Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
Cisco IOS Releases 15.2(2)JA, 12.4(25d)JA, and 12.3(8)JEE
August 2012

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
C O N T E N T S Audience Purpose i-xix i-xx Organization i-xx Conventions i-xxi Related Publications i-xxiv Obtaining Documentation, Obtaining Support, and Security Guidelines CHAPTER 1 Overview 1-1 Features 1-2 Features Introduced in This Release Management Options Roaming Client Devices 1-2 1-3 1-4 Network Configuration Examples 1-4 Root Access Point 1-4 Repeater Access Point 1-5 Bridges 1-5 Workgroup Bridge 1-6 Central Unit in an All-Wireless Network CHAPTER 2 i-xxiv Using the Web-Bro
Contents Getting Help 3-3 Abbreviating Commands 3-3 Using no and default Forms of Commands Understanding CLI Messages 3-4 3-4 Using Command History 3-4 Changing the Command History Buffer Size 3-5 Recalling Commands 3-5 Disabling the Command History Feature 3-5 Using Editing Features 3-6 Enabling and Disabling Editing Features 3-6 Editing Commands Through Keystrokes 3-6 Editing Command Lines that Wrap 3-7 Searching and Filtering Output of show and more Commands Accessing the CLI 3-9 Opening the CLI
Contents Using the Express Security Page 4-20 CLI Configuration Examples 4-21 Configuring System Power Settings for 1040, 1130, 1140, 1240, 1250, and 1260 Series Access Points 4-26 Using the AC Power Adapter 4-26 Using a Switch Capable of IEEE 802.3af Power Negotiation 4-26 Using a Switch That Does Not Support IEEE 802.3af Power Negotiation 4-27 Using a Power Injector 4-27 dot11 extension power native Command 4-27 Support for 802.11n Performance on 1250 Series Access Points with Standard 802.
Contents Default TACACS+ Configuration 5-15 Configuring TACACS+ Login Authentication 5-15 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Displaying the TACACS+ Configuration 5-17 Configuring Ethernet Speed and Duplex Settings 5-18 Configuring the Access Point for Wireless Network Management 5-18 Configuring the Access Point for Local Authentication and Authorization Configuring the Authentication Cache and Profile Configuring Client ARP Caching 5-26 Understanding Cli
Contents Default Banner Configuration 5-35 Configuring a Message-of-the-Day Login Banner Configuring a Login Banner 5-37 5-35 Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode 5-37 Migrating to Japan W52 Domain 5-37 Verifying the Migration 5-39 Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging CLI Command 5-40 CHAPTER 6 Configuring Radio Settings 5-39 6-1 Enabling the Radio Interface 6-2 Configuring the Role in Radio Network 6-2 Universal Workgroup
Contents Configuring Transmit and Receive Antennas 6-26 Enabling and Disabling Gratuitous Probe Response Disabling and Enabling Aironet Extensions 6-27 6-28 Configuring the Ethernet Encapsulation Transformation Method Enabling and Disabling Reliable Multicast to Workgroup Bridges Enabling and Disabling Public Secure Packet Forwarding Configuring Protected Ports 6-31 Configuring the Beacon Period and the DTIM Configure RTS Threshold and Retries 6-29 6-30 6-32 6-32 Configuring the Maximum Data Retr
Contents CLI Configuration Example 7-10 Displaying Configured BSSIDs 7-10 Assigning IP Redirection for an SSID 7-11 Guidelines for Using IP Redirection 7-12 Configuring IP Redirection 7-12 Including an SSID in an SSIDL IE 7-13 NAC Support for MBSSID 7-13 Configuring NAC for MBSSID CHAPTER 8 7-16 Configuring Spanning Tree Protocol 8-1 Understanding Spanning Tree Protocol 8-2 STP Overview 8-2 1300 and 350 Series Bridge Interoperability 8-3 Access Point/Bridge Protocol Data Units 8-3 Election of the S
Contents Configuring Other Access Points to Use the Local Authenticator 9-6 Configuring EAP-FAST Settings 9-7 Configuring PAC Settings 9-7 Configuring an Authority ID 9-8 Configuring Server Keys 9-8 Possible PAC Failures Caused by Access Point Clock 9-8 Limiting the Local Authenticator to One Authentication Type 9-9 Unblocking Locked Usernames 9-9 Viewing Local Authenticator Statistics 9-9 Using Debug Messages 9-10 CHAPTER 10 Configuring Cipher Suites and WEP 10-1 Understanding Cipher Suites and WEP
Contents CHAPTER 12 Applying an EAP Profile to the Fast Ethernet Interface Applying an EAP Profile to an Uplink SSID 11-19 11-18 Matching Access Point and Client Device Authentication Types 11-19 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services 12-1 Understanding WDS 12-2 Role of the WDS Device 12-2 Role of Access Points Using the WDS Device Understanding Fast Secure Roaming Understanding Radio Management Understanding Layer 3 Mobility 12-3 12-3 12-5
Contents Configuring Access Points to Participate in WIDS 12-29 Configuring the Access Point for Scanner Mode 12-29 Configuring the Access Point for Monitor Mode 12-29 Displaying Monitor Mode Statistics 12-30 Configuring Monitor Mode Limits 12-31 Configuring an Authentication Failure Limit 12-31 Configuring WLSM Failover 12-31 Resilient Tunnel Recovery 12-31 Active/Standby WLSM Failover 12-32 CHAPTER 13 Configuring RADIUS and TACACS+ Servers 13-1 Configuring and Enabling RADIUS 13-1 Understanding RADI
Contents CHAPTER 14 Configuring VLANs 14-1 Understanding VLANs 14-2 Related Documents 14-3 Incorporating Wireless Devices into VLANs 14-4 Configuring VLANs 14-4 Configuring a VLAN 14-5 Assigning Names to VLANs 14-7 Guidelines for Using VLAN Names 14-7 Creating a VLAN Name 14-8 Using a RADIUS Server to Assign Users to VLANs 14-8 Using a RADIUS Server for Dynamic Mobility Group Assignment Viewing VLANs Configured on the Access Point 14-9 VLAN Configuration Example CHAPTER 15 Configuring QoS 14-9 1
Contents Configuring Filters Using the CLI 16-2 Configuring Filters Using the Web-Browser Interface 16-3 Configuring and Enabling MAC Address Filters 16-3 Creating a MAC Address Filter 16-4 Using MAC Address ACLs to Block or Allow Client Association to the Access Point Creating a Time-Based ACL 16-8 ACL Logging 16-9 CLI Configuration Example 16-9 Configuring and Enabling IP Filters 16-9 Creating an IP Filter 16-11 Configuring and Enabling Ethertype Filters 16-12 Creating an Ethertype Filter 16-13 CHAPTE
Contents SNMP Examples 18-10 Displaying SNMP Status CHAPTER 19 18-12 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Understanding Repeater Access Points Configuring a Repeater Access Point Default Configuration 19-4 Guidelines for Repeaters 19-4 Setting Up a Repeater 19-5 19-2 19-3 Aligning Antennas 19-6 Verifying Repeater Operation 19-6 Setting Up a Repeater As a LEAP Client Setting Up a Repeater As a WPA Client Understanding Hot Standby 19-1 19-7 19-8 19-9 Configurin
Contents Deleting Files 20-5 Creating, Displaying, and Extracting tar Files 20-5 Creating a tar File 20-5 Displaying the Contents of a tar File 20-6 Extracting a tar File 20-7 Displaying the Contents of a File 20-7 Working with Configuration Files 20-7 Guidelines for Creating and Using Configuration Files 20-8 Configuration File Types and Location 20-9 Creating a Configuration File by Using a Text Editor 20-9 Copying Configuration Files by Using TFTP 20-9 Preparing to Download or Upload a Configuration Fil
Contents Browser HTTP Interface 20-32 Browser TFTP Interface 20-33 CHAPTER 21 Configuring System Message Logging 21-1 Understanding System Message Logging 21-2 Configuring System Message Logging 21-2 System Log Message Format 21-2 Default System Message Logging Configuration 21-3 Disabling and Enabling Message Logging 21-4 Setting the Message Display Destination Device 21-5 Enabling and Disabling Timestamps on Log Messages 21-6 Enabling and Disabling Sequence Numbers in Log Messages 21-6 Defining th
Contents Using the CLI 22-25 Reloading the Access Point Image 22-26 Using the MODE button 22-27 Using the Web Browser Interface 22-27 Browser HTTP Interface 22-28 Browser TFTP Interface 22-28 Using the CLI 22-29 Obtaining the Access Point Image File 22-30 Obtaining TFTP Server Software 22-31 Image Recovery on the 1520 Access Point APPENDIX A Protocol Filters APPENDIX B Supported MIBs MIB List A-1 B-1 B-1 Using FTP to Access the MIB Files APPENDIX C 22-31 Error and Event Messages Conventions
Preface

Revised: August 30, 2012
OL-21881-03

Audience

This guide is for the networking professional who installs and manages Cisco Aironet Access Points. To use this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of wireless local area networks. The guide covers Cisco IOS Releases 15.2(2)JA, 12.4(25d)JA, and 12.3(8)JEE. Cisco IOS Releases 15.2(2)JA and 12.
Purpose

This guide provides the information you need to install and configure your access point. It provides procedures for using the Cisco IOS software commands that have been created or changed for use with the access point. It does not provide detailed information about these commands; for that, refer to the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges for this release.
Chapter 12, “Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services,” describes how to configure the access point to participate in WDS, to allow fast reassociation of roaming client services, and to participate in radio management.
Conventions

Interactive examples use these conventions:
• Terminal sessions and system displays are in screen font.
• Information you enter is in boldface screen font.
• Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).

Notes, cautions, and timesavers use these conventions and symbols:

Tip Means the following will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information.
Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. (Translations of the warnings in this publication can be found in the appendix titled “Translated Safety Warnings”.)
Related Publications

These documents provide complete information about the access point:
• Getting Started Guide: Cisco Aironet 1040 Series Access Points
• Getting Started Guide: Cisco Aironet 1260 Series Access Points
• Release Notes for Cisco Aironet Access Points and Bridges for Cisco IOS Release 12.4(24d)JA and 12.
Chapter 1 Overview

Cisco Aironet Access Points (hereafter called access points) provide a secure, affordable, and easy-to-use wireless LAN solution that combines mobility and flexibility with the enterprise-class features required by networking professionals. With a management system based on Cisco IOS software, Cisco Aironet access points are Wi-Fi certified, 802.11a-compliant, 802.11b-compliant, 802.11g-compliant, and 802.11n-compliant wireless LAN transceivers.
• The 1300 series outdoor access point/bridge uses an integrated antenna and can be configured to use external, dual-diversity antennas.
• The 2600 series access point contains dual-band radios (2.4 GHz and 5 GHz) with integrated and external antenna options. The access points support full interoperability with leading 802.11n clients, and support a mixed deployment with other access points and controllers.
Table 1-2 New Cisco IOS Software Features for Cisco IOS Release 15.
Management Options

You can use the wireless device management system through the following interfaces:
• The Cisco IOS command-line interface (CLI), which you use through a console port or Telnet session. Use the interface dot11radio global configuration command to place the wireless device into the radio configuration mode. Most of the examples in this manual are taken from the CLI.
Figure 1-1 Access Points as Root Units on a Wired LAN

Repeater Access Point

An access point can be configured as a stand-alone repeater to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication. The repeater forwards traffic between wireless users and the wired LAN by sending packets to either another repeater or to an access point connected to the wired LAN.
Bridges

The 1140, 1200, 1240, and 1250 series access points and the 1300 access point/bridge can be configured as root or non-root bridges. In this role, an access point establishes a wireless link with a non-root bridge. Traffic is passed over the link to the wired LAN. Access points in root and non-root bridge roles can be configured to accept associations from clients. Figure 1-3 shows an access point configured as a root bridge with clients.
you can connect the printers to a hub or to a switch, connect the hub or switch to the access point Ethernet port, and configure the access point as a workgroup bridge. The workgroup bridge associates to an access point on your network. If your access point has multiple radios, either radio can function in workgroup bridge mode. When you configure one radio interface as a workgroup bridge, the other radio interface is automatically disabled.
Chapter 2 Using the Web-Browser Interface

This chapter describes the web-browser interface that you can use to configure the wireless device.
Using the Web-Browser Interface for the First Time

Use the wireless device IP address to browse to the management system. See the “Logging into the Access Point” section on page 4-3 for instructions on assigning an IP address to the wireless device. Follow these steps to begin using the web-browser interface:

Step 1 Start the browser.
Using Action Buttons

Table 2-1 lists the page links and buttons that appear on most management pages.
Character Restrictions in Entry Fields

Because the 1200 series access point uses Cisco IOS software, there are certain characters that you cannot use in the entry fields on the web-browser interface. You cannot use these characters in entry fields:
• “ (double quotation mark)
• ]
• +
• /
• Tab
• Trailing space

Enabling HTTPS for Secure Browsing

You can protect communication with the access point web-browser interface by enabling HTTPS.
Figure 2-2 Express Setup Page

Step 3 Enter a name for the access point in the System Name field and click Apply.
Step 4 Browse to the Services – DNS page. Figure 2-3 shows the Services – DNS page.
Figure 2-3 Services – DNS Page

Step 5 Select Enable for Domain Name System.
Step 6 In the Domain Name field, enter your company domain name. At Cisco Systems, for example, the domain name is cisco.com.
Step 7 Enter at least one IP address for your DNS server in the Name Server IP Addresses entry fields.
Step 8 Click Apply. The access point FQDN is a combination of the system name and the domain name.
Step 10 Browse to the Services: HTTP Web Server page. Figure 2-4 shows the HTTP Web Server page.

Figure 2-4 Services: HTTP Web Server Page

Step 11 Select the Enable Secure (HTTPS) Browsing check box and click Apply.
Step 12 Enter a domain name and click Apply.

Note Although you can enable both standard HTTP and HTTPS, we recommend that you enable one or the other.
Step 14 Another warning window appears stating that the access point security certificate is valid but is not from a known source. However, you can accept the certificate with confidence because the site in question is your own access point. Figure 2-6 shows the certificate warning window.

Figure 2-6 Certificate Warning Window

Step 15 Click View Certificate to accept the certificate before proceeding.
Figure 2-7 Certificate Window

Step 16 On the Certificate window, click Install Certificate. The Microsoft Windows Certificate Import Wizard appears. Figure 2-8 shows the Certificate Import Wizard window.
Figure 2-8 Certificate Import Wizard Window

Step 17 Click Next. The next window asks where you want to store the certificate. We recommend that you use the default storage area on your system. Figure 2-9 shows the window that asks about the certificate storage area.

Figure 2-9 Certificate Storage Area Window

Step 18 Click Next to accept the default storage area.
Figure 2-10 Certificate Completion Window

Step 19 Click Finish. Windows displays a final security warning. Figure 2-11 shows the security warning.

Figure 2-11 Certificate Security Warning

Step 20 Click Yes. Windows displays another window stating that the installation is successful. Figure 2-12 shows the completion window.
Figure 2-12 Import Successful Window

Step 21 Click OK.
Step 22 On the Certificate window shown in Figure 2-7, which is still displayed, click OK.
Step 23 On the Security Alert window shown in Figure 2-6, click Yes.
Step 24 The access point login window appears and you must log into the access point again. The default user name is Cisco (case-sensitive) and the default password is Cisco (case-sensitive).
Using Online Help

Click the help icon at the top of any page in the web-browser interface to display online help. Figure 2-13 shows the help and print icons.

Figure 2-13 Help and Print Icons

When a help page appears in a new browser window, use the Select a topic drop-down menu to display the help index or instructions for common configuration tasks, such as configuring VLANs.
Table 2-2 shows an example help location and Help Root URL for an 1100 series access point.

Table 2-2 Example Help Root URL and Help Location

Files Unzipped at This Location    Default Help Root URL      Actual Location of Help Files
//myserver/myhelp                  http://myserver/myhelp     //myserver/myhelp/123-02.JA/1100

Step 5 Click Apply.
Chapter 3 Using the Command-Line Interface

This chapter describes the Cisco IOS command-line interface (CLI) that you can use to configure the wireless device.
Cisco IOS Command Modes

The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode. When you start a session on the wireless device, you begin in user mode, often called user EXEC mode. A subset of the Cisco IOS commands is available in user EXEC mode.
Getting Help

You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 3-2.

Table 3-2 Help Summary

Command: help
Purpose: Obtains a brief description of the help system in any command mode.

Command: abbreviated-command-entry?
Purpose: Obtains a list of commands that begin with a particular character string.
Using no and default Forms of Commands

Most configuration commands also have a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface. Use the command without the keyword no to re-enable a disabled feature or to enable a feature that is disabled by default.
Changing the Command History Buffer Size

By default, the wireless device records ten command lines in its history buffer. Beginning in privileged EXEC mode, enter this command to change the number of command lines that the wireless device records during the current terminal session:

ap# terminal history [size number-of-lines]

The range is from 0 to 256.
Using Editing Features

This section describes the editing features that can help you manipulate the command line. It contains these sections:
• Enabling and Disabling Editing Features, page 3-6
• Editing Commands Through Keystrokes, page 3-6
• Editing Command Lines that Wrap, page 3-7

Enabling and Disabling Editing Features

Although enhanced editing mode is automatically enabled, you can disable it.
Table 3-5 Editing Commands Through Keystrokes (continued)

Capability: Delete entries if you make a mistake or change your mind.
  Delete or Backspace: Erase the character to the left of the cursor.
  Ctrl-D: Delete the character at the cursor.
  Ctrl-K: Delete all characters from the cursor to the end of the command line.

Capability: Capitalize or lowercase words or capitalize a set of letters.
In this example, the access-list global configuration command entry extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left.
Accessing the CLI

You can open the wireless device CLI using Telnet or Secure Shell (SSH).

Opening the CLI with Telnet

Follow these steps to open the CLI with Telnet. These steps are for a PC running Microsoft Windows with a Telnet terminal application. Check your PC operating instructions for detailed instructions for your operating system.

Step 1 Select Start > Programs > Accessories > Telnet.
Chapter 4 Configuring the Access Point for the First Time

This chapter describes how to configure basic settings on the wireless device for the first time. The contents of this chapter are similar to the instructions in the quick start guide that shipped with the wireless device.
Before You Start

• A system name for the wireless device
• The case-sensitive wireless service set identifier (SSID) for your radio network
• If not connected to a DHCP server, a unique IP address for the wireless device (such as 172.17.255.
Step 7 Click the Reset to Defaults button to reset all settings, including the IP address, to factory defaults. To reset all settings except the IP address to defaults, click the Reset to Defaults (Except IP) button.

Resetting to Default Settings Using the CLI

Caution You should never delete any of the system files prior to resetting defaults or reloading software.
Obtaining and Assigning an IP Address

• Telnet (if the AP is configured with an IP address)
• console port

Note Not all models of Cisco Aironet Access Points have the console port. If the access point does not have a console port, use either the GUI or Telnet for access. For information on logging into the AP through the GUI, refer to Using the Web-Browser Interface for the First Time, page 2-2.
Default IP Address Behavior

When you connect a 1040, 1130AG, 1140, 1200, 1240, 1250, 1260, 2600 access point, or 1300 series access point/bridge with a default configuration to your LAN, the access point requests an IP address from your DHCP server and, if it does not receive an address, continues to send requests indefinitely.
Note When you connect your PC to the access point or reconnect your PC to the wired LAN, you might need to release and renew the IP address on the PC. On most PCs, you can perform a release and renew by rebooting your PC or by entering ipconfig /release and ipconfig /renew commands in a command prompt window. Consult your PC operating instructions for detailed instructions.
Step 3 When connected, press Enter or type en to access the command prompt. Pressing Enter takes you to the user EXEC mode. Entering en prompts you for a password, then takes you to the privileged EXEC mode. The default password is Cisco and is case-sensitive.

Note When your configuration changes are completed, you must remove the serial cable from the access point.
Default Radio Settings

Beginning with Cisco IOS Release 12.3(8)JA, access point radios are disabled and no default SSID is assigned. This was done to prevent unauthorized users from accessing a customer wireless network through an access point that has a default SSID and no security settings. You must create an SSID before you can enable the access point radio interfaces.
Figure 4-1 Summary Status Page

Step 5 Click Express Setup. The Express Setup screen appears. Figure 4-2 and Figure 4-3 show the Express Setup page for the 1100 series access points. Your pages may differ depending on the access point model you are using.
Figure 4-2 Express Setup Page for 1100 Series Access Points

Figure 4-3 Express Setup Page for 1130, 1200, and 1240 Series Access Points

Note Figure 4-3 shows the Express Setup page for an 1130 series access point. The 1200 series is similar, but does not support the universal workgroup bridge role.
Figure 4-4 Express Setup Page for 1040, 1140, 1260 and 1260 Series Access Points
Figure 4-5 Express Setup Page for the 1300 Series Access Point/Bridge

Step 6 Enter the configuration settings you obtained from your system administrator. The configurable settings include:

• Host Name—The host name, while not an essential setting, helps identify the wireless device on your network. The host name appears in the titles of the management system pages.
• IP Address—Use this setting to assign or change the wireless device IP address. If DHCP is enabled for your network, leave this field blank.

Note If the wireless device IP address changes while you are configuring the wireless device using the web-browser interface or a Telnet session over the wired LAN, you lose your connection to the wireless device.
• Optimize Radio Network for—Use this setting to select either preconfigured settings for the wireless device radio or customized settings for the wireless device radio.
  – Throughput—Maximizes the data volume handled by the wireless device, but might reduce its range.
  – Range—Maximizes the wireless device range but might reduce throughput.
  – Default—Sets the default values for the access point.
Table 4-1 Default Settings on the Express Setup Page (continued)

Setting: IP Subnet Mask
Default: Assigned by DHCP by default; if DHCP is disabled, the default setting is 255.255.255.224

Setting: Default Gateway
Default: Assigned by DHCP by default; if DHCP is disabled, the default setting is 0.0.0.
Configuring Basic Security Settings

After you assign basic settings to the wireless device, you must configure security settings to prevent unauthorized access to your network. Because it is a radio device, the wireless device can communicate beyond the physical boundaries of your worksite.
Understanding Express Security Settings

The SSIDs that you create using the Express security page appear in the SSID table at the bottom of the page. You can create up to 16 SSIDs on the wireless device. On dual-radio wireless devices, the SSIDs that you create are enabled on both radio interfaces. In Cisco IOS Release 12.4(23c)JA and 12.xxx, there is no default SSID.
Express Security Types

Table 4-2 describes the four security types that you can assign to an SSID.

Table 4-2 Security Types on Express Security Setup Page

Security Type: No Security
Description: This is the least secure option. You should use this option only for SSIDs used in a public space and assign it to a VLAN that restricts access to your network.
Security Features Enabled: None.
Table 4-2 Security Types on Express Security Setup Page (continued)

Security Type: EAP Authentication
Description: This option enables 802.1X authentication (such as LEAP, PEAP, EAP-TLS, EAP-FAST, EAP-TTLS, EAP-GTC, EAP-SIM, and other 802.1X/EAP based products).
Security Features Enabled: Mandatory 802.1X authentication. Client devices that associate using this SSID must perform 802.1X authentication.
Express Security Limitations

Because the Express Security page is designed for simple configuration of basic security, the options available are a subset of the wireless device security capabilities. Keep these limitations in mind when using the Express Security page:

• If the No VLAN option is selected, the static WEP key can be configured once. If you select Enable VLAN, the static WEP key should be disabled.
Chapter 4 Configuring the Access Point for the First Time Configuring Basic Security Settings CLI Configuration Examples The examples in this section show the CLI commands that are equivalent to creating SSIDs using each security type on the Express Security page.
Chapter 4 Configuring the Access Point for the First Time Configuring Basic Security Settings
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 20 key 3 size 128bit 7 FFD518A21653687A4251AEE1230C transmit-key
 encryption vlan 20 mode wep mandatory
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.
Chapter 4 Configuring the Access Point for the First Time Configuring Basic Security Settings Example: EAP Authentication This example shows part of the configuration that results from using the Express Security page to create an SSID called eap_ssid, excluding the SSID from the beacon, and assigning the SSID to VLAN 30: Note The following warning message appears if your radio clients are using EAP-FAST and you do not include open authentication with EAP as part of the configuration: SSID CONFIG WARNIN
Chapter 4 Configuring the Access Point for the First Time Configuring Basic Security Settings ! interface Dot11Radio0/1.
Chapter 4 Configuring the Access Point for the First Time Configuring Basic Security Settings aaa new-model ! ! aaa group server radius rad_eap server 10.91.104.
Chapter 4 Configuring System Power Settings for 1040, 1130, 1140, 1240, 1250, and 1260 Series Access Points Configuring the Access Point for the First Time bridge-group 1 no bridge-group 1 source-learning bridge-group 1 spanning-disabled ! interface FastEthernet0.
Chapter 4 Configuring the Access Point for the First Time Configuring System Power Settings for 1040, 1130, 1140, 1240, 1250, and 1260 Series Access Points Using a Switch That Does Not Support IEEE 802.3af Power Negotiation If you use a switch to provide Power over Ethernet (PoE) to the 1040, 1130, or 1140 access point, and the switch does not support the IEEE 802.3af power negotiation standard, select Pre-Standard Compatibility on the System Software: System Configuration page.
Chapter 4 Configuring the Access Point for the First Time Assigning an IP Address Using the CLI Table 4-3 Inline Power Options based on Access Point Radio Configuration
Columns: Data Rate | Number of Transmitters | Cyclic Shift Diversity (CSD) | Maximum Transmit Power (dBm)1 in 802.3af Mode (15.4W) | Maximum Transmit Power (dBm)1 in Enhanced PoE Power Optimized Mode (16.8 W) | Maximum Transmit Power (dBm)1 in Enhanced PoE Mode (20 W)
802.11b | 1 | N/A | 20 | 20 | 20
802.11g | 1 | N/A | 17 | 17 | 17
2.4 GHz 802.
Chapter 4 Configuring the Access Point for the First Time Using a Telnet Session to Access the CLI Using a Telnet Session to Access the CLI Follow these steps to access the CLI by using a Telnet session. These steps are for a PC running Microsoft Windows with a Telnet terminal application. Check your PC operating instructions for detailed instructions for your operating system. Step 1 Select Start > Programs > Accessories > Telnet.
Chapter 4 Configuring the Access Point for the First Time Configuring the 802.1X Supplicant Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 dot1x credentials profile Creates a dot1x credentials profile and enters the dot1x credentials configuration submode. Step 3 anonymous-id description (Optional)—Enter the anonymous identity to be used.
Chapter 4 Configuring the Access Point for the First Time Configuring the 802.1X Supplicant Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface fastethernet 0 Enter the interface configuration mode for the access point Fast Ethernet port. Note You can also use interface fa0 to enter the Fast Ethernet configuration mode. Step 3 dot1x credentials profile-name Enter the name of a previously created credentials profile.
Chapter 4 Configuring the Access Point for the First Time Configuring the 802.1X Supplicant
repeater-ap#config terminal
Enter configuration commands, one per line. End with CTRL-Z.
repeater-ap(config-if)#dot11 ssid testap1
repeater-ap(config-ssid)#dot1x credentials test
repeater-ap(config-ssid)#end
repeater-ap(config)
Creating and Applying EAP Method Profiles You can optionally configure an EAP method list to enable the supplicant to recognize a particular EAP method.
CH A P T E R 5 Administering the Access Point This chapter describes how to administer the wireless device.
Chapter 5 Administering the Access Point Disabling the Mode Button Disabling the Mode Button You can disable the mode button on access points having a console port by using the [no] boot mode-button command. This command prevents password recovery and is used to prevent unauthorized users from gaining access to the access point CLI. Caution This command disables password recovery.
Chapter 5 Administering the Access Point Preventing Unauthorized Access to Your Access Point Preventing Unauthorized Access to Your Access Point You can prevent unauthorized users from reconfiguring the wireless device and viewing configuration information. Typically, you want network administrators to have access to the wireless device while you restrict access to users who connect through a terminal or workstation from within the local network.
Chapter 5 Administering the Access Point Protecting Access to Privileged EXEC Commands Default Password and Privilege Level Configuration Table 5-1 shows the default password and privilege level configuration. Table 5-1 Default Password and Privilege Levels
Feature: Username and password. Default Setting: Default username is Cisco and the default password is Cisco.
Feature: Enable password and privilege level. Default Setting: Default password is Cisco. The default is level 15 (privileged EXEC level).
Chapter 5 Administering the Access Point Protecting Access to Privileged EXEC Commands Command Purpose Step 3 end Return to privileged EXEC mode. Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. The enable password is not encrypted and can be read in the wireless device configuration file. This example shows how to change the enable password to l1u2c3k4y5.
Chapter 5 Administering the Access Point Protecting Access to Privileged EXEC Commands Protecting Enable and Enable Secret Passwords with Encryption To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands.
Chapter 5 Administering the Access Point Protecting Access to Privileged EXEC Commands If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels.
Chapter 5 Administering the Access Point Protecting Access to Privileged EXEC Commands To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command. You must have at least one username configured and you must have login local set to open a Telnet session to the wireless device.
Chapter 5 Administering the Access Point Controlling Access Point Access with RADIUS Step 3 Command Purpose enable password level level password Specify the enable password for the privilege level. • For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. • For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
Chapter 5 Administering the Access Point Controlling Access Point Access with RADIUS RADIUS provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.3.
Chapter 5 Administering the Access Point Controlling Access Point Access with RADIUS Step 3 Command Purpose aaa authentication login {default | list-name} method1 [method2...] Create a login authentication method list. • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
Chapter 5 Administering the Access Point Controlling Access Point Access with RADIUS Defining AAA Server Groups You can configure the wireless device to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
Chapter 5 Administering the Access Point Controlling Access Point Access with RADIUS Step 3 Command Purpose radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] Specify the IP address or host name of the remote RADIUS server host. • (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
Chapter 5 Administering the Access Point Controlling Access Point Access with RADIUS To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command.
Chapter 5 Administering the Access Point Controlling Access Point Access with TACACS+ Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command. Displaying the RADIUS Configuration To display the RADIUS configuration, use the show running-config privileged EXEC command.
Chapter 5 Administering the Access Point Controlling Access Point Access with TACACS+ authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list. A method list describes the sequence and authentication methods to be queried to authenticate a user.
Chapter 5 Administering the Access Point Controlling Access Point Access with TACACS+ To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
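The method-list rules stated above (the list named default applies to every line unless the line names its own list; a named list overrides default), worked through in code. This is an added example, not Cisco software: it parses a constructed AAA fragment (group name rad_admin and the line ranges are placeholders) and resolves the effective list per line. The authenticate function models standard IOS list-walking behaviour that this page does not spell out: the next method in a list is consulted only when the previous one returns an error (for example, the server group is unreachable), never when it returns a reject.

```python
"""Resolve which login authentication method list applies to each line.

Added example, not Cisco code. The configuration below is constructed;
'rad_admin' and the line ranges are placeholders.
"""
import re

SAMPLE_AAA = """\
aaa new-model
aaa authentication login default local
aaa authentication login admins group rad_admin local
line con 0
line vty 0 4
 login authentication admins
line vty 5 15
"""


def parse_method_lists(text):
    """Return ({list-name: [tokens]}, {line: named-list-or-None})."""
    lists, lines_, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = re.match(r"aaa authentication login (\S+) (.+)", raw)
        if m:
            lists[m.group(1)] = m.group(2).split()   # e.g. ['group', 'rad_admin', 'local']
            continue
        if raw.startswith("line "):
            current = raw.strip()
            lines_[current] = None                  # no 'login authentication' yet
        elif raw.startswith(" ") and current:
            m = re.match(r"login authentication (\S+)", raw.strip())
            if m:
                lines_[current] = m.group(1)
    return lists, lines_


def methods(tokens):
    """Turn ['group', 'rad_admin', 'local'] into ['group rad_admin', 'local']."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group":
            out.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def effective_list(text):
    """Map each line to (list name, ordered methods); named list overrides default."""
    if not any(l.strip() == "aaa new-model" for l in text.splitlines()):
        raise ValueError("aaa new-model is not configured; AAA method lists do not apply")
    lists, lines_ = parse_method_lists(text)
    return {line: ((named or "default"), methods(lists.get(named or "default", [])))
            for line, named in lines_.items()}


def authenticate(method_list, responders):
    """Walk the list; responders maps method -> 'ACCEPT' | 'REJECT' | 'ERROR'.

    A reject ends the walk (the user is denied); only an error falls through
    to the next method. Returns (verdict, method that answered).
    """
    for m in method_list:
        verdict = responders.get(m, "ERROR")
        if verdict in ("ACCEPT", "REJECT"):
            return verdict, m
    return "ERROR", None   # no method answered


if __name__ == "__main__":
    for line, (name, ms) in effective_list(SAMPLE_AAA).items():
        print(f"{line}: list {name} -> {ms}")
```

The practical consequence for the vty lines that name the admins list is that a RADIUS outage falls back to local accounts, while a RADIUS reject does not; audit local accounts accordingly, since they are the effective fallback path.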
Chapter 5 Administering the Access Point Configuring Ethernet Speed and Duplex Settings Configuring Ethernet Speed and Duplex Settings You can assign the wireless device Ethernet port speed and duplex settings. We recommend that you use auto, the default setting, for both the speed and duplex settings on the wireless device Ethernet port. When the wireless device receives inline power from a switch, any change in the speed or duplex settings that resets the Ethernet link reboots the wireless device.
Chapter 5 Administering the Access Point Configuring the Access Point for Local Authentication and Authorization Configuring the Access Point for Local Authentication and Authorization You can configure AAA to operate without a server by configuring the wireless device to implement AAA in local mode. The wireless device then handles authentication and authorization. No accounting is available in this configuration. Note You can configure the wireless device as a local authenticator for 802.
Chapter 5 Administering the Access Point Configuring the Authentication Cache and Profile To disable AAA, use the no aaa new-model global configuration command. To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
Chapter 5 Administering the Access Point Configuring the Authentication Cache and Profile ! aaa group server tacacs+ tac_admin server 192.168.133.
Chapter 5 Administering the Access Point Configuring the Access Point to Provide DHCP Service ! ip http server ip http authentication aaa no ip http secure-server ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag ip radius source-interface BVI1 ! tacacs-server host 192.168.133.231 key 7 105E080A16001D1908 tacacs-server directed-request radius-server attribute 32 include-in-access-req format %h radius-server host 192.168.134.
Chapter 5 Administering the Access Point Configuring the Access Point to Provide DHCP Service Note When you configure the access point as a DHCP server, it assigns IP addresses to devices on its subnet. The devices communicate with other devices on the subnet but not beyond it. If data needs to be passed beyond the subnet, you must assign a default router. The IP address of the default router should be on the same subnet as the access point configured as the DHCP server.
Chapter 5 Administering the Access Point Configuring the Access Point to Provide DHCP Service Use the no form of these commands to return to default settings. This example shows how to configure the wireless device as a DHCP server, exclude a range of IP address, and assign a default router: AP# configure terminal AP(config)# ip dhcp excluded-address 172.16.1.1 172.16.1.20 AP(config)# ip dhcp pool wishbone AP(dhcp-config)# network 172.16.1.0 255.255.255.
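The two rules the DHCP section states (excluded addresses are never leased, and the default router must be on the same subnet as the access point serving DHCP) applied to a pool that mirrors the CLI example. This is an added example, not Cisco code: the pool name wishbone and the exclusion 172.16.1.1 to 172.16.1.20 come from the example above; the /24 mask, the default router 172.16.1.1 and the client identifiers are assumed placeholders.

```python
"""Model an access point DHCP pool: exclusions, default-router check, bindings.

Added example, not Cisco code. Mask, default router and client ids are assumed.
"""
import ipaddress


class DhcpPool:
    def __init__(self, name, network, excluded=(), default_router=None):
        self.name = name
        self.network = ipaddress.ip_network(network)
        self.bindings = {}            # client id -> leased address
        self.excluded = set()         # mirrors 'ip dhcp excluded-address low high'
        for low, high in excluded:
            lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
            self.excluded.update(ipaddress.ip_address(a) for a in range(int(lo), int(hi) + 1))
        self.default_router = None
        if default_router is not None:
            self.set_default_router(default_router)

    def set_default_router(self, router):
        """Guide: the default router must be on the same subnet as the DHCP server."""
        router = ipaddress.ip_address(router)
        if router not in self.network:
            raise ValueError(f"default router {router} is not in {self.network}")
        self.default_router = router

    def allocate(self, client_id):
        """Lease the lowest free, non-excluded host address to client_id."""
        if client_id in self.bindings:
            return self.bindings[client_id]
        in_use = set(self.bindings.values())
        for addr in self.network.hosts():
            if addr in self.excluded or addr in in_use:
                continue
            self.bindings[client_id] = addr
            return addr
        raise RuntimeError(f"pool {self.name} exhausted")

    def clear_binding(self, address="*"):
        """Mirror 'clear ip dhcp binding {address | *}'; returns bindings removed."""
        if address == "*":
            n = len(self.bindings)
            self.bindings.clear()
            return n
        addr = ipaddress.ip_address(address)
        for cid, a in list(self.bindings.items()):
            if a == addr:
                del self.bindings[cid]
                return 1
        return 0


def demo():
    pool = DhcpPool("wishbone", "172.16.1.0/24",
                    excluded=[("172.16.1.1", "172.16.1.20")],
                    default_router="172.16.1.1")
    first = pool.allocate("client-a")     # first lease skips the excluded .1-.20
    second = pool.allocate("client-b")
    return pool, first, second


if __name__ == "__main__":
    pool, a, b = demo()
    print(a, b, pool.default_router)
```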
Chapter 5 Administering the Access Point Configuring the Access Point for Secure Shell Clear Commands In privileged Exec mode, use the commands in Table 5-3 to clear DHCP server variables. Table 5-3 Clear Commands for DHCP Server Command Purpose clear ip dhcp binding { address | * } Deletes an automatic address binding from the DHCP database. Specifying the address argument clears the automatic binding for a specific (client) IP address. Specifying an asterisk (*) clears all automatic bindings.
Chapter 5 Administering the Access Point Configuring Client ARP Caching Note The SSH feature in this software release does not support IP Security (IPsec). Configuring SSH Before configuring SSH, download the crypto software image from Cisco.com. For more information, refer to the release notes for this release. For information about configuring SSH and displaying SSH settings, refer to Part 5, “Other Security Features” in the Cisco IOS Security Configuration Guide for Release 12.
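A configuration audit that checks a running-config for the weak settings this chapter warns about: an enable password without an enable secret (stored readable in the configuration file), server keys and user passwords stored with type 0 or type 7 encoding, web management with ip http secure-server disabled, static WEP on a radio interface, and Telnet accepted on the vty lines where SSH is available. This is an added example and not Cisco software; the sample configuration is constructed to mirror fragments shown in this guide, with placeholder addresses and a placeholder key string.

```python
"""Audit an IOS running-config for the weak settings this chapter warns about.

Added example, not Cisco code. SAMPLE_CONFIG and HARDENED_CONFIG are constructed;
addresses (192.0.2.x) and the key strings are placeholders.
"""
import re

SAMPLE_CONFIG = """\
hostname ap
enable password l1u2c3k4y5
username Cisco password 0 Cisco
!
ip http server
no ip http secure-server
!
tacacs-server host 192.0.2.231 key 7 0123456789ABCDEF
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key 7 0123456789ABCDEF
!
interface Dot11Radio0
 encryption vlan 20 mode wep mandatory
!
line vty 0 4
 login local
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname ap
enable secret PLACEHOLDER-SECRET
username admin secret PLACEHOLDER-SECRET
no ip http server
ip http secure-server
interface Dot11Radio0
 encryption vlan 20 mode ciphers aes-ccm
line vty 0 4
 login local
 transport input ssh
"""

SECRET_RE = re.compile(r"(tacacs-server host|radius-server host|username)\s+(\S+).*?\b(key|password)\s+([07])\s")


def parse_config(text):
    """Return (global_lines, {section header: [indented body lines]})."""
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' separators end a section in IOS output
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            globals_.append(current)
            sections[current] = []
    return globals_, sections


def audit(text):
    """Return [(severity, finding)] for the weak settings found in text."""
    globals_, sections = parse_config(text)
    findings = []
    has_secret = any(g.startswith("enable secret") for g in globals_)
    if any(g.startswith("enable password") for g in globals_) and not has_secret:
        findings.append(("high", "enable password configured without enable secret; "
                                 "it is readable in the configuration file"))
    for g in globals_:
        m = SECRET_RE.match(g)
        if m:   # type 0 is cleartext, type 7 is reversibly encoded
            findings.append(("high", f"{m.group(1)} {m.group(2)}: {m.group(3)} stored with type {m.group(4)} encoding"))
    if "ip http server" in globals_ and "no ip http secure-server" in globals_:
        findings.append(("medium", "web management over plain HTTP only; ip http secure-server is disabled"))
    for name, body in sections.items():
        if name.startswith("interface Dot11Radio"):
            for line in body:
                if line.startswith("encryption") and " mode wep" in line:
                    findings.append(("high", f"{name}: static WEP in use ({line})"))
        if name.startswith("line vty"):
            for line in body:
                if line.startswith("transport input") and "telnet" in line.split():
                    findings.append(("medium", f"{name}: Telnet accepted ({line}); restrict to ssh"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {finding}")
```

Run it against a saved copy of show running-config; the hardened sample shows the settings that clear every check (enable secret, secret-based user accounts, HTTPS only, a cipher-based encryption mode, and SSH-only vty transport).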
Chapter 5 Administering the Access Point Managing the System Time and Date Configuring ARP Caching Beginning in privileged EXEC mode, follow these steps to configure the wireless device to maintain an ARP cache for associated clients: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 dot11 arp-cache [ optional ] Enable ARP caching on the wireless device.
Chapter 5 Administering the Access Point Managing the System Time and Date http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter0918 6a00800ca66f.html#1001131 If multiple servers are at the same stratum, a configured server is preferred over a broadcast server. If multiple servers pass both tests, the first one to send a time packet is selected.
Chapter 5 Administering the Access Point Managing the System Time and Date Beginning in privileged EXEC mode, follow these steps to set the system clock: Step 1 Command Purpose clock set hh:mm:ss day month year Manually set the system clock using one of these formats: or • For hh:mm:ss, specify the time in hours (24-hour format), minutes, and seconds. The time specified is relative to the configured time zone. • For day, specify the day by date in the month.
Chapter 5 Administering the Access Point Managing the System Time and Date Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 clock timezone zone hours-offset [minutes-offset] Set the time zone. The wireless device keeps internal time in Coordinated Universal Time (UTC), so this command is used only for display purposes and when the time is manually set. • For zone, enter the name of the time zone to be displayed when standard time is in effect. The default is UTC.
Chapter 5 Administering the Access Point Managing the System Time and Date Command Purpose Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time.
Chapter 5 Administering the Access Point Defining HTTP Access Defining HTTP Access By default, port 80 is used for HTTP access, and port 443 is used for HTTPS access. These values can be customized by the user. Follow these steps to define the HTTP access. Step 1 From the access point GUI, click Services > HTTP. The Service: HTTP-Web server window appears. Step 2 On this window, enter the desired HTTP and HTTPS port numbers. If no values are entered in the port number fields, the default values are used.
Chapter 5 Administering the Access Point Configuring a System Name and Prompt Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 hostname name Manually configure a system name. The default setting is ap. Note When you change the system name, the wireless device radios reset, and associated client devices disassociate and quickly reassociate. Note You can enter up to 63 characters for the system name.
Chapter 5 Administering the Access Point Configuring a System Name and Prompt Table 5-5 Default DNS Configuration Feature Default Setting DNS enable state Disabled. DNS default domain name None configured. DNS servers No name server addresses are configured. Setting Up DNS Beginning in privileged EXEC mode, follow these steps to set up the wireless device to use the DNS: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 5 Administering the Access Point Creating a Banner To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command. To disable DNS on the wireless device, use the no ip domain-lookup global configuration command. Displaying the DNS Configuration To display the DNS configuration information, use the show running-config privileged EXEC command.
Chapter 5 Administering the Access Point Creating a Banner Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 banner motd c message c Specify the message of the day. For c, enter the delimiting character of your choice, such as a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text.
Chapter 5 Administering the Access Point Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode Configuring a Login Banner You can configure a login banner to appear on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 banner login c message c Specify the login message.
Chapter 5 Administering the Access Point Migrating to Japan W52 Domain The following interface configuration mode CLI command is used to migrate an access point 802.11a radio to the W52 domain: dot11 migrate j52 w52 After displaying appropriate warnings and entering y, the migration process starts and completes after the access point reboots twice. The firmware initialization code reads and initializes the regulatory domain when the radio hardware is reset.
Chapter 5 Administering the Access Point Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging Verifying the Migration Use the show controllers command to confirm the migration as shown in this typical example: ap#show controllers dot11Radio 1 ! interface Dot11Radio1 Radio AIR-AP1242A, Base Address 0013.5f0e.d1e0, BBlock version 0.00, Software version 5.95.
Chapter 5 Administering the Access Point Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging In a typical scenario, multiple VLAN support permits users to set up point-to-multipoint bridge links with remote sites, with each remote site on a separate VLAN. This configuration allows the user to separate and control traffic to each site. Rate limiting ensures that no remote site consumes more than a specified amount of the entire link bandwidth.
CH A P T E R 6 Configuring Radio Settings This chapter describes how to configure radio settings for the wireless device. This chapter includes these sections: • Enabling the Radio Interface, page 6-2 • Configuring the Role in Radio Network, page 6-2 • Point-to-point and Multi Point bridging support for 802.
Chapter 6 Configuring Radio Settings Enabling the Radio Interface Enabling the Radio Interface The wireless device radios are disabled by default. Note Beginning with Cisco IOS Release 12.3(8)JA there is no SSID. You must create an SSID before you can enable the radio interface. Beginning in privileged EXEC mode, follow these steps to enable the access point radio: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 dot11 ssid ssid Enter the SSID.
Chapter 6 Configuring Radio Settings Configuring the Role in Radio Network Table 6-1 Device Role in Radio Network Configuration (continued)
Role in Radio Network | AP 1040 | AP 1100 | AP 1130 | AP 1140 | AP 1200 | AP 1240 | AP 1250 | AP 1260 | 1300 AP/BR
Non-root bridge with wireless clients | X | – | – | X | X | X | X | X | X
Workgroup bridge | X | X | X | X | X | X | X | X | X
Universal workgroup bridge1 | X | — | — | X | X | X | X | X | X
Scanner | X | X | X | X | X | X | X | X | X
1.
Chapter 6 Configuring Radio Settings Configuring the Role in Radio Network Step 3 Command Purpose station-role Set the wireless device role. non-root {bridge | wireless-clients} • Set the role to non-root bridge with or without wireless clients, repeater access point, root access point or bridge, scanner, or workgroup bridge. • Bridge modes are available only on the 1040, 1140, 1200 1240, 1250, and 1260 series access points.
Chapter 6 Configuring Radio Settings Configuring the Role in Radio Network Note When you enable the role in the radio network as a bridge or workgroup bridge and enable the interface using the no shut command, the physical status and the software status of the interface will be up only if the device on the other end (access point or bridge) is up. Otherwise, only the physical status of the device will be up.
Chapter 6 Configuring Radio Settings Configuring the Role in Radio Network • Note Outdoor MIMO bridging using external antennas has not been fully tested and is not fully supported with this release. In point-to-multipoint bridging, WGB is not recommended with the root bridge. WGB should be associated to the root AP in point-to-multipoint bridging setup.
Chapter 6 Configuring Radio Settings Configuring the Role in Radio Network Radio Tracking You can configure the access point to track or monitor the status of one of its radios. If the tracked radio goes down or is disabled, the access point shuts down the other radio. If the tracked radio comes up, the access point enables the other radio.
Chapter 6 Configuring Radio Settings Configuring Radio Data Rates Bridge Features Not Supported The following features are not supported when a 1200 or 1240 series access point is configured as a bridge: • Clear Channel Assessment (CCA) • Interoperability with 1400 series bridge • Concatenation • Install mode • EtherChannel and PageP configuration on switch Configuring Radio Data Rates You use the data rate settings to choose the data rates the wireless device uses for data transmission.
Chapter 6 Configuring Radio Settings Configuring Radio Data Rates to be made based on resources available to the wireless project, type of traffic the users will be passing, service level desired, and as always, the quality of the RF environment. When you enter throughput for the data rate setting, the wireless device sets all four data rates to basic. Note When a wireless network has a mixed environment of 802.11b clients and 802.11g clients, make sure that data rates 1, 2, 5.
Chapter 6 Configuring Radio Settings Configuring Radio Data Rates Step 3 Command Purpose speed Set each data rate to basic or enabled, or enter range to optimize range or throughput to optimize throughput. 802.11b, 2.4-GHz radio: {[1.0] [11.0] [2.0] [5.5] [basic-1.0] [basic-11.0] [basic-2.0] [basic-5.5] | range | throughput} • Enter 1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, and 54.0 to set these data rates to enabled on the 802.11g, 2.4-GHz radio. 802.11g, 2.4-GHz radio: {[1.
Chapter 6 Configuring Radio Settings Configuring MCS Rates Command Purpose speed (continued) On the 802.11n 2.4-GHz radio, the default option sets rates 1.0, 2.0, 5.5, and 11.0 to enabled. On the 802.11n 5-GHz radio, the default option sets rates to 6.0, 12.0, and 24.0 to enabled. The default MCS rate setting for both 802.11n radios is 0–15. Step 4 end Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Return to privileged EXEC mode.
Chapter 6 Configuring Radio Settings Configuring Radio Transmit Power Table 6-2 MCS Index Data Rates Based on MCS Settings, Guard Interval, and Channel Width (continued)
MCS Index | Guard Interval = 800ns, 20-MHz Channel Width Data Rate (Mbps) | Guard Interval = 800ns, 40-MHz Channel Width Data Rate (Mbps) | Guard Interval = 400ns, 20-MHz Channel Width Data Rate (Mbps) | Guard Interval = 400ns, 40-MHz Channel Width Data Rate (Mbps)
2 | 19.5 | 40.5 | 21 2/3 | 45
3 | 26 | 54 | 28 8/9 | 60
4 | 39 | 81 | 43 1/3 | 90
5 | 52 | 109 | 57 5/9 | 120
6 | 58.5 | 121.
Chapter 6 Configuring Radio Settings Configuring Radio Transmit Power Step 2 Click Technical Support & Documentation. A small window appears containing a list of technical support links. Step 3 Click Technical Support & Documentation. The Technical Support and Documentation page appears. Step 4 In the Documentation & Tools section, choose Wireless. The Wireless Support Resources page appears. Step 5 In the Wireless LAN Access section, choose the device you are working with.
Chapter 6 Configuring Radio Settings Configuring Radio Transmit Power Step 3 Command Purpose power local Set the transmit power for the 802.11b, 2.4-GHz radio or the 5-GHz radio to one of the power levels allowed in your regulatory domain. These options are available for the 802.11b, 2.
Chapter 6 Configuring Radio Settings Configuring Radio Transmit Power Limiting the Power Level for Associated Client Devices You can also limit the power level on client devices that associate to the wireless device. When a client device associates to the wireless device, the wireless device sends the maximum power level setting to the client. Note Cisco AVVID documentation uses the term Dynamic Power Control (DTPC) to refer to limiting the power level on associated client devices.
Chapter 6 Configuring Radio Settings Configuring Radio Channel Settings Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no form of the client power command to disable the maximum power level for associated clients. Note Aironet extensions must be enabled to limit the power level on associated client devices. Aironet extensions are enabled by default.
Chapter 6 Configuring Radio Settings Configuring Radio Channel Settings Because they change frequently, channel settings are not included in this document. For up-to-date information on channel settings for your access point or bridge, see the Channels and Maximum Power Settings for Cisco Aironet Autonomous Access Points and Bridges. This document is available on cisco.com at the following URL: http://cisco.com/en/US/products/ps6521/tsd_products_support_install_and_upgrade.html 802.
Chapter 6 Configuring Radio Settings Configuring Radio Channel Settings Dynamic Frequency Selection Access points with 5-GHz radios configured at the factory for use in the United States, Europe, Singapore, Korea, Japan, Israel, and Taiwan now comply with regulations that require radio devices to use Dynamic Frequency Selection (DFS) to detect radar signals and avoid interfering with them. When an access point detects radar on a certain channel, it avoids using that channel for 30 minutes.
Chapter 6 Configuring Radio Settings Configuring Radio Channel Settings If radar is detected on a manually configured DFS channel, the channel will be changed automatically and will not return to the configured channel. Prior to transmitting on any channels listed in Table 6-4, the access point radio performs a Channel Availability Check (CAC). The CAC is a 60 second scan for the presence of radar signals on the channel.
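The DFS timing rules from the two paragraphs above as a small simulation: a 60-second Channel Availability Check must complete before the radio transmits on a DFS channel, radar detection starts a 30-minute non-occupancy period on that channel and moves the radio elsewhere, and the radio does not return to the configured channel when the period expires. This is an added example, not Cisco software; the channel numbers and the clock values are constructed, and the choice of the next channel (the first usable one in the configured list) is an assumption of the model.

```python
"""Simulate DFS channel availability check and non-occupancy timing.

Added example, not Cisco code. Channel list, clock values and the next-channel
selection rule are constructed assumptions.
"""
CAC_SECONDS = 60               # Channel Availability Check before transmitting
NON_OCCUPANCY_SECONDS = 30 * 60   # channel avoided for 30 minutes after radar


class DfsRadio:
    def __init__(self, dfs_channels, configured_channel, now=0):
        self.dfs_channels = list(dfs_channels)
        self.now = now
        self.nop_until = {}        # channel -> time it becomes usable again
        self.transmitting = False
        self.cac_started = None
        self.channel = None
        self.select_channel(configured_channel)

    def usable(self, ch):
        """A channel is usable unless it is inside its non-occupancy period."""
        return self.nop_until.get(ch, -1) <= self.now

    def select_channel(self, ch):
        if not self.usable(ch):
            raise ValueError(f"channel {ch} is in its non-occupancy period")
        self.channel = ch
        self.transmitting = False   # no transmission until the CAC has passed
        self.cac_started = self.now

    def tick(self, seconds):
        """Advance the clock; the CAC completes after CAC_SECONDS of quiet."""
        self.now += seconds
        if (not self.transmitting and self.cac_started is not None
                and self.now - self.cac_started >= CAC_SECONDS):
            self.transmitting = True
            self.cac_started = None

    def radar_detected(self):
        """Radar on the current channel: mark it non-occupied and move off it.

        The radio stays on the new channel afterwards; it does not return to the
        configured channel when the non-occupancy period ends.
        """
        self.nop_until[self.channel] = self.now + NON_OCCUPANCY_SECONDS
        self.transmitting = False
        for ch in self.dfs_channels:
            if ch != self.channel and self.usable(ch):
                self.select_channel(ch)
                return ch
        raise RuntimeError("no usable DFS channel available")


if __name__ == "__main__":
    r = DfsRadio([52, 56, 60], 52)
    r.tick(60)
    print("transmitting on", r.channel, r.transmitting)
    print("radar -> moved to", r.radar_detected(), "channel 52 usable:", r.usable(52))
```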
Chapter 6 Configuring Radio Settings Configuring Radio Channel Settings Confirming that DFS is Enabled Use the show controllers dot11radio1 command to confirm that DFS is enabled. The command also includes indications that uniform spreading is required and channels that are in the non-occupancy period due to radar detection. This example shows a line from the output for the show controller command for a channel on which DFS is enabled.
Chapter 6 Configuring Radio Settings Configuring Radio Channel Settings Step 3 Command: channel {number | dfs} | dfs band <1-4> Purpose: For number, enter one of the following channels: 36, 40, 44, 48, 149, 153, 157, 161, 5180, 5200, 5220, 5240, 5745, 5765, 5785, or 5805. This channel list varies depending on the radio. Enter dfs and one of the following frequency bands to use dynamic frequency selection on the selected channel: 1—5.150 to 5.250 GHz 2—5.250 to 5.350 GHz 3—5.470 to 5.725 GHz 4—5.
Chapter 6 Configuring Radio Settings Configuring Location-Based Services This example shows how to unblock all frequencies for DFS: ap(config-if)# no dfs band block Setting the 802.11n Guard Interval The 802.11n guard interval is the period in nanoseconds between packets. Two settings are available: short (400ns) and long (800ns). Beginning in privileged EXEC mode, follow these steps to set the 802.11n guard interval. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 6 Configuring Radio Settings Configuring Location-Based Services Figure 6-2 Basic LBS Network Configuration (figure: three LBS access points, a WLSE, and an LBS location server) The access points that you configure for LBS should be in the same vicinity. If only one or two access points report messages from a tag, the location server can report that the location of the tag is somewhere in the coverage area of the two reporting access points.
Chapter 6 Configuring Radio Settings Enabling and Disabling World Mode Command Purpose Step 6 channel-match (Optional) Specifies that the LBS packet sent by the tag must match the radio channel on which the access point receives the packet. If the channel used by the tag and the channel used by the access point do not match, the access point drops the packet. Channel match is enabled by default.
Chapter 6 Configuring Radio Settings Disabling and Enabling Short Radio Preambles Step 3 Command Purpose world-mode dot11d country_code code { both | indoor | outdoor } world-mode roaming | legacy Enable world mode. • Enter the dot11d option to enable 802.11d world mode. – When you enter the dot11d option, you must enter a two-character ISO country code (for example, the ISO country code for the United States is US). You can find a list of ISO country codes at the ISO website.
Chapter 6 Configuring Radio Settings Configuring Transmit and Receive Antennas Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Short preambles are enabled by default. Use the preamble-short command to enable short preambles if they are disabled. Configuring Transmit and Receive Antennas You can select the antenna the wireless device uses to receive and transmit data.
Chapter 6 Configuring Radio Settings Enabling and Disabling Gratuitous Probe Response Step 4 Step 5 Command Purpose antenna receive {diversity | left | middle | right} Set the receive antenna to diversity, left, middle, right, or all. antenna transmit {diversity | left | right} Note For best performance with two antennas, leave the receive antenna setting at the default setting, diversity. For one antenna, attach the antenna on the right and set the antenna for right.
Chapter 6 Configuring Radio Settings Disabling and Enabling Aironet Extensions (config-if)# probe-response gratuitous speed 12.0 (config-if)# probe-response gratuitous period 30 speed 12.0 Use the no form of the command to disable the GPR feature. Disabling and Enabling Aironet Extensions By default, the wireless device uses Cisco Aironet 802.
Configuring the Ethernet Encapsulation Transformation Method

When the wireless device receives data packets that are not 802.3 packets, the wireless device must format the packets to 802.3 using an encapsulation transformation method. These are the two transformation methods:
• 802.1H—This method provides good performance for Cisco Aironet wireless products.

Note: This feature is best suited for use with stationary workgroup bridges. Mobile workgroup bridges might encounter spots in the wireless device's coverage area where they do not receive multicast packets and lose communication with the wireless device even though they are still associated to it.

A Cisco Aironet Workgroup Bridge provides a wireless LAN connection for up to eight Ethernet-enabled devices.

PSPF is disabled by default. Beginning in privileged EXEC mode, follow these steps to enable PSPF:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface dot11radio {0 | 1}
        Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1. The 802.11n 2.4-GHz radio is radio 0, and the 802.11n 5-GHz radio is radio 1.

Configuring the Beacon Period and the DTIM

The beacon period is the amount of time between access point beacons in kilomicroseconds. One Kµsec equals 1,024 microseconds. The data beacon rate, always a multiple of the beacon period, determines how often the beacon contains a delivery traffic indication message (DTIM). The DTIM tells power-save client devices that a packet is waiting for them.

Step 5  end
        Return to privileged EXEC mode.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use the no form of the command to reset the RTS settings to defaults.

Configuring the Maximum Data Retries

The maximum data retries setting determines the number of attempts the wireless device makes to send a packet before giving up and dropping the packet.

Step 4  end
        Return to privileged EXEC mode.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use the no form of the command to reset the setting to defaults.

Enabling Short Slot Time for 802.11g Radios

You can increase throughput on the 802.11g, 2.4-GHz radio by enabling short slot time.
The Stream page appears.
Step 4  Click the tab for the radio to configure.
Step 5  For both CoS 5 (Video) and CoS 6 (Voice) user priorities, choose Low Latency from the Packet Handling drop-down menu and enter a value for maximum retries for packet discard in the corresponding field. The default value for maximum retries is 3 for the Low Latency setting (Figure 6-3).

Viewing Voice Reports

You can use a browser to access voice reports listing VoWLAN metrics stored on a WLSE. You can view reports for access point groups and for individual access points. To view voice reports, follow these steps:
Step 1  Log in to a WLSE.
Step 2  Click the Reports tab.
Step 3  Click Voice.
Step 4  From the Report Name drop-down menu, choose AP Group Metrics Summary: Current.

• To view a graph of voice bandwidth in use during the last hour, choose Bandwidth In Use (% Allowed) from the Report Name drop-down menu.
• To view graphs of voice streams in progress, choose Voice Streams In Progress from the Report Name drop-down menu.
• To view a graph of rejected voice streams, choose Rejected Voice Streams from the Report Name drop-down menu.

Figure 6-5 is an example of a voice queuing delay graph.

Figure 6-6 Voice Streaming Progress

Viewing Wireless Client Reports

In addition to viewing voice reports from an access point perspective, you can view them from a client perspective. For every client, the WLSE displays the access points the client associated with and the VoWLAN metrics that were recorded. To view voice reports for wireless clients, follow these steps:
Step 1  Log in to a WLSE.
Step 2  Click the Reports tab.

Figure 6-7 Wireless Client Metrics

Viewing Voice Fault Summary

The Faults > Voice Summary page in WLSE displays a summary of the faults detected for the following voice fault types:
• Excessive Voice Bandwidth (CAC)
• Degraded Voice QoS (TSM)
To view a summary of voice faults, follow these steps:
Step 1  Log in to a WLSE.
Step 2  Click the Faults tab.
Step 3  Click Voice Summary.

Figure 6-8 Voice Fault Summary

Configuring Voice QoS Settings

You can use the WLSE Faults > Voice QoS Settings screen to define the voice QoS thresholds for the following parameters:
• Downstream Delay with U-APSD not used
• Downstream Delay with U-APSD used
• Upstream Delay
• Downstream Packet Loss Rate
• Upstream Packet Loss Rate
• Roaming Time
To view a summary of voice faults, follow these steps:
Step 1  Log in to a WLSE.

Figure 6-9 Voice QoS Settings

Configuring Voice Fault Settings

You can use the WLSE Faults > Manage Fault Settings screen to enable fault generation and specify the priority of the faults generated. To configure fault settings, follow these steps:
Step 1  Log in to a WLSE.
Step 2  Click the Faults tab.
Step 3  Click Manage Fault Settings.

Configuring ClientLink

Cisco ClientLink (also referred to as beamforming) is an intelligent beamforming technology that directs the RF signal to 802.11a/g devices to improve performance by 65 percent, improve coverage by up to 27 percent, and reduce coverage holes. Cisco ClientLink helps extend the useful life of existing 802.11a/g devices in mixed-client networks. It is beneficial for organizations that move to 802.

Syntax Description
network-map         Activates debugging of the radio association management network map
syslog              Activates debugging of the radio system log
virtual interface   Activates debugging of radio virtual interfaces

This example shows how to begin debugging of all radio-related events:
AP# debug dot11 events
This example shows how to begin debugging of radio packets:
AP# debug dot11 packets
This example shows how to begin debugging of the ra
Chapter 7 Configuring Multiple SSIDs

This chapter describes how to configure and manage multiple service set identifiers (SSIDs) on the access point.

Understanding Multiple SSIDs

The SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. Multiple access points on a network or sub-network can use the same SSIDs. SSIDs are case sensitive and can contain up to 32 alphanumeric characters. Do not include spaces in your SSIDs.

Table 7-1 SSID Configuration Methods Supported in Cisco IOS Releases (continued)
Cisco IOS Release          Supported SSID Configuration Method
12.3(4)JA and 12.3(7)JA    Both interface-level and global; all SSIDs saved in global mode
post-12.3(4)JA             Global only

Cisco IOS Release 12.3(10b)JA supports configuration of SSID parameters at the interface level on the CLI, but the SSIDs are stored in global mode.

Configuring Multiple SSIDs

These sections contain configuration information for multiple SSIDs:
• Default SSID Configuration, page 7-4
• Creating an SSID Globally, page 7-4
• Using a RADIUS Server to Restrict SSIDs, page 7-7

Note: In Cisco IOS Release 12.3(4)JA and later, you configure SSIDs globally and then apply them to a specific radio interface.

Step 3  authentication client username username password password
        (Optional) Set an authentication username and password that the access point uses to authenticate to the network when in repeater mode. Set the username and password on the SSID that the repeater access point uses to associate to a root access point or to another repeater.
Step 4  accounting list-name
        (Optional) Enable RADIUS accounting for this SSID.

Note: You use the ssid command authentication options to configure an authentication type for each SSID. See Chapter 9, "Configuring an Access Point as a Local Authenticator," for instructions on configuring authentication types.

Note: When you enable guest SSID mode for the 802.11g radio, it applies to the 802.11b radio as well, because 802.11b and 802.11g operate in the same 2.4-GHz band.

ssid buffalo
   vlan 7
   authentication open

However, this sample output from the show dot11 associations privileged EXEC command shows the spaces in the SSIDs:

SSID [buffalo] :
SSID [buffalo ] :
SSID [buffalo ] :

Note: This command shows only the first 15 characters of the SSID. Use the show dot11 associations client command to see SSIDs having more than 15 characters.
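The SSID rules above (no spaces, at most 32 characters) and the trailing-space problem shown in the show dot11 associations output are easy to miss by eye, because "buffalo" and "buffalo " render identically. The following Python is an added example, not code from the guide or from Cisco: it parses the SSID [...] fields from show dot11 associations output, applies this chapter's naming rules, reports names that differ only in whitespace, and flags names that hit the 15-character display limit and so may be truncated. The sample output is constructed for the example; the SSID names in it are invented.

```python
import re
from collections import defaultdict
from typing import Dict, List

SSID_MAX_LEN = 32          # limit stated in "Understanding Multiple SSIDs"
SHOW_ASSOC_VISIBLE = 15    # show dot11 associations prints at most 15 characters

# Constructed sample modelled on the show dot11 associations output quoted above;
# entries two and three carry one and two trailing spaces respectively.
SAMPLE_SHOW_OUTPUT = """\
SSID [buffalo] :
SSID [buffalo ] :
SSID [buffalo  ] :
SSID [guest-net] :
SSID [engineering1234] :
"""

_SSID_FIELD = re.compile(r"SSID \[([^\]]*)\]")


def ssid_problems(ssid: str) -> List[str]:
    """Rule violations for one SSID name, following this chapter's rules."""
    problems = []
    if not 1 <= len(ssid) <= SSID_MAX_LEN:
        problems.append("length %d is not between 1 and %d" % (len(ssid), SSID_MAX_LEN))
    if ssid != ssid.strip():
        problems.append("leading or trailing whitespace (invisible in most displays)")
    elif " " in ssid:
        problems.append("contains a space")
    return problems


def parse_show_associations(text: str) -> List[str]:
    """Return the SSID strings exactly as printed, whitespace included."""
    return [m.group(1) for m in _SSID_FIELD.finditer(text)]


def audit_ssids(ssids: List[str]) -> Dict[str, List[str]]:
    """Findings per SSID: rule violations, look-alike names that differ only in
    whitespace, and names that may have been cut off at 15 characters."""
    findings = {s: ssid_problems(s) for s in ssids}
    by_visible = defaultdict(list)
    for s in findings:
        by_visible[s.strip()].append(s)
    for visible, variants in by_visible.items():
        if len(variants) > 1:
            for s in variants:
                findings[s].append("looks like %d other SSID(s) displayed as %r"
                                   % (len(variants) - 1, visible))
    for s in findings:
        if len(s) == SHOW_ASSOC_VISIBLE:
            findings[s].append("exactly 15 characters shown; may be truncated, "
                               "confirm with show dot11 associations client")
    return findings


if __name__ == "__main__":
    for ssid, notes in audit_ssids(parse_show_associations(SAMPLE_SHOW_OUTPUT)).items():
        print(repr(ssid), notes or "ok")
```

Run it against saved show dot11 associations output; the repr() in the printout makes the stray spaces visible, which is the point of the check.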
Configuring Multiple Basic SSIDs

Access point 802.11a, 802.11g, and 802.11n radios support up to 8 basic SSIDs (BSSIDs), which are similar to MAC addresses. You use multiple BSSIDs to assign a unique DTIM setting for each SSID and to broadcast more than one SSID in beacons.

Figure 7-1 Global SSID Manager Page

Step 2  Enter the SSID name in the SSID field.
Step 3  Use the VLAN drop-down menu to select the VLAN to which the SSID is assigned.
Step 4  Select the radio interfaces on which the SSID is enabled. The SSID remains inactive until you enable it for a radio interface.
Step 5  Enter a Network ID for the SSID in the Network ID field.
Step 7  (Optional) In the Multiple BSSID Beacon Settings section, select the Set SSID as Guest Mode check box to include the SSID in beacons.
Step 8  (Optional) To increase the battery life for power-save clients that use this SSID, select the Set Data Beacon Rate (DTIM) check box and enter a beacon rate for the SSID.

Assigning IP Redirection for an SSID

When you configure IP redirection for an SSID, the access point redirects all packets sent from client devices associated to that SSID to a specific IP address. IP redirection is used mainly on wireless LANs serving handheld devices that use a central software application and are statically configured to communicate with a specific IP address.

Guidelines for Using IP Redirection

Keep these guidelines in mind when using IP redirection:
• The access point does not redirect broadcast, unicast, or multicast BOOTP/DHCP packets received from client devices.
• Existing ACL filters for incoming packets take precedence over IP redirection.

This example shows how to configure IP redirection only for packets sent to the specific TCP and UDP ports specified in an ACL applied to the BVI1 interface. When the access point receives packets from client devices associated using the SSID robin, it redirects packets sent to the specified ports and discards all other packets:

AP# configure terminal
AP(config)# interface bvi1
AP(config-if-ssid)# ip redirection host 10.91.104.

NAC Support for MBSSID

NAC is designed specifically to help ensure that all wired and wireless endpoint devices (such as PCs, laptops, servers, and PDAs) accessing network resources are adequately protected from security threats. NAC allows organizations to analyze and control all devices coming into the network.

A new keyword, backup, is added to the existing vlan option under dot11 ssid, as described below:

vlan | [backup |, |, |

Configuring NAC for MBSSID

Note: This feature supports only Layer 2 mobility within VLANs. Layer 3 mobility using network ID is not supported in this feature.

Note: Before you attempt to enable NAC for MBSSID on your access points, you should first have NAC working properly. Figure 3 shows a typical network setup.

   authentication open
   authentication network-eap eap_methods
!
dot11 ssid mktg
   vlan mktg-normal backup mktg-infected1, mktg-infected2,
   authentication open
   authentication network-eap eap_methods
!
interface Dot11Radio0
!
 encryption vlan engg-normal key 1 size 40bit 7 482CC74122FD
 encryption vlan engg-normal mode ciphers wep40
!
 encryption vlan mktg-normal key 1 size 40bit 7 9C3A6F2CBFBC
 encryption vlan mktg-normal mode ciphers wep40
!
 ssid engg
!
 ss
Chapter 8 Configuring Spanning Tree Protocol

This chapter describes how to configure Spanning Tree Protocol (STP) on your access point. This chapter contains these sections:
• Understanding Spanning Tree Protocol, page 8-2
• Configuring STP Features, page 8-8
• Displaying Spanning-Tree Status, page 8-14

Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Command Reference for Access Points and Bridges for this release.

Understanding Spanning Tree Protocol

This section describes how spanning-tree features work.

The access point maintains a separate spanning-tree instance for each active VLAN configured on it. A bridge ID, consisting of the bridge priority and the access point MAC address, is associated with each instance. For each VLAN, the access point with the lowest access point ID becomes the spanning-tree root for that VLAN.

When an access point receives a configuration BPDU that contains superior information (lower access point ID, lower path cost, and so forth), it stores the information for that port. If this BPDU is received on the root port of the access point, the access point also forwards it with an updated message to all attached LANs for which it is the designated access point.

Spanning-Tree Timers

Table 8-1 describes the timers that affect the entire spanning-tree performance.

Table 8-1 Spanning-Tree Timers
Variable             Description
Hello timer          Determines how often the access point broadcasts hello messages to other access points.
Forward-delay timer  Determines how long each of the listening and learning states lasts before the interface begins forwarding.

it can create temporary data loops. Interfaces must wait for new topology information to propagate through the LAN before starting to forward frames. They must allow the frame lifetime to expire for forwarded frames that have used the old topology. Each interface on an access point using spanning tree exists in one of these states:
• Blocking—The interface does not participate in frame forwarding.

2. While spanning tree waits for the forward-delay timer to expire, it moves the interface to the learning state and resets the forward-delay timer.
3. In the learning state, the interface continues to block frame forwarding as the access point learns end-station location information for the forwarding database.
4.

Forwarding State

An interface in the forwarding state forwards frames. The interface enters the forwarding state from the learning state. An interface in the forwarding state performs as follows:
• Receives and forwards frames received on the port
• Learns addresses
• Receives BPDUs

Disabled State

An interface in the disabled state does not participate in frame forwarding or in the spanning tree.

Table 8-2 Default STP Values When STP is Enabled (continued)
Setting                  Default Value
Ethernet port priority   128
Radio port path cost     33
Radio port priority      128

The radio and Ethernet interfaces and the native VLAN on the access point are assigned to bridge group 1 by default.
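The root election and the "superior BPDU" comparison described in this section reduce to ordered comparisons of a few fields, and the path-cost defaults in Table 8-2 decide which link each non-root bridge uses toward the root. The following Python is an added example, not code from the guide or from Cisco: it models the bridge ID as (priority, MAC) so that the lowest ID wins, compares configuration BPDUs in the order (root ID, root path cost, sender ID, sender port), and computes each bridge's root path cost and upstream neighbour over a constructed three-bridge wireless topology. The bridge priority 10000 and the path cost 400 mirror values from the configuration examples in this chapter; the MAC addresses, the topology and the 32768 default priority (the IEEE default, not shown on this page) are assumptions of the example.

```python
import heapq
from typing import Dict, List, Tuple

# A bridge ID is (priority, MAC address). Tuples compare field by field, so the
# lowest priority wins and the lowest MAC breaks ties, as the text describes.
BridgeId = Tuple[int, str]
# A configuration BPDU in the order its fields are compared:
# (root bridge ID, root path cost, sender bridge ID, sender port ID)
Bpdu = Tuple[BridgeId, int, BridgeId, int]

RADIO_PORT_PATH_COST = 33   # default radio port path cost from Table 8-2
DEFAULT_PRIORITY = 32768    # IEEE default bridge priority (assumed; not on this page)

# Constructed topology: a root bridge and two non-root bridges joined by radio
# links, plus one deliberately expensive link (path-cost 400, as in the
# non-root-with-VLANs example in this chapter).
ROOT = (10000, "0001.aaaa.0001")
NORTH = (DEFAULT_PRIORITY, "0001.aaaa.0002")
REMOTE = (DEFAULT_PRIORITY, "0001.aaaa.0003")
LINKS: Dict[BridgeId, Dict[BridgeId, int]] = {
    ROOT: {NORTH: RADIO_PORT_PATH_COST, REMOTE: 400},
    NORTH: {ROOT: RADIO_PORT_PATH_COST, REMOTE: RADIO_PORT_PATH_COST},
    REMOTE: {ROOT: 400, NORTH: RADIO_PORT_PATH_COST},
}


def elect_root(bridges: List[BridgeId]) -> BridgeId:
    """The bridge with the lowest bridge ID becomes the root (per VLAN instance)."""
    return min(bridges)


def is_superior(received: Bpdu, stored: Bpdu) -> bool:
    """True if the received BPDU carries better information than the stored one:
    lower root ID, then lower root path cost, then lower sender ID and port."""
    return received < stored


def compute_tree(links: Dict[BridgeId, Dict[BridgeId, int]],
                 root: BridgeId) -> Dict[BridgeId, Tuple[int, BridgeId]]:
    """Root path cost and upstream bridge for every bridge (Dijkstra).
    links[u][v] is the path cost of the port on v that faces u, i.e. the cost a
    BPDU from u accumulates when v receives it. Ties break on the lower sender ID,
    mirroring the BPDU comparison order."""
    best = {root: (0, root)}
    heap = [(0, root)]
    while heap:
        cost, u = heapq.heappop(heap)
        if cost > best[u][0]:
            continue
        for v, port_cost in links.get(u, {}).items():
            cand = (cost + port_cost, u)
            if v not in best or cand < best[v]:
                best[v] = cand
                heapq.heappush(heap, (cand[0], v))
    return best


if __name__ == "__main__":
    root = elect_root([ROOT, NORTH, REMOTE])
    for bridge, (cost, upstream) in compute_tree(LINKS, root).items():
        print(bridge, "root path cost", cost, "via", upstream)
    # Any bridge announcing a lower ID displaces the configured root; a root
    # change is therefore an event worth logging and alerting on.
    print("root with an extra priority-0 bridge:",
          elect_root([ROOT, NORTH, REMOTE, (0, "0001.aaaa.0099")]))
```

In the constructed topology the remote bridge reaches the root through the north bridge at cost 66 rather than over its direct 400-cost link, which is exactly what the path-cost 400 setting in the chapter's non-root example is meant to achieve.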
STP Configuration Examples

These configuration examples show how to enable STP on root and non-root access points with and without VLANs:
• Root Bridge Without VLANs, page 8-10
• Non-Root Bridge Without VLANs, page 8-11
• Root Bridge with VLANs, page 8-11
• Non-Root Bridge with VLANs, page 8-13

Root Bridge Without VLANs

This example shows the configuration of a root bridge with no VLANs configured and with STP enabled:

hostname

Non-Root Bridge Without VLANs

This example shows the configuration of a non-root bridge with no VLANs configured and with STP enabled:

hostname client-bridge-north
ip subnet-zero
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid tsunami
    authentication open
    guest-mode
 !
 speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.

!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid vlan1
    vlan 1
    infrastructure-ssid
    authentication open
 !
 speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 2312
 station-role root
 no cdp enable
 infrastructure-client
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
!
interface Dot11Radio0.

bridge 2 priority 10000
bridge 3 protocol ieee
bridge 3 priority 3100
!
line con 0
 exec-timeout 0 0
line vty 5 15
!
end

Non-Root Bridge with VLANs

This example shows the configuration of a non-root bridge with VLANs configured and with STP enabled:

hostname client-bridge-remote
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid vlan1
    vlan 1
    auth

 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 path-cost 400
!
interface BVI1
 ip address 1.4.64.24 255.255.0.
Chapter 9 Configuring an Access Point as a Local Authenticator

This chapter describes how to configure the access point as a local authenticator to serve as a stand-alone authenticator for a small wireless LAN or to provide backup authentication service. As a local authenticator, the access point performs LEAP, EAP-FAST, and MAC-based authentication for up to 50 client devices.

Understanding Local Authentication

Many small wireless LANs that could be made more secure with 802.1x authentication do not have access to a RADIUS server. On many wireless LANs that use 802.1x authentication, access points rely on RADIUS servers housed in a distant location to authenticate client devices, and the authentication traffic must cross a WAN link.

Guidelines for Local Authenticators

Follow these guidelines when configuring an access point as a local authenticator:
• Use an access point that does not serve a large number of client devices. When the access point acts as an authenticator, performance might degrade for associated client devices.
• Secure the access point physically to protect its configuration.

Step 3  radius-server local
        Enable the access point as a local authenticator and enter configuration mode for the authenticator.
Step 4  nas ip-address key shared-key
        Add an access point to the list of units that use the local authenticator. Enter the access point's IP address and the shared key used to authenticate communication between the local authenticator and other access points.

Step 11  user username {password | nthash} password [group group-name] [mac-auth-only]
         Enter the LEAP and EAP-FAST users allowed to authenticate using the local authenticator. You must enter a username and password for each user.
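The user command accepts either a cleartext password or, with the nthash keyword, the NT hash of the password, which keeps the cleartext out of the configuration the guideline above tells you to protect. The following Python is an added example, not code from the guide or from Cisco: it computes the NT hash (MD4 over the UTF-16LE encoding of the password, written out in full because the MD4 in hashlib depends on OpenSSL's legacy provider and is often unavailable) and builds the corresponding user line. The assumption that the nthash keyword takes the standard NT hash as 32 hexadecimal characters is the example's, and the usernames, passwords and group names are constructed. Note that an NT hash is unsalted and, for the MS-CHAP-style methods that use it, is itself a credential, so a configuration that contains nthash values still needs the same protection as one with cleartext passwords.

```python
import struct
from typing import Optional

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 digest as specified in RFC 1320 (pure Python, for portability)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:            # pad to 56 mod 64 ...
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)  # ... then the bit length

    h0, h1, h2, h3 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h0, h1, h2, h3
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                t = (a + fn(b, c, d) + x[idx] + k) & MASK32
                # each step updates one register; rotating the names keeps the
                # a/d/c/b update order of the specification
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
        h0, h1, h2, h3 = ((h0 + a) & MASK32, (h1 + b) & MASK32,
                          (h2 + c) & MASK32, (h3 + d) & MASK32)
    return struct.pack("<4I", h0, h1, h2, h3)


def nthash(password: str) -> str:
    """NT hash: MD4 of the password encoded as UTF-16LE, as 32 uppercase hex digits."""
    return md4(password.encode("utf-16-le")).hex().upper()


def local_user_line(username: str, password: str, group: Optional[str] = None,
                    mac_auth_only: bool = False) -> str:
    """Build a radius-server local 'user' line that stores the NT hash instead
    of the cleartext password (assumed nthash syntax, see lead-in)."""
    line = "user %s nthash %s" % (username, nthash(password))
    if group:
        line += " group %s" % group
    if mac_auth_only:
        line += " mac-auth-only"
    return line


if __name__ == "__main__":
    # constructed sample users, in the style of the example that follows
    print(local_user_line("carl", "272165", group="managers"))
    print(local_user_line("vic", "lid178", group="managers"))
```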
AP(config-radsrv)# user 00095125d02b password 00095125d02b group cashiers
AP(config-radsrv)# user 00079431f04a password 00079431f04a group cashiers
AP(config-radsrv)# user carl password 272165 group managers
AP(config-radsrv)# user vic password lid178 group managers
AP(config-radsrv)# end

Configuring Other Access Points to Use the Local Authenticator

You add the local authenticator to the list of servers o

Each time the access point tries to use the main servers while they are down, the client device trying to authenticate might report an authentication timeout. The client device retries and succeeds when the main servers time out and the access point tries the local authenticator. You can extend the timeout value on Cisco client devices to accommodate expected server timeouts.

In this example, the local authenticator generates a PAC for the username joe, password-protects the file with the password bingo, sets the PAC to expire in 10 days, and writes the PAC file to the TFTP server at 10.0.0.5:

AP# radius local-server pac-generate tftp://10.0.0.5 joe password bingo expiry 10

Configuring an Authority ID

All EAP-FAST authenticators are identified by an authority identity (AID).

Limiting the Local Authenticator to One Authentication Type

By default, a local authenticator access point performs LEAP, EAP-FAST, and MAC-based authentication for client devices. However, you can limit the local authenticator to perform only one or two authentication types.

The second section lists statistics for each access point (NAS) authorized to use the local authenticator.
Chapter 10 Configuring Cipher Suites and WEP

This chapter describes how to configure the cipher suites required to use Wi-Fi Protected Access (WPA) and Cisco Centralized Key Management (CCKM) authenticated key management, Wired Equivalent Privacy (WEP), WEP features including AES, Message Integrity Check (MIC), Temporal Key Integrity Protocol (TKIP), and broadcast key rotation.

Understanding Cipher Suites and WEP

This section describes how WEP and cipher suites protect traffic on your wireless LAN. Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal, any wireless networking device within range of an access point can receive the access point's radio transmissions.

• TKIP (Temporal Key Integrity Protocol)—TKIP is a suite of algorithms surrounding WEP that is designed to achieve the best possible security on legacy hardware built to run WEP.

Beginning in privileged EXEC mode, follow these steps to create a WEP key and set the key properties:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface dot11radio {0 | 1}
        Enter interface configuration mode for the radio interface. The 2.4-GHz radio and the 2.4-GHz 802.11n radio are radio 0. The 5-GHz radio and the 5-GHz 802.11n radio are radio 1.

WEP Key Restrictions

Table 10-1 lists WEP key restrictions based on your security configuration.

Note: If you enable MIC but you use static WEP (you do not enable any type of EAP authentication), both the access point and any devices with which it communicates must use the same WEP key for transmitting data.

Step 3  encryption [vlan vlan-id] mode ciphers {[aes | aes-ccm | ckip | tkip]} {[wep128 | wep40]}
        Enable a cipher suite containing the WEP protection you need. Table 10-3 lists guidelines for selecting a cipher suite that matches the type of authenticated key management you configure.
        • (Optional) Select the VLAN for which you want to enable WEP and WEP features.
        • Set the cipher options and WEP level.

Table 10-3 Cipher Suites Compatible with WPA and CCKM
Authenticated Key Management Type   Compatible Cipher Suites
CCKM                                • encryption mode ciphers wep128
                                    • encryption mode ciphers wep40
                                    • encryption mode ciphers ckip
                                    • encryption mode ciphers cmic
                                    • encryption mode ciphers ckip-cmic
                                    • encryption mode ciphers tkip
                                    • encryption mode aes
WPA                                 • encryption mode ciphers tkip
                                    • encryption mode ciphers tkip wep128

Beginning in privileged EXEC mode, follow these steps to enable broadcast key rotation:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface dot11radio {0 | 1}
        Enter interface configuration mode for the radio interface. The 2.4-GHz radio and the 2.4-GHz 802.11n radio are radio 0. The 5-GHz radio and the 5-GHz 802.11n radio are radio 1.
CH A P T E R 11 Configuring Authentication Types This chapter describes how to configure authentication types on the access point.
Chapter 11 Configuring Authentication Types Understanding Authentication Types Understanding Authentication Types This section describes the authentication types that you can configure on the access point. The authentication types are tied to the SSIDs that you configure for the access point. If you want to serve different types of client devices with the same access point, you can configure multiple SSIDs. See Chapter 7, “Configuring Multiple SSIDs.
Chapter 11 Configuring Authentication Types Understanding Authentication Types Figure 11-1 Sequence for Open Authentication Access point or bridge with WEP key = 123 Client device with WEP key = 321 1. Authentication request 2. Authentication response 3. Association request 4. Association response 5. WEP data frame to wired network 54583 6. Key mismatch, frame discarded Shared Key Authentication to the Access Point Cisco provides shared key authentication to comply with the IEEE 802.11b standard.
Chapter 11 Configuring Authentication Types Understanding Authentication Types EAP Authentication to the Network This authentication type provides the highest level of security for your wireless network. By using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key.
Chapter 11 Configuring Authentication Types Understanding Authentication Types There is more than one type of EAP authentication, but the access point behaves the same way for each type: it relays authentication messages from the wireless client device to the RADIUS server and from the RADIUS server to the wireless client device. See the “Assigning Authentication Types to an SSID” section on page 11-10 for instructions on setting up EAP on the access point.
Figure 11-4 Sequence for MAC-Based Authentication (client device, access point or bridge, and server on the wired LAN)

1. Authentication request
2. Authentication success
3. Association request
4. Association response (block traffic from client)
5. Authentication request
6. Success
Figure 11-5 shows the reassociation process using CCKM.
Figure 11-6 shows the WPA key management process.

Figure 11-6 WPA Key Management Process (client device, access point, and authentication server on the wired LAN)

Client and server authenticate to each other, generating an EAP master key. The server uses the EAP master key to generate a pairwise master key (PMK) to protect communication between the client and the access point. (However, if the client is using 802.
To support the security combinations in Table 11-1, your Cisco Aironet access points and Cisco Aironet client devices must run the following software and firmware versions:
• Cisco IOS Release 12.2(13)JA or later on access points
• Install Wizard version 1.2 for 340, 350, and CB20A client devices, which includes these components:
  – PC, LM, and PCI card driver version 8.4
  – Mini PCI and PC-cardbus card driver version 3.
Configuring Authentication Types

Note: When you configure TKIP-only cipher encryption (not TKIP + WEP 128 or TKIP + WEP 40) on any radio interface or VLAN, every SSID on that radio or VLAN must be set to use WPA or CCKM key management. If you configure TKIP on a radio or VLAN but do not configure key management on the SSIDs, client authentication fails on those SSIDs.
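The rule in the note above is easy to violate because the cipher suite is set per radio or per VLAN on the radio interface while key management is set per SSID, so the two settings live in different configuration blocks. The following Python script is an added example written for readers of this guide; it is not Cisco code and not output from an access point. It parses a constructed running-config fragment laid out the way the dot11 ssid and interface Dot11RadioN blocks appear in a saved configuration and reports every SSID bound to a radio whose VLAN (or native VLAN, when the SSID has no vlan line) carries a TKIP cipher suite without a WEP 40/128 fallback but whose SSID block has no authentication key-management wpa or cckm line. The SSID names, VLAN numbers and method-list names in the sample are constructed for the example.

```python
"""Added example: lint an Aironet-style running-config for TKIP SSIDs lacking WPA/CCKM."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """
dot11 ssid corp
   vlan 10
   authentication network-eap eap_methods
   authentication key-management wpa
!
dot11 ssid guest
   vlan 20
   authentication open
!
dot11 ssid legacy
   authentication open
   authentication key-management cckm optional
!
interface Dot11Radio0
 encryption mode ciphers tkip
 encryption vlan 10 mode ciphers aes-ccm tkip
 encryption vlan 20 mode ciphers tkip
 ssid corp
 ssid guest
 ssid legacy
!
"""


@dataclass
class Ssid:
    name: str
    vlan: Optional[str] = None            # None = native VLAN (no vlan line)
    key_mgmt: Set[str] = field(default_factory=set)


def parse_config(text: str):
    """Return ({ssid name: Ssid}, {radio name: {"ciphers": {vlan: set}, "ssids": [...]}})."""
    ssids: Dict[str, Ssid] = {}
    radios: Dict[str, dict] = {}
    block = None                          # ("ssid", name) or ("radio", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            block = None
            continue
        m = re.match(r"dot11 ssid (\S+)$", line)
        if m:
            block = ("ssid", m.group(1))
            ssids[m.group(1)] = Ssid(m.group(1))
            continue
        m = re.match(r"interface (Dot11Radio\d+)$", line)
        if m:
            block = ("radio", m.group(1))
            radios[m.group(1)] = {"ciphers": {}, "ssids": []}
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "ssid":
            if (m := re.match(r"vlan (\d+)$", line)):
                ssids[name].vlan = m.group(1)
            elif (m := re.match(r"authentication key-management (.+)$", line)):
                ssids[name].key_mgmt |= {w for w in m.group(1).split() if w in ("wpa", "cckm")}
        else:
            # "encryption [vlan N] mode ciphers <suite...>": None key = native VLAN
            if (m := re.match(r"encryption(?: vlan (\d+))? mode ciphers (.+)$", line)):
                radios[name]["ciphers"][m.group(1)] = set(m.group(2).split())
            elif (m := re.match(r"ssid (\S+)$", line)):
                radios[name]["ssids"].append(m.group(1))
    return ssids, radios


def find_violations(text: str) -> List[str]:
    """List SSIDs on a TKIP-only radio/VLAN that have no WPA or CCKM key management."""
    ssids, radios = parse_config(text)
    problems = []
    for radio, info in radios.items():
        for sname in info["ssids"]:
            ssid = ssids.get(sname)
            if ssid is None:
                continue
            ciphers = info["ciphers"].get(ssid.vlan)
            if ciphers is None:
                continue                  # no cipher suite on this VLAN: rule does not apply
            # TKIP-only = TKIP present and no WEP fallback (tkip+wep40 / tkip+wep128 are exempt)
            tkip_only = "tkip" in ciphers and not (ciphers & {"wep40", "wep128"})
            if tkip_only and not ssid.key_mgmt:
                problems.append(
                    f"{radio}: SSID {sname} (vlan {ssid.vlan or 'native'}) "
                    "uses TKIP but has no WPA/CCKM key management")
    return problems
```

Run find_violations on saved show running-config output; an empty list means every TKIP-bearing radio or VLAN has key management on all of its SSIDs. In the constructed sample only the guest SSID is reported: corp has wpa, and legacy (native VLAN, TKIP) has cckm.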
Step 3  authentication open [mac-address list-name [alternate]] [[optional] eap list-name]
(Optional) Set the authentication type to open for this SSID. Open authentication allows any device to authenticate and then attempt to communicate with the access point.
• (Optional) Set the SSID’s authentication type to open with MAC address authentication.
Step 5  authentication network-eap list-name [mac-address list-name]
(Optional) Set the authentication type for the SSID to Network-EAP. Using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key.
Step 7  end
Return to privileged EXEC mode.
Step 8  copy running-config startup-config
(Optional) Save your entries in the configuration file.

Use the no form of the SSID commands to disable the SSID or to disable SSID features. This example sets the authentication type for the SSID batman to Network-EAP with CCKM authenticated key management.
Configuring Additional WPA Settings

Use two optional settings to configure a pre-shared key on the access point and adjust the frequency of group key updates.

Setting a Pre-Shared Key

To support WPA on a wireless LAN where 802.1X-based authentication is not available, you must configure a pre-shared key on the access point. You can enter the pre-shared key as ASCII or hexadecimal characters. An ASCII key is a passphrase from which the pairwise master key is derived, so a short or guessable passphrase can be recovered offline by anyone who captures a client’s WPA key exchange; use a long random passphrase or the full 64-hexadecimal-character key.
Step 6  exit
Return to privileged EXEC mode.
Step 7  broadcast-key [vlan vlan-id] {change seconds} [membership-termination] [capability-change]
Use the broadcast key rotation command to configure additional updates of the WPA group key.
Step 8  copy running-config startup-config
(Optional) Save your entries in the configuration file.
This example shows how to enable MAC authentication caching with a one-hour timeout:

ap# configure terminal
ap(config)# dot11 aaa mac-authen filter-cache timeout 3600
ap(config)# end

Use the no form of the dot11 aaa mac-authen filter-cache command to disable MAC authentication caching.
Step 5  dot1x reauth-period {seconds | server}
Enter the interval in seconds that the access point waits before forcing an authenticated client to reauthenticate. Enter the server keyword to configure the access point to use the reauthentication period specified by the authentication server. If you use this option, configure your authentication server to return RADIUS attribute 27, Session-Timeout.
Creating an EAP Method Profile

Beginning in privileged EXEC mode, follow these steps to define a new EAP profile:

Step 1  configure terminal
Enter global configuration mode.
Step 2  eap profile profile-name
Create the profile and enter a name for it.
Step 3  description
(Optional) Enter a description for the EAP profile.
Step 4  method fast
Enter an allowed EAP method or methods.
Applying an EAP Profile to an Uplink SSID

This operation typically applies to repeater access points. Beginning in privileged EXEC mode, follow these steps to apply an EAP profile to the uplink SSID.

Step 1  configure terminal
Enter global configuration mode.
Step 2  interface dot11radio {0 | 1}
Enter interface configuration mode for the radio interface. The 2.
Matching Access Point and Client Device Authentication Types

Table 11-2 Client and Access Point Security Settings

Security Feature | Client Setting | Access Point Setting
Static WEP with open authentication | Create a WEP key and enable Use Static WEP Keys and Open Authentication | Set up and enable WEP and enable Open Authentication for the SSID
Static WEP with shared key authentication | Create a WEP key and enable Use Static WEP Keys and Shared Key Authenti
Table 11-2 Client and Access Point Security Settings (continued)

Security Feature | Client Setting | Access Point Setting
802.1X authentication and CCKM | Enable LEAP | Select a cipher suite and enable Network-EAP and CCKM for the SSID
Note
802.1X authentication and WPA | Enable any 802.
Table 11-2 Client and Access Point Security Settings (continued)

Security Feature | Client Setting | Access Point Setting
If using ACU to configure card | Create a WEP key, enable Host Based EAP, and enable Use Static WEP Keys in ACU and select Enable network access control using IEEE 802.
Chapter 12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services

This chapter describes how to configure your access points for wireless domain services (WDS), fast, secure roaming of client devices, radio management, and wireless intrusion detection services (WIDS).
Understanding WDS

When you configure Wireless Domain Services on your network, access points on your wireless LAN use the WDS device (either an access point, an Integrated Services Router, or a switch configured as the WDS device) to provide fast, secure roaming for client devices and to participate in radio management.
Table 12-1 Participating Access Points Supported by WDS Devices (continued)

Unit Configured as WDS Device | Participating Access Points Supported
Integrated Services Router (ISR) | 100 (depending on ISR platform)
WLSM-equipped switch | 600

Role of Access Points Using the WDS Device

The access points on your wireless LAN interact with the WDS device in these activ
Understanding Fast Secure Roaming

Figure 12-1 Client Authentication Using a RADIUS Server (client device, access point or bridge, and RADIUS server on the wired LAN)

1. Authentication request
2. Identity request
3. Username (relay to server)
4. Authentication challenge (relay to client)
5. Authentication response (relay to server)
6. Authentication success (relay to client)
device. The WDS device forwards the client’s credentials to the new access point, and the new access point sends the reassociation response to the client. Only two packets pass between the client and the new access point, greatly shortening the reassociation time. The client also uses the reassociation response to generate the unicast key.
Figure 12-3 Required Components for Layer 3 Mobility

• CiscoWorks Wireless LAN Solution Engine (WLSE)
• Catalyst 6500 with Wireless Domain Services (WDS) on the Wireless LAN Services Module (WLSM)
• CiscoSecure ACS AAA server
• Infrastructure access points (registered with WDS)

Click this link to browse to the information pages for the Cisco Structured Wi
access points. The WLSE examines the BRIDGE MIB of each CDP-discovered switch to determine whether it contains any of the target MAC addresses. If the WLSE finds any of the MAC addresses, it suppresses the corresponding switch port.
• Excessive management frame detection—Excessive management frames indicate an attack on your wireless LAN.
• Configuring the Authentication Server to Support WDS, page 12-15
• Configuring WDS Only Mode, page 12-19
• Viewing WDS Information, page 12-20
• Using Debug Messages, page 12-21

Guidelines for WDS

Follow these guidelines when configuring WDS:
• A WDS access point that also serves client devices supports up to 30 participating access points, but a WDS access point with radios disa
Figure 12-4 shows the required configuration for each device that participates in WDS.
On the access point that you want to configure as your primary WDS access point, follow these steps to configure the access point as the main WDS candidate:

Step 1  Browse to the Wireless Services Summary page. Figure 12-5 shows the Wireless Services Summary page.
Figure 12-5 Wireless Services Summary Page
Step 2  Click WDS to browse to the WDS/WNM Summary page.
Step 5  In the Wireless Domain Services Priority field, enter a priority number from 1 to 255 to set the priority of this WDS candidate. The WDS access point candidate with the highest number in the priority field becomes the acting WDS access point.
Figure 12-7 WDS Server Groups Page
Step 10  Create a group of servers to be used for 802.1X authentication of the infrastructure devices (access points) that use the WDS access point. Enter a group name in the Server Group Name field.
Step 11  Select the primary server from the Priority 1 drop-down menu.
Step 14  Configure the list of servers to be used for 802.1X authentication of client devices. You can specify a separate list for clients using a certain type of authentication, such as EAP, LEAP, PEAP, or MAC-based, or specify a list for client devices using any type of authentication. Enter a group name for the server or servers in the Server Group Name field.
Configuring Access Points to Use the WDS Device

Follow these steps to configure an access point to authenticate through the WDS device and participate in WDS:

Note: To participate in WDS, infrastructure access points should run the same version of IOS as the WDS device runs.

Step 1  Browse to the Wireless Services Summary page.
The access points that you configure to interact with the WDS automatically perform these steps:
• Discover and track the current WDS device and relay WDS advertisements to the wireless LAN.
• Authenticate with the WDS device and establish a secure communication channel to the WDS device.
• Register associated client devices with the WDS device.
Figure 12-9 Network Configuration Page
Step 2  Click Add Entry under the AAA Clients table. The Add AAA Client page appears. Figure 12-10 shows the Add AAA Client page.
Figure 12-10 Add AAA Client Page
Step 3  In the AAA Client Hostname field, enter the name of the WDS device.
Step 4  In the AAA Client IP Address field, enter the IP address of the WDS device.
Step 5  In the Key field, enter exactly the same key (the RADIUS shared secret) that is configured on the WDS device.
Step 6  From the Authenticate Using drop-down menu, select RADIUS (Cisco Aironet).
Step 9  Click User Setup to browse to the User Setup page. You must use the User Setup page to create entries for the access points that use the WDS device. Figure 12-11 shows the User Setup page.
Figure 12-11 User Setup Page
Step 10  Enter the name of the access point in the User field.
Step 11  Click Add/Edit.
Step 12  Scroll down to the User Setup box.
Step 13  Select CiscoSecure Database from the Password Authentication drop-down menu.
Step 14  In the Password and Confirm Password fields, enter exactly the same password that you entered on the access point on the Wireless Services AP page.
Step 15  Click Submit.
Step 16  Repeat Step 10 through Step 15 for each access point that uses the WDS device.
Viewing WDS Information

On the web-browser interface, browse to the Wireless Services Summary page to view a summary of WDS status.
Using Debug Messages

In privileged EXEC mode, use these debug commands to control the display of debug messages for devices interacting with the WDS device:

debug wlccp ap {mn | wds-discovery | state}
Turn on display of debug messages related to client devices (mn), the WDS discovery process, and access point authentication
Configuring Fast Secure Roaming

Configuring Access Points to Support Fast Secure Roaming

To support fast, secure roaming, the access points on your wireless LAN must be configured to participate in WDS and they must allow CCKM authenticated key management for at least one SSID. Follow these steps to configure CCKM for an SSID:

Step 1  Browse to the Encryption Manager page on the access point GUI.
Figure 12-15 Global SSID Manager Page
Step 6  On the SSID that supports CCKM, select these settings:
b. If your access point contains multiple radio interfaces, select the interfaces on which the SSID applies.
c. Select Network EAP under Authentication Settings. When you enable CCKM, you must enable Network EAP as the authentication type.
d. Select Mandatory or Optional under Authenticated Key Management. If you select Mandatory, only clients that support CCKM can associate using the SSID. If you select Optional, both CCKM clients and clients that do not support CCKM can associate using the SSID.
e. Check the CCKM check box.
Step 7  Click Apply.
Management Frame Protection

Infrastructure MFP protects the management frames that access points transmit. It adds a message integrity check (MIC) to broadcast and directed management frames, so that spoofed management frames from rogue devices and management-frame denial-of-service attacks can be detected. Client MFP extends the same protection to the management frames exchanged with client devices that support it.
Client MFP can be configured as either required or optional for a particular SSID. To configure Client MFP as required, you must configure the SSID with key management WPA version 2 mandatory. If the key management is not WPAv2 mandatory, an error message is displayed and the CLI command is rejected.
Step 4  sntp server server-ip-address
Enter the name or IP address of the SNTP server.
Step 5  end
Return to privileged EXEC mode.
Step 6  copy running-config startup-config
(Optional) Save your entries in the configuration file.
Step 2  Click WDS to browse to the WDS/WNM Summary page.
Step 3  On the WDS/WNM Summary page, click Settings to browse to the General Setup page. Figure 12-17 shows the General Setup page.
Figure 12-17 WDS/WNM General Setup Page
Step 4  Check the Configure Wireless Network Manager check box.
Configuring Access Points to Participate in WIDS

To participate in WIDS, access points must be configured to participate in WDS and in radio management.
Beginning in privileged EXEC mode, follow these steps to configure the access point to capture and forward 802.11 frames:

Step 1  configure terminal
Enter global configuration mode.
Step 2  interface dot11radio {0 | 1}
Enter interface configuration mode for the radio interface. Radio 0 is the 2.4-GHz radio (including the 2.4-GHz 802.11n radio).
Configuring Monitor Mode Limits

You can configure threshold values that the access point uses in monitor mode. When a threshold value is exceeded, the access point logs the information or sends an alert.

Configuring an Authentication Failure Limit

Setting an authentication failure limit protects your network against a denial-of-service attack called EAPOL flooding, in which a client floods the access point with 802.1X (EAPOL) authentication attempts that fail, tying up the access point and the authentication server.
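The authentication failure limit is a per-client rate threshold: a client that fails 802.1X authentication more than a configured number of times inside a time window is treated as an EAPOL flood. The following Python code is an added example, not a Cisco feature, its defaults, or its log format. It applies the same sliding-window rule to a constructed stream of authentication outcomes so that you can see which pattern trips the limit and which does not. Timestamps, MAC addresses and the outcome labels are constructed for the example, and the limit and window values are assumptions chosen for illustration.

```python
"""Added example: sliding-window authentication-failure limit per client MAC."""
from collections import defaultdict, deque

# Constructed events (not access point log output): (seconds, client MAC, 802.1X outcome)
EVENTS = [
    (0.0, "00:11:22:33:44:55", "fail"),
    (0.5, "00:11:22:33:44:55", "fail"),
    (1.0, "aa:bb:cc:dd:ee:01", "fail"),
    (1.2, "00:11:22:33:44:55", "fail"),
    (1.9, "00:11:22:33:44:55", "fail"),
    (2.4, "00:11:22:33:44:55", "fail"),     # 5th failure within 10 s: flood suspected
    (3.0, "aa:bb:cc:dd:ee:01", "success"),  # a success does not reset the failure history
    (40.0, "aa:bb:cc:dd:ee:01", "fail"),    # isolated failures far apart: no alert
    (95.0, "aa:bb:cc:dd:ee:01", "fail"),
]


class AuthFailureLimiter:
    """Alert once per client when `limit` failures fall inside any `window` seconds."""

    def __init__(self, limit=5, window=10.0):
        self.limit, self.window = limit, window
        self.failures = defaultdict(deque)  # MAC -> timestamps of recent failures
        self.alerted = set()

    def observe(self, ts, mac, outcome):
        if outcome != "fail":
            return None
        q = self.failures[mac]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= self.limit and mac not in self.alerted:
            self.alerted.add(mac)
            return (f"EAPOL flood suspected: {mac} failed {len(q)} times "
                    f"in {self.window:.0f}s (last at t={ts})")
        return None


def run(events, limit=5, window=10.0):
    """Feed events in time order and collect the alerts raised."""
    det = AuthFailureLimiter(limit, window)
    return [alert for alert in (det.observe(*e) for e in events) if alert]
```

With the constructed stream only the first client is reported; the second client's two failures are 55 seconds apart and never share a 10-second window. Loosening the window to 60 seconds catches both, which is the trade-off the threshold values express.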
the active tunnels, which keeps data traffic going between client and SUP. But because of the WLSM failure, the control traffic between the access point and the WLSM is disrupted (as shown in Figure 12-18), which prevents the access points from accepting new client connections until the WLSM software is back online.
Chapter 13 Configuring RADIUS and TACACS+ Servers

This chapter describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+), which provide detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS and TACACS+ are facilitated through AAA and can be enabled only through AAA commands.
Configuring and Enabling RADIUS

Understanding RADIUS

RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco devices and send authentication requests to a central RADIUS server, which contains all user authentication and network service access information.
Figure 13-1 Sequence for EAP Authentication (client device, access point or bridge, and RADIUS server on the wired LAN)

1. Authentication request
2. Identity request
3. Username (relay to server)
4. Authentication challenge (relay to client)
5. Authentication response (relay to server)
6. Authentication success (relay to client)
7. Authentication challenge (relay to server)
8. Authentication response (relay to client)
A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring a backup system if the initial method fails.
You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
Step 3  radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
Specify the IP address or host name of the remote RADIUS server host.
• (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
Step 6  end
Return to privileged EXEC mode.
Step 7  show running-config
Verify your entries.
Step 8  copy running-config startup-config
(Optional) Save your entries in the configuration file.

To remove the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.
Step 3  aaa authentication login {default | list-name} method1 [method2...]
Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
Defining AAA Server Groups

You can configure the access point to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
Step 3  radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
Specify the IP address or host name of the remote RADIUS server host.
• (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
To remove the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command.
Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:

Step 1  configure terminal
Enter global configuration mode.
Step 2  aaa authorization network radius
Configure the access point for user RADIUS authorization for all network-related service requests.
Note: When WDS is configured, PoD requests should be directed to the WDS. The WDS forwards the disassociation request to the parent access point and then purges the session from its own internal tables.

Note: PoD is supported on the Cisco CNS Access Registrar (CAR) RADIUS server, but not on the Cisco Secure ACS Server, v4.0 and earlier.
Step 1  configure terminal
Enter global configuration mode.
Step 2  aaa accounting network start-stop radius
Enable RADIUS accounting for all network-related service requests.
Step 3  ip radius source-interface bvi1
Configure the access point to send its BVI IP address in the NAS-IP-Address attribute (attribute 4) of accounting records.
Configuring Settings for All RADIUS Servers

Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the access point and all RADIUS servers:

Step 1  configure terminal
Enter global configuration mode.
Step 2  radius-server key string
Specify the shared secret text string used between the access point and all RADIUS servers.
This example shows how to set up two main servers and a local authenticator with a server deadtime of 10 minutes (the short numeric key shown is for illustration only; use a long random shared secret on a production network):

AP(config)# aaa new-model
AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 key 77654
AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 key 77654
AP(config)# radius-server host 10.91.6.
Step 1  configure terminal
Enter global configuration mode.
Step 2  radius-server vsa send [accounting | authentication]
Enable the access point to recognize and use VSAs as defined by RADIUS IETF attribute 26.
• (Optional) Use the accounting keyword to limit the set of recognized vendor-specific attributes to only accounting attributes.
Step 3  radius-server key string
Specify the shared secret text string used between the access point and the vendor-proprietary RADIUS server. The access point and the RADIUS server use this text string to hide the User-Password attribute in requests and to compute and verify the authenticator that protects the server’s responses.

Note: The key is a text string that must match the key configured on the RADIUS server.
Beginning in privileged EXEC mode, follow these steps to specify WISPr RADIUS attributes on the access point:

Step 1  configure terminal
Enter global configuration mode.
Step 2  snmp-server location location
Specify the WISPr location-name attribute.
RADIUS Attributes Sent by the Access Point

Table 13-2 through Table 13-6 identify the attributes that the access point sends to the RADIUS server in Access-Request and Accounting-Request packets, and the attributes that it processes in the server’s Access-Accept packets.
Table 13-4 Attributes Sent in Accounting-Request (start) Packets

Attribute ID | Description
1 | User-Name
4 | NAS-IP-Address
5 | NAS-Port
6 | Service-Type
25 | Class
41 | Acct-Delay-Time
44 | Acct-Session-Id
61 | NAS-Port-Type
VSA (attribute 26) | SSID
VSA (attribute 26) | NAS-Location
VSA (attribute 26) | Cisco-NAS-Port
VSA (attribute 26) | Interface

Table 13-5 Attributes Sent in Accounting-Request (update) Packets

Attr
Table 13-6 Attributes Sent in Accounting-Request (stop) Packets

Attribute ID | Description
1 | User-Name
4 | NAS-IP-Address
5 | NAS-Port
6 | Service-Type
25 | Class
41 | Acct-Delay-Time
42 | Acct-Input-Octets
43 | Acct-Output-Octets
44 | Acct-Session-Id
46 | Acct-Session-Time
47 | Acct-Input-Packets
48 | Acct-Output-Packets
49 | Acct-Terminate-Cause
61 | NAS-Port-Type
VSA (attribute 26) | SSID
VSA (attribute 26) | NA
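The tables above list which attributes travel in each packet, and the radius-server key paragraphs earlier in this chapter describe the shared secret. To make concrete what the secret actually protects, here is an added Python example (not Cisco code and not a capture from an access point) that frames a RADIUS exchange as RFC 2865 defines it: the client side builds an Access-Request carrying several attributes from the tables (User-Name, NAS-IP-Address, NAS-Port, Service-Type, NAS-Port-Type and a vendor-specific attribute for the SSID) and hides User-Password with the MD5 scheme keyed by the secret; the server side answers with an Access-Accept carrying Session-Timeout (attribute 27, the value the dot1x reauth-period server option consumes); the client then verifies the Response Authenticator before trusting it. Assumptions: the SSID is carried as a Cisco vendor ID 9 cisco-avpair of the form ssid=..., and the addresses, user name, password, identifier and secret are constructed for the example.

```python
"""Added example: RADIUS Access-Request/Access-Accept with shared-secret operations (RFC 2865)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
VENDOR_SPECIFIC, SESSION_TIMEOUT, NAS_PORT_TYPE = 26, 27, 61
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1      # assumption: SSID sent as cisco-avpair "ssid=..."


def attr(attr_type, value):
    """Type-Length-Value; Length counts its own two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def cisco_avpair(text):
    """Vendor-Specific (26): 4-byte Vendor-Id, then vendor type, length and string."""
    inner = bytes([CISCO_AVPAIR, len(text) + 2]) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    p = password.encode()
    p += b"\0" * (-len(p) % 16)
    out, prev = b"", req_auth               # first block is keyed by the Request Authenticator
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, req_auth):
    """Server side of 5.2: same keystream, chained on the received (hidden) blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def access_request(secret, ident, username, password, nas_ip, ssid, req_auth=None):
    """Access point side. Returns the packet and the Request Authenticator to keep for the reply."""
    req_auth = req_auth or os.urandom(16)
    attrs = [
        attr(USER_NAME, username.encode()),
        attr(USER_PASSWORD, hide_password(password, secret, req_auth)),
        attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        attr(NAS_PORT, struct.pack("!I", 0)),
        attr(SERVICE_TYPE, struct.pack("!I", 2)),       # Framed
        attr(NAS_PORT_TYPE, struct.pack("!I", 19)),     # Wireless-IEEE-802.11
        cisco_avpair(f"ssid={ssid}"),
    ]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def response_authenticator(code, ident, body, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def access_accept(secret, ident, req_auth, session_timeout_s):
    """Server side: Access-Accept carrying Session-Timeout (27) for the reauthentication period."""
    body = attr(SESSION_TIMEOUT, struct.pack("!I", session_timeout_s))
    auth = response_authenticator(ACCESS_ACCEPT, ident, body, req_auth, secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, [body])


def parse_attrs(body):
    out, i = [], 0
    while i < len(body):
        t, length = body[i], body[i + 1]
        out.append((t, body[i + 2:i + length]))
        i += length
    return out


def get_attr(attrs, attr_type):
    return next((v for t, v in attrs if t == attr_type), None)


def verify_response(packet, req_auth, secret):
    """Access point side: trust the reply only if its authenticator matches under our secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    body = packet[20:length]
    expected = response_authenticator(code, ident, body, req_auth, secret)
    return hmac.compare_digest(expected, packet[4:20]), code, parse_attrs(body)


def session_timeout(attrs):
    v = get_attr(attrs, SESSION_TIMEOUT)
    return struct.unpack("!I", v)[0] if v else None
```

A reply whose authenticator does not verify must be dropped: without that check any host that can reach the access point could forge an Access-Accept. Note also that the password hiding is an MD5 keystream derived from the secret, not authenticated encryption, so the shared secret must be long and random and RADIUS traffic should stay on a management network; the key value in the earlier configuration example is illustrative only.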
Configuring and Enabling TACACS+

This section contains this configuration information:
• Understanding TACACS+, page 13-23
• TACACS+ Operation, page 13-24
• Configuring TACACS+, page 13-24
• Displaying the TACACS+ Configuration, page 13-29

Understanding TACACS+

TACACS+ is a security application that provides centralized validation of users attempting to gain access to your access point.
TACACS+ Operation

When an administrator attempts a simple ASCII login by authenticating to an access point using TACACS+, this process occurs:
1. When the connection is established, the access point contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the administrator. The administrator enters a username, and the access point then contacts the TACACS+ daemon to obtain a password prompt.
This section contains this configuration information:
• Default TACACS+ Configuration, page 13-25
• Identifying the TACACS+ Server Host and Setting the Authentication Key, page 13-25
• Configuring TACACS+ Login Authentication, page 13-26
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 13-27
• Starting TACACS+ Accounting, page 13-28

Default TACACS+ Configuration

TACACS+ and
Step 5  server ip-address
(Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group. Each server in the group must be previously defined in Step 2.
Step 6  end
Return to privileged EXEC mode.
Step 7  show tacacs
Verify your entries.
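The TACACS+ Operation section describes the login exchange, and the procedure above sets the server host and its authentication key, but neither says what the key does to each packet. As an added example (not Cisco code; it follows the TACACS+ protocol as documented in RFC 8907), the following Python code frames an authentication START packet for a login like the one described, obfuscates the body with the MD5 pseudo-pad derived from the key and the packet header, and parses it back on the receiving side. The user name, port, remote address, session ID and key are constructed for the example.

```python
"""Added example: TACACS+ packet framing and key-based body obfuscation (RFC 8907)."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER, TAC_PLUS_MINOR_VER = 0xC, 0x0   # version byte 0xC0
TAC_PLUS_AUTHEN = 1                                  # packet type: authentication
FLAG_UNENCRYPTED = 0x01                              # set only when no key is in use
VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain: MD5(session_id+key+version+seq_no [+ previous hash]) until `length` bytes."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_header(ptype, seq_no, session_id, body_len, encrypted=True):
    flags = 0 if encrypted else FLAG_UNENCRYPTED
    return struct.pack("!BBBBII", VERSION, ptype, seq_no, flags, session_id, body_len)


def authen_start_body(user, port, rem_addr, action=1, priv_lvl=1, authen_type=1, service=1):
    """Authentication START: action LOGIN, authen_type ASCII, service LOGIN (RFC 8907 5.1)."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                        len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def build_packet(key, session_id, seq_no, body, ptype=TAC_PLUS_AUTHEN):
    """Header in the clear, body obfuscated under the shared key."""
    return build_header(ptype, seq_no, session_id, len(body)) + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_packet(key, packet):
    """Receiving side: read the header, then de-obfuscate the body with the same key."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body}


def parse_authen_start(body):
    action, priv, _atype, _svc, ul, pl, rl, _dl = struct.unpack("!BBBBBBBB", body[:8])
    i = 8
    user = body[i:i + ul].decode(); i += ul
    port = body[i:i + pl].decode(); i += pl
    rem_addr = body[i:i + rl].decode()
    return {"action": action, "priv_lvl": priv, "user": user, "port": port, "rem_addr": rem_addr}
```

The body obfuscation is an MD5 keystream derived from the key and the header, not authenticated encryption: a mismatched key yields garbage rather than a detected error, and nothing in the packet lets the receiver detect modification in transit. The key must therefore match exactly on the access point and the server, and the server should be reachable only across a trusted management network.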
Chapter 13 Configuring RADIUS and TACACS+ Servers Configuring and Enabling TACACS+ Step 3 Command Purpose aaa authentication login {default | list-name} method1 [method2...] Create a login authentication method list. • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
Chapter 13 Configuring RADIUS and TACACS+ Servers Configuring and Enabling TACACS+ The aaa authorization exec tacacs+ local command sets these authorization parameters: • Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+. • Use the local database if authentication was not performed by using TACACS+. Note Authorization is bypassed for authenticated administrators who log in through the CLI even if authorization has been configured.
Chapter 13 Configuring RADIUS and TACACS+ Servers Configuring and Enabling TACACS+ Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1... global configuration command. Displaying the TACACS+ Configuration To display TACACS+ server statistics, use the show tacacs privileged EXEC command.
CHAPTER 14 Configuring VLANs This chapter describes how to configure your access point to operate with the VLANs set up on your wired LAN.
Chapter 14 Configuring VLANs Understanding VLANs Understanding VLANs A VLAN is a switched network that is logically segmented, by functions, project teams, or applications rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup team can be connected to the same VLAN, regardless of their physical connections to the network or the fact that they might be intermingled with other teams.
Chapter 14 Configuring VLANs Understanding VLANs Figure 14-1 LAN and VLAN Segmentation with Wireless Devices [figure: traditional LAN segmentation (LAN 1, LAN 2 and LAN 3 on shared hubs, one per floor) contrasted with VLAN segmentation (VLAN 1, VLAN 2 and VLAN 3 on Catalyst VLAN switches joined by a trunk port, with SSID 1 = VLAN 1, SSID 2 = VLAN 2 and SSID 3 = VLAN 3)] Related Documents These documents provide more detailed information pertaining to VLAN design and configuration: •
Chapter 14 Configuring VLANs Configuring VLANs Incorporating Wireless Devices into VLANs The basic wireless components of a VLAN consist of an access point and a client associated to it using wireless technology. The access point is physically connected through a trunk port to the network VLAN switch on which the VLAN is configured. The physical connection to the VLAN switch is through the access point’s Ethernet port.
Chapter 14 Configuring VLANs Configuring VLANs Configuring a VLAN Note When you configure VLANs on access points, the native VLAN must be VLAN1. In a single architecture, client traffic received by the access point is tunneled through an IP-GRE tunnel, which is established on the access point’s Ethernet interface native VLAN. Because of the IP-GRE tunnel, some users may configure another switch port as VLAN1. This misconfiguration causes errors on the switch port.
Chapter 14 Configuring VLANs Configuring VLANs Step 3 Command Purpose ssid ssid-string Create an SSID and enter SSID configuration mode for the new SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.
Chapter 14 Configuring VLANs Configuring VLANs Command Purpose Step 11 end Return to privileged EXEC mode. Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 14 Configuring VLANs Configuring VLANs Creating a VLAN Name Beginning in privileged EXEC mode, follow these steps to assign a name to a VLAN: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 dot11 vlan-name name vlan vlan-id Assign a VLAN name to a VLAN ID. The name can contain up to 32 ASCII characters. Step 3 end Return to privileged EXEC mode. Step 4 copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 14 Configuring VLANs Configuring VLANs Using a RADIUS Server for Dynamic Mobility Group Assignment You can configure a RADIUS server to dynamically assign mobility groups to users or user groups. This eliminates the need to configure multiple SSIDs on the access point. Instead, you need to configure only one SSID per access point. When users associate to the SSID, the access point passes their login information to WLSM, which passes the information to the RADIUS server.
Chapter 14 Configuring VLANs VLAN Configuration Example
Virtual-Dot11Radio0
   Protocols Configured:   Address:          Received:   Transmitted:
        Bridging           Bridge Group 1    201688      0
        Bridging           Bridge Group 1    201688      0
        Bridging           Bridge Group 1    201688      0
Virtual LAN ID: 2 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interfaces: FastEthernet0.2
Virtual-Dot11Radio0.2
   Protocols Configured: Dot11Radio0.
Chapter 14 Configuring VLANs VLAN Configuration Example 4. Configure VLAN 1, the Management VLAN, on both the fastEthernet and dot11radio interfaces on the access point. You should make this VLAN the native VLAN. 5. Configure VLANs 2 and 3 on both the fastEthernet and dot11radio interfaces on the access point. 6. Configure the client devices. Table 14-2 shows the commands needed to configure the three VLANs in this example.
Chapter 14 Configuring VLANs VLAN Configuration Example Table 14-3 shows the results of the configuration commands in Table 14-2. Use the show running command to display the running configuration on the access point. Table 14-3 Results of Example Configuration Commands VLAN 1 Interfaces VLAN 2 Interfaces VLAN 3 Interfaces interface Dot11Radio0.
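The rules stated in this chapter (the native VLAN must be VLAN 1, and each VLAN used by an SSID must exist on both the dot11radio and the Ethernet interfaces) can be checked against a running configuration before it is applied. The following is an added example, not code from the Cisco guide: a small audit script that reads IOS-style `dot11 ssid` / `vlan` and subinterface `encapsulation dot1Q` lines and reports violations of those two rules. The sample configuration embedded in it is constructed and deliberately leaves VLAN 3 off the Ethernet side so the audit has something to find; the `audit()` and `parse_vlans()` names are this example's own.

```python
"""Audit an access point VLAN configuration against the chapter's rules.

Added example, not code from the Cisco guide. The configuration text below is
a constructed sample; the function names are this example's own.
"""
import re

SAMPLE_CONFIG = """\
! constructed sample configuration, not taken from the guide
dot11 ssid corp
 vlan 2
dot11 ssid guest
 vlan 3
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 3
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
"""

WIRED_TYPES = ("FastEthernet", "GigabitEthernet")


def parse_vlans(config):
    """Return (ssid_vlan, iface_vlans, native_vlans).

    ssid_vlan:   {ssid name: VLAN id}
    iface_vlans: {interface type: set of VLAN ids with a subinterface}
    native_vlans:{interface type: set of VLAN ids tagged 'native'}
    """
    ssid_vlan, iface_vlans, native = {}, {}, {}
    current_ssid = current_iface = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):              # a new top-level stanza
            current_ssid = current_iface = None
            m = re.match(r"dot11 ssid (\S+)$", line)
            if m:
                current_ssid = m.group(1)
                continue
            m = re.match(r"interface (Dot11Radio|FastEthernet|GigabitEthernet)\d+\.\d+$", line)
            if m:
                current_iface = m.group(1)
            continue
        cmd = line.strip()
        if current_ssid:
            m = re.match(r"vlan (\d+)$", cmd)
            if m:
                ssid_vlan[current_ssid] = int(m.group(1))
        elif current_iface:
            m = re.match(r"encapsulation dot1[qQ] (\d+)( native)?$", cmd)
            if m:
                vid = int(m.group(1))
                iface_vlans.setdefault(current_iface, set()).add(vid)
                if m.group(2):
                    native.setdefault(current_iface, set()).add(vid)
    return ssid_vlan, iface_vlans, native


def audit(config):
    """Return a list of findings; an empty list means both rules are satisfied."""
    ssid_vlan, iface_vlans, native = parse_vlans(config)
    findings = []
    if not native:
        findings.append("no native VLAN configured on any subinterface")
    for iface, vids in native.items():
        for vid in vids:
            if vid != 1:
                findings.append(f"{iface}: native VLAN is {vid}, guide requires VLAN 1")
    radio = iface_vlans.get("Dot11Radio", set())
    wired = set().union(*(iface_vlans.get(t, set()) for t in WIRED_TYPES))
    for ssid, vid in sorted(ssid_vlan.items()):
        if vid not in radio:
            findings.append(f"SSID {ssid}: VLAN {vid} has no Dot11Radio subinterface")
        if vid not in wired:
            findings.append(f"SSID {ssid}: VLAN {vid} has no wired subinterface")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Running it on the sample reports that the guest SSID's VLAN 3 has no wired subinterface; adding an `interface FastEthernet0.3` stanza with `encapsulation dot1Q 3` clears the finding.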
CHAPTER 15 Configuring QoS This chapter describes how to configure quality of service (QoS) on your access point. With this feature, you can provide preferential treatment to certain traffic at the expense of others. Without QoS, the access point offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Chapter 15 Configuring QoS Understanding QoS for Wireless LANs Understanding QoS for Wireless LANs Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
Chapter 15 Configuring QoS Understanding QoS for Wireless LANs QoS on the wireless LAN focuses on downstream prioritization from the access point. Figure 15-1 shows the upstream and downstream traffic flow. Figure 15-1 Upstream and Downstream Traffic Flow [figure: a client device, an access point and the wired LAN; radio downstream and radio upstream flow between the client device and the access point, Ethernet downstream and Ethernet upstream between the access point and the wired LAN] • The radio downstream flow is traffic transmitted out the access point radio to a wireless client device.
Chapter 15 Configuring QoS Understanding QoS for Wireless LANs Note This release continues to support existing 7920 wireless phone firmware. Do not attempt to use the new standard (IEEE 802.11e draft 13) QBSS Load IE with the 7920 Wireless Phone until new phone firmware is available for you to upgrade your phones. This example shows how to enable IEEE 802.11 phone support with the legacy QBSS Load element: AP(config)# dot11 phone This example shows how to enable IEEE 802.
Chapter 15 Configuring QoS Configuring QoS Configuring QoS QoS is disabled by default (however, the radio interface always honors tagged 802.1P packets even when you have not configured a QoS policy). This section describes how to configure QoS on your access point.
Chapter 15 Configuring QoS Configuring QoS Figure 15-2 Step 3 QoS Policies Page With selected in the Create/Edit Policy field, type a name for the QoS policy in the Policy Name entry field. The name can contain up to 25 alphanumeric characters. Do not include spaces in the policy name. Note You can also select two preconfigured QoS policies: WMM and Spectralink. When you select either of these, a set of default classifications are automatically populated in the Classification field.
Chapter 15 Configuring QoS Configuring QoS Step 4 Step 5 If the packets that you need to prioritize contain IP precedence information in the IP header TOS field, select an IP precedence classification from the IP Precedence drop-down menu.
Chapter 15 Configuring QoS Configuring QoS • Class Selector 1 • Class Selector 2 • Class Selector 3 • Class Selector 4 • Class Selector 5 • Class Selector 6 • Class Selector 7 • Expedited Forwarding Step 8 Use the Apply Class of Service drop-down menu to select the class of service that the access point will apply to packets of the type that you selected from the IP DSCP menu. The access point matches your IP DSCP selection with your class of service selection.
Chapter 15 Configuring QoS Configuring QoS Step 19 Click the Apply button at the bottom of the page to apply the policies to the access point ports. The QoS Policies Advanced Page The QoS Policies Advanced page (Figure 15-3) Figure 15-3 QoS Policies - Advanced Page [figure: the QoS Policies - Advanced page] Select Enable or and click Apply to give top priority to all voice packets.
Chapter 15 Configuring QoS Configuring QoS IGMP Snooping When Internet Group Membership Protocol (IGMP) snooping is enabled on a switch and a client roams from one access point to another, the clients’ multicast session is dropped. When the access points’ IGMP snooping helper is enabled, the access point sends a general query to the wireless LAN, prompting the client to send in an IGMP membership report.
Chapter 15 Configuring QoS Configuring QoS

Table 15-1 Default QoS Radio Access Categories

Class of Service        Min Contention Window   Max Contention Window   Fixed Slot Time   Transmit Opportunity   Admission Control
Background              4                       10                      6                 0
Best Effort             4                       10                      2                 0
Video <100ms Latency    3                       2                       1                 3008
Voice <100ms Latency    2                       3                       1                 1504

(Each column has Local and Cell sub-columns in the original; one value per column is shown, and the Admission Control values were not recovered.) Figure 15-4 shows the Radio Access Categories page.
Chapter 15 Configuring QoS Configuring QoS Note In this release, clients are blocked from using an access category when you select Enable for Admission Control. Configuring Nominal Rates When an access point receives an ADDTS (add traffic stream) request from a WMM client, it checks the nominal rate or minimum PHY rate in the ADDTS request against the nominal rates defined by the CLI command traffic-stream. If they do not match, the access point rejects the ADDTS request.
Chapter 15 Configuring QoS Configuring QoS Step 3 Enter the maximum percentage of the channel to be used for voice in the Max Channel Capacity (%) field. Step 4 Enter the maximum percentage of the channel to use for roaming calls in the Roam Channel Capacity (%) field. The percentage of the channel used by roaming calls up to the value specified in this field is deducted from the value you specified in the Max Channel Capacity (%) field.
Chapter 15 Configuring QoS QoS Configuration Examples QoS Configuration Examples These sections describe two common uses for QoS: • Giving Priority to Voice Traffic, page 15-14 • Giving Priority to Video Traffic, page 15-15 Giving Priority to Voice Traffic This section demonstrates how you can apply a QoS policy to your wireless networks’ voice VLAN to give priority to wireless phone traffic.
Chapter 15 Configuring QoS QoS Configuration Examples Figure 15-5 QoS Policies Page for Voice Example The network administrator also enables the QoS element for wireless phones setting on the QoS Policies - Advanced page. This setting gives priority to all voice traffic regardless of VLAN. Giving Priority to Video Traffic This section demonstrates how you could apply a QoS policy to a VLAN on your network dedicated to video traffic.
CHAPTER 16 Configuring Filters This chapter describes how to configure and manage MAC address, IP, and Ethertype filters on the access point using the web-browser interface.
Chapter 16 Configuring Filters Understanding Filters Understanding Filters Protocol filters (IP protocol, IP port, and Ethertype) prevent or allow the use of specific protocols through the access point’s Ethernet and radio ports. You can set up individual protocol filters or sets of filters. You can filter protocols for wireless client devices, users on the wired LAN, or both.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Configuring Filters Using the Web-Browser Interface This section describes how to configure and enable filters using the web-browser interface. You complete two steps to configure and enable a filter: 1. Name and configure the filter using the filter setup pages. 2. Enable the filter using the Apply Filters page.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Figure 16-1 MAC Address Filters Page Follow this link path to reach the Address Filters page: 1. Click Services in the page navigation bar. 2. In the Services page list, click Filters. 3. On the Apply Filters page, click the MAC Address Filters tab at the top of the page. Creating a MAC Address Filter Follow these steps to create a MAC address filter: Step 1 Follow the link path to the MAC Address Filters page.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Step 5 Use the Mask entry field to indicate how many bits, from left to right, the filter checks against the MAC address. For example, to require an exact match with the MAC address (to check all bits) enter 0000.0000.0000. To check only the first 4 bytes, enter 0.0.FFFF. Step 6 Select Forward or Block from the Action menu. Step 7 Click Add. The MAC address appears in the Filters Classes field.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface If clients are not filtered immediately, click Reload on the System Configuration page to restart the access point. To reach the System Configuration page, click System Software on the task menu and then click System Configuration. Note Client devices with blocked MAC addresses cannot send or receive data through the access point, but they might remain in the Association Table as unauthenticated client devices.
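The mask semantics in Step 5 are easy to get backwards: a 0 bit means "compare this bit" and an F (all ones) means "ignore it", so 0000.0000.0000 demands an exact match while 0.0.FFFF compares only the first 4 bytes. The following is an added example, not code from the Cisco guide: an offline evaluator that applies those semantics to a list of filter classes so an administrator can predict whether a given station is forwarded or blocked before applying the filter. The `MacFilter` class, its first-match-wins ordering, and its `validate()` check are this example's own assumptions (the guide states the "default action must be the opposite of at least one entry" rule for Ethertype filters; it is applied to MAC filters here as an assumption); the station addresses other than 0040.9631.81cf are constructed.

```python
"""Offline evaluation of MAC address filter classes with Cisco-style masks.

Added example, not code from the Cisco guide. Mask bits set to 0 are compared,
bits set to 1 are ignored. First-match-wins ordering and validate() are this
example's own assumptions.
"""
import re

ACTIONS = ("forward", "block")


def parse_mac(text):
    """Parse 0040.9631.81cf, 00:40:96:31:81:cf, 00-40-96-31-81-cf, or a short dotted
    form such as 0.0.FFFF (three 16-bit hex groups, as in the guide's mask example)
    into a 48-bit integer."""
    t = text.strip().lower()
    if "." in t:
        groups = t.split(".")
        if len(groups) != 3 or not all(re.fullmatch(r"[0-9a-f]{1,4}", g) for g in groups):
            raise ValueError(f"bad dotted MAC/mask: {text!r}")
        value = 0
        for g in groups:
            value = (value << 16) | int(g, 16)
        return value
    digits = re.sub(r"[:\-]", "", t)
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC/mask: {text!r}")
    return int(digits, 16)


def mac_to_str(value):
    """Render a 48-bit integer in the dotted form the guide uses."""
    return "{:04x}.{:04x}.{:04x}".format(value >> 32, (value >> 16) & 0xFFFF, value & 0xFFFF)


class MacFilter:
    """Ordered (address, mask, action) classes plus a default action (hypothetical helper)."""

    def __init__(self, default_action):
        if default_action not in ACTIONS:
            raise ValueError(f"unknown action {default_action!r}")
        self.default_action = default_action
        self.classes = []

    def add_class(self, address, mask, action):
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        # mask bits set to 1 are "don't care"; bits set to 0 are compared against the station
        self.classes.append((parse_mac(address), parse_mac(mask), action))

    def evaluate(self, address):
        """Action for one station: first matching class wins (assumption), else the default."""
        value = parse_mac(address)
        for addr, ignore, action in self.classes:
            if (value | ignore) == (addr | ignore):
                return action
        return self.default_action

    def validate(self):
        """True if at least one class has the opposite action of the default."""
        return any(action != self.default_action for _, _, action in self.classes)

    def describe(self):
        rows = [f"{mac_to_str(a)} mask {mac_to_str(m)} -> {act}" for a, m, act in self.classes]
        return rows + [f"default -> {self.default_action}"]


def build_sample_filter():
    """Allow one exact station and one 4-byte prefix (constructed), block everything else."""
    f = MacFilter("block")
    f.add_class("0040.9631.81cf", "0000.0000.0000", "forward")   # exact match
    f.add_class("0040.96ab.0000", "0.0.FFFF", "forward")         # first 4 bytes only
    return f
```

With the default set to block, the filter only admits the listed station and the one 4-byte prefix; note that a prefix class admits every address under that prefix, so the mask should be no wider than the population you actually intend to allow.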
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Step 3 Click Advanced Security to browse to the Advanced Security: MAC Address Authentication page. Figure 16-4 shows the MAC Address Authentication page. Figure 16-4 Step 4 Click the Association Access List tab to browse to the Association Access List page. Figure 16-5 shows the Association Access List page.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Step 6 Click Apply. Creating a Time-Based ACL Time-based ACLs are ACLs that can be enabled or disabled for a specific period of time. This capability provides robustness and the flexibility to define access control policies that either permit or deny certain kinds of traffic.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface ACL Logging ACL logging is not supported on the bridging interfaces of AP platforms. When an ACL with the "log" option is applied on a bridging interface, it works as if it had been configured without that option, and no logging takes effect. However, ACL logging works on BVI interfaces as long as a separate ACL is used for the BVI interface.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Figure 16-6 IP Filters Page Follow this link path to reach the IP Filters page: 1. Click Services in the page navigation bar. 2. In the Services page list, click Filters. 3. On the Apply Filters page, click the IP Filters tab at the top of the page.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Creating an IP Filter Follow these steps to create an IP filter: Step 1 Follow the link path to the IP Filters page. Step 2 If you are creating a new filter, make sure (the default) is selected in the Create/Edit Filter Index menu. To edit an existing filter, select the filter name from the Create/Edit Filter Index menu. Step 3 Enter a descriptive name for the new filter in the Filter Name field.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Step 15 When the filter is complete, click Apply. The filter is saved on the access point, but it is not enabled until you apply it on the Apply Filters page. Step 16 Click the Apply Filters tab to return to the Apply Filters page. Figure 16-7 shows the Apply Filters page. Figure 16-7 Apply Filters Page Step 17 Select the filter name from one of the IP drop-down menus.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Figure 16-8 Ethertype Filters Page Follow this link path to reach the Ethertype Filters page: 1. Click Services in the page navigation bar. 2. In the Services page list, click Filters. 3. On the Apply Filters page, click the Ethertype Filters tab at the top of the page. Creating an Ethertype Filter Follow these steps to create an Ethertype filter: Step 1 Follow the link path to the Ethertype Filters page.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Step 7 Click Add. The Ethertype appears in the Filters Classes field. To remove the Ethertype from the Filters Classes list, select it and click Delete Class. Repeat Step 4 through Step 7 to add Ethertypes to the filter. Step 8 Select Forward All or Block All from the Default Action menu. The filter’s default action must be the opposite of the action for at least one of the Ethertypes in the filter.
CHAPTER 17 Configuring CDP This chapter describes how to configure Cisco Discovery Protocol (CDP) on your access point. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco Aironet IOS Command Reference for Access Points and Bridges for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
Chapter 17 Configuring CDP Understanding CDP Understanding CDP Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices. Information in CDP packets is used in network management software such as CiscoWorks2000. CDP is enabled on the access point Ethernet port by default.
Chapter 17 Configuring CDP Configuring CDP Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 cdp holdtime seconds (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is from 10 to 255 seconds; the default is 180 seconds. Step 3 cdp timer seconds (Optional) Set the transmission frequency of CDP updates in seconds. The range is from 5 to 254; the default is 60 seconds.
Chapter 17 Configuring CDP Monitoring and Maintaining CDP This example shows how to enable CDP. AP# configure terminal AP(config)# cdp run AP(config)# end Disabling and Enabling CDP on an Interface CDP is enabled by default on all supported interfaces to send and receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 17 Configuring CDP Monitoring and Maintaining CDP Command Description show cdp Display global information, such as frequency of transmissions and the holdtime for packets being sent. show cdp entry entry-name [protocol | version] Display information about a specific neighbor. You can enter an asterisk (*) to display all CDP neighbors, or you can enter the name of the neighbor about which you want information.
Chapter 17 Configuring CDP Monitoring and Maintaining CDP Device ID: idf2-1-lab-l3.cisco.com Entry address(es): IP address: 10.1.1.10 Platform: cisco WS-C3524-XL, Capabilities: Trans-Bridge Switch Interface: GigabitEthernet0/1, Port ID (outgoing port): FastEthernet0/10 Holdtime : 141 sec Version : Cisco Internetwork Operating System Software IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.1)XP, MAINTENANCE IN TERIM SOFTWARE Copyright (c) 1986-1999 by cisco Systems, Inc.
Chapter 17 Configuring CDP Monitoring and Maintaining CDP
AP# show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID    Local Interface   Holdtme   Capability   Platform     Port ID
Perdido2     Gig 0/6           125       R S I        WS-C3550-1   Gig0/6
Perdido2     Gig 0/5           125       R S I        WS-C3550-1   Gig 0/5

AP# show cdp traffic
CDP counters :
        Total packets output: 50882, Input: 52510
        Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
        No memory: 0, Invalid packet: 0, Fragmented: 0
C
CHAPTER 18 Configuring SNMP This chapter describes how to configure the Simple Network Management Protocol (SNMP) on your access point. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.3.
Chapter 18 Configuring SNMP Understanding SNMP Understanding SNMP SNMP is an application-layer protocol that provides a message format for communication between SNMP managers and agents. The SNMP manager can be part of a network management system (NMS) such as CiscoWorks. The agent and management information base (MIB) reside on the access point. To configure SNMP on the access point, you define the relationship between the manager and the agent.
Chapter 18 Configuring SNMP Understanding SNMP Table 18-1 lists the SNMP versions and security levels supported on access points:

Table 18-1 SNMP Versions and Security Levels

SNMP Version   Security Level   Authentication                    Encryption
v1             NoAuthNoPriv     Community string match            None
v2C            NoAuthNoPriv     Community string match            None
v3             NoAuthNoPriv     Username match                    None
v3             AuthNoPriv       HMAC-MD5 or HMAC-SHA algorithms   None
v3             AuthPriv         HMAC-MD5 or HMAC-SHA algorithms   DES 56-bit encryption

For detailed
Chapter 18 Configuring SNMP Understanding SNMP SNMP Agent Functions The SNMP agent responds to SNMP manager requests as follows: • Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value. • Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.
Chapter 18 Configuring SNMP Configuring SNMP Configuring SNMP This section describes how to configure SNMP on your access point.
Chapter 18 Configuring SNMP Configuring SNMP Configuring Community Strings You use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the access point.
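A v1/v2c community string is sent in the clear in every request, so anyone who can read the management traffic learns the "password" that permits access to the agent. The v3 AuthNoPriv and AuthPriv rows of Table 18-1 change this: the user's password is turned into a key that is localized to the agent's engine ID, and every message carries an HMAC-MD5-96 or HMAC-SHA-96 value computed with that key. The following is an added example, not code from the Cisco guide: it implements the RFC 3414 password-to-key and key-localization steps, checks them against the known-answer values in RFC 3414 Appendix A.3, and shows that the same password yields different localized keys on different engines and that an authentication parameter computed for one engine is rejected by another. The engine IDs, password and message bytes in `demo()` are constructed; the privacy key for the DES 56-bit AuthPriv level is derived by the same function and is not exercised here.

```python
"""SNMPv3 USM key localization and HMAC-96 authentication (RFC 3414).

Added example, not code from the Cisco guide. The engine IDs, password and
message in demo() are constructed; RFC3414_* values are the known answers
published in RFC 3414 Appendix A.3.
"""
import hashlib
import hmac

KEY_STREAM_LEN = 1_048_576   # RFC 3414 A.2: hash exactly 1 megabyte of the repeated password


def password_to_key(password, engine_id, hash_name="sha1"):
    """Return (Ku, Kul): the user key and the key localized to one engine (RFC 3414 A.2.1/A.2.2)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (KEY_STREAM_LEN // len(pw) + 1))[:KEY_STREAM_LEN]
    ku = hashlib.new(hash_name, stream).digest()
    kul = hashlib.new(hash_name, ku + engine_id + ku).digest()
    return ku, kul


def auth_param(kul, hash_name, message):
    """HMAC-MD5-96 / HMAC-SHA-96: first 12 octets of the HMAC over the whole message
    (the caller passes the message with msgAuthenticationParameters zeroed)."""
    return hmac.new(kul, message, hash_name).digest()[:12]


def verify_auth(kul, hash_name, message, received_param):
    """Constant-time check of a received msgAuthenticationParameters value."""
    return hmac.compare_digest(auth_param(kul, hash_name, message), received_param)


# Known answers from RFC 3414 Appendix A.3 (password "maplesyrup", engine ID 00..02)
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC3414_VECTORS = {
    "md5": ("9faf3283884e92834ebc9847d8edd963",
            "526f5eed9fcce26f8964c2930787d82b"),
    "sha1": ("9fb5cc0381497b3793528939ff788d5d79145211",
             "6695febc9288e36282235fc7151f128497b38f3f"),
}


def rfc3414_vectors_ok():
    """True if both key-derivation known answers from RFC 3414 A.3 reproduce."""
    for name, (ku_hex, kul_hex) in RFC3414_VECTORS.items():
        ku, kul = password_to_key("maplesyrup", RFC3414_ENGINE_ID, name)
        if ku.hex() != ku_hex or kul.hex() != kul_hex:
            return False
    return True


def demo():
    """Localize one password to two engines and authenticate a sample message with SHA."""
    engine_a = bytes.fromhex("80000009030000000000aa01")   # constructed engine IDs
    engine_b = bytes.fromhex("80000009030000000000bb02")
    _, kul_a = password_to_key("constructed-passphrase", engine_a)
    _, kul_b = password_to_key("constructed-passphrase", engine_b)
    message = b"constructed SNMPv3 message bytes with the auth parameters zeroed"
    tag = auth_param(kul_a, "sha1", message)
    return {
        "keys_differ_per_engine": kul_a != kul_b,
        "valid_on_engine_a": verify_auth(kul_a, "sha1", message, tag),
        "valid_on_engine_b": verify_auth(kul_b, "sha1", message, tag),
        "tampered_rejected": not verify_auth(kul_a, "sha1", message + b"!", tag),
    }


if __name__ == "__main__":
    print("RFC 3414 vectors:", rfc3414_vectors_ok())
    print(demo())
```

Because the localized key depends on the engine ID, a key recovered from one agent does not authenticate to another agent configured with the same password, which limits the blast radius of a compromised device compared with a shared community string.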
Chapter 18 Configuring SNMP Configuring SNMP Step 3 Command Purpose access-list access-list-number {deny | permit} source [source-wildcard] (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary. • For access-list-number, enter the access list number specified in Step 2. • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
Chapter 18 Configuring SNMP Configuring SNMP Configuring SNMP-Server Hosts To configure the recipient of an SNMP trap operation, use the following command in global configuration mode: Command Purpose snmp-server host host [traps | informs][version {1 | 2c | 3 [auth | noauth | priv]} ] community-string [udp-port port] [notification-type] Configures the recipient of an SNMP trap operation.
Chapter 18 Configuring SNMP Configuring SNMP Table 18-4 Notification Types (continued) Notification Type Description syslog Enable syslog traps. wlan-wep Enable WEP traps. Some notification types cannot be controlled with the snmp-server enable global configuration command, such as udp-port. These notification types are always enabled. You can use the snmp-server host global configuration command to a specific host to receive the notification types listed in Table 18-4.
Chapter 18 Configuring SNMP Configuring SNMP Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove the specified host from receiving traps, use the no snmp-server host host global configuration command. To disable a specific trap type, use the no snmp-server enable traps notification-types global configuration command.
Chapter 18 Configuring SNMP Configuring SNMP This example shows how to assign the strings open and ieee to SNMP, to allow read-write access for both, and to specify that open is the community string for queries on non-IEEE802dot11-MIB objects and ieee is the community string for queries on IEEE802dot11-mib objects: bridge(config)# snmp-server view dot11view ieee802dot11 included bridge(config)# snmp-server community open rw bridge(config)# snmp-server community ieee view ieee802dot11 rw This example show
Chapter 18 Configuring SNMP Displaying SNMP Status AP(config)# snmp-server group admin v3 priv read iso write iso AP(config)# snmp-server user joe admin v3 auth md5 xyz123 priv des56 key007 AP(config)# snmp-server user fred admin v3 encrypted auth md5 abc789 priv des56 key99 Note After you enter the last command in this example, the show running-config and show startup-config commands display only a partial SNMP configuration.
CHAPTER 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode This chapter describes how to configure your access point as a repeater, as a hot standby unit, or as a workgroup bridge.
Chapter 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Understanding Repeater Access Points Understanding Repeater Access Points A repeater access point is not connected to the wired LAN; it is placed within radio range of an access point connected to the wired LAN to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication. You can configure either the 2.4-GHz radio or the 5-GHz radio as a repeater.
Chapter 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Configuring a Repeater Access Point Figure 19-1 Access Point as a Repeater [figure: a wired LAN, an access point acting as the root unit, and an access point acting as a repeater] Configuring a Repeater Access Point This section provides instructions for setting up an access point as a repeater and includes these sections: • Default Configuration, page 19-4 • Guidelines for Repeaters, page 19-4 • Setting Up a Repeater, page 19-5 • Verifying Repeater
Chapter 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Configuring a Repeater Access Point Default Configuration Access points are configured as root units by default. Table 19-1 shows the default values for settings that control the access point’s role in the wireless LAN.
Chapter 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Configuring a Repeater Access Point Setting Up a Repeater Beginning in Privileged Exec mode, follow these steps to configure an access point as a repeater: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio and the 2.4-GHz 802.11n radio are radio 0. The 5-GHz radio and the 5-GHz 802.
Chapter 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Aligning Antennas Command Purpose Step 9 end Return to privileged EXEC mode. Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Aligning Antennas Use the show dot11 antenna-alignment command to list the MAC addresses and signal level for the last 10 devices that responded to the probe. Verifying Repeater Operation After you set up the repeater, check the LEDs on top of the repeater access point.
Chapter 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Aligning Antennas Command Purpose Step 4 authentication network-eap list-name Enable LEAP authentication on the repeater so that LEAP-enabled client devices can authenticate through the repeater. For list-name, specify the list name you want to use for EAP authentication. You define list names for EAP and for MAC addresses using the aaa authentication login command.
Chapter 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Understanding Hot Standby Command Purpose Step 7 wpa-psk { hex | ascii } [ 0 | 7 ] encryption-key Enter a pre-shared key for the repeater. Enter the key using either hexadecimal or ASCII characters. Step 8 end Return to privileged EXEC mode. Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Configuring a Hot Standby Access Point Configuring a Hot Standby Access Point When you set up the standby access point, you must enter the MAC address of the access point that the standby unit will monitor. Record the MAC address of the monitored access point before you configure the standby access point. The standby access point also must duplicate several key settings on the monitored access point.
Chapter 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Configuring a Hot Standby Access Point Beginning in Privileged Exec mode, follow these steps to enable hot standby mode on an access point: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 iapp standby mac-address Puts the access point into standby mode and specifies the MAC address of radio on the monitored access point.
Chapter 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Configuring a Hot Standby Access Point Step 9 Command Purpose iapp standby timeout seconds Sets the number of seconds the standby access point waits for a response from the monitored access point before it assumes that the monitored access point has malfunctioned. The default timeout is 20 seconds.
Chapter 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Understanding Workgroup Bridge Mode Table 19-2 Standby Status Messages (continued) Message Description IAPP—AP is operating in active mode The standby access point has taken over for the monitored access point and is functioning as a root access point. IAPP—AP is operating in repeater mode The standby access point has taken over for the monitored access point and is functioning as a repeater access point.
Chapter 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Understanding Workgroup Bridge Mode Caution An access point in workgroup bridge mode can introduce a bridge loop if you connect its Ethernet port to your wired LAN. To avoid a bridge loop on your network, disconnect the workgroup bridge from your wired LAN before or soon after you configure it as a workgroup bridge.
Figure 19-2 shows an access point in workgroup bridge mode.
bridges, that can associate to an access point or bridge. To increase beyond 20 the number of workgroup bridges that can associate to the access point, the access point must reduce the delivery reliability of multicast packets to workgroup bridges.
The following example shows how the command is used. In the example, channels 1, 6, and 11 are specified to scan:
ap#
ap#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ap(config)#int d0
ap(config-if)#ssid limited_scan
ap(config-if)#station-role workgroup-bridge
ap(config-if)#mobile station
ap(config-if)#mobile station scan 1 6 11
ap(config-if)#end
ap#
In the upstream direction, the WGB removes the 802.1q header from the packet while sending it to the WLC. In the downstream direction, while forwarding the packet to the switch connecting the wired client, the WLC sends the packet to the WGB without the 802.1q tag, and the WGB adds a 4-byte 802.1q header based on the destination MAC address.
Step 8  parent {1-4} mac-address [timeout] - (Optional) Enter the MAC address for the access point to which the workgroup bridge should associate.
Note
• You can enter MAC addresses for up to four parent access points, designated 1 to 4. The workgroup bridge always attempts to associate to the best access point from the list of its parent access points.
This example shows how to set up a workgroup bridge with the parent access points, designated 1 and 2:
AP(config-if)# parent 1 0040.9631.81cf
AP(config-if)# parent 2 0040.9631.
Note The workgroup bridge can be any autonomous access point that supports the workgroup bridge mode and is running Cisco IOS Release JA or greater (on 32-MB access points) or Cisco IOS Release 12.3(8)JEB or greater (on 16-MB access points). These access points include the AP1040, AP1121, AP1130, AP1140, AP1231, AP1240, AP1250, AP1260 and AP1310.
• When you delete a workgroup bridge record from the controller, all of the workgroup bridge wired clients’ records are also deleted.
• Wired clients connected to a workgroup bridge inherit the workgroup bridge’s QoS and AAA override attributes.
Enabling VideoStream Support on Workgroup Bridges
VideoStream improves the reliability of an IP multicast stream by converting the multicast frame, over the air, to a unicast frame. Cisco IOS Releases 15.2(2)JA and later provide VideoStream support for wired devices connected to workgroup bridges. For access points running release 15.
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, OL-21881-03, page 19-24
Chapter 20 Managing Firmware and Configurations
This chapter describes how to manipulate the Flash file system, how to copy configuration files, and how to archive (upload and download) software images.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Command Reference for Access Points and Bridges for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.4.
Working with the Flash File System
Displaying Available File Systems
To display the available file systems on your access point, use the show file systems privileged EXEC command as shown in this example:
ap# show file systems
File Systems:
       Size(b)     Free(b)   Type      Flags  Prefixes
*     16128000    11118592   flash     rw     flash:
      16128000    11118592   unknown   rw     zflash:
         32768       26363   nvram     rw     nvram:
             -           -   network   rw
             -           -   opaque    rw
             -           -   opaque    rw
             -           -   opaque    ro
             -           -   opaque    ro
             -           -   network   rw
             -           -   network   rw
Setting the Default File System
You can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command. You can set the default file system to omit the filesystem: argument from related commands. For example, for all privileged EXEC commands that have the optional filesystem: argument, the system uses the file system specified by the cd command.
Creating and Removing Directories
Beginning in privileged EXEC mode, follow these steps to create and remove a directory:
Step 1  dir filesystem: - Display the directories on the specified file system. For filesystem:, use flash: for the system board Flash device.
Step 2  mkdir old_configs - Create a new directory. The command example shows how to create the directory named old_configs.
• From a startup configuration to a startup configuration
• From a device to the same device (for example, the copy flash: flash: command is invalid)
For specific examples of using the copy command with configuration files, see the “Working with Configuration Files” section on page 20-7.
• For the Trivial File Transfer Protocol (TFTP), the syntax is tftp:[[//location]/directory]/tar-filename.tar
The tar-filename.tar is the tar file to be created. For flash:/file-url, specify the location on the local Flash file system from which the new tar file is created. You can also specify an optional list of files or directories within the source directory to write to the new tar file.
Extracting a tar File
To extract a tar file into a directory on the Flash file system, use this privileged EXEC command:
archive tar /xtract source-url flash:/file-url
For source-url, specify the source URL alias for the local or network file system.
Working with Configuration Files
You can copy (download) configuration files from a TFTP, FTP, or RCP server to the running configuration of the access point for various reasons:
• To restore a backed-up configuration file.
• To use the configuration file for another access point. For example, you might add another access point to your network and want it to have a configuration similar to the original access point.
configuration is used. However, some commands in the existing configuration might not be replaced or negated. In this case, the resulting configuration file is a mixture of the existing configuration file and the copied configuration file, with the copied configuration file having precedence.
Preparing to Download or Upload a Configuration File by Using TFTP
Before you begin downloading or uploading a configuration file by using TFTP, perform these tasks:
• Ensure that the workstation acting as the TFTP server is properly configured. On a Sun workstation, make sure that the /etc/inetd.conf file contains this line:
tftp dgram udp wait root /usr/etc/in.tftpd in.
The configuration file downloads, and the commands are executed as the file is parsed line-by-line. This example shows how to configure the software from the file tokyo-confg at IP address 172.16.2.155:
ap# copy tftp://172.16.2.155/tokyo-confg system:running-config
Configure using tokyo-confg from 172.16.2.155? [confirm] y
Booting tokyo-confg from 172.16.2.
• The access point forms a password named username@apname.domain. The variable username is the username associated with the current session, apname is the configured host name, and domain is the domain of the access point.
The username and password must be associated with an account on the FTP server. If you are writing to the server, the FTP server must be properly configured to accept your FTP write request.
Step 3  configure terminal - Enter global configuration mode on the access point. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6).
Step 4  ip ftp username username - (Optional) Change the default remote username.
Step 5  ip ftp password password - (Optional) Change the default password.
Step 6  end - Return to privileged EXEC mode.
Step 1  Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using FTP” section on page 20-12.
Step 2  Log into the access point through a Telnet session.
Step 3  configure terminal - Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6).
access to a server that supports the remote shell (rsh). (Most UNIX systems support rsh.) Because you are copying a file from one place to another, you must have read permission on the source file and write permission on the destination file. If the destination file does not exist, RCP creates it for you. The RCP requires a client to send a remote username with each RCP request to a server.
ap1.company.com ap1
For more information, refer to the documentation for your RCP server.
Downloading a Configuration File by Using RCP
Beginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP:
Step 1  Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using RCP” section on page 20-15.
%SYS-5-CONFIG_NV:Non-volatile store configured from host2-config by rcp from 172.16.101.101
Uploading a Configuration File by Using RCP
Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP:
Step 1  Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using RCP” section on page 20-15.
Deleting a Stored Configuration File
Caution You cannot restore a file after it has been deleted.
To delete a saved configuration from Flash memory, use the delete flash:filename privileged EXEC command. Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you delete a file. By default, the access point prompts for confirmation on destructive file operations.
Working with Software Images
tar File Format of Images on a Server or Cisco.com
Software images located on a server or downloaded from Cisco.com are provided in a tar file format, which contains these files:
• info file
The info file is always at the beginning of the tar file and contains information about the files within it.
• Cisco IOS image
• Web management files needed by the HTTP server on the access point
• radio firmware 5000.
Note You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot command (on the SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x). For more information on the TFTP daemon, refer to the documentation for your workstation.
• Ensure that the access point has a route to the TFTP server.
Step 3  archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name - Download the image file from the TFTP server to the access point, and overwrite the current image.
Step 4  archive download-sw /leave-old-sw /reload tftp:[[//location]/directory]/image-name
Note
• The /overwrite option overwrites the software image in Flash with the downloaded image.
The algorithm installs the downloaded image on the system board Flash device (flash:). The image is placed into a new directory named with the software version string, and the system boot path variable is updated to point to the newly installed image.
• Downloading an Image File by Using FTP, page 20-24
• Uploading an Image File by Using FTP, page 20-26
Preparing to Download or Upload an Image File by Using FTP
You can copy image files to or from an FTP server. The FTP protocol requires a client to send a remote username and password on each FTP request to a server.
For more information, refer to the documentation for your FTP server.
Downloading an Image File by Using FTP
You can download a new image file and overwrite the current image or keep the current image.
Caution For the download and upload algorithms to operate properly, do not rename image directories.
Step 7  archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]/image-name.tar - Download the image file from the FTP server to the access point, and overwrite the current image.
• The /overwrite option overwrites the software image in Flash with the downloaded image.
If you specify the /leave-old-sw option, the existing files are not removed. If there is not enough space to install the new image and keep the running image, the download process stops, and an error message is displayed. The algorithm installs the downloaded image onto the system board Flash device (flash:).
Step 6  end - Return to privileged EXEC mode.
Step 7  archive upload-sw ftp:[[//[username[:password]@]location]/directory]/image-name.tar - Upload the currently running access point image to the FTP server.
• For //username:password, specify the username and password. These must be associated with an account on the FTP server.
RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the access point to a server by using RCP, the Cisco IOS software sends the first valid username in this list:
• The username specified in the archive download-sw or archive upload-sw privileged EXEC command if a username is specified.
Downloading an Image File by Using RCP
You can download a new image file and replace or keep the current image.
Caution For the download and upload algorithms to operate properly, do not rename image directories.
Beginning in privileged EXEC mode, follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image. To keep the current image, skip Step 6.
Step 6  archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-name.tar] - Download the image file from the RCP server to the access point, and overwrite the current image.
Step 7  archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.tar]
Note
• The /overwrite option overwrites the software image in Flash with the downloaded image.
Note If the Flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option.
If you specify the /leave-old-sw option, the existing files are not removed. If there is not enough room to install the new image and keep the running image, the download process stops, and an error message is displayed.
Step 5  end - Return to privileged EXEC mode.
Step 6  archive upload-sw rcp:[[[//[username@]location]/directory]/image-name.tar] - Upload the currently running access point image to the RCP server.
• For //username, specify the username; for the RCP copy request to execute, an account must be defined on the network server for the remote username.
Step 7  Click the Upgrade button. For additional information, click the Help icon on the Software Upgrade screen.
Browser TFTP Interface
The TFTP interface allows you to use a TFTP server on a network device to load the access point image file. Follow the instructions below to use a TFTP server:
Step 1  Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.
Chapter 21 Configuring System Message Logging
This chapter describes how to configure system message logging on your access point.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.3.
Understanding System Message Logging
By default, access points send the output from system messages and debug privileged EXEC commands to a logging process. The logging process controls the distribution of logging messages to various destinations, such as the logging buffer, terminal lines, or a UNIX syslog server, depending on your configuration. The process also sends messages to the console.
Configuring System Message Logging
Table 21-1 describes the elements of syslog messages.
Table 21-1 System Log Message Elements
Element | Description
seq no: | Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages” section on page 21-6.
timestamp formats: | Date and time of the message or event.
Table 21-2 Default System Message Logging Configuration (continued)
Feature | Default Setting
Timestamps | Disabled
Synchronous logging | Disabled
Logging server | Disabled
Syslog server IP address | None configured
Server facility | Local7 (see Table 21-4 on page 21-11)
Server severity | Informational (and numerically lower levels; see Table 21-3 on page 21-8)
Disabling and Enabling Message Logging
Message logging is enab
Setting the Message Display Destination Device
If message logging is enabled, you can send messages to specific locations in addition to the console. Beginning in privileged EXEC mode, use one or more of the following commands to specify the locations that receive messages:
Step 1  configure terminal - Enter global configuration mode.
Enabling and Disabling Timestamps on Log Messages
By default, log messages are not timestamped. Beginning in privileged EXEC mode, follow these steps to enable timestamping of log messages:
Step 1  configure terminal - Enter global configuration mode.
Step 2  service timestamps log uptime - Enable log timestamps.
This example shows part of a logging display with sequence numbers enabled:
000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
Defining the Message Severity Level
You can limit the messages displayed to the selected device by specifying the severity level of the message; the levels are described in Table 21-3.
Table 21-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.
Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults:
Step 1  configure terminal - Enter global configuration mode.
Step 2  logging history level - Change the default level of syslog messages stored in the history file and sent to the SNMP server. See Table 21-3 on page 21-8 for a list of level keywords.
Configuring UNIX Syslog Servers
The next sections describe how to configure the 4.3 BSD UNIX server syslog daemon and define the UNIX system logging facility.
Logging Messages to a UNIX Syslog Daemon
Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server.
Step 3  logging trap level - Limit messages logged to the syslog servers. By default, syslog servers receive informational messages and lower. See Table 21-3 on page 21-8 for level keywords.
Step 4  logging facility facility-type - Configure the syslog facility. See Table 21-4 on page 21-11 for facility-type keywords. The default is local7.
Step 5  end - Return to privileged EXEC mode.
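The message layout of Table 21-1 (optional sequence number, optional timestamp, then %FACILITY-SEVERITY-MNEMONIC), the severity levels of Table 21-3 and the logging trap filter above, worked as an added example that is not code from the Cisco guide: a Python parser for IOS syslog lines that flags SYS-5-CONFIG_I and CONFIG_NV configuration changes from addresses outside an assumed management network and reports gaps in the sequence numbers. The sample log lines (two of them echo the guide's own examples) and the allowlist are constructed.

```python
"""Parse Cisco IOS syslog messages (seq no / timestamp / %FACILITY-SEVERITY-MNEMONIC
as described in Table 21-1) and audit configuration-change messages.
Added example, not code from the Cisco guide; the sample log and the allowlist are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity keywords with their numeric levels, as listed in Table 21-3.
SEVERITY_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Optional "seq no:" (present only with service sequence-numbers), optional timestamp
# (present only with service timestamps), then %FACILITY-SEVERITY-MNEMONIC: text.
MESSAGE_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:(?P<timestamp>[^%]*?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: the first two lines echo the guide's examples, the rest are made up.
SAMPLE_LOG = [
    "000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "000020: %SYS-5-CONFIG_NV:Non-volatile store configured from host2-config by rcp from 172.16.101.101",
    "000021: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up",
    "000024: %SYS-5-CONFIG_I: Configured from console by console",
    "000025: 1w2d: %SYS-5-CONFIG_I: Configured from console by vty0 (198.51.100.7)",
]
MANAGEMENT_NETWORKS = ["10.34.0.0/16", "172.16.101.0/24"]  # constructed allowlist


@dataclass
class SyslogMessage:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_message(line: str) -> Optional[SyslogMessage]:
    """Split one log line into its elements; return None for lines that are not syslog."""
    m = MESSAGE_RE.match(line.strip())
    if m is None:
        return None
    return SyslogMessage(
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["timestamp"],
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
    )


def sent_to_server(msg: SyslogMessage, trap_level: str = "informational") -> bool:
    """True if 'logging trap <trap_level>' would forward msg: the server receives the
    configured level and all numerically lower (more severe) levels."""
    return msg.severity <= SEVERITY_LEVELS[trap_level]


def is_config_change(msg: SyslogMessage) -> bool:
    """CONFIG_I = running configuration changed; CONFIG_NV = startup configuration written."""
    return msg.facility == "SYS" and msg.mnemonic in ("CONFIG_I", "CONFIG_NV")


def audit_config_changes(lines: List[str], allowed_networks: List[str]) -> List[Tuple]:
    """Return (seq, mnemonic, source_ip, verdict) for every configuration change.
    verdict is 'allowed' (source inside a management network), 'unexpected'
    (any other address) or 'local' (no address in the message, e.g. the console)."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for line in lines:
        msg = parse_message(line)
        if msg is None or not is_config_change(msg):
            continue
        found = IPV4_RE.search(msg.text)
        src = found.group(1) if found else None
        if src is None:
            verdict = "local"
        elif any(ipaddress.ip_address(src) in net for net in nets):
            verdict = "allowed"
        else:
            verdict = "unexpected"
        findings.append((msg.seq, msg.mnemonic, src, verdict))
    return findings


def sequence_gaps(lines: List[str]) -> List[Tuple[int, int]]:
    """With service sequence-numbers enabled, consecutive messages carry consecutive
    numbers; a jump means messages never reached the collector (dropped in transit,
    or removed). Returns (last_seen, next_seen) for each gap."""
    seqs = [m.seq for m in map(parse_message, lines) if m is not None and m.seq is not None]
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]


if __name__ == "__main__":
    for finding in audit_config_changes(SAMPLE_LOG, MANAGEMENT_NETWORKS):
        print(finding)
    print("sequence gaps:", sequence_gaps(SAMPLE_LOG))
```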
Displaying the Logging Configuration
To display the current logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2. To display the logging history file, use the show logging history privileged EXEC command.
Chapter 22 Troubleshooting
This chapter provides troubleshooting procedures for basic problems with the wireless device. For the most up-to-date, detailed troubleshooting information, refer to the Cisco TAC website at the following URL (select Top Issues and then select Wireless Technologies): http://www.cisco.
Checking the Top Panel Indicators
If your wireless device is not communicating, check the three LED indicators on the top panel to quickly assess the device’s status. Figure 22-1 shows the indicators on the 1200 series access point. Figure 22-2 shows the indicators on the 1100 series access point. Figure 22-3 and Figure 22-4 show the indicators on the 350 series access point.
Figure 22-2 Indicators on the 1100 Series Access Point (labels: Ethernet, Status, Radio)
Figure 22-3 Indicators on the 350 Series Access Point (Plastic Case) (labels: Radio, Ethernet, Status)
Figure 22-4 Indicators on the 350 Series Access Point (Metal Case) (labels: Ethernet Activity, Association Status, Radio Activity)
The indicator signals on the wireless device have the following meanings (for additional details refer to Table 22-1):
• The Ethernet indicator signals traffic on the wired LAN.
Table 22-1
Message type | Ethernet indicator | Status indicator | Radio indicator | Meaning
Operating status | – | Green | Blinking green | Transmitting/receiving radio packets.
 | Green | – | – | Ethernet link is operational.
 | Blinking green | – | – | Transmitting/receiving Ethernet packets.
 | Red | – | Red | DRAM memory test failure.
 | – | Red | Red | File system failure.
 | Red | Red | – | Ethernet failure during image recovery.
The LED signals are listed in Table 22-2.
Table 22-2 LED Signals (Ethernet LED and Radio LED are in the cable bay area; the Status LED is on the top of the unit)
Message type | Ethernet LED | Radio LED | Status LED | Meaning
Boot loader status | Green | Green | Green | DRAM memory test ok.
 | Off | Blinking green | Light blue | Initialize Flash file system.
 | Off | Green | Pink | Flash memory test ok.
 | Green | Off | Blue | Ethernet test ok.
 | Green | Green | Green | Starting Cisco IOS.
Table 22-2 LED Signals (continued)
Message type | Ethernet LED | Radio LED | Status LED | Meaning
Boot loader errors | Red | Red | Red | DRAM memory test failure.
 | Off | Red | Blinking red and blue | Flash file system failure.
 | Off | Amber | Blinking red and light blue | Environment variable (ENVAR) failure.
 | Amber | Off | Blinking red and yellow | Bad MAC address.
 | Red | Off | Blinking red | Ethernet failure during image recovery.
Indicators on 1040 or 1140 Series Access Point
If your access point is not working properly, check the Ethernet and Status LEDs of the unit. You can use the LED indications to quickly assess the unit’s status. Table 22-3 shows the access point LEDs (for additional information refer to the Event Log using the access point browser interface). Figure 22-5 shows the 1140 series access point LEDs.
Figure 22-5 1140 Series Access Point LEDs (ports labelled Console, Ethernet, 48VDC, Mode; callouts: 1 Reset button, 2 Console LED, 3 Ethernet LED, 4 DC power)
Table 22-3 1040 or 1140 Series Access Point LED Signals
Message type | Ethernet LED | Status LED | Radio LED | Meaning
Boot loader status | Green | Off | Amber | DRAM test in progress.
 | Green | Green | Green | DRAM memory test ok.
 | Off | Off | Red | Board initialization in progress.
Table 22-3 1040 or 1140 Series Access Point LED Signals (continued)
Message type | Ethernet LED | Status LED | Radio LED | Meaning
Operating status | Green | — | — | Ethernet link is operational.
 | Blinking green | — | — | Transmitting or receiving Ethernet packets.
 | — | — | Blinking green | Transmitting or receiving radio packets.
 | — | Blinking blue | — | Software upgrade in progress.
Indicators on 1240 Series Access Points
If your access point is not working properly, check the Status, Ethernet, and Radio LEDs on the 2.4 GHz end of the unit. You can use the LED indications to quickly assess the unit’s status. Figure 22-1 shows the access point LEDs (for additional information refer to the Event Log using the access point browser interface).
Message type | Ethernet LED | Radio LED | Status LED | Meaning
Boot loader warnings | Off | Off | Yellow | Ethernet link not operational.
 | Red | Off | Yellow | Ethernet failure.
 | Amber | Off | Yellow | Configuration recovery in progress (Mode button pressed for 2 to 3 seconds).
 | Off | Red | Pink | Image recovery (Mode button pressed for 20 to 30 seconds).
 | Blinking green | Red | Blinking pink and off | Image recovery in progress and Mode button is released.
Indicators on 1250 Access Points
If your access point is not working properly, check the Ethernet, Status, and Radio LEDs on the 2.4 GHz end of the unit. You can use the LED indications to quickly assess the unit’s status. Table 22-5 shows the access point LEDs (for additional information refer to the Event Log using the access point browser interface). Figure 22-7 shows the 1250 series access point LEDs.
Table 22-5 1250 Series Access Point LED Signals
Message type | Ethernet LED | Status LED | Radio LED | Meaning
Boot loader status | Green | Off | Amber | DRAM test in progress.
 | Green | Green | Green | DRAM memory test ok.
 | Off | Off | Red | Board initialization in progress.
 | Off | Blinking green | Blinking green | Initialize Flash file system.
 | Off | Green | Green | Flash memory test ok.
 | Amber | White | Off | Initialize Ethernet.
Table 22-5 1250 Series Access Point LED Signals (continued)
Message type | Ethernet LED | Status LED | Radio LED | Meaning
Boot loader errors | Red | Red | Red | DRAM memory test failure.
 | Off | Blinking red and blue | Red | Flash file system failure.
 | Off | Alternating red and green | Amber | Environment variable (ENVAR) failure.
 | Amber | Rapid blinking red | Off | Bad MAC address.
Figure 22-8 1260 Series Access Point LED (callout 1: Status LED)
Table 22-6 shows the 1260 access point LED indicators for various conditions.
Message type | Status LED | Meaning
Operating status | Blinking blue | Software upgrade in progress.
 | Cycling through green, red, and off | Discovery/join process in progress.
 | Rapidly cycling through blue, green, and red | Access point location command invoked.
 | Blinking red | Ethernet link is operational.
Boot loader warnings | Blinking blue, red | Configuration recovery in progress (Mode button pressed for 2 to 3 seconds).
Figure 22-9 LEDs (R = Radio LED, E = Ethernet LED, S = Status LED, I = Install LED)
1300 Series AP Mode LED Indications
During access point/bridge operation the LEDs provide status information as shown in Table 22-7.
Table 22-7 1300 Series Access Point/Bridge LED Indications
Ethernet LED | Status LED | Radio LED | Install LED | Meaning
Off | — | — | — | Ethernet link is down or disabled.
Table 22-7 1300 Series Access Point/Bridge LED Indications (continued)
Ethernet LED | Status LED | Radio LED | Install LED | Meaning
Red | Amber | Red | — | Loading Firmware error—disconnect and reconnect the power injector power. If the problem continues, contact technical support for assistance.
— | — | Off | — | Normal operation.
— | — | Blinking green | — | Transmitting and receiving radio packets—normal operation.
Table 22-8 LED Blinking Error Codes

LED       First digit  Second digit  Description
Ethernet  2            1             Ethernet cable problem: verify that the cable is properly connected and not defective. This error might also indicate a problem with the Ethernet link. If the cable is connected properly and not defective, contact technical support for assistance.
Radio     1            2             Radio not detected; contact technical support for assistance.
• Cisco Aironet Power Injector LR2 (standard, included with the bridge)
  – 48-VDC input power
  – Uses the 48-VDC power module (included with the bridge)
• Cisco Aironet Power Injector LR2T (optional transportation version)
  – 12- to 40-VDC input power
  – Uses 12 to 40 VDC from a vehicle battery

Checking Power

You can verify the availability of power to the access point/bridge by checking the power injector LED (see Figure 22-10):
• Power LED
  – Green color indicates
The access point remains in low power mode with the radios disabled to prevent a possible over-current condition. In low power mode, the access point activates the Status LED low power error indication, displays a low power message on the browser and serial interfaces, and creates an event log entry.

Checking Basic Settings

Mismatched basic settings are the most common causes of lost connectivity with wireless clients.
Note: The wireless device MAC address that appears on the Status page in the Aironet Client Utility (ACU) is the MAC address of the wireless device radio. The MAC address of the access point Ethernet port is printed on the label on the back of the access point.

Resetting to the Default Configuration

If you forget the password that allows you to configure the wireless device, you may need to completely reset the configuration.
Using the Web Browser Interface

Follow these steps to delete the current configuration and return all wireless device settings to the factory defaults using the web browser interface:

Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 6.x or later) or Netscape Navigator (version 7.x).
Step 2 Enter the wireless device's IP address in the browser address line and press Enter.
Reloading the Access Point Image

    flashfs[0]: flashfs fsck took 0 seconds.
    ...done initializing Flash.

Step 5 Use the dir flash: command to display the contents of Flash and find the config.txt configuration file.

    ap: dir flash:
    Directory of flash:/
    3    .rwx    223    env_vars
    4    .rwx    2190   config.txt
    5    .rwx    27     private.config
    150  drwx    320    c350.k9w7.mx.122.13.
Using the MODE Button

You can use the MODE button on 1040, 1100 and 1200 series access points to reload the access point image file from an active Trivial File Transfer Protocol (TFTP) server on your network or on a PC connected to the access point Ethernet port.

Note: You cannot use the MODE button to reload the image file on 350 series access points.
Browser HTTP Interface

The HTTP interface enables you to browse to the wireless device image file on your PC and download the image to the wireless device. Follow the instructions below to use the HTTP interface:

Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 6.x or later) or Netscape Navigator (version 7.x).
Step 2 Enter the wireless device's IP address in the browser address line and press Enter.
Using the CLI

Follow the steps below to reload the wireless device image using the CLI. When the wireless device begins to boot, you interrupt the boot process and use boot loader commands to load an image from a TFTP server to replace the image in the wireless device.

Note: Your wireless device configuration is not changed when you use the CLI to reload the image file.

Step 1 Open the CLI using a connection to the wireless device console port.
    extracting c350-k9w7-mx.122-13.JA1/html/level1/appsui.js (558 bytes)
    extracting c350-k9w7-mx.122-13.JA1/html/level1/back.htm (205 bytes)
    extracting c350-k9w7-mx.122-13.JA1/html/level1/cookies.js (5027 bytes).
    extracting c350-k9w7-mx.122-13.JA1/html/level1/forms.js (15704 bytes)...
    extracting c350-k9w7-mx.122-13.JA1/html/level1/sitewide.js (14621 bytes)...
    extracting c350-k9w7-mx.122-13.JA1/html/level1/config.
Step 6 Click IOS. A list of available Cisco IOS versions appears.
Step 7 Choose the version you wish to download. The download page for the version you chose appears.
Step 8 Click WIRELESS LAN.
Step 9 If prompted, enter your login and password. The Encryption Software Export Distribution Authorization page appears.
Step 10 Answer the questions on the page and click Submit. The Download page appears.
Step 11 Click DOWNLOAD.
Image Recovery on the 1520 Access Point

To perform image recovery on the 1520 access point, follow these steps:

Step 1 With the access point powered off, connect an RJ45 console cable to the console port (see Figure 22-11). The console port is the black plastic RJ45 jack inside the unit.

Figure 22-11 Connecting an RJ45 Console Cable to the Console Port

Step 2 Configure the terminal emulator for 8 data bits, no parity, no flow control, 9600 bps.
Step 3 Apply power to the access point.
Note: If the ENABLE_BREAK=no environment variable is set, you will not be able to escape to the bootloader. The same setting is what stops anyone with console access from interrupting the boot, so if you have to clear it for this recovery, restore it afterwards.

Step 5 Cable the 1520 access point's LAN port ("PoE In") to a TFTP server, for example a Windows PC with tftpd32 installed.
Step 6 Install a good copy of the c1520 k9w8 IOS image on the TFTP server. TFTP offers no authentication or integrity protection, so keep the server on an isolated link and check the image checksum against the value published with the download before you use it.
Step 7 Configure the TFTP server's LAN interface with a static IP address, for example 10.1.1.1.
    MAC_ADDR=00:1F:27:75:DB:00
    MAC_ADDR_BLOCK_SIZE=01 00
    NETMASK=255.255.255.
Chapter 22 Troubleshooting Image Recovery on the 1520 Access Point Cisco IOS Software Configuration Guide for Cisco Aironet Access Points 22-34 OL-21881-03
Appendix A Protocol Filters

The tables in this appendix list some of the protocols that you can filter on the access point. The tables include:
• Table A-1, Ethertype Protocols
• Table A-2, IP Protocols
• Table A-3, IP Port Protocols

In each table, the Protocol column lists the protocol name, the Additional Identifier column lists other names for the same protocol, and the ISO Designator column lists the numeric designator for each protocol.
Table A-1 Ethertype Protocols

Protocol                      Additional Identifier  ISO Designator
ARP                           —                      0x0806
RARP                          —                      0x8035
IP                            —                      0x0800
Berkeley Trailer Negotiation  —                      0x1000
LAN Test                      —                      0x0708
X.25 Level3                   X.25                   0x0805
Banyan                        —                      0x0BAD
CDP                           —                      0x2000
DEC XNS                       XNS                    0x6000
DEC MOP Dump/Load             —                      0x6001
DEC MOP                       MOP                    0x6002
DEC LAT                       LAT                    0x6004
Ethertalk                     —                      0x809B
Appletalk ARP                 Appletalk AARP         0x80F3
IPX 802.2                     —                      0x00E0
IPX 802.
Table A-2 IP Protocols

Protocol                            Additional Identifier  ISO Designator
dummy                               —                      0
Internet Control Message Protocol   ICMP                   1
Internet Group Management Protocol  IGMP                   2
Transmission Control Protocol       TCP                    6
Exterior Gateway Protocol           EGP                    8
PUP                                 —                      12
CHAOS                               —                      16
User Datagram Protocol              UDP                    17
XNS-IDP                             IDP                    22
ISO-TP4                             TP4                    29
ISO-CNLP                            CNLP                   80
Banyan VINES                        VINES                  83
Encapsulation Header                encap_hdr              98
Spectralink Voice Protocol          SVP Spectralink        119
raw                                 —
Table A-3 IP Port Protocols

Protocol                        Additional Identifier  ISO Designator
TCP port service multiplexer    tcpmux                 1
echo                            —                      7
discard (9)                     —                      9
systat (11)                     —                      11
daytime (13)                    —                      13
netstat (15)                    —                      15
Quote of the Day                qotd quote             17
Message Send Protocol           msp                    18
ttytst source                   chargen                19
FTP Data                        ftp-data               20
FTP Control (21)                ftp                    21
Secure Shell (22)               ssh                    22
Telnet                          —                      23
Simple Mail Transfer Protocol   SMTP mail              25
time                            timserver              37
Resource Locati
Table A-3 IP Port Protocols (continued)

Protocol                         Additional Identifier       ISO Designator
TSAP                             iso-tsap                    102
CSO Name Server                  cso-ns csnet-ns             105
Remote Telnet                    rtelnet                     107
Postoffice v2                    POP2 POP v2                 109
Postoffice v3                    POP3 POP v3                 110
Sun RPC                          sunrpc                      111
tap ident authentication         auth                        113
sftp                             —                           115
uucp-path                        —                           117
Network News Transfer Protocol   Network News readnews nntp  119
USENET News Transfer Protocol    Network News readnews nntp  119
Network Time Pro
Table A-3 IP Port Protocols (continued)

Protocol                    Additional Identifier  ISO Designator
SNMP Unix Multiplexer       smux                   199
AppleTalk Routing           at-rtmp                201
AppleTalk name binding      at-nbp                 202
AppleTalk echo              at-echo                204
AppleTalk Zone Information  at-zis                 206
NISO Z39.
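The three tables above are three layers of the same decision: a filter keyed on an Ethertype sees every frame, a filter keyed on an IP protocol number sees only IPv4 frames, and a filter keyed on a port sees only TCP and UDP. The following classifier, added here as an example and not taken from the Cisco guide or the access point's own filter implementation, pulls those three keys out of a raw Ethernet II frame and applies an ordered permit/deny list to them. The rule format, the default-deny outcome and the sample frames are the editor's constructions; the designators themselves come from Tables A-1 through A-3.

```python
"""Added example, not from the Cisco guide: classify an Ethernet frame by the
three keys Appendix A tabulates (Ethertype, IP protocol number, TCP/UDP port)
and apply an ordered permit/deny list to the result.  The access point's own
filter command syntax is not reproduced; rule format, default-deny policy and
the frames below are the editor's constructions for illustration.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Designators from Table A-1 (Ethertype), Table A-2 (IP protocol), Table A-3 (port).
ETHERTYPE_IP, ETHERTYPE_ARP, ETHERTYPE_CDP = 0x0800, 0x0806, 0x2000
IPPROTO_TCP, IPPROTO_UDP = 6, 17
PORT_SSH, PORT_TELNET = 22, 23


@dataclass
class FrameKeys:
    ethertype: int
    ip_proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def classify(frame: bytes) -> FrameKeys:
    """Extract the filter keys from an Ethernet II frame.

    Non-IP frames stop at the Ethertype, which is all a Table A-1 filter needs.
    IPv4 frames also yield the protocol number and, for TCP and UDP, the port
    pair that Table A-3 filters match on.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    keys = FrameKeys(struct.unpack("!H", frame[12:14])[0])
    if keys.ethertype != ETHERTYPE_IP:
        return keys
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("Ethertype says IPv4 but the payload is not")
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes
    keys.ip_proto = ip[9]             # protocol field
    if keys.ip_proto in (IPPROTO_TCP, IPPROTO_UDP) and len(ip) >= ihl + 4:
        keys.src_port, keys.dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return keys


# A rule is (layer, designator, permit).  The layers mirror the three tables.
Rule = Tuple[str, int, bool]


def decide(rules: List[Rule], keys: FrameKeys) -> bool:
    """First matching rule wins; anything unmatched is denied (assumed default)."""
    for layer, value, permit in rules:
        if layer == "ethertype" and keys.ethertype == value:
            return permit
        if layer == "ipproto" and keys.ip_proto == value:
            return permit
        if layer == "port" and value in (keys.src_port, keys.dst_port):
            return permit
    return False


# Constructed frames for the example (not captured traffic).
def ether(ethertype: int, payload: bytes) -> bytes:
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ethertype) + payload


def ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 1, 1, 2]), bytes([10, 1, 1, 1]))
    return hdr + payload


def transport(src_port: int, dst_port: int) -> bytes:
    # Both TCP and UDP carry the port pair in the first four header bytes.
    return struct.pack("!HH", src_port, dst_port) + bytes(16)


POLICY: List[Rule] = [
    ("port", PORT_TELNET, False),        # deny Telnet in either direction
    ("port", PORT_SSH, True),            # permit SSH
    ("ethertype", ETHERTYPE_ARP, True),  # permit ARP so IP keeps working
    ("ipproto", IPPROTO_UDP, True),      # permit remaining UDP
]


def demo() -> dict:
    frames = {
        "arp": ether(ETHERTYPE_ARP, bytes(28)),
        "cdp": ether(ETHERTYPE_CDP, bytes(8)),
        "telnet": ether(ETHERTYPE_IP, ipv4(IPPROTO_TCP, transport(40000, PORT_TELNET))),
        "ssh": ether(ETHERTYPE_IP, ipv4(IPPROTO_TCP, transport(40001, PORT_SSH))),
        "dns": ether(ETHERTYPE_IP, ipv4(IPPROTO_UDP, transport(40002, 53))),
        "http": ether(ETHERTYPE_IP, ipv4(IPPROTO_TCP, transport(40003, 80))),
    }
    return {name: decide(POLICY, classify(frame)) for name, frame in frames.items()}
```

Note that the port rule matches either direction, so a Telnet reply from port 23 is dropped as well as the request to it; a filter that keys on only one of source or destination port lets the other half of the conversation through.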
Appendix B Supported MIBs

This appendix lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the access point supports for this software release. The Cisco IOS SNMP agent supports SNMPv1, SNMPv2, and SNMPv3. SNMPv1 and SNMPv2c authenticate only with a community string carried in clear text, so use SNMPv3 with authentication and privacy wherever the agent is reachable from outside a dedicated management network.
• CISCO-MEMORY-POOL-MIB
• CISCO-PROCESS-MIB
• CISCO-PRODUCTS-MIB
• CISCO-SMI-MIB
• CISCO-TC-MIB
• CISCO-SYSLOG-MIB
• CISCO-WDS-INFO-MIB
• ENTITY-MIB
• IF-MIB
• OLD-CISCO-CHASSIS-MIB
• OLD-CISCO-SYS-MIB
• OLD-CISCO-SYSTEM-MIB
• OLD-CISCO-TS-MIB
• RFC1213-MIB
• RFC1398-MIB
• SNMPv2-MIB
• SNMPv2-SMI
• SNMPv2-TC

Using FTP to Access the MIB Files

Follow these steps to obtain each MIB file by using FTP:
Step 1 Use
Appendix C Error and Event Messages

This appendix lists the CLI error and event messages. The appendix contains the following sections:
• Conventions, page C-2
• Software Auto Upgrade Messages, page C-3
• Association Management Messages, page C-5
• Unzip Messages, page C-6
• System Log Messages, page C-7
• 802.
Conventions

System error messages are displayed in the format shown in Table 3-1.

Table 3-1 System Error Message Format

Message Component   Description                                                Example
Error identifier    A string categorizing the error.                           STATION-ROLE
Software component  A string identifying the software component of the error.  AUTO_INSTALL
Severity Level      A numerical string indicating the severity of the error.   0-LOG-EMERG: emergency situation, nothing is functional.
Software Auto Upgrade Messages

Error Message SW-AUTO-UPGRADE-2-FATAL_FAILURE: "Attempt to upgrade software failed, software on flash may be deleted. Please copy software into flash."
Explanation Auto upgrade of the software failed. The software on the flash might have been deleted. Copy software into the flash.
Recommended Action Copy software before rebooting the unit.
Error Message AUTO-INSTALL-4-IP_ADDRESS_DHCP: "The radio is operating in automatic install mode and has set ip address dhcp."
Explanation The radio is operating in automatic install mode and is configured to receive an IP address through DHCP.
Recommended Action Use the station-role configuration interface command to configure the radio for a role other than install mode.

Error Message AUTO-INSTALL-6-STATUS: "%s" %s. RSSI=-%d dBm.
Association Management Messages

Error Message DOT11-3-BADSTATE: "%s %s ->%s."
Explanation 802.11 association and management uses a table-driven state machine to track an association and move it through its states. A state transition occurs when an association receives one of many possible events. This error means that an association received an event it did not expect in its current state.
Error Message DOT11-4-DIVER_USED: Interface %s, Mcs rates 8-15 disabled due to only one transmit or receive antenna enabled
Explanation These rates require that at least 2 receive and 2 transmit antennas be enabled.
Recommended Action Copy the error message exactly as it appears on the console or in the system log. Research and attempt to resolve the error using the Output Interpreter at https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl.
System Log Messages

Error Message %DOT11-4-LOADING_RADIO: Interface [chars], loading the radio firmware ([chars])
Explanation The radio has been stopped to load new firmware.
Recommended Action No action is required.

Error Message %LINEPROTO-5-UPDOWN: Line protocol on Interface [chars], changed state to [chars]
Explanation The data link level line protocol has changed state.
Recommended Action No action is required.
802.11 Subsystem Messages

Error Message DOT11-6-FREQ_USED: "Interface %s, frequency %d selected."
Explanation After scanning for an unused frequency, the indicated interface selected the displayed frequency.
Recommended Action None.

Error Message DOT11-4-NO_VALID_INFRA_SSID: "No infrastructure SSID configured. %s not started."
Explanation No infrastructure SSID was configured and the indicated interface was not started.
Error Message DOT11-3-TX_PWR_OUT_OF_RANGE: "Interface %s Radio transmit power out of range."
Explanation The transmitter power level is outside the normal range on the indicated radio interface.
Recommended Action Remove the unit from the network and service it.

Error Message DOT11-3-RADIO_RF_LO: "Interface %s Radio cannot lock RF freq.
Error Message DOT11-6-DFS_SCAN_START: "DFS: Scanning frequency %d MHz for %d seconds."
Explanation The device has begun its DFS scanning process.
Recommended Action None.

Error Message DOT11-6-DFS_TRIGGERED: "DFS: triggered on frequency %d MHz."
Explanation DFS has detected RADAR signals on the indicated frequency.
Recommended Action None. The channel will be placed on the non-occupancy list for 30 minutes and a new channel will be selected.
Error Message DOT11-4-NO_MBSSID_BACKUP_VLAN: "Backup VLANs cannot be configured if MBSSID is not enabled. %s not started."
Explanation To enable a backup VLAN, MBSSID mode must be configured.
Recommended Action Configure MBSSID on the device.

Error Message IF-4-MISPLACED_VLAN_TAG: "Detected a misplaced VLAN tag on source Interface %s. Dropping packet."
Explanation Received an 802.
Error Message DOT11-2-UPLINK_FAILED: "Uplink to parent failed: %s."
Explanation The connection to the parent access point failed for the displayed reason. The uplink will stop its connection attempts.
Recommended Action Try resetting the uplink interface. Contact Technical Support if the problem persists.

Error Message DOT11-4-CANT_ASSOC: "Interface %s, cannot associate %s.
Error Message DOT11-4-MAXRETRIES: "Packet to client %e reached max retries, removing the client."
Explanation The maximum packet send retry limit has been reached and the client is being removed. This message indicates that the access point polled the client a certain number of times without receiving a response, so the client is removed from the association table.
Error Message DOT11-4-RADIO_NO_FREQ: "Interface %s, all frequencies have been blocked, interface not started."
Explanation The frequencies set for operation are invalid and a channel scan is being forced in order to select a valid operating frequency.
Recommended Action None.

Error Message DOT11-4-BCN_BURST_NO_MBSSID: "Beacon burst mode is enabled but MBSSID is not enabled, %s is down.
Error Message DOT11-4-FLASHING_RADIO: "Interface %s, flashing radio firmware (%s)."
Explanation The indicated interface radio has been stopped to load the indicated new firmware.
Recommended Action None.

Error Message DOT11-4-LOADING_RADIO: "Interface %s, loading the radio firmware (%s)."
Explanation The indicated interface radio has been stopped to load the indicated new firmware.
Recommended Action None.
Error Message DOT11-4-UPLINK_LINK_DOWN: "Interface %s, parent lost: %s."
Explanation The connection to the parent access point on the indicated interface was lost for the reason indicated. The unit will try to find a new parent access point.
Recommended Action None.

Error Message DOT11-4-CANT_ASSOC: Cannot associate: %s
Explanation The unit could not establish a connection to a parent access point for the displayed reason.
Error Message DOT11-6-ANTENNA_GAIN: "Interface %s, antenna position/gain changed, adjusting transmitter power."
Explanation The antenna gain has changed, so the list of allowed power levels must be adjusted.
Recommended Action None.

Error Message DOT11-4-DIVER_USED: "Interface %s Mcs rates 8-15 disabled due to only one transmit or receive antenna enabled."
Explanation The rates listed require that at least 2 receive and 2 transmit antennas be enabled.
Error Message DOT11-4-CCMP_REPLAY: "AES-CCMP TSC replay was detected on packet (TSC 0x%11x received from %e)."
Explanation An AES-CCMP TSC replay was detected on a received frame. A replayed TSC in a received packet almost always indicates an active attack.
Recommended Action None.

Error Message DOT11-4-CKIP_MIC_FAILURE: "CKIP MIC failure was detected on a packet (Digest 0x%x) received from %e).
Error Message DOT11-3-TKIP_MIC_FAILURE_REPEATED: "Two TKIP Michael MIC failures were detected within %s seconds on %s interface. The interface will be put on MIC failure hold state for next %d seconds"
Explanation Two TKIP Michael MIC failures were detected within the indicated time on the indicated interface. Because this usually indicates an active attack on your network, the interface will be put on hold for the indicated time.
Error Message DOT11-4-NO_VLAN_ID: "VLAN id %d from Radius server is not configured for station %e."
Explanation The VLAN ID returned by the RADIUS server must be configured on the access point.
Recommended Action Configure the VLAN ID on the access point.

Error Message SOAP-3-ERROR: "Reported on line %d in file %s.%s."
Explanation An internal error occurred on the indicated line number in the indicated filename in the controller ASIC.
Error Message SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: "IOS crypto FIPS self test passed."
Explanation SOAP FIPS self test passed.
Recommended Action None.

Error Message SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: "RADIO crypto FIPS self test passed on interface %s %d."
Explanation SOAP FIPS self test passed on a radio interface.
Recommended Action None.
Local Authenticator Messages

Error Message RADSRV-4-NAS_UNKNOWN: Unknown authenticator: [ip-address]
Explanation The local RADIUS server received an authentication request but does not recognize the IP address of the network access server (NAS) that forwarded the request.
Recommended Action Make sure that every access point on your wireless LAN is configured as a NAS on your local RADIUS server.
Error Message DOT1X-SHIM-3-UNSUPPORTED_KM: "Unsupported key management: %X."
Explanation An error occurred during the initialization of the shim layer. An unsupported key management type was found.
Recommended Action None.

Error Message DOT1X-SHIM-4-PLUMB_KEY_ERR: "Unable to plumb keys - %s."
Explanation An unexpected error occurred when the shim layer tried to plumb the keys.
Recommended Action None.
out before trying the next configured server. A RADIUS server marked as dead is skipped by further requests for the configured number of minutes unless all servers are marked dead. Configuring a dead time of 10 minutes means that the server is not used for 10 minutes.
Recommended Action This is an informational message rather than a fault. If you do not want it logged, remove the dead-time configuration.
Error Message WLCCP-NM-3-WNM_LINK_DOWN: Link to WNM is down
Explanation The network manager is not responding to keep-active messages.
Recommended Action Check for a problem with the network manager or with the network path to the network manager.

Error Message WLCCP-NM-6-WNM_LINK_UP: Link to WNM is up
Explanation The network manager is now responding to keep-active messages.
Recommended Action None.
Error Message Saving this config to nvram may corrupt any network management or security files stored at the end of nvram. Continue? [no]:
Explanation This warning is displayed on the access point CLI while configuration changes are being saved through the CLI. It is caused by insufficient space in flash memory. When a radio crashes, .rcore files are created.
External RADIUS Server Error Messages

Error Message RADIUS: response-authenticator decrypt fail, paklen 32
Explanation The RADIUS shared key configured on the RADIUS server does not match the one configured on the access point, so the access point cannot validate the Response Authenticator on the server's reply.
Recommended Action Make sure that the shared key configured on the RADIUS server and the one configured on the access point are the same.
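Why a shared-key mismatch surfaces as an authenticator failure rather than as a rejection: the server does not send its secret, it binds the secret into the 16-byte Response Authenticator, and the access point recomputes that value with its own copy of the secret. The script below, added here as an example and not taken from the Cisco guide or from IOS, builds an Access-Accept the way RFC 2865 section 3 specifies and then verifies it with matching, mismatched and tampered inputs. The request authenticator, identifier, attribute and secrets are constructed values; a 10-byte Reply-Message gives the same 32-byte packet length the message above reports.

```python
"""Added example, not from the Cisco guide: how the RADIUS Response
Authenticator is computed (RFC 2865 section 3) and why a shared-secret
mismatch between server and access point shows up as a decrypt failure.
The request authenticator, identifier, attributes and secrets below are
constructed values for the example, not real credentials.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)
REPLY_MESSAGE = 18


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_response(code: int, identifier: int, attributes: bytes,
                   request_authenticator: bytes, secret: bytes) -> bytes:
    """Server side: emit a reply bound to the request it answers and to the secret."""
    auth = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes)) + auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client (access point) side: recompute the authenticator with the local secret.

    Any difference in secret, request authenticator or attributes changes the
    MD5 and the reply is discarded, which is what the log line above records.
    """
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attributes = packet[HEADER_LEN:]
    expected = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


# Constructed values for the example.
REQUEST_AUTHENTICATOR = bytes(range(16))   # the AP picks 16 random bytes per request
SERVER_SECRET = b"s3cret-on-server"
AP_SECRET_OK = b"s3cret-on-server"
AP_SECRET_WRONG = b"s3cret-on-ap"          # the misconfiguration the message describes


def demo() -> dict:
    reply = attribute(REPLY_MESSAGE, b"Welcome!!!")   # 12 bytes -> 32-byte packet
    packet = build_response(ACCESS_ACCEPT, 7, reply, REQUEST_AUTHENTICATOR, SERVER_SECRET)
    return {
        "length": len(packet),
        "matching_secret": verify_response(packet, REQUEST_AUTHENTICATOR, AP_SECRET_OK),
        "mismatched_secret": verify_response(packet, REQUEST_AUTHENTICATOR, AP_SECRET_WRONG),
        "tampered": verify_response(packet[:-1] + b"?", REQUEST_AUTHENTICATOR, AP_SECRET_OK),
    }
```

The check only proves that whoever built the reply knew the secret; it is MD5 over a static secret with no per-packet key, so it does not protect the secret from offline guessing by anyone who can capture the exchange, which is why the RADIUS path between access point and server belongs on a protected management network.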
Sensor Messages

Error Message SENSOR-3-TEMP_CRITICAL: System sensor "d" has exceeded CRITICAL temperature thresholds
Explanation One of the measured environmental test points exceeds the extreme threshold.
Recommended Action Correct the specified condition, or the system may shut itself down as a preventive measure. Enter the show environment all command to help determine whether the cause is a temperature or a voltage condition.
Error Message SENSOR-3-VOLT_NORMAL: System sensor "d"("d") is now operating under NORMAL voltage
Explanation One of the measured environmental test points has returned to its normal operating voltage.
Recommended Action None required.

Error Message SENSOR-3-VOLT_WARNING: Voltage monitor "d"("d") has exceeded voltage thresholds
Explanation One of the measured voltage test points indicates that voltage is out of the normal range.
Error Message SNMP-4-NOENGINEIDV6: Remote snmpEngineID for Unrecognized format '%P' not found when creating user: "s"
Explanation An attempt to create a user failed. This is likely because the engine ID of the remote agent (or SNMP manager) was not configured.
Recommended Action Configure the remote snmpEngineID and reconfigure the user.
Error Message SSH-5-SSH_CLOSE: SSH Session from "%s" (tty = "%d") for user '"%s"' using crypto cipher '"%s"' closed
Explanation SSH session closure information.
Recommended Action No action necessary; informational message. Together with SSH_SESSION this is the record of administrative access to the device, so forward it to a syslog collector rather than leaving it only in the local buffer.

Error Message SSH-5-SSH_SESSION: SSH Session request from "%s" (tty = "%d") using crypto cipher '"%s"' "%s"
Explanation SSH session request information.
Recommended Action No action necessary; informational message.

Error Me
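The messages in this appendix share the %FACILITY-SEVERITY-MNEMONIC layout described under Conventions, and a handful of them (CCMP_REPLAY, TKIP_MIC_FAILURE_REPEATED, NAS_UNKNOWN, the external RADIUS authenticator failure, the SSH session records) are the ones a defender wants pulled out of the stream. The script below, added as an example and not part of the Cisco guide, parses that layout, tags the security-relevant mnemonics with the meaning the appendix gives them, and pulls the peer MAC or IP address out of the message text. The log lines are constructed for the example; timestamps, addresses and interface names are assumptions, and the triage table is the editor's reading of the appendix, not a Cisco list.

```python
"""Added example, not from the Cisco guide: parse Cisco IOS system messages
in the %FACILITY-SEVERITY-MNEMONIC form used throughout Appendix C and flag
the ones the appendix describes as security-relevant.  The log lines below
are constructed; timestamps, addresses and interface names are assumptions,
and the triage table is the editor's reading of the appendix.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Facility may itself contain a hyphen (DOT1X-SHIM), so it is matched lazily
# up to the "-<severity>-" that every message carries.
MESSAGE_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_-]+?)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)
MAC_RE = re.compile(r"from ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)  # IOS %e format
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# Mnemonic -> what Appendix C says it means for security.
TRIAGE = {
    "CCMP_REPLAY": "AES-CCMP TSC replay; almost always an active attack",
    "TKIP_MIC_FAILURE_REPEATED": "repeated Michael MIC failures; interface placed on hold",
    "NAS_UNKNOWN": "RADIUS request from an access point not configured as a NAS",
    "SSH_SESSION": "administrative SSH session request (audit record)",
    "SSH_CLOSE": "administrative SSH session closed (audit record)",
}
# The external-RADIUS failure is printed without the % prefix.
RADIUS_SECRET_MISMATCH = "response-authenticator decrypt fail"


@dataclass
class Alert:
    severity: int
    mnemonic: str
    reason: str
    source: Optional[str]
    raw: str


def parse(line: str) -> Optional[dict]:
    """Split one syslog line into facility, severity, mnemonic and text."""
    m = MESSAGE_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    return fields


def source_of(text: str) -> Optional[str]:
    """Peer address from the message text: station MAC first, then an IPv4 address."""
    m = MAC_RE.search(text) or IP_RE.search(text)
    return m.group(1) if m else None


def triage(lines: List[str]) -> List[Alert]:
    alerts: List[Alert] = []
    for line in lines:
        if RADIUS_SECRET_MISMATCH in line:
            # Severity 3 is assumed here; the line carries none of its own.
            alerts.append(Alert(3, "RADIUS_AUTHENTICATOR",
                                "RADIUS shared key mismatch between server and access point",
                                None, line))
            continue
        msg = parse(line)
        if msg and msg["mnemonic"] in TRIAGE:
            alerts.append(Alert(msg["severity"], msg["mnemonic"], TRIAGE[msg["mnemonic"]],
                                source_of(msg["text"]), line))
    return alerts


# Constructed sample log (not a real capture).
SAMPLE_LOG = [
    "Mar  1 00:02:11.410: %DOT11-6-DFS_TRIGGERED: DFS: triggered on frequency 5260 MHz.",
    "Mar  1 00:02:13.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up",
    "Mar  1 00:05:44.118: %DOT11-4-CCMP_REPLAY: AES-CCMP TSC replay was detected on packet (TSC 0x1f3 received from 0013.ce51.9a2b).",
    "Mar  1 00:05:50.301: %DOT11-3-TKIP_MIC_FAILURE_REPEATED: Two TKIP Michael MIC failures were detected within 60 seconds on Dot11Radio0 interface. The interface will be put on MIC failure hold state for next 60 seconds",
    "Mar  1 00:07:02.550: %RADSRV-4-NAS_UNKNOWN: Unknown authenticator: 10.1.1.50",
    "Mar  1 00:07:30.004: RADIUS: response-authenticator decrypt fail, paklen 32",
    "Mar  1 00:09:15.777: %SSH-5-SSH_SESSION: SSH Session request from 10.1.1.77 (tty = 0) using crypto cipher 'aes128-cbc' Succeeded",
    "Mar  1 00:12:40.001: %DOT1X-SHIM-3-UNSUPPORTED_KM: Unsupported key management: 0x5.",
]
```

Run triage(SAMPLE_LOG) to get five alerts in log order; the DFS, line-protocol and shim-layer lines parse cleanly but are not flagged, which is the point of keying on the mnemonic rather than on severity alone (the SSH audit records are severity 5, lower than several purely operational messages).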
Glossary

802.11 The IEEE standard that specifies carrier sense media access control and physical layer specifications for 1- and 2-megabit-per-second (Mbps) wireless LANs operating in the 2.4-GHz band.
802.11a The IEEE standard that specifies carrier sense media access control and physical layer specifications for wireless LANs operating in the 5-GHz frequency band.
802.11b The IEEE standard that specifies carrier sense media access control and physical layer specifications for 5.
beacon A wireless LAN packet that signals the availability and presence of the wireless device. Beacon packets are sent by access points and base stations; however, client radio cards send beacons when operating in computer-to-computer (Ad Hoc) mode.
BOOTP Boot Protocol. A protocol used for the static assignment of IP addresses to devices on the network.
BPSK A modulation technique used by IEEE 802.11b-compliant wireless LANs for transmission at 1 Mbps.
dipole A type of low-gain (2.2-dBi) antenna consisting of two (often internal) elements.
domain name The text name that refers to a grouping of networks or network resources based on organization type or geography; for example: name.com (commercial); name.edu (educational); name.gov (government); ISPname.net (network provider, such as an ISP); name.ar (Argentina); name.au (Australia); and so on.
DNS Domain Name System server. A server that translates text names into IP addresses.
IP subnet mask The number used to identify the IP subnetwork, indicating whether the IP address can be recognized on the LAN or must be reached through a gateway. This number is expressed in a form similar to an IP address; for example: 255.255.255.0.
isotropic An antenna that radiates its signal in a spherical pattern.

M

MAC Media Access Control address. A unique 48-bit number used in Ethernet data packets to identify an Ethernet device, such as an access point or your client adapter.
roaming A feature of some access points that allows users to move through a facility while maintaining an unbroken connection to the LAN.
RP-TNC A connector type unique to Cisco Aironet radios and antennas. Part 15.203 of the FCC rules covering spread spectrum devices limits the types of antennas that may be used with transmission equipment.
W

WDS Wireless Domain Services (WDS). An access point providing WDS on your wireless LAN maintains a cache of credentials for CCKM-capable client devices on your wireless LAN. When a CCKM-capable client roams from one access point to another, the WDS access point forwards the client's credentials to the new access point with the multicast key. Only two packets pass between the client and the new access point, greatly shortening the reassociation time.
WEP Wired Equivalent Privacy.