Name Servers Enter the IP addresses of up to three domain name servers on your network The Current lines to the right of the entry fields list the servers the access point is currently using which may be...

Страница 98: ...non browser file transfers are governed by the settings on this page Figure 3 23 shows the FTP Setup page Figure 3 23 The FTP Setup Page Follow this link path to reach the FTP Setup page On the Summary Status page click Setup On the Setup page click FTP under Services Settings on the FTP Setup Page The FTP Setup page contains the following settings File Transfer Protocol Default File Server FTP Di...

Страница 99: ...er directory that contains the firmware image files FTP User Name Enter the username assigned to your FTP server You don t need to enter a name in this field if you select TFTP as the file transfer protocol FTP User Password Enter the password associated with the file server s username You don t need to enter a password in this field if you select TFTP as the file transfer protocol Routing Setup Y...

Страница 100: ...ng Setup page 1 On the Summary Status page click Setup 2 On the Setup page click Routing under Services Entering Routing Settings The Routing Setup page contains the following settings Default Gateway New Network Route Settings Installed Network Routes list Default Gateway Enter the IP address of your network s default gateway in this entry field The entry 255 255 255 255 indicates no gateway ...

Страница 101: ...lick Add To remove a route from the list highlight the route and click Remove The three entry fields include Dest Network Enter the IP address of the destination network Gateway Enter the IP address of the gateway used to reach the destination network Subnet Mask Enter the subnet mask associated with the destination network Installed Network Routes list The list of installed routes provides the de...

Страница 102: ...ociation Table Filters Page Follow this link path to reach the Association Table Filters page 1 On the Summary Status page click Setup 2 On the Setup page click Display Defaults under Associations You can also reach the Association Table Filters page through the additional display filters link on the Association Table page When you reach the page through the additional display filters link four bu...

Страница 103: ...Association Table Filters page contains the following settings Stations to Show Fields to Show Packets To From Station Bytes To From Station Primary Sort Secondary Sort Stations to Show Select the station types that you want to be displayed in the Association Table If you select all station types all stations of these types appear in the access point s Association Table Fields to Show The fields y...

Страница 104: ...work Packets To From Station Use these settings to display packet volume information in the Association Table Select Total to display the total number of packets to and from each station on the network Select Alert to display the number of alert packets to and from each station on the network for which you have activated alert monitoring Select the Alert checkbox on a device s Station page to acti...

Страница 105: ...03 Chapter 3 Configuration Association Table Display Setup Primary Sort This setting determines the information that appears in the first column in the Association Table Secondary Sort This setting determines the information that appears in the second column in the Association Table ...

Страница 106: ...tal number of devices the access point can list in the Association Table and the amount of time the access point continues to track each device class when a device is inactive Figure 3 26 shows the Association Table Advanced page Figure 3 26 Association Table Advanced Page Follow this link path to reach the Association Table Advanced page 1 On the Summary Status page click Setup 2 On the Setup pag...

Страница 107: ...pears on the Event Handling Setup page You can choose from four Severity Levels Fatal Severity Level System Protocol Port Fatal level events indicate an event that prevents operation of the port or device For operation to resume the port or device usually must be reset Fatal level events appear in red in the Event Log Alert Severity Level System Protocol Port External Alert level messages indicate...

Страница 108: ...s point memory When you disable extended statistics you conserve memory and the access point can include more devices in the Association Table Block ALL Inter Client Communications PSPF Publicly Secure Packet Forwarding PSPF prevents client devices associated to an access point from inadvertently sharing files with other client devices on the wireless network It provides Internet access to client ...

Страница 109: ...alerts warnings and normal activity Event Display Setup Page You use the Event Display Setup page to determine how time should be displayed on the Event Log In addition you can determine what severity level is significant enough to display an event Figure 3 27 shows the Event Display Setup page Figure 3 27 The Event Display Setup Page Follow this link path to reach the Event Display Setup page 1 O...

Страница 110: ...ct wall clock time the events are displayed in a YY MM DD HH MM SS format If time has not been set on the access point either manually or by a time server the time display appears as uptime regardless of this selection How should Event Elapsed non wall clock Time be displayed Choose to display event time since the last boot up of the access point or the time that has elapsed since the event occurr...

Страница 111: ...ion to resume the port or device usually must be reset System refers to the access point as a whole Protocol refers to a specific communications protocol in use such as HTTP or IP Port refers to the access point s Ethernet or radio network interface System alert Protocol alert Port alert External alert The Alert settings indicate events of which an administrator specifically requested to be inform...

Страница 112: ...tings indicate that a failure has occurred System refers to the access point as a whole Protocol refers to a specific communications protocol in use such as HTTP or IP Port refers to the access point s Ethernet or radio network interface External refers to a device on the network other than the access point System information Protocol information Port information External information The Informati...

Страница 113: ...on Guide OL 2159 03 Chapter 3 Configuration Event Notification Setup displaying them on the console or notify someone of the occurrence after displaying and recording the event Figure 3 28 shows the Event Handling Setup page Figure 3 28 The Event Handling Setup Page ...

Страница 114: ...uffer Disposition of Events The event settings control how events are handled by the access point counted displayed in the log recorded or announced in a notification The settings are color coded red for fatal errors magenta for alerts blue for warnings and green for information You select an option from each setting s pull down menu Each option includes and builds upon the previous option Count T...

Страница 115: ...ions on your network After you reserve space for the trace buffer browse to a device s Station page and select the Alert checkboxes in the To Station and From Station columns See the Browsing to Network Devices section on page 5 2 for instructions on opening a device s Station page Download Detailed Event Trace Buffer Use these links to view Headers Only or All Data in the detailed trace buffer Th...

Страница 116: ...NMP server or a Syslog system Note For event notifications to be sent to an external destination the events must be set to Notify on the Event Handling Setup page See the Event Handling Setup Page section on page 3 74 for a description of the settings on the Event Handling Setup page Figure 3 29 shows the Event Notifications Setup page Figure 3 29 Event Notifications Setup Page Follow this link pa...

Страница 117: ...r Should Notify Disposition Events generate SNMP Traps Select yes to send event notifications to an SNMP server Note For notifications to be sent to an SNMP server SNMP must be enabled on the SNMP Setup page and you must set an SNMP trap destination and an SNMP trap community SNMP Trap Destination Type the IP address or the host name of the server running the SNMP Management software This setting ...

Страница 118: ...ning Syslog The Network Default Syslog Destination line under the syslog destination address field lists the syslog destination address provided by the DHCP or BOOTP server This default syslog destination is only used if the syslog destination address field is blank Syslog Facility Number Type the Syslog Facility number for the notifications The default setting is 16 which corresponds to the Local...

Страница 119: ...following sections Security Overview page 4 2 Setting Up WEP page 4 9 Enabling Additional WEP Security Features page 4 14 Setting Up Open or Shared Key Authentication page 4 19 Setting Up EAP Authentication page 4 20 Setting Up MAC Based Authentication page 4 29 Summary of Settings for Authentication Types page 4 37 Setting Up Backup Authentication Servers page 4 40 Setting Up Administrator Author...

Страница 120: ...or any wireless network and you should enable all the security features available on your network Figure 4 1 shows possible levels of security on Cisco Aironet wireless networking equipment from no security on the left to highest security on the right The highest level of security EAP authentication interacts with a Remote Authentication Dial In User Service RADIUS server on your network to provid...

Страница 121: ...cryption on your wireless network WEP encryption scrambles the communication between the access point and client devices to keep the communication private Both the access point and client devices use the same WEP key to encrypt and unencrypt radio signals WEP keys encrypt both unicast and multicast messages Unicast messages are addressed to just one device on the network Multicast messages are add...

Страница 122: ...ct Broadcast key rotation is an excellent alternative to TKIP if your wireless LAN supports wireless client devices that are not Cisco devices or that cannot be upgraded to the latest firmware for Cisco client devices See the Enabling Broadcast WEP Key Rotation section on page 4 18 for instructions on enabling broadcast key rotation Network Authentication Types Before a wireless client device can ...

Страница 123: ...ion of the user supplied password to generate a response to the challenge and sends that response to the RADIUS server Using information from its user database the RADIUS server creates its own response and compares that to the response from the client When the RADIUS server authenticates the client the process repeats in reverse and the client authenticates the RADIUS server Access point or bridg...

Страница 124: ...s from the wireless client device to the RADIUS server and from the RADIUS server to the wireless client device See the Setting Up EAP Authentication section on page 4 20 for instructions on setting up EAP on the access point Note If you use EAP authentication you can select open or shared key authentication but you don t have to EAP authentication controls authentication both to your access point...

Страница 125: ...r network Figure 4 4 shows the authentication sequence between a device trying to authenticate and an access point using open authentication In this example the device s WEP key does not match the access point s key so it can authenticate but not pass data Figure 4 4 Sequence for Open Authentication Shared key Cisco provides shared key authentication to comply with the IEEE 802 11b standard Howeve...

Страница 126: ...r on your network Figure 4 5 shows the authentication sequence between a device trying to authenticate and an access point using shared key authentication In this example the device s WEP key matches the access point s key so it can authenticate and communicate Figure 4 5 Sequence for Shared Key Authentication Combining MAC Based EAP and Open Authentication You can set up the access point to authe...

Страница 127: ...ized to view and adjust the access point settings unauthorized users are locked out See the Setting Up Administrator Authorization section on page 4 41 for instructions on using the user manager Setting Up WEP Use the AP Radio Data Encryption pages to set up WEP You also use the AP Radio Data Encryption pages to select authentication types for the access point The internal radio and the radio modu...

Страница 128: ...Encryption page 1 On the Summary Status page click Setup 2 On the Setup page click Security 3 On the Security Setup page click Radio Data Encryption WEP for the internal radio or the radio module Follow these steps to set up WEP keys and enable WEP Step 1 Follow the link path to the AP Radio Data Encryption page Step 2 Before you can enable WEP you must enter a WEP key in at least one of the Encry...

Страница 129: ...ou must select key 1 as the transmit key The access point uses the WEP key you enter in key slot 1 to encrypt multicast data signals it sends to EAP enabled client devices If you enable broadcast key rotation however you can select key 1 or key 2 as the transmit key or you can enable WEP without entering any keys Step 3 Use the Key Size pull down menu to select 40 bit or 128 bit encryption for eac...

Страница 130: ...ient device associated to the access point must use the same key in its slot 1 and the key in the client s slot 1 must be selected as the transmit key The characters you type for the key contents appear only when you type them After you click Apply or OK you cannot view the key contents Select Not set from the Key Size pull down menu to clear a key Step 5 Select Optional or Full Encryption from th...

Страница 131: ...tion Guide for instructions on configuring Cisco Aironet client devices Full Encryption Client devices must use WEP when communicating with the access point Devices not using WEP are not allowed to communicate Note You must select Full Encryption to enable Message Integrity Check MIC See the Enabling Message Integrity Check MIC section on page 4 14 for instructions on setting up MIC Step 6 Click O...

Страница 132: ...grity Protocol TKIP Enabling Broadcast WEP Key Rotation Enabling Message Integrity Check MIC MIC prevents attacks on encrypted packets called bit flip attacks During a bit flip attack an intruder intercepts an encrypted message alters it slightly and retransmits it and the receiver accepts the retransmitted message as legitimate The MIC implemented on both the access point and all associated clien...

Страница 133: ...anced page must be set to yes the default setting Note Enabling MIC on the internal radio module might reduce throughput for that radio by as much as 30 Use the AP Radio Advanced page to enable MIC Both the internal radio and the radio module have an AP Radio Advanced page Both pages contain the same settings Figure 4 7 shows the AP Radio Advanced page for the internal radio Figure 4 7 AP Radio Ad...

Страница 134: ...if the MIC enabled access point uses the key in slot 1 as the transmit key a client device associated to the access point must use the same key in its slot 1 and the key in the client s slot 1 must be selected as the transmit key Step 2 Browse to the AP Radio Advanced page for the internal radio or the radio module Step 3 Select MMH from the Enhanced MIC verification for WEP pull down menu Step 4 ...

Страница 135: ...g prevents intruders from calculating the static broadcast key so you do not need to rotate the broadcast key Follow these steps to enable TKIP Step 1 Follow the steps in the Setting Up WEP section on page 4 9 to set up and enable WEP Select either optional or full encryption for the WEP level Step 2 Follow this link path to browse to the AP Radio Advanced page a On the Summary Status page click S...

Страница 136: ...n cannot use the access point when you enable broadcast key rotation Note If you enable Broadcast Key Rotation on one of the radios in a dual radio access point Broadcast Key Rotation is automatically enabled on the other radio Tip You might not need to enable broadcast key rotation if you enable TKIP You can use both key rotation and key hashing but these features provide similar protection Follo...

Страница 137: ...ule both have an AP Radio Data Encryption page Both pages contain the same settings Figure 4 6 shows the AP Radio Data Encryption page for the internal radio Follow these steps to select Open or Shared Key authentication Step 1 Follow the instructions in the Setting Up WEP section on page 4 9 to set up and enable WEP You must enable WEP to use shared key authentication but you do not have to enabl...

Страница 138: ...authentication messages between the RADIUS server on your network and the authenticating client device This section provides instructions for Enabling EAP on the Access Point Enabling EAP in Cisco Secure ACS Setting up a Repeater Access Point as a LEAP Client Enabling EAP on the Access Point You use the Authenticator Configuration page and the AP Radio Data Encryption pages to set up and enable EA...

Страница 139: ...up page click Authentication Server Follow these steps to enable EAP on the access point Step 1 Follow the link path to the Authenticator Configuration page You can configure up to four servers for authentication services so you can set up backup authenticators If you set up more than one server for the same service the server first in the list is the primary server for that service and the others...

Страница 140: ...ct this option if LEAP enabled client devices that associate with this access point use radio firmware versions 4 13 4 16 or 4 23 Draft 10 Select this option if client devices that associate with this access point use Microsoft Windows XP authentication or if LEAP enabled client devices that associate with this access point use radio firmware version 4 25 or later Note Functionality in Draft 10 is...

Страница 141: ...point should wait before authentication fails If the server does not respond within this time the access point tries to contact the next authentication server in the list if one is specified Other backup servers are used in list order when the previous server times out Step 7 Select EAP Authentication under the server The EAP Authentication checkbox designates the server as an authenticator for an...

Страница 142: ...t packets sent between the access point and the client device will not be encrypted To maintain secure communications use WEP at all times Step 12 Enter a WEP key in slot 1 of the Encryption Key fields The access point uses this key for multicast data signals signals sent from the access point to several client devices at once This key does not need to be set on client devices Step 13 Select 128 b...

Страница 143: ...ecure ACS operates with Windows NT 4 0 Server and Windows 2000 Server Note You must use ACS version 2 6 or later to set up the access point in ACS Follow these steps to include the access point as a Network Access Server NAS in Cisco Secure ACS Step 1 On the ACS main menu click Network Configuration Step 2 Click Add New Access Server Step 3 In the Network Access Server Hostname entry field type th...

Страница 144: ... issues a new dynamic WEP key for authenticated client devices Note If you enable TKIP on the access point you do not need to set up a session based WEP key timeout You can use both TKIP and a session key timeout but these features provide redundant protection You should consider several factors when determining the best session key timeout value for your wireless network Consult Product Bulletin ...

Страница 145: ...ess client devices After you provide a network username and password for the repeater radio it authenticates to your network using LEAP Cisco s wireless authentication method and receives and uses dynamic WEP keys See the Setting Up a Repeater Access Point section on page 8 1 for instructions on setting up a repeater access point Follow these steps to enable LEAP authentication on a repeater radio...

Страница 146: ...in the LEAP Password entry field Step 5 Click OK Step 6 Follow the steps in the Enabling EAP on the Access Point section on page 4 20 to enable Network EAP on the repeater access point The next time the repeater reboots it performs LEAP authentication and associates to the root access point Note If the repeater access point fails to authenticate because the root access point or the RADIUS server i...

Страница 147: ...t management system or on a server used for MAC based authentication and you can enable MAC based authentication on one or both of the access point radios This section provides instructions for Enabling MAC Based Authentication on the Access Point Authenticating Client Devices Using MAC Addresses or EAP Enabling MAC Based Authentication in Cisco Secure ACS Enabling MAC Based Authentication on the ...

Страница 148: ...ype a MAC address in the Dest MAC Address field You can type the address with colons separating the character pairs 00 40 96 12 34 56 for example or without any intervening characters 004096123456 for example Make sure the Allowed option is selected under the Dest MAC Address field Step 3 Click Add The MAC address appears in the Existing MAC Address Filters list The MAC address remains in the mana...

Страница 149: ...icate Step 5 Click Apply to save the list of MAC addresses in the access point management system Step 6 Click the Authentication Server link to go to the Authenticator Configuration page Figure 4 11 shows the Authenticator Configuration page Figure 4 11 Authenticator Configuration Page You can configure up to four servers for authentication services so you can set up backup authenticators If you s...

Страница 150: ...n server if one is specified Step 11 Select MAC Address Authentication under the server If you set up a backup authentication server select MAC Address Authentication under the backup server also Step 12 Click OK You return automatically to the Setup page Step 13 Create a list of allowed MAC addresses for your authentication server Enter the MAC addresses of all allowed clients as users in the ser...

Страница 151: ...t Address Filter for each authentication type requiring MAC based authentication For example if the radio is configured for both open and Network EAP authentication you could set Default Unicast Address Filter under Open to Disallowed but leave Default Unicast Address Filter under Network EAP set to Allowed This configuration forces client devices using open authentication to authenticate using MA...

Страница 152: ... up one or both access point radios to authenticate client devices using a combination of MAC based and EAP authentication When you enable this feature client devices that associate to the access point using open authentication first attempt MAC authentication If MAC authentication succeeds the client device joins the network if the client is also using EAP authentication it attempts to authentica...

Страница 153: ...f the client is also using EAP authentication it attempts to authenticate using EAP c If MAC authentication fails for the client the access point allows the client to attempt to authenticate using EAP authentication The client cannot join the network until EAP authentication succeeds Enabling MAC Based Authentication in Cisco Secure ACS Cisco Secure Access Control Server for Windows NT 2000 Server...

Страница 154: ...tep 4 Enter the MAC address in the CHAP MS CHAP ARAP Password and Confirm Password entry fields Step 5 Select the Separate CHAP MS CHAP ARAP checkbox Step 6 Click Submit Repeat these steps for each MAC address you want to add to the list of allowed MAC addresses MAC addresses that you enter in the authentication server s list appear in the access point s address filter list when the client device ...

Страница 155: ...3 Select an 802 1x protocol draft that matches the protocol draft used by client devices that associate with the access point Enter the name or IP address type port shared secret and timeout value for your RADIUS server Select the EAP checkbox under the server On the AP Radio Data Encryption page for the internal radio or the radio module shown in Figure 4 6 Select the Network EAP checkbox Enter a...

Страница 156: ...Note Selecting Require EAP blocks non EAP client devices from using the access point Enter a WEP key in key slot 1 and select 128 bit from the key size pull down menu EAP TLS EAP MD5 and static WEP under 802 11 Open The access point does not support this combination of authentication types When you select Require EAP on the Authenticator Configuration page to authenticate clients using EAP TLS and...

Страница 157: ...the same server for both EAP authentication and MAC based authentication On the AP Radio Advanced page for the internal radio or the radio module shown in Figure 4 12 Select Disallowed from the pull down menu for Default Unicast Address Filter for each authentication type requiring MAC based authentication MAC based and EAP TLS and EAP MD5 Enter the settings for the EAP authentication types you ne...

Страница 158: ...he entry field groups under the completed entry fields for your primary server a Enter the name or IP address of the backup server in the Server Name IP entry field b Enter the port number the server uses for authentication The default setting 1812 is the port setting for Cisco s RADIUS server the Cisco Secure Access Control Server ACS and for many other RADIUS servers Check your server s product ...

Страница 159: ...protects the access point management system from unauthorized access Use the access point s user management pages to define a list of users who are authorized to view and change the access point management system Use the Security Setup page to reach the user management pages Figure 4 14 shows the Security Setup page Note Creating a list of users authorized to view and change the access point manag...

Страница 160: ...age 1 On the Summary Status page click Setup 2 On the Setup page click Security Creating a List of Authorized Management System Users Follow these steps to create a list of users authorized to view and change the access point management system Step 1 Follow the link path to the Security Setup page Step 2 On the Security Setup page click User Information Figure 4 15 shows the User Information page ...

Страница 161: ...er also automatically receives Admin capability SNMP Designates the username as an SNMP community name SNMP management stations can use this SNMP community name to perform SNMP operations The User Manager does not have to be enabled for SNMP communities to operate correctly Note Selecting the SNMP checkbox does not grant SNMP write capability to the user it only designates the username as an SNMP ...

Страница 162: ...ick the browser s Back button to return to the Security Setup page On the Security Setup page click User Manager The User Manager Setup page appears Figure 4 17 shows the User Manager Setup page Figure 4 17 User Manager Setup Page Step 8 Select User Manager Enabled to restrict use of the access point management system to users in the user list Note You must define a full administrator user a user ...

Страница 163: ...r 4 Security Setup Setting Up Administrator Authorization Protect Legal Credit Page Select yes to restrict access to the Legal Credits page to users in the user list Select no to allow any user to view the Legal Credits page Step 9 Click OK You return automatically to the Security Setup page ...

Страница 164: ...Chapter 4 Security Setup Setting Up Administrator Authorization 4 46 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 ...

Страница 165: ...o Discovery Protocol with your wireless networking equipment how to assign a specific network port to a MAC address and how to enable wireless network accounting This chapter contains the following sections Using the Association Table page 5 2 Using the Network Map Window page 5 11 Using Cisco Discovery Protocol page 5 13 Assigning Network Ports page 5 15 Enabling Wireless Network Accounting page ...

Страница 166: ...iation Table page in the command line interface Browsing to Network Devices To browse to a device s browser based interface click the device s IP address in the IP Addr column The home page of the device s management system appears Cisco Aironet access points bridges and workgroup bridges have browser based interfaces and many servers and printers have them also If the device does not have a brows...

Страница 167: ...mns of information that appear in the Association Table and the order in which devices are listed For more information on customizing the Association Table display read the Association Table Display Setup section on page 3 64 Using Station Pages Click a device s MAC address in the Association Table s MAC Addr column to display a Station page for the device Station pages provide an overview of a ne...

Страница 168: ...Chapter 5 Network Management Using the Association Table 5 4 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 Figure 5 2 Station Page 209 165 201 5 ...

Страница 169: ... have them also State Displays the operational state of the wireless station Possible states include Assoc The station is associated with an access point Client stations associated with this access point will also show an Association Identifier AID value that is an index into a table of stations associated with this access point Maximum AID count is 2007 Unauth The station is not authenticated wit...

Страница 170: ...his box if you want detailed packet trace information captured for the Association Table page This option is only available to users with Administrator capability Packets OK Reports the number of good packets coming to the station Total Bytes OK Reports the number of good bytes coming to the station Total Errors Reports the total number of packet errors coming to the station Max Retry Pkts Reports...

Страница 171: ...ate and signal quality information appears on Station pages for client devices On Station pages for access points this area shows network information such as system uptime Parent Displays the system name of the device to which the client bridge or repeater is associated The entry self indicates that the device is associated with this access point Current Rate Reports the current data transmission ...

Страница 172: ...he access point presumes the client device has been turned off See the Settings on the Association Table Advanced Page section on page 3 69 for information on setting timeouts for each device class Communication Over Interface The network port over which the access point or bridge is communicating with the device Echo Packets The link test sequence number it lists the total number of link test pac...

Страница 173: ...ng runs using the values in the Number of Pkts and Pkt Size fields and a ping window appears listing the test results To run the ping again click Test Again Figure 5 3 shows a ping window Figure 5 3 Ping Window Performing a Link Test Follow these steps to perform a link test between the access point and the device described on the Station page Step 1 To customize the size and number of packets sen...

Страница 174: ...ults To run the test again click Test Again To run a continuous link test click Continuous Test Figure 5 4 shows a link test results window Figure 5 4 Link Test Results Window Clearing and Updating Statistics Use the Clear Stats and Refresh buttons to clear and update the Station page statistics Clear Stats Clears all packet octet and error counts and resets the counters to 0 Refresh Updates the c...

Страница 175: ... client to break its current association re evaluate the currently associated access point and determine which of the surrounding access points has the best signal quality to associate with Using the Network Map Window To open the Network Map window click Map at the top of any management system page See the Navigating Using the Map Windows section on page 2 4 for information about the Map page Whe...

Страница 176: ...e access point s local information for that device Click Go beside the device name to open a new browser window displaying that device s home page if available Some devices such as PC card clients do not have browser based interfaces Click show clients to display all the wireless client devices on your network The client names appear under the access point or bridge with which they are associated ...

Страница 177: ...multicast address and each device monitors the messages sent by other devices Information in CDP packets is used in network management software such as CiscoWorks2000 Use the CDP Setup page to adjust the access point s CDP settings CDP is enabled by default Figure 5 6 shows the CDP Setup page Figure 5 6 CDP Setup Page Follow this link path to reach the CDP Setup page 1 On the Summary Status page c...

Страница 178: ...lways be greater than the value in the Packets sent every field Packets sent every The number of seconds between each CDP packet the access point sends The default value is 60 This value should always be less than the packet hold time Individual Port Enable Ethernet When selected the access point sends CDP packets through its Ethernet port and monitors the Ethernet for CDP packets from other devic...

Страница 179: ... Network Ports Assigning Network Ports Use the Port Assignments page to assign a specific network port to a repeater access point or to a non root bridge When you assign specific ports your network topology remains constant even when devices reboot Figure 5 7 shows the Port Assignments page Figure 5 7 Port Assignments Page ...

Страница 180: ... address of the device to which you want to assign the port in the port s Station entry field When you click Apply or OK the port is reserved for that MAC address Enabling Wireless Network Accounting You can enable accounting on the access point to send network accounting information about wireless client devices to a RADIUS server on your network Cisco Secure ACS writes accounting records to a lo...

Страница 181: ... Setup page click Accounting under Services Settings on the Accounting Setup Page The Accounting Setup page contains these settings Enable accounting Select Enabled to turn on accounting for your wireless network Enable delaying to report stop Select this option to delay sending a stop report to the server when a client device disassociates from the access point The delay reduces accounting activi...

Страница 182: ...ng server in the list if one is specified The access point uses backup servers in list order when the previous server times out Enable Update Click the Enable Update checkbox to enable accounting update messages for wireless clients With updates enabled the access point sends an accounting start message when a wireless client associates to the access point sends updates at regular intervals while ...

Страница 183: ...ice disassociates from the access point and the access point sends an ACCT_UPDATE frame to the server periodically while the authenticated client device is associated to the access point Acct Session ID A unique accounting identifier for each connection activity that is bounded by ACCT_START and ACCT_STOP The access point sends this attribute to the server with all three status types User Name The...

Страница 184: ... The number of octets sent on the wireless network through the access point since the client device associated to the access point The access point sends this attribute only with the ACCT_STOP and ACCT_UPDATE status types Acct Input Packets The number of packets received on the wireless network through the access point since the client device associated to the access point The access point sends t...

Страница 185: ...ed and the time that the attribute was sent to the server The access point sends this attribute to the server with all three status types RADIUS_IPADR The IP address of the access point sending the accounting information The access point sends this attribute to the server with all three status types Table 5 1 Accounting Attributes the Access Point Sends to the Accounting Server continued Attribute...

Страница 186: ...Chapter 5 Network Management Enabling Wireless Network Accounting 5 22 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 ...

Страница 187: ...her access points how to distribute the access point s configuration to other access points and how to download upload and reset the access point configuration You use the Cisco Services Setup page as a starting point for all these activities This chapter contains the following sections Updating Firmware page 6 2 Distributing Firmware page 6 8 Distributing a Configuration page 6 9 Downloading Uplo...

Страница 188: ...p Page Follow this link path in the browser interface to reach the Cisco Services Setup page 1 On the Summary Status page click Setup 2 On the Setup page click Cisco Services Setup Updating with the Browser from a Local Drive When you update the firmware with your browser you browse to your hard drive or to a mapped network drive for the new firmware You can update the four firmware components the...

Страница 189: ...components through the browser Step 1 If you know the exact path and filename of the new firmware image file type it in the New File for All Firmware entry field If you aren t sure of the exact path to the new firmware image file click Browse next to the New File entry field When the File Upload window appears go to the directory that contains the firmware image file and select the file Click Open...

Страница 190: ...e Through Browser Page Follow these steps to update one of the firmware components through the browser Step 1 If you know the exact path and filename of the new firmware component type it in the New File for component entry field If you aren t sure of the exact path to the new component click Browse next to the component s New File entry field When the File Upload window appears go to the director...

Страница 191: ...t to update all the components at once but in some situations you might want to update them individually Full Update of the Firmware Components To update all the firmware components at the same time click From File Server on the Fully Update Firmware line on the Cisco Services Setup page The Update All Firmware From File Server page appears Figure 6 4 shows the Update All Firmware From File Server...

Страница 192: ...e server where the access point should look for FTP files c In the FTP Directory entry field enter the directory on the server where FTP files are located d In the FTP User Name entry field enter the user name assigned to the FTP server If you selected TFTP you can leave this field blank e In the FTP Password entry field enter the password associated with the user name If you selected TFTP you can...

Страница 193: ...ely Update Firmware line on the Cisco Services Setup page The Update Firmware From File Server page appears Figure 6 6 shows the Update Firmware From File Server page Figure 6 6 Update Firmware From File Server Page To update one of the three firmware components from the file server follow the steps listed in the Full Update of the Firmware Components section on page 6 5 but in Step 3 type the fil...

Страница 194: ...es Have their web servers enabled for external browsing see the Entering Web Server Settings and Setting Up Access Point Help section on page 3 55 Have the same HTTP port setting as the distributing access point the HTTP port setting is on the Web Server Setup page Have a Default Gateway setting other than the default setting which is 255 255 255 255 the Default Gateway setting is on the Express S...

Страница 195: ...ents individually select no for Distribute All Firmware and click the checkboxes for the components you want to distribute Step 3 Click Start The access point s firmware is distributed to the access points on your network To cancel the distribution click Abort When the distribution is complete the access points that received the firmware automatically reboot Distributing a Configuration Use the Di...

Страница 196: ...tain in their User Lists a user with the same user name password and capabilities as the user performing the distribution the person logged in on the distributing access point Figure 6 8 Distribute Configuration Page Follow this link path in the browser interface to reach the Distribute Configuration page 1 On the Summary Status page click Setup 2 On the Setup page click Cisco Services Setup 3 On ...

Страница 197: ...t systems An access point accepts distributed firmware and configurations only if its user manager contains a user with the same user name password and capabilities as the user performing the distribution the person logged in on the distributing access point Follow these steps to limit distributions Step 1 On the distributing access point browse to the Security Setup page and create a new user and...

Страница 198: ...a local drive upload a configuration from a local drive or file server and reset the configuration to default settings You can also use the System Configuration Setup page to restart the access point Figure 6 9 shows the System Configuration Setup page Figure 6 9 System Configuration Setup Page Follow this link path in the browser interface to reach the System Configuration Setup page 1 On the Sum...

Страница 199: ...ave the current non default configuration including the access point s IP address click Download Non Default System Configuration To save the current default and non default configuration including the access point s IP address click Download All System Configuration If your web browser is Netscape Communicator use your right mouse button to click the download configuration links and select Save l...

Страница 200: ...click Browse next to the entry field When the File Upload window appears go to the directory that contains the configuration file and select the file Click Open Step 3 When the filename appears in the Additional System Configuration File entry field click Browser Update Now The configuration file is loaded and applied in the access point Uploading from a File Server Follow these steps to upload a ...

Страница 201: ...s c In the FTP Directory entry field enter the directory on the server where FTP files are located d In the FTP User Name entry field enter the user name assigned to the FTP server If you selected TFTP you can leave this field blank e In the FTP Password entry field enter the password associated with the user name If you selected TFTP you can leave this field blank f Click OK You return automatica...

Страница 202: ...e reset the configuration to defaults Reset System Factory Defaults Except IP Identity this button returns all access point settings to their factory defaults except The access point s IP address subnet mask default gateway and boot protocol The users in the User Manager list The SNMP Administrator Community name Reset All System Factory Defaults this button returns all access point settings to th...

Страница 203: ...m Factory Defaults to reset the configuration to the default settings including the IP identity Note If you reset the access point s IP identity you might lose your browser connection to the access point Restarting the Access Point Use the System Configuration Setup page to restart the access point Click Warm Restart System Now to perform a warm restart of the access point A warm restart reboots t...

Страница 204: ...Chapter 6 Managing Firmware and Configurations Downloading Uploading and Resetting the Configuration 6 18 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 ...

Страница 205: ...iguration Guide OL 2159 03 7 Management System Setup This chapter explains how to set up your access point to use SNMP Telnet or the console port to manage the access point This chapter contains the following sections SNMP Setup page 7 2 Console and Telnet Setup page 7 5 ...

Страница 206: ...he SNMP Setup page Figure 7 1 SNMP Setup Page Follow this link path to reach the SNMP Setup page 1 On the Summary Status page click Setup 2 On the Setup page click SNMP in the Services section of the page Settings on the SNMP Setup Page The SNMP Setup page contains the following settings Simple Network Management Protocol SNMP Select Enabled to use SNMP with the access point System Description The...

Страница 207: ...ress of the SNMP management station If your network uses DNS enter a host name that resolves into an IP address SNMP Trap Community The SNMP community name required by the trap destination before it records traps sent by the access point The Browse Management Information Base MIB link at the bottom of the SNMP Setup page leads to the Database Query page Using the Database Query Page Use the Databa...

Страница 208: ...ck Get to find an object s value Set Click Set to assign a value to an object Reset Click Reset to return the page to default settings Changing Settings with the Database Query Page Follow these steps to change an access point setting from the Database Query page Step 1 Type the object identifier OID in the OID field You can use the integer or ASCII version of the OID If you use the integer versio...

Страница 209: ...onsole Telnet Setup page 1 On the Summary Status page click Setup 2 On the Setup page click Console Telnet in the Services section of the page Settings on the Console Telnet Page The Console Telnet Setup page contains the following settings Baud Rate The rate of data transmission expressed in bits per second Select a baud rate from 110 to 115 200 depending on the capability of the computer you use...

Страница 210: ...ed setting is ANSI which offers graphic features such as reverse video buttons and underlined links Not all terminal emulators support ANSI so the default setting is Teletype Columns Defines the width of the terminal emulator display within the range of 64 characters to 132 characters Adjust the value to get the optimum display for your terminal emulator Lines Defines the height of the terminal em...

Страница 211: ...er contains the following sections Setting Up a Repeater Access Point page 8 1 Using Hot Standby Mode page 8 5 Setting Up a Repeater Access Point A repeater access point is not connected to the wired LAN it is placed within radio range of an access point connected to the wired LAN to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication Note Non Cisco c...

Страница 212: ...ll configure the access point through the Ethernet port using a crossover cable when the repeater link is disactivated Figure 8 1 shows an access point acting as a repeater Figure 8 1 Access Point as Repeater You can set up a chain of several repeater access points but throughput for client devices at the end of the repeater chain will be quite low Because each repeater must receive and then re tr...

Страница 213: ... label on the bottom of the access point Step 3 The repeater access point will need to duplicate some of the root access point s settings If the root access point has been completely configured browse to the root access point and write down the following settings so you can refer to them when you set up the repeater access point SSID for the root radio found on the Express Setup page Default IP Su...

Страница 214: ... access point s Summary Status page If the repeater access point has never been configured before the Express Setup page will appear instead of the Summary Status page Step 9 On the Express Setup page enter the same SSID that is set on the root access point Note Step 10 and Step 11 describe assigning a static IP address subnet mask and gateway to the repeater However you can rely on your DHCP serv...

Страница 215: ...evices associated to it The repeater s status LED is steady for 7 8 of a second and off for 1 8 of a second when it is associated to the root access point but has no client devices associated to it The repeater access point should also appear as associated to the root access point in the root access point s Association Table Using Hot Standby Mode Hot Standby mode designates an access point as a b...

Страница 216: ...ent devices associated to the standby access point lose their connections during the hot standby setup process Follow these steps to enable Hot Standby mode Step 1 On the standby access point duplicate the settings that are entered on the monitored access point Critical settings include SSID found on the Express Setup page Default IP Subnet Mask also on the Express Setup page Default Gateway also ...

Страница 217: ...nitored AP entry field Step 7 Enter the number of seconds between each query the standby access point sends to the monitored access point Step 8 Enter the number of seconds the standby access point should wait for a response from the monitored access point before it assumes that the monitored access point has malfunctioned Step 9 Click Start Hot Standby Mode The standby access point becomes a clie...

Страница 218: ...Chapter 8 Special Configurations Using Hot Standby Mode 8 8 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 ...

Страница 219: ...sic problems with the access point For the most up to date detailed troubleshooting information refer to the Cisco TAC website at http www cisco com tac Select Wireless LAN under Top Issues Sections in this chapter include Using Diagnostic Pages page 9 2 Using Command Line Diagnostics page 9 20 Tracing Packets page 9 33 Checking the Top Panel Indicators page 9 37 Checking Basic Settings page 9 40 ...

Страница 220: ...page is described in the sections below Radio Diagnostics Page Use the Radio Diagnostics page to test antenna alignment between two wireless networking devices and to examine the radio spectrum in which the access point operates The antenna alignment test helps you find the best alignment for a repeater access point s directional antenna and the carrier test helps you determine which radio frequen...

Страница 221: ...onstantly updated display in the Alignment Test window as you adjust the antenna You can run the antenna alignment test only on access points configured with the following Role in Radio Network settings Repeater Access Point Site Survey Client To run the antenna alignment test on a root access point change the Role in Radio Network setting on the Express Setup page Choose the number of seconds you...

Страница 222: ... to see the relevant data If results for several devices were displayed it would be difficult to focus on the device with which you were trying to align the access point s antenna Each data sample is listed in the data columns The columns provide the following information ID The sequence number of the data sample The most recent sample appears at the top of the column Name The system name of each ...

Страница 223: ...st measures the amount of radio activity on each frequency available to the access point s internal radio The access point does not perform the carrier test for the radio module Use the carrier test to determine the best frequency for the access point to use When you conduct a carrier test make sure all wireless networking devices within range of the access point are operating to make the test res...

Страница 224: ...ed is labeled on the top left of the graph In this example the highest percentage used for any frequency is 77 The access point s available frequencies are listed vertically across the bottom of the graph from 2412 to 2462 GHz The access point s channel 1 is 2412 GHz channel 2 is 2417 GHz and so on up to channel 11 which is 2462 GHz The bar graph on the right side of the window displays the amount...

Страница 225: ...age example Figure 9 4 Network Ports Page Click the Network link at the top of any main management system page to reach the Network Ports page or click Network Ports on the Summary Status home page The Network Diagnostics link at the top of the Network Ports page leads to the Cisco Network Diagnostics page where you can select diagnostic tests The Network Ports table is divided into three sections...

Страница 226: ...econd IP Addr The IP address for the port When the access point is set up in standby mode the Ethernet and radio ports use different IP addresses Use the AP Radio Identification page to assign an IP address to the radio port that is different from the Ethernet IP address See the Settings on the AP Radio Identification Page section on page 3 20 for details on the AP Radio Identification page MAC Me...

Страница 227: ...kets transmitted in point to point communication Multicast pkts The number of packets transmitted that were sent as a transmission to a set of nodes Total bytes Total number of bytes transmitted from the port Errors The number of packets determined to be in error Discards The number of packets discarded by the access point due to errors or network congestion Forwarded pkts The number of packets tr...

Страница 228: ...lowing sections Configuration Information The top row of the Configuration section of the table contains a Set Properties link that leads to the Ethernet Hardware page Status of fec0 Fast Ethernet Controller is part of Motorola s naming convention for the Ethernet device used by the access point This field displays one of the three possible operating states for the port The added term primary iden...

Страница 229: ...tal Errors Total number of packets determined to be in error Discarded Packets Packets discarded due to errors or network congestion Forwardable Packets Packets received by the port that were acceptable or passable through the filters Filtered Packets Packets that were stopped or screened by the filters set up on the port Packet CRC Errors Cyclic redundancy check CRC errors that were detected in a...

Страница 230: ...errors or network congestion Forwarded Packets The number of packets transmitted by the port that were acceptable or passable through the filters Max Retry Packets Packets which failed after being retried several times Total Collisions The number of packet collisions that occurred through this port Late Collisions Packet errors that were likely caused by overlong wiring problems Could also indicat...

Страница 231: ...ch row in the table is explained below Configuration Information The top row of the Configuration section of the table contains a Set Properties link that leads to the AP Radio Hardware page See the Entering Radio Hardware Information section on page 3 22 for details on the AP Radio Hardware page Status of awc0 awc0 Aironet Wireless Communications is part of Cisco Aironet s naming convention for t...

Страница 232: ...on with client devices Transmit Power mW The power level of radio transmission You can reduce the transmit power to conserve power or reduce interference Click Set Properties to display the AP Radio Hardware page where you can change this setting Receive Statistics Unicast Packets The number of packets received in point to point communication Multicast Packets The number of packets received that w...

Страница 233: ...ion with the MMH algorithm specifically due to sequence number and duplicate packet errors MIC Auth Errors Total number of packets received over this radio since system startup that failed MIC validation with the MMH algorithm specifically due to cryptographic key mismatch errors Transmit Statistics Unicast Packets The number of packets transmitted in point to point communication Multicast Packets...

Страница 234: ... calculation with the MMH algorithm before being submitted for transmission over this radio since system startup Display Options Figure 9 6 shows the basic AP Radio Port page Three display options provide more details on the port configuration and operating statistics The basic page provides all the information needed to monitor and administer the port in normal operation You might need the other ...

Страница 235: ...in management system page to reach the Event Log page Display Settings Use the entry fields and the buttons at the top of the page to control the event list Fields and buttons include Index Specifies the first event to display in the event list The most recent event is 0 earlier events are numbered sequentially To apply your entry click Apply New Number of Events Specifies the number of events dis...

Страница 236: ...ential error condition Alert magenta Indicates that an event occurred which was pre selected as something to be recorded in the log A typical example of an alert would be a packet error condition The Station page provides check boxes that activate reporting of packet errors to and from the station as alerts in the event log FATAL red An event which prevents operation of the port or device For oper...

Страница 237: ...hooting Using Diagnostic Pages Event Log Summary Page The Event Log Summary page lists the total number of events that occurred at each severity level Figure 9 8 shows an Event Log Summary page example Figure 9 8 Event Log Summary Page Click the Severity heading on the Event Log page to reach the Event Log Summary page ...

Страница 238: ...iption of that command s results Table 9 1 CLI Diagnostic Commands Command Information Displayed eap_diag1_on authentication progress for client devices authenticating through the access point eap_diag2_on packet contents of each authentication step for client devices authenticating through the access point vxdiag_arpshow the ARP table vxdiag_checkstack task stack on the access point vxdiag_hostsh...

Страница 239: ...rt menu select Programs Accessories Telnet If Telnet is not listed in your Accessories menu select Start Run enter Telnet in the entry field and press Enter Step 2 When the Telnet window appears click Connect and select Remote System Note In Windows 2000 the Telnet window does not contain pull down menus To start the Telnet session in Windows 2000 enter open followed by the access point s IP addre...

Страница 240: ...ket for client Yakima RADIUS Received session timeout request of 60 seconds RADIUS Sending EAPOL packet to client RADIUS ACCEPT for Yakima RADIUS Found Cisco key RADIUS Sending EAPOL multicast key RADIUS Sending EAPOL session key parameters EAP Key set for client Yakima The EAP and RADIUS prefixes show which system process is handling the communication Follow the steps in the Entering Diagnostic C...

Страница 241: ...mware dk RFC rfc rfc2865 html as well as on many other websites The IEEE s 802 1x authentication standard helps define the content of packets sent between client devices and the access point and is available to IEEE members at http www ieee org Follow the steps in the Entering Diagnostic Commands section on page 9 21 to open the CLI and enter the eap_diag2_on command vxdiag_arpshow Use the vxdiag_...

Страница 242: ... in the Entering Diagnostic Commands section on page 9 21 to open the CLI and enter the vxdiag_arpshow command 0x8 Host or net is unreachable 0x10 Created dynamically by redirect 0x20 Modified dynamically by redirect 0x40 Message confirmed 0x80 Subnet mask is present 0x100 Generate new routes on use 0x200 External daemon resolves name 0x400 Generated by ARP 0x800 Manually added static 0x1000 Just ...

Страница 243: ...InTas 0x000002e858 98fb88 16368 1416 2376 13992 These are the descriptions of the information in each column Name name of the task Entry entry point the top level function of the task TID task identifier the task control block Size stack size in bytes CUR current number of bytes of stack in use High highest number of bytes of stack which have been in use Margin the difference between the stack siz...

Страница 244: ...nostic Commands section on page 9 21 to open the CLI and enter the vxdiag_hostshow command vxdiag_i Use the vxdiag_i command to display a list of current tasks on the access point A portion of the access point s task list display might look like this example NAME ENTRY TID PRI STATUS PC SP ERRNO DELAY tExcTask 1a1fd0 fd4e80 0 PEND 1d9aac fd4da0 3006b 0 tSysIntegri1b188 a3b1c0 0 SUSPEND 1c06ac a3ae...

Страница 245: ...curs Ready The task is ready to run Delay The task issued a delay command and will not run until the delay time elapses PC program counter a memory address of the task SP stack pointer another memory address of the task ERRNO error number the latest error reported by any function called by the task Delay delay interval in system clock ticks 1 52 second that must elapse before the task runs Follow ...

Страница 246: ...th IP length less than the IP header length Infragments number of packets received that were fragmented Fragdropped number of fragmented packets received that were dropped Fragtimeout number of fragmented packets received that timed out Forward number of packets forwarded Cantforward number of packets received for an unreachable destination Redirectsent number of packets forwarded in the same subn...

Страница 247: ... described in bytes blocks the memory for each status described in contiguous blocks indicates the level of fragmentation in the access point s memory avg block the average block size simply put the number in the bytes column divided by the number in the blocks column max block the maximum contiguous memory block available Follow the steps in the Entering Diagnostic Commands section on page 9 21 t...

Страница 248: ...cription Aironet 802 11 Bridge Driver Protocol AWC Packet Router Type 257 Recv 0x5ad0c Shutdown 0x5fbd0 Protocol AWC DDP Protocol Type 34605 Recv 0x6986c Shutdown 0x6a728 Device rptr Unit 2 Follow the steps in the Entering Diagnostic Commands section on page 9 21 to open the CLI and enter the vxdiag_muxshow command vxdiag_routeshow Use the vxdiag_routeshow command to display current routing inform...

Страница 249: ...nd to display Transmission Control Protocol TCP statistics for the access point The TCP statistics might look like this example TCP 3370 packets sent 1576 data packets 714752 bytes 3 data packets 1613 bytes retransmitted 1252 ack only packets 1 delayed 0 URG only packet 1 window probe packet 0 window update packet 538 control packets 3327 packets received 1564 acks for 710621 bytes 23 duplicate ac...

Страница 250: ...opped by keepalive 63 pcb cache lookups failed Follow the steps in the Entering Diagnostic Commands section on page 9 21 to open the CLI and enter the vxdiag_tcpstatshow command vxdiag_udpstatshow Use the vxdiag_udpstatshow command to display User Datagram Protocol UDP statistics for the access point The UDP statistics might look like this example UDP 9244 total packets 9227 input packets 17 outpu...

Страница 251: ... trace log file Use the instructions in the Tracing Packets for Specific Devices section on page 9 34 and the Tracing Packets for Ethernet and Radio Ports section on page 9 35 to select devices and ports to be traced Follow these steps to reserve access point memory for a packet trace log file Step 1 Use the Event Handling Setup page to enter instructions for the size of the packets you want to mo...

Страница 252: ...ant to trace packets and click the device s MAC address The device s Station page appears Step 3 On the device s Station page click the alert checkbox in the To Station header to trace packets sent to the device Click the alert checkbox in the From Station header to trace packets the device sends Note Copying packets into access point memory slows the access point s performance When you finish tra...

Страница 253: ...thernet in the yellow header row To trace packets sent or received through the access point s radio port click AP Radio in the yellow header row The Ethernet Port or AP Radio Port page appears Step 3 Click the alert checkbox in the Receive header to trace packets received through the Ethernet or radio port Click the alert checkbox in the Transmit header to trace packets sent through the Ethernet o...

Страница 254: ...ted packet information Step 3 A File Download window appears asking if you want to save the access point name _trace log file or open it Choose to save or open the file and click OK A portion of the Headers Only packet trace file might look like this example Beginning of AP_North Detailed Trace Log 04 46 14 17174 384615 Station Alert 00 01 64 43 ef 41Aironet 40 6f e6Aironet 40 6f e6 0x0000 04 47 3...

Страница 255: ...0 00 00 00 00 00 J o dC A _ o T JCOOL IBM W2K 04 47 37 83 326923 Station Alert 00 01 64 43 ef 41 Aironet 00 40 96 40 6f e6 Aironet 00 40 96 36 14 5a 0x0000 00 4a 40 81 00 40 96 36 14 5a 00 01 64 43 ef 41 01 7f 00 04 5f 00 00 40 96 40 6f e6 00 00 00 00 00 00 00 00 00 00 0a 54 8b a4 00 00 44 57 49 4c 4c 2d 49 42 4d 2d 57 32 4b 00 00 00 00 00 00 00 00 00 J 6 Z dC A _ o T JCOOL IBM W2K End of AP_North...

Страница 256: ...h any wireless devices Steady green indicates that the access point is associated with a wireless client For repeater access points blinking 50 on 50 off indicates the repeater is not associated with the root access point blinking 7 8 on 1 8 off indicates that the repeater is associated with the root access point but no client devices are associated with the repeater steady green indicates that th...

Страница 257: ...are associated check the unit s SSID and WEP settings Operational Steady green Blinking green Transmitting receiving radio packets Blinking green Steady green Transmitting receiving packets Steady green Blinking amber Maximum retries or buffer full occurred on one of the radios Error warning Blinking amber Steady green Transmit receive errors Blinking red Ethernet cable is disconnected 340 series ...

Страница 258: ... Step 4 To make the indicators stop blinking and return to normal operation select Disabled for the Locate unit by flashing LEDs option and click Apply Checking Basic Settings Mismatched basic settings are the most common causes of lost connectivity with wireless clients If the access point does not communicate with client devices check the following settings SSID Wireless clients attempting to as...

Страница 259: ... 802 1x Protocol Drafts Note This section applies to wireless networks set up to use LEAP If you do not use LEAP on your wireless network you can skip this section Wireless client devices use Extensible Authentication Protocol EAP to log onto a network and generate a dynamic client specific WEP key for the current logon session If your wireless network uses WEP without EAP client devices use the s...

Страница 260: ...ow these steps to set the draft for your access point Step 1 Browse to the Authenticator Configuration page in the access point management system a On the Summary Status page click Setup b On the Setup page click Security c On the Security Setup page click Authentication Server PC PCI cards 4 23 x PC PCI cards 4 25 and later x WGB34x 352 8 58 x WGB34x 352 8 61 or later x AP34x 35x 11 05 and earlie...

Страница 261: ...n 4 25 or later Functionality in Draft 10 is equivalent to the functionality in Draft 11 the ratified draft of the 802 1X standard Step 3 Click Apply or OK to apply the setting The access point reboots Resetting to the Default Configuration If you forget the password that allows you to configure the access point you might need to completely reset the configuration Follow the steps below to delete ...

Страница 262: ...o parity 1 stop bit and No flow control Step 6 Click OK and press Enter Step 7 When the Summary Status screen appears reboot the access point by unplugging the power connector and then plugging it back in Step 8 When the access point reboots and the Summary Status screen reappears type resetall and press Enter Step 9 Type yes and press Enter to confirm the command Note The resetall command is vali...

Страница 263: ...evels and Antenna Gains This appendix lists the IEEE 802 11a and IEEE 802 11b channels supported by the world s regulatory domains as well as the maximum power levels and antenna gains allowed per domain The following topics are covered in this appendix Channels page A 2 Maximum Power Levels and Antenna Gains page A 4 ...

Страница 264: ...el are listed in Table A 1 Note All channel sets are restricted to indoor usage except the Americas A which allows for indoor and outdoor use on channels 52 through 64 in the United States Table A 1 Channels for IEEE 802 11a Channel Identifier Frequency in MHz Regulatory Domains Americas A Japan J Singapore S Taiwan T 34 5170 X 36 5180 X X 38 5190 X 40 5200 X X 42 5210 X 44 5220 X X 46 5230 X 48 5...

Страница 265: ... channels 1 through 8 are for indoor use only while channels 9 through 11 can be used indoors and outdoors Users are responsible for ensuring that the channel set configuration complies with the regulatory standards of Mexico Table A 2 Channels for IEEE 802 11b Channel Identifier Frequency in MHz Regulatory Domains Americas A EMEA E Israel I China C Japan J 1 2412 X X X X 2 2417 X X X X 3 2422 X X...

Страница 266: ... and Antenna Gains For IEEE 802 11a An improper combination of power level and antenna gain can result in equivalent isotropic radiated power EIRP above the amount allowed per regulatory domain Table A 3 indicates the maximum power levels and antenna gains allowed for each IEEE 802 11a regulatory domain Table A 3 Maximum Power Levels Per Antenna Gain for IEEE 802 11a Regulatory Domain Maximum Powe...

Страница 267: ...sotropic radiated power EIRP above the amount allowed per regulatory domain Table A 4 indicates the maximum power levels and antenna gains allowed for each IEEE 802 11b regulatory domain Table A 4 Maximum Power Levels Per Antenna Gain for IEEE 802 11b Regulatory Domain Antenna Gain dBi Maximum Power Level mW Americas A 4 watts EIRP maximum 0 100 2 2 100 5 2 100 6 100 8 5 100 12 100 13 5 100 21 20 ...

Страница 268: ...Israel I 100 mW EIRP maximum 0 100 2 2 50 5 2 30 6 30 8 5 5 12 5 13 5 5 21 1 China C 10 mW EIRP maximum 0 5 2 2 5 5 2 n a 6 n a 8 5 n a 12 n a 13 5 n a 21 n a Japan J 10 mW MHz EIRP maximum 0 50 2 2 30 5 2 30 6 30 8 5 n a 12 n a 13 5 5 21 n a Table A 4 Maximum Power Levels Per Antenna Gain for IEEE 802 11b continued Regulatory Domain Antenna Gain dBi Maximum Power Level mW ...

Страница 269: ...Protocols on the Ethertype Filters Page Table B 2 Protocols on the IP Protocol Filters Page Table B 3 Protocols on the IP Port Protocol Filters Page In each table the Protocol column lists the protocol name and the Additional Identifier column lists other names for the same protocol You can type either name in the Special Cases field on the Filter Set page to select the protocol Table B 3 also lis...

Страница 270: ...x0800 Berkeley Trailer Negotiation 0x1000 LAN Test 0x0708 X 25 Level3 X 25 0x0805 Banyan 0x0BAD CDP 0x2000 DEC XNS XNS 0x6000 DEC MOP Dump Load 0x6001 DEC MOP MOP 0x6002 DEC LAT LAT 0x6004 Ethertalk 0x809B Appletalk ARP Appletalk AARP 0x80F3 IPX 802 2 0x00E0 IPX 802 3 0x00FF Novell IPX old 0x8137 Novell IPX new IPX 0x8138 EAPOL old 0x8180 EAPOL new 0x888E Telxon TXP TXP 0x8729 Aironet DDP DDP 0x87...

Страница 271: ... Identifier ISO Designator dummy 0 Internet Control Message Protocol ICMP 1 Internet Group Management Protocol IGMP 2 Transmission Control Protocol TCP 6 Exterior Gateway Protocol EGP 8 PUP 12 CHAOS 16 User Datagram Protocol UDP 17 XNS IDP IDP 22 ISO TP4 TP4 29 ISO CNLP CNLP 80 Banyan VINES VINES 83 Encapsulation Header encap_hdr 98 Spectralink Voice Protocol SVP Spectralink 119 raw 255 ...

Страница 272: ...pmux 1 echo 7 discard 9 9 systat 11 11 daytime 13 13 netstat 15 15 Quote of the Day qotd quote 17 Message Send Protocol msp 18 ttytst source chargen 19 FTP Data ftp data 20 FTP Control 21 ftp 21 Secure Shell 22 ssh 22 Telnet 23 Simple Mail Transport Protocol SMTP mail 25 time timserver 37 Resource Location Protocol RLP 39 IEN 116 Name Server name 42 whois nicname 43 43 Domain Name Server DNS domai...

Страница 273: ...iso tsap 102 CSO Name Server cso ns csnet ns 105 Remote Telnet rtelnet 107 Postoffice v2 POP2 POP v2 109 Postoffice v3 POP3 POP v3 110 Sun RPC sunrpc 111 tap ident authentication auth 113 sftp 115 uucp path 117 Network News Transfer Protocol Network News readnews nntp 119 USENET News Transfer Protocol Network News readnews nntp 119 Network Time Protocol ntp 123 Table B 3 Protocols on the IP Port P...

Страница 274: ... ISO CMIP Management Over IP CMIP Management Over IP cmip man CMOT 163 ISO CMIP Agent Over IP cmip agent 164 X Display Manager Control Protocol xdmcp 177 NeXTStep Window Server NeXTStep 178 Border Gateway Protocol BGP 179 Prospero 191 Internet Relay Chap IRC 194 SNMP Unix Multiplexer smux 199 AppleTalk Routing at rtmp 201 AppleTalk name binding at nbp 202 AppleTalk echo at echo 204 AppleTalk Zone ...

Страница 275: ...526 courier RPC 530 conference chat 531 netnews 532 netwall wall 533 UUCP Daemon UUCP uucpd 540 Kerberos rlogin klogin 543 Kerberos rsh kshell 544 rfs_server remotefs 556 Kerberos kadmin kerberos adm 749 network dictionary webster 765 SUP server supfilesrv 871 swat for SAMBA swat 901 SUP debugging supfiledbg 1127 ingreslock 1524 Prospero non priveleged prospero np 1525 RADIUS 1812 Table B 3 Protoc...

Страница 276: ...0 Series Access Point Software Configuration Guide OL 2159 03 Concurrent Versions System CVS 2401 Cisco IAPP 2887 Radio Free Ethernet RFE 5002 Table B 3 Protocols on the IP Port Protocol Filters Page continued Protocol Additional Identifier ISO Designator ...

Страница 277: ...maximum number of 3 34 associations allowed more than 20 workgroup bridges 3 35 Association table Association Table Advanced page 3 68 Association Table page 5 2 Station page 5 3 authentication server Authentication Server Setup page 4 21 backup servers 4 40 EAP 4 5 port setting 4 23 shared secret 4 23 authentication types combining MAC based and EAP 4 34 LEAP 4 24 Network EAP 4 4 open 4 7 shared ...

Страница 278: ...d 9 25 Cisco Discovery Protocol MIB 2 11 Cisco Secure ACS enabling EAP 4 25 setting session based WEP key timeout 4 26 classify workgroup bridges as network infrastructure 3 35 CLI auto apply 2 9 common functions 2 7 diagnostics 9 20 terminal emulator settings 2 6 client devices browsing to 5 2 deauthenticating 5 11 disassociating 5 11 EAP settings 4 24 in network map 2 5 Station page information ...

Страница 279: ... Require EAP setting 4 23 setting up in Cisco Secure ACS 4 25 setting up on the access point 4 20 setting WEP key timeout 4 26 EIRP maximum A 5 to A 6 encryption See WEP ensure compatibility with 3 8 Ethernet configuration advanced settings 3 46 hardware settings 3 43 identity settings 3 41 speed 3 44 Ethernet encapsulation type 3 36 Ethernet indicator 9 38 Ethernet Port page 9 9 Event Log page 9 ...

Страница 280: ...y features 1 2 key hashing WEP 4 16 Kilomicroseconds in beacon period 3 27 L LEAP enabling on a repeater access point 4 27 with Network EAP setting 4 19 LED indicators Ethernet 9 38 locate unit by flashing LEDs 9 40 radio traffic 9 38 status 9 38 limiting distributions 6 11 link test 5 8 load balancing 3 35 locate unit by flashing LEDs 9 40 logs 9 17 M MAC address 3 3 MAC address filters 3 14 MAC ...

Страница 281: ...ndow 2 5 Network Ports page 9 7 O OK button 2 3 optimize radio network for 3 8 P packet tracing 9 33 parity 2 7 password reset 9 43 pings 5 8 ports assigning to MAC addresses 5 15 power level maximum A 5 to A 6 power level setting 3 26 preamble 3 40 primary port 3 21 protocol filters enabling filters 3 14 forward or block 3 12 list of available protocols B 1 priorities 3 12 time to live setting 3 ...

Страница 282: ...ict searched channels 3 29 roaming 1 3 role in radio network 3 5 root unit 3 5 routing setup 3 61 RTS retries and threshold 3 27 S search for less congested channel restrict searched channels 3 29 security Cisco Secure ACS 4 25 overview 4 2 Security Setup page 4 42 user manager 4 41 serial number radio 3 21 serial number system 3 42 server setup boot server 3 51 FTP 3 60 name server 3 58 routing 3...

Страница 283: ...3 50 TKIP 4 16 top panel indicators 9 37 tracing packets 9 33 transmit antenna 3 29 transmit power 3 26 U unicast packets filtering 3 39 updating firmware 6 2 user management capabilities 4 43 creating list of authorized users 4 42 user information 4 42 V vendor class identifier 3 55 W warm restart 6 17 Web based interface common buttons 2 3 compatible browsers 2 2 Web server 3 55 WEP broadcast ke...

Страница 284: ...Index IN 8 Cisco Aironet 1200 Series Access Point Software Configuration Guide OL 2159 03 workgroup bridges allowing more than 20 to associate 3 35 World mode 3 25 ...

Отзывы:

Нет отзывов