User's Manual
Table Of Contents
- Welcome to the Product Guide!
- Legal Information
- Obtaining Documentation
- Documentation Feedback
- Cisco Product Security Overview
- Obtaining Technical Assistance
- Obtaining Additional Publications and Information
- FCC Statements for Cisco 1000 Series Lightweight Access Points
- Industry Canada Required User Information for Cisco 1000 Series Lightweight Access Points
- FCC Statements for Cisco 4100 Series Wireless LAN Controllers
- FCC Statements for Cisco 2000 Series Wireless LAN Controllers
- Safety Considerations
- OVERVIEWS
- About the Cisco Structured Wireless-Aware Network
- Single-Cisco Wireless LAN Controller Deployments
- Multiple-Cisco Wireless LAN Controller Deployments
- About the Operating System Software
- About Operating System Security
- About Cisco SWAN Wired Security
- Layer 2 and Layer 3 LWAPP Operation
- About Radio Resource Management (RRM)
- About the Master Cisco Wireless LAN Controller
- About the Primary, Secondary, and Tertiary Cisco Wireless LAN Controllers
- About Client Roaming
- About Client Location
- About External DHCP Servers
- About Controller Mobility Groups
- About Cisco SWAN Wired Connections
- About Cisco SWAN WLANs
- About Access Control Lists
- About Identity Networking
- About File Transfers
- About Power Over Ethernet
- Pico Cell Functionality
- Intrusion Detection Service (IDS)
- About Cisco Wireless LAN Controllers
- About Cisco 2000 Series Wireless LAN Controllers
- Cisco 4100 Series Wireless LAN Controllers
- Cisco Wireless LAN Controller Features
- Cisco 2000 Series Wireless LAN Controller Model Numbers
- Cisco 4100 Series Wireless LAN Controller Model Numbers
- Appliance Mode
- About Distribution System Ports
- About the Management Interface
- About the AP-Manager Interface
- About Operator-Defined Interfaces
- About the Virtual Interface
- About the Service Port
- About the Service-Port Interface
- About the Startup Wizard
- About Cisco Wireless LAN Controller Memory
- Cisco Wireless LAN Controller Failover Protection
- Cisco Wireless LAN Controller Automatic Time Setting
- Cisco Wireless LAN Controller Time Zones
- Network Connection to Cisco Wireless LAN Controllers
- VPN/Enhanced Security Module
- About Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Points
- About Cisco 1030 IEEE 802.11a/b/g Remote Edge Lightweight Access Points
- About Cisco 1000 Series Lightweight Access Point Models
- About Cisco 1000 Series Lightweight Access Point External and Internal Antennas
- About Cisco 1000 Series Lightweight Access Point LEDs
- About Cisco 1000 Series Lightweight Access Point Connectors
- About Cisco 1000 Series Lightweight Access Point Power Requirements
- About Cisco 1000 Series Lightweight Access Point External Power Supply
- About Cisco 1000 Series Lightweight Access Point Mounting Options
- About Cisco 1000 Series Lightweight Access Point Physical Security
- About Cisco 1000 Series Lightweight Access Point Monitor Mode
- About Rogue Access Points
- About the Cisco Wireless Control System
- About the Web User Interface
- About the Command Line Interface
- About the Cisco Structured Wireless-Aware Network
- SOLUTIONS
- Operating System Security
- Converting a Cisco SWAN from Layer 2 to Layer 3 Mode
- Converting a Cisco SWAN from Layer 3 to Layer 2 Mode
- Configuring a Firewall for Cisco WCS
- Configuring the System for SpectraLink NetLink Telephones
- Using Management over Wireless
- Configuring a WLAN for a DHCP Server
- Customizing the Web Auth Login Screen
- Configuring Identity Networking for Operating System 2.2
- TASKS
- Using the Cisco SWAN CLI
- Configuring Cisco Wireless LAN Controllers
- Collecting Cisco Wireless LAN Controller Parameters
- Configuring System Parameters
- Configuring Cisco Wireless LAN Controller Interfaces
- Creating Access Control Lists
- Configuring WLANs
- Configuring Controller Mobility Groups
- Configuring RADIUS
- Configuring SNMP
- Configuring Other Ports and Parameters
- Adding SSL to the Web User Interface
- Transferring Files To and From a Cisco Wireless LAN Controller
- Updating the Operating System Software
- Using the Startup Wizard
- Adding SSL to the Web User Interface
- Adding SSL to the 802.11 Interface
- Saving Configurations
- Clearing Configurations
- Erasing the Cisco Wireless LAN Controller Configuration
- Resetting the Cisco Wireless LAN Controller
- Using the Cisco Wireless Control System
- Starting and Stopping Windows Cisco WCS
- Starting and Stopping Linux Cisco WCS
- Starting and Stopping the Cisco WCS Web Interface
- Using Cisco WCS
- Checking the Cisco SWAN Network Summary
- Adding a Cisco Wireless LAN Controller to Cisco WCS
- Creating an RF Calibration Model
- Adding a Campus Map to the Cisco WCS Database
- Adding a Building to a Campus
- Adding a Standalone Building to the Cisco WCS Database
- Adding an Outdoor Area to a Campus
- Adding Floor Plans to a Campus Building
- Adding Floor Plans to a Standalone Building
- Adding APs to Floor Plan and Outdoor Area Maps
- Monitoring Predicted Coverage (RSSI)
- Monitoring Channels on Floor Map
- Monitoring Transmit Power Levels on a Floor Map
- Monitoring Coverage Holes on a Floor Map
- Monitoring Users on a Floor Map
- Monitoring Clients From a Floor Map
- Troubleshooting with Cisco WCS
- Detecting and Locating Rogue Access Points
- Acknowledging Rogue APs
- Locating Clients
- Finding Coverage Holes
- Pinging a Network Device from a Cisco Wireless LAN Controller
- Viewing Current Cisco Wireless LAN Controller Status and Configurations
- Viewing Cisco WCS Statistics Reports
- Updating OS Software from Cisco WCS
- Managing Cisco WCS and Database
- Installing Cisco WCS
- Updating Windows Cisco WCS
- Updating Linux Cisco WCS
- Reinitializing the Windows Cisco WCS Database
- Reinitializing the Linux Cisco WCS Database
- Administering Cisco WCS Users and Passwords
- Using the Web User Interface
- Troubleshooting Tips
- REFERENCES
3/11/05 Access Control Lists
OL-7426-02
If Management over Wireless is enabled across the Cisco SWAN, the Network operator can manage the
System across the enabled WLAN using CLI and Telnet (Command Line Interface), http/https (Web
User Interface), and SNMP (Cisco Wireless Control System).
To configure the Cisco SWAN WLANs, refer to Configuring WLANs.
About Access Control ListsAccess Control Lists
The Operating System allows you to define up to 64 Access Control Lists (ACLs), similar to standard
firewall Access Control Lists. Each ACL can have up to 64 Rules (filters).
Operators can use ACLs to control client access to multiple VPN servers within a given WLAN. If all the
clients on a WLAN must access a single VPN server, use the IPSec/VPN Gateway Passthrough setting in
IPSec Passthrough
, WLANs > Edit or Configure <IPaddr> > WLAN > Add From Template section.
After they are defined, the ACLs can be applied to the Management Interface
, the AP-Manager Inter-
face, or any of the Operator-Defined Interfaces.
Refer to Access Control Lists > New
in the Web User Interface Online Help or Creating Access Control
Lists in the Configuring the Cisco Wireless LAN Controllers sections for instructions on how to configure
the Access Control Lists.
About Identity NetworkingIdentity Networking
Cisco Wireless LAN Controllers can have the following parameters applied to all clients associating with
a particular WLAN: QoS, global or Interface-specific DHCP server, Layer 2 and Layer 3 Security Policies,
and default Interface (which includes physical port, VLAN and ACL assignments).
However, the Cisco Wireless LAN Controller can also have individual clients (MAC addresses) override
the preset WLAN parameters by using MAC Filtering or by Allowing AAA Override parameters. This
configuration can be used, for example, to have all company clients log into the corporate WLAN, and
then have clients connect using different QoS, DHCP server, Layer 2 and Layer 3 Security Policies, and
Interface (which includes physical port, VLAN and ACL assignments) settings on a per-MAC Address
basis.
When Network operators configure MAC Filtering for a client, they can assign a different VLAN to the
MAC Address, which can be used to have OS automatically reroute the client to the Management
Interface or any of the Operator-Defined Interfaces, each of which have their own VLAN, ACL, DHCP
server, and physical port assignments. This MAC Filtering can be used as a coarse version of AAA
Override, and normally takes precedence over any AAA (RADIUS or other) Override.
However, when Allow AAA Override
is enabled, the RADIUS (or other AAA) server can alternatively be
configured to return QoS and ACL on a per-MAC Address basis. Allow AAA Override gives the AAA
Override precedence over the MAC Filtering parameters set in the Cisco Wireless LAN Controller; if
there are no AAA Overrides available for a given MAC Address, the OS uses the MAC Filtering parame-
ters already in the Cisco Wireless LAN Controller. This AAA (RADIUS or other) Override can be used as
a finer version of AAA Override, but only takes precedence over MAC Filtering when Allow AAA Override
is enabled.
Note that in all cases, the Override parameters (Operator-Defined Interface and QoS, for example)
must already be defined in the Cisco Wireless LAN Controller configuration.
In all cases, the OS will use QoS and ACL provided by the AAA server or MAC Filtering regardless of the
Layer 2 and/or Layer 3 authentication used.
Also note that the OS will only move clients from the default Cisco SWAN WLAN VLAN to a different
VLAN when configured for MAC filtering, 802.1X, and/or WPA Layer 2 authentication.
To configure the Cisco SWAN WLANs, refer to Configuring WLANs.