Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
Cisco IOS Release 12.2(15)JA
April 2004
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS
Preface xvii
Audience xvii
Purpose xvii
Organization xvii
Conventions xix
Related Publications xxi
Obtaining Documentation xxi
Cisco.
Assigning Basic Settings 2-6
Default Settings on the Express Setup Page 2-10
Configuring Basic Security Settings 2-11
Understanding Express Security Settings 2-12
Using VLANs 2-12
Express Security Types 2-12
Express Security Limitations 2-13
Using the Express Security Page 2-14
CLI Configuration Examples 2-14
Using the IP Setup Utility 2-19
Obtaining and Installing IPSU 2-20
Using IPSU to Find the Access Point’s IP Address 2-20
Using IPSU to Set the Access Point’s IP Address and SSID
Assigning a
Accessing the CLI 4-8
Opening the CLI with Telnet 4-8
Opening the CLI with Secure Shell 4-9
CHAPTER 5 Administering the Access Point 5-1
Preventing Unauthorized Access to Your Access Point 5-2
Protecting Access to Privileged EXEC Commands 5-2
Default Password and Privilege Level Configuration 5-2
Setting or Changing a Static Enable Password 5-3
Protecting Enable and Enable Secret Passwords with Encryption
Configuring Username and Password Pairs 5-5
Configuring Multiple Privilege Levels 5-6
Understanding Client ARP Caching 5-21
Optional ARP Caching 5-22
Configuring ARP Caching 5-22
Managing the System Time and Date 5-22
Understanding the System Clock 5-23
Understanding Network Time Protocol 5-23
Configuring NTP 5-24
Default NTP Configuration 5-25
Configuring NTP Authentication 5-25
Configuring NTP Associations 5-27
Configuring NTP Broadcast Service 5-28
Configuring NTP Access Restrictions 5-29
Configuring the Source IP Address for NTP Packets 5-31
Displaying the NTP Configuration 5
Disabling and Enabling Short Radio Preambles 6-11
Configuring Transmit and Receive Antennas 6-11
Disabling and Enabling Aironet Extensions 6-12
Configuring the Ethernet Encapsulation Transformation Method
Enabling and Disabling Reliable Multicast to Workgroup Bridges
Enabling and Disabling Public Secure Packet Forwarding
Configuring Protected Ports 6-15
Configuring the Beacon Period and the DTIM
Configure RTS Threshold and Retries
Configuring Multiple SSIDs 7-1
7-2 Configuring Multiple SSID
WEP Key Restrictions 9-4
Example WEP Key Setup 9-5
Enabling Cipher Suites and WEP 9-6
Matching Cipher Suites with WPA and CCKM 9-7
Enabling and Disabling Broadcast Key Rotation 9-7
CHAPTER 10 Configuring Authentication Types 10-1
Understanding Authentication Types 10-2
Open Authentication to the Access Point 10-2
Shared Key Authentication to the Access Point 10-3
EAP Authentication to the Network 10-3
MAC Address Authentication to the Network 10-5
Combining MAC-Based, EAP, and Open Authentica
Configuration Overview 11-7
Configuring Access Points as Potential WDS Access Points 11-8
CLI Configuration Example 11-12
Configuring Access Points to use the WDS Device 11-13
CLI Configuration Example 11-14
Enabling Layer 3 Mobility on an SSID 11-15
CLI Configuration Example 11-15
Configuring the Authentication Server to Support Fast Secure Roaming 11-15
Viewing WDS Information 11-21
Using Debug Messages 11-22
Configuring Radio Management 11-23
CLI Configuration Example 11-24
CHAPTER 12 Conf
Starting TACACS+ Accounting 12-26
Displaying the TACACS+ Configuration 12-27
CHAPTER 13 Configuring VLANs 13-1
Understanding VLANs 13-2
Related Documents 13-3
Incorporating Wireless Devices into VLANs 13-4
Configuring VLANs 13-4
Configuring a VLAN 13-4
Using a RADIUS Server to Assign Users to VLANs 13-6
Viewing VLANs Configured on the Access Point 13-6
VLAN Configuration Example 13-7
CHAPTER 14 Configuring QoS 14-1
Understanding QoS for Wireless LANs 14-2
QoS for Wireless LANs Versus
Configuring Proxy Mobile IP 15-6
Configuration Guidelines 15-7
Configuring Proxy Mobile IP on Your Wired LAN 15-7
Configuring Proxy Mobile IP on Your Access Point 15-8
CHAPTER 16 Configuring Filters 16-1
Understanding Filters 16-2
Configuring Filters Using the CLI 16-2
Configuring Filters Using the Web-Browser Interface 16-2
Configuring and Enabling MAC Address Filters 16-3
Creating a MAC Address Filter 16-4
Using MAC Address ACLs to Block or Allow Client Association to the Access Point C
Configuring Trap Managers and Enabling Traps 18-7
Setting the Agent Contact and Location Information 18-9
Using the snmp-server view Command 18-9
SNMP Examples 18-9
Displaying SNMP Status 18-10
CHAPTER 19 Configuring Repeater and Standby Access Points
Understanding Repeater Access Points 19-2
Configuring a Repeater Access Point 19-3
Default Configuration 19-4
Guidelines for Repeaters 19-4
Setting Up a Repeater 19-4
Verifying Repeater Operation 19-5
Setting Up a Repeater As a LEAP Client Sett
Downloading the Configuration File by Using TFTP 20-11
Uploading the Configuration File by Using TFTP 20-11
Copying Configuration Files by Using FTP 20-12
Preparing to Download or Upload a Configuration File by Using FTP 20-13
Downloading a Configuration File by Using FTP 20-13
Uploading a Configuration File by Using FTP 20-14
Copying Configuration Files by Using RCP 20-15
Preparing to Download or Upload a Configuration File by Using RCP 20-16
Downloading a Configuration File by Using RCP 20-16
Up
Enabling and Disabling Sequence Numbers in Log Messages 21-6
Defining the Message Severity Level 21-7
Limiting Syslog Messages Sent to the History Table and to SNMP 21-8
Setting a Logging Rate Limit 21-9
Configuring UNIX Syslog Servers 21-10
Logging Messages to a UNIX Syslog Daemon 21-10
Configuring the UNIX System Logging Facility 21-10
Displaying the Logging Configuration 21-12
CHAPTER 22 Troubleshooting 22-1
Checking the Top Panel Indicators 22-2
Checking Basic Settings 22-5
SSID 22-5
W
APPENDIX B Protocol Filters B-1
APPENDIX C Supported MIBs C-1
MIB List C-1
Using FTP to Access the MIB Files C-2
APPENDIX D Error and Event Messages D-1
Software Auto Upgrade Messages D-1
Association Management Messages D-2
Proxy Mobile IP Subsystem Messages D-2
Unzip Messages D-5
802.
Contents Cisco IOS Software Configuration Guide for Cisco Aironet Access Points xvi OL-5260-01
Preface
Audience
This guide is for the networking professional who installs and manages Cisco Aironet Access Points. To use this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of wireless local area networks.
Purpose
This guide provides the information you need to install and configure your access point.
Organization
Chapter 5, “Administering the Access Point,” describes how to perform one-time operations to administer your access point, such as preventing unauthorized access to the access point, setting the system date and time, and setting the system name and prompt.
Chapter 6, “Configuring Radio Settings,” describes how to configure settings for the access point radio such as the role in the radio network, data rates, transmit power, channel settings, and others.
Appendix A, “Channels and Antenna Settings,” lists the access point radio channels and the maximum power levels supported by the world’s regulatory domains.
Appendix B, “Protocol Filters,” lists some of the protocols that you can filter on the access point.
Appendix C, “Supported MIBs,” lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the access point supports for this software release.
Conventions
Warning: This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. (To see translations of the warnings that appear in this publication, refer to the appendix “Translated Safety Warnings.”)
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription. Registered Cisco.
Obtaining Technical Assistance
Cisco TAC Website
The Cisco TAC website (http://www.cisco.com/tac) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year. Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL: http://tools.cisco.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
• The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL: http://www.cisco.com/en/US/products/products_catalog_links_launch.
CHAPTER 1 Overview
Cisco Aironet Access Points (hereafter called access points) provide a secure, affordable, and easy-to-use wireless LAN solution that combines mobility and flexibility with the enterprise-class features required by networking professionals. With a management system based on Cisco IOS software, Cisco Aironet 350, 1100, and 1200 series access points are Wi-Fi certified, 802.11b-compliant, 802.11g-compliant, and 802.11a-compliant wireless LAN transceivers.
Features
Access points running Cisco IOS software offer these software features:
• World mode—Use this feature to communicate the access point’s regulatory setting information, including maximum transmit power and available channels, to world mode-enabled clients. Clients using world mode can be used in countries with different regulatory settings and automatically conform to local regulations. World mode is supported only on the 2.4-GHz radio.
• Wi-Fi Protected Access (WPA)—Wi-Fi Protected Access is a standards-based, interoperable security enhancement that strongly increases the level of data protection and access control for existing and future wireless LAN systems. It is derived from and will be forward-compatible with the upcoming IEEE 802.11i standard. WPA leverages TKIP (Temporal Key Integrity Protocol) for data protection and 802.1X for authenticated key management.
Management Options
You can use the access point management system through the following interfaces:
• The Cisco IOS command-line interface (CLI), which you use through a Telnet session. Most of the examples in this manual are taken from the CLI. Chapter 4, “Using the Command-Line Interface,” provides a detailed description of the CLI.
• A web-browser interface, which you use through a web browser.
Network Configuration Examples
Figure 1-1 Access Points as Root Units on a Wired LAN
Repeater Unit that Extends Wireless Range
An access point can be configured as a stand-alone repeater to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication. The repeater forwards traffic between wireless users and the wired LAN by sending packets to either another repeater or to an access point connected to the wired LAN. The data is sent through the route that provides the best performance for the client.
Central Unit in an All-Wireless Network
In an all-wireless network, an access point acts as a stand-alone root unit. The access point is not attached to a wired LAN; it functions as a hub linking all stations together. The access point serves as the focal point for communications, increasing the communication range of wireless users. Figure 1-3 shows an access point in an all-wireless network.
CHAPTER 2 Configuring the Access Point for the First Time
This chapter describes how to configure basic settings on your access point for the first time. The contents of this chapter are similar to the instructions in the quick start guide that shipped with your access point.
Before You Start
Before you install the access point, make sure you are using a computer connected to the same network as the access point, and obtain the following information from your network administrator:
• A system name for the access point
• The case-sensitive wireless service set identifier (SSID) for your radio network
• If not connected to a DHCP server, a unique IP address for your access point (such as 172.17.255.
Obtaining and Assigning an IP Address
Step 7 Click the Reset to Defaults button.
Note: If the access point is configured with a static IP address, the IP address does not change. If the access point is not configured with a static IP address, the access point requests a DHCP address. If it does not receive an address from a DHCP server, its IP address is 10.0.0.1.
Connecting to the 350 Series Access Point Locally
If you need to configure the access point locally (without connecting the access point to a wired LAN), you can connect a PC to its RS-232 console port using a nine-pin, male-to-female, straight-through serial cable.
Connecting to the 1100 Series Access Point Locally
If you need to configure the access point locally (without connecting the access point to a wired LAN), you can connect a PC to its Ethernet port using a Category 5 Ethernet cable. You can use a local connection to the Ethernet port much as you would use a serial port connection.
Connecting to the 1200 Series Access Point Locally
If you need to configure the access point locally (without connecting the access point to a wired LAN), you can connect a PC to its console port using a DB-9 to RJ-45 serial cable.
Assigning Basic Settings
Figure 2-4 Summary Status Page
Step 5 Click Express Setup. The Express Setup screen appears. Figure 2-5 shows the Express Setup page.
Figure 2-5 Express Setup Page
Step 6 Enter the configuration settings you obtained from your system administrator. The configurable settings include:
• System Name—The system name, while not an essential setting, helps identify the access point on your network. The system name appears in the titles of the management system pages.
Note: You can enter up to 32 characters for the system name.
• Configuration Server Protocol—Click on the button that matches the network’s method of IP address assignment.
– DHCP—IP addresses are automatically assigned by your network’s DHCP server.
– Static IP—The access point uses a static IP address that you enter in the IP address field.
• IP Address—Use this setting to assign or change the access point’s IP address.
Note
Default Settings on the Express Setup Page
Table 2-1 lists the default settings for the settings on the Express Setup page.
Table 2-1 Default Settings on the Express Setup Page
Setting | Default
System Name | ap
Configuration Server Protocol | DHCP
IP Address | Assigned by DHCP by default; if DHCP is disabled, the default setting is 10.0.0.
Configuring Basic Security Settings
After you assign basic settings to your access point, you must configure security settings to prevent unauthorized access to your network. Because it is a radio device, the access point can communicate beyond the physical boundaries of your worksite.
Understanding Express Security Settings
When the access point configuration is at factory defaults, the first SSID that you create using the Express security page overwrites the default SSID, tsunami, which has no security settings. The SSIDs that you create appear in the SSID table at the bottom of the page. You can create up to 16 SSIDs on the access point.
Table 2-2 Security Types on Express Security Setup Page (continued)
Security Type | Description | Security Features Enabled
EAP Authentication | This option enables 802.1x authentication (such as LEAP, PEAP, EAP-TLS, EAP-GTC, EAP-SIM, and others) and requires you to enter the IP address and shared secret for an authentication server on your network (server authentication port 1645). Because 802.
Using the Express Security Page
Follow these steps to create an SSID using the Express Security page:
Step 1 Type the SSID in the SSID entry field. The SSID can contain up to 32 alphanumeric characters.
Step 2 To broadcast the SSID in the access point beacon, check the Broadcast SSID in Beacon check box. When you broadcast the SSID, devices that do not specify an SSID can associate to the access point.
CLI Configuration Examples
 station-role root
!
interface Dot11Radio0.
interface Dot11Radio0.
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.
!
interface BVI1
 ip address 10.91.104.91 255.255.255.192
 no ip route-cache
!
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.91.104.
 rts threshold 2312
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.
Using the IP Setup Utility
Obtaining IPSU
IPSU is available on the Cisco web site. Click this link to browse to the Software Center on Cisco.com: http://www.cisco.com/public/sw-center/sw-wireless.shtml
You can find IPSU in the Software Display Tables for access points that run Cisco IOS software.
If IPSU reports that the IP address is 10.0.0.1, the default IP address, then the access point did not receive a DHCP-assigned IP address. To change the access point IP address from the default value using IPSU, refer to the “Using IPSU to Set the Access Point’s IP Address and SSID” section on page 2-21.
Using IPSU to Set the Access Point’s IP Address and SSID
If you want to change the default IP address (10.0.0.
Step 4 Enter the IP address you want to assign to the access point in the IP Address field.
Step 5 Enter the SSID you want to assign to the access point in the SSID field.
Note: You cannot set the SSID without also setting the IP address. However, you can set the IP address without setting the SSID.
Step 6 Click Set Parameters to change the access point’s IP address and SSID settings.
Using a Telnet Session to Access the CLI
Step 2 When the Telnet window appears, click Connect and select Remote System.
Note: In Windows 2000, the Telnet window does not contain drop-down menus. To start the Telnet session in Windows 2000, type open followed by the access point’s IP address.
Step 3 In the Host Name field, type the access point’s IP address and click Connect.
CHAPTER 3 Using the Web-Browser Interface
This chapter describes the web-browser interface that you can use to configure the access point.
Using the Web-Browser Interface for the First Time
Use the access point’s IP address to browse to the management system. See the “Obtaining and Assigning an IP Address” section on page 2-3 for instructions on assigning an IP address to the access point.
Follow these steps to begin using the web-browser interface:
Step 1 Start the browser.
Using the Management Pages in the Web-Browser Interface
Figure 3-1 Web-Browser Interface Home Page
Using Action Buttons
Table 3-1 lists the page links and buttons that appear on most management pages.
Table 3-1 Common Buttons on Management Pages
Button/Link | Description
Navigation Links
Home | Displays access point status page with information on the number of radio devices associated to the access point, the status of the Ethernet and radio interfaces, and a list of recent access point activity.
Character Restrictions in Entry Fields
Because the 1200 series access point uses Cisco IOS software, there are certain characters that you cannot use in the entry fields on the web-browser interface. Table 3-2 lists the illegal characters and the fields in which you cannot use them.
CHAPTER 4 Using the Command-Line Interface
This chapter describes the Cisco IOS command-line interface (CLI) that you can use to configure your access point.
Cisco IOS Command Modes
The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode. When you start a session on the access point, you begin in user mode, often called user EXEC mode. Only a limited subset of the commands are available in user EXEC mode.
Getting Help
You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 4-2.
Table 4-2 Help Summary
Command | Purpose
help | Obtains a brief description of the help system in any command mode.
abbreviated-command-entry? | Obtains a list of commands that begin with a particular character string.
Configuration commands can also have a default form. The default form of a command returns the command setting to its default. Most commands are disabled by default, so the default form is the same as the no form. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default command enables the command and sets variables to their default values.
The range is from 0 to 256. Beginning in line configuration mode, enter this command to configure the number of command lines the access point records for all sessions on a particular line:
ap(config-line)# history [size number-of-lines]
The range is from 0 to 256.
Using Editing Features
Enabling and Disabling Editing Features
Although enhanced editing mode is automatically enabled, you can disable it.
Table 4-5 Editing Commands Through Keystrokes (continued)
Capability | Keystroke | Purpose
Capitalize or lowercase words or capitalize a set of letters. | Esc C | Capitalize at the cursor.
 | Esc L | Change the word at the cursor to lowercase.
 | Esc U | Capitalize letters from the cursor to the end of the word.
Designate a particular keystroke as an executable command, perhaps as a shortcut. | Ctrl-V or Esc Q |
After you complete the entry, press Ctrl-A to check the complete syntax before pressing the Return key to execute the command. The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right:
ap(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1$
The software assumes you have a terminal screen that is 80 columns wide.
Accessing the CLI
Note: In Windows 2000, the Telnet window does not contain drop-down menus. To start the Telnet session in Windows 2000, type open followed by the access point’s IP address.
Step 3 In the Host Name field, type the access point’s IP address and click Connect.
Step 4 At the username and password prompts, enter your administrator username and password. The default username is Cisco, and the default password is Cisco.
CHAPTER 5 Administering the Access Point
This chapter describes how to administer your access point.
Preventing Unauthorized Access to Your Access Point
You can prevent unauthorized users from reconfiguring your access point and viewing configuration information. Typically, you want network administrators to have access to the access point while you restrict access to users who connect through a terminal or workstation from within the local network.
Protecting Access to Privileged EXEC Commands
Table 5-1 Default Password and Privilege Levels (continued)
Feature | Default Setting
Enable secret password and privilege level | The default enable password is Cisco. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file.
Line password | Default password is Cisco. The password is encrypted in the configuration file.
Protecting Enable and Enable Secret Passwords with Encryption
To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands.
If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels.
To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command. You must have at least one username configured and you must have login local set to open a Telnet session to the access point.
Step 4 end
  Return to privileged EXEC mode.
Step 5 show running-config or show privilege
  Verify your entries. The first command displays the password and access level configuration. The second command displays the privilege level configuration.
copy running-config startup-config
  (Optional) Save your entries in the configuration file.
Controlling Access Point Access with RADIUS
These sections describe RADIUS configuration:
• Default RADIUS Configuration, page 5-8
• Configuring RADIUS Login Authentication, page 5-8 (required)
• Defining AAA Server Groups, page 5-9 (optional)
• Configuring RADIUS Authorization for User Privileged Access and Network Services, page 5-11 (optional)
• Displaying the RADIUS Configuration, page 5-12
Default RADIUS Configuration
RADIUS and AAA are disabled by
Step 3 aaa authentication login {default | list-name} method1 [method2...]
  Create a login authentication method list.
  • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
Chapter 5 Administering the Access Point Controlling Access Point Access with RADIUS Step 4 Command Purpose aaa group server radius group-name Define the AAA server-group with a group name. This command puts the access point in a server group configuration mode. Step 5 server ip-address Associate a particular RADIUS server with the defined server group. Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2.
Chapter 5 Administering the Access Point Controlling Access Point Access with TACACS+ Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa authorization network radius Configure the access point for user RADIUS authorization for all network-related service requests.
Chapter 5 Administering the Access Point Controlling Access Point Access with TACACS+ Default TACACS+ Configuration TACACS+ and AAA are disabled by default. To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate administrators accessing the access point through the CLI.
Chapter 5 Administering the Access Point Controlling Access Point Access with TACACS+ Step 3 Command Purpose aaa authentication login {default | list-name} method1 [method2...] Create a login authentication method list. • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
Chapter 5 Administering the Access Point Configuring Ethernet Speed and Duplex Settings The aaa authorization exec tacacs+ local command sets these authorization parameters: • Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+. • Use the local database if authentication was not performed by using TACACS+. Note: Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
Chapter 5 Administering the Access Point Configuring the Access Point for Wireless Network Management The Ethernet speed and duplex are set to auto by default. Beginning in privileged EXEC mode, follow these steps to configure Ethernet speed and duplex: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface fastethernet0 Enter configuration interface mode. Step 3 speed { 10 | 100 | auto } Configure the Ethernet speed.
Chapter 5 Administering the Access Point Configuring the Access Point for Local Authentication and Authorization Beginning in privileged EXEC mode, follow these steps to configure the access point for local AAA: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA. Step 3 aaa authentication login default local Set the login authentication to use the local username database.
Chapter 5 Administering the Access Point Configuring the Access Point to Provide DHCP Service Configuring the Access Point to Provide DHCP Service These sections describe how to configure the access point to act as a DHCP server: • Setting up the DHCP Server, page 5-18 • Monitoring and Maintaining the DHCP Server Access Point, page 5-19 Setting up the DHCP Server By default, access points are configured to receive IP settings from a DHCP server on your network.
Chapter 5 Administering the Access Point Configuring the Access Point to Provide DHCP Service Step 5 Command Purpose lease { days [ hours ] [ minutes ] | infinite } Configure the duration of the lease for IP addresses assigned by the access point.
Chapter 5 Administering the Access Point Configuring the Access Point for Secure Shell Table 5-2 Show Commands for DHCP Server (continued) Command Purpose show ip dhcp database [ url ] Displays recent activity on the DHCP database. Note: Use this command in privileged EXEC mode. show ip dhcp server statistics Displays count information about server statistics and messages sent and received. Clear Commands In privileged EXEC mode, use the commands in Table 5-3 to clear DHCP server variables.
Chapter 5 Administering the Access Point Configuring Client ARP Caching SSH provides more security for remote connections than Telnet by providing strong encryption when a device is authenticated. The SSH feature has an SSH server and an SSH integrated client.
Chapter 5 Administering the Access Point Managing the System Time and Date Optional ARP Caching When a non-Cisco client device is associated to an access point and is not passing data, the access point might not know the client’s IP address. If this situation occurs frequently on your wireless LAN, you can enable optional ARP caching.
Chapter 5 Administering the Access Point Managing the System Time and Date Understanding the System Clock The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time.
Chapter 5 Administering the Access Point Managing the System Time and Date Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. Cisco recommends that the time service for your network be derived from the public NTP servers available on the IP Internet. Figure 5-1 shows a typical network example using NTP.
Chapter 5 Administering the Access Point Managing the System Time and Date This section contains this configuration information: • Default NTP Configuration, page 5-25 • Configuring NTP Authentication, page 5-25 • Configuring NTP Associations, page 5-27 • Configuring NTP Broadcast Service, page 5-28 • Configuring NTP Access Restrictions, page 5-29 • Configuring the Source IP Address for NTP Packets, page 5-31 • Displaying the NTP Configuration, page 5-32 Default NTP Configuration Table 5-4 s
Chapter 5 Administering the Access Point Managing the System Time and Date Step 3 Command Purpose ntp authentication-key number md5 value Define the authentication keys. By default, none are defined. • For number, specify a key number. The range is 1 to 4294967295. • md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5). • For value, enter an arbitrary string of up to eight characters for the key.
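An added example, not Cisco's code, of what an MD5 authentication key does on the wire: the standard NTP symmetric-key MAC (RFC 5905 Appendix A) appends the key number and MD5(key || packet) to each packet, and the peer recomputes it with the same key number and value. The key table, key number and packet timestamp below are constructed.

```python
import hashlib
import hmac
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800

# Constructed key table standing in for "ntp authentication-key <number> md5 <value>".
# The key number and value are hypothetical; the access point accepts values of up to
# eight characters, so the sample key is exactly eight.
NTP_KEYS = {1: b"s3cr3tk1"}

MAC_LEN = 4 + 16  # 32-bit key identifier followed by a 128-bit MD5 digest


def build_ntp_client_packet(transmit_time=None):
    """Build a 48-byte NTPv4 client (mode 3) header with only the transmit timestamp set."""
    if transmit_time is None:
        transmit_time = time.time()
    li_vn_mode = (0 << 6) | (4 << 3) | 3  # leap indicator 0, version 4, mode 3 (client)
    secs = int(transmit_time) + NTP_UNIX_OFFSET
    frac = int((transmit_time - int(transmit_time)) * (1 << 32))
    # stratum 0, poll 4, precision -6; root delay/dispersion, reference id and the
    # reference, origin and receive timestamps are all zero in a plain client request.
    return struct.pack("!BBBb11I", li_vn_mode, 0, 4, -6,
                       0, 0, 0,           # root delay, root dispersion, reference id
                       0, 0, 0, 0, 0, 0,  # reference, origin and receive timestamps
                       secs, frac)        # transmit timestamp


def ntp_mac(key_id, key, packet):
    """Key identifier plus MD5(key || packet): the NTP symmetric-key MAC of RFC 5905."""
    return struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def authenticate_packet(packet, key_id, keys=NTP_KEYS):
    """Append the MAC for key_id so a peer holding the same key can verify the packet."""
    return packet + ntp_mac(key_id, keys[key_id], packet)


def verify_packet(data, keys=NTP_KEYS):
    """Return (ok, key_id); ok is True only if a MAC is present and matches a known key."""
    if len(data) < 48 + MAC_LEN:
        return False, None  # unauthenticated or truncated packet
    header, mac = data[:-MAC_LEN], data[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return False, key_id  # unknown key number: reject without computing anything
    expected = ntp_mac(key_id, keys[key_id], header)
    # Constant-time comparison so the verifier does not leak digest bytes via timing.
    return hmac.compare_digest(expected, mac), key_id


if __name__ == "__main__":
    request = authenticate_packet(build_ntp_client_packet(), 1)
    print(len(request), "bytes, verifies:", verify_packet(request))
```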
Chapter 5 Administering the Access Point Managing the System Time and Date Configuring NTP Associations An NTP association can be a peer association (this access point can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this access point synchronizes to the other device, and not the other way around).
Chapter 5 Administering the Access Point Managing the System Time and Date Configuring NTP Broadcast Service The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead.
Chapter 5 Administering the Access Point Managing the System Time and Date Beginning in privileged EXEC mode, follow these steps to configure the access point to receive NTP broadcast packets from connected peers: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the interface to receive NTP broadcast packets. Step 3 ntp broadcast client Enable the interface to receive NTP broadcast packets.
Chapter 5 Administering the Access Point Managing the System Time and Date Creating an Access Group and Assigning a Basic IP Access List Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ntp access-group {query-only | serve-only | serve | peer} access-list-number Create an access group, and apply a basic IP access list.
Chapter 5 Administering the Access Point Managing the System Time and Date If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted. To remove access control to the access point NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command.
Chapter 5 Administering the Access Point Managing the System Time and Date Beginning in privileged EXEC mode, follow these steps to configure a specific interface from which the IP source address is to be taken: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ntp source type number Specify the interface type and number from which the IP source address is taken. By default, the source address is determined by the outgoing interface.
Chapter 5 Administering the Access Point Managing the System Time and Date Setting the System Clock If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock.
Chapter 5 Administering the Access Point Managing the System Time and Date Configuring the Time Zone Beginning in privileged EXEC mode, follow these steps to manually configure the time zone: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 clock timezone zone hours-offset [minutes-offset] Set the time zone. The access point keeps internal time in universal time coordinated (UTC), so this command is used only for display purposes and when the time is manually set.
Chapter 5 Administering the Access Point Managing the System Time and Date Configuring Summer Time (Daylight Saving Time) Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 clock summer-time zone recurring Configure summer time to start and end on the specified days every year.
Chapter 5 Administering the Access Point Managing the System Time and Date Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events): Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 clock summer-time zone date [month date year hh:mm month date year hh:mm Configure summer time to start on the first date and end on the second date.
Chapter 5 Administering the Access Point Configuring a System Name and Prompt Configuring a System Name and Prompt You configure the system name on the access point to identify it. By default, the system name and prompt are ap. If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. A greater-than symbol (>) is appended.
Chapter 5 Administering the Access Point Configuring a System Name and Prompt When you set the system name, it is also used as the system prompt. To return to the default host name, use the no hostname global configuration command. Understanding DNS The DNS protocol controls the Domain Name System (DNS), a distributed database with which you can map host names to IP addresses.
Chapter 5 Administering the Access Point Configuring a System Name and Prompt Setting Up DNS Beginning in privileged EXEC mode, follow these steps to set up your access point to use the DNS: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip domain-name name Define a default domain name that the software uses to complete unqualified host names (names without a dotted-decimal domain name).
Chapter 5 Administering the Access Point Creating a Banner Displaying the DNS Configuration To display the DNS configuration information, use the show running-config privileged EXEC command. Note When DNS is configured on the access point, the show running-config command sometimes displays a server’s IP address instead of its name. Creating a Banner You can configure a message-of-the-day (MOTD) and a login banner.
Chapter 5 Administering the Access Point Creating a Banner Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 banner motd c message c Specify the message of the day. For c, enter the delimiting character of your choice, such as a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text.
Chapter 5 Administering the Access Point Creating a Banner Configuring a Login Banner You can configure a login banner to appear on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 banner login c message c Specify the login message.
CHAPTER 6 Configuring Radio Settings This chapter describes how to configure radio settings for your access point.
Chapter 6 Configuring Radio Settings Disabling and Enabling the Radio Interface Disabling and Enabling the Radio Interface The access point radios are enabled by default. Beginning in privileged EXEC mode, follow these steps to disable the access point radio: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Chapter 6 Configuring Radio Settings Configuring the Role in Radio Network Configuring the Role in Radio Network You can configure your access point as a root device that is connected to the wired LAN or as a repeater (non-root) device that is not connected to the wired LAN. Figure 6-1 shows root, scanner, and repeater access points.
Chapter 6 Configuring Radio Settings Configuring Radio Data Rates Beginning in privileged EXEC mode, follow these steps to set the access point’s radio network role and fallback role: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Chapter 6 Configuring Radio Settings Configuring Radio Data Rates Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1. Step 3 speed Set each data rate to basic or enabled, or enter range to optimize access point range or throughput to optimize throughput. These options are available for the 802.11b, 2.
Chapter 6 Configuring Radio Settings Configuring Radio Transmit Power Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no form of the speed command to disable data rates. When you use the no form of the command, all data rates are disabled except the rates you name in the command. This example shows how to disable data rate 1.
Chapter 6 Configuring Radio Settings Configuring Radio Transmit Power Step 4 Command Purpose power local Set the transmit power for the 802.11g, 2.4-GHz radio to one of the power levels allowed in your regulatory domain. All settings are in mW. These options are available for the 802.11g, 2.4-GHz radio: power local cck settings: { 1 | 5 | 10 | 20 | 30 | 50 | 100 | maximum } power local ofdm settings: { 1 | 5 | 10 | 20 | 30 | maximum } On the 2.4-GHz, 802.
Chapter 6 Configuring Radio Settings Configuring Radio Channel Settings Step 3 Command Purpose power client Set the maximum power level allowed on client devices that associate to the access point. All settings are in mW. These options are available for 802.11b, 2.4-GHz clients: { 1 | 5 | 20 | 30 | 50 | 100 | maximum} Note The settings allowed in your regulatory domain might differ from the settings listed here. These options are available for 802.11g, 2.
Chapter 6 Configuring Radio Settings Configuring Radio Channel Settings Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1. Step 3 channel frequency | least-congested Set the default channel for the access point radio. To search for the least-congested channel on startup, enter least-congested.
Chapter 6 Configuring Radio Settings Enabling and Disabling World-Mode Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Enabling and Disabling World-Mode You can configure the access point to support 802.11d world mode or Cisco legacy world mode. When you enable world mode, the access point adds channel carrier set information to its beacon.
Chapter 6 Configuring Radio Settings Disabling and Enabling Short Radio Preambles Disabling and Enabling Short Radio Preambles The radio preamble (sometimes called a header) is a section of data at the head of a packet that contains information that the access point and client devices need when sending and receiving packets. You can set the radio preamble to long or short: • Short—A short preamble improves throughput performance. Cisco Aironet Wireless LAN Client Adapters support short preambles.
Chapter 6 Configuring Radio Settings Disabling and Enabling Aironet Extensions Beginning in privileged EXEC mode, follow these steps to select the antennas the access point uses to receive and transmit data: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Chapter 6 Configuring Radio Settings Configuring the Ethernet Encapsulation Transformation Method Aironet extensions are enabled by default. Beginning in privileged EXEC mode, follow these steps to disable Aironet extensions: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Chapter 6 Configuring Radio Settings Enabling and Disabling Reliable Multicast to Workgroup Bridges Enabling and Disabling Reliable Multicast to Workgroup Bridges The Reliable multicast messages from the access point to workgroup bridges setting limits reliable delivery of multicast messages to approximately 20 Cisco Aironet Workgroup Bridges that are associated to the access point.
Chapter 6 Configuring Radio Settings Enabling and Disabling Public Secure Packet Forwarding Enabling and Disabling Public Secure Packet Forwarding Public Secure Packet Forwarding (PSPF) prevents client devices associated to an access point from inadvertently sharing files or communicating with other client devices associated to the access point. It provides Internet access to client devices without providing other capabilities of a LAN.
Chapter 6 Configuring Radio Settings Configuring the Beacon Period and the DTIM Command Purpose Step 3 switchport protected Configure the interface to be a protected port. Step 4 end Return to privileged EXEC mode. Step 5 show interfaces interface-id switchport Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable protected port, use the no switchport protected interface configuration command.
Chapter 6 Configuring Radio Settings Configuring the Maximum Data Retries Maximum RTS Retries is the maximum number of times the access point issues an RTS before stopping the attempt to send the packet over the radio. Enter a value from 1 to 128. The default RTS threshold is 2312, and the default maximum RTS retries setting is 32.
Chapter 6 Configuring Radio Settings Enabling Short Slot Time for 802.11g Radios The default setting is 2338 bytes. Beginning in privileged EXEC mode, follow these steps to configure the fragmentation threshold: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
CHAPTER 7 Configuring Multiple SSIDs This chapter describes how to configure and manage multiple service set identifiers (SSIDs) on the access point.
Chapter 7 Configuring Multiple SSIDs Understanding Multiple SSIDs Understanding Multiple SSIDs The SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. Multiple access points on a network or sub-network can use the same SSIDs. SSIDs are case sensitive and can contain up to 32 alphanumeric characters. Do not include spaces in your SSIDs.
Chapter 7 Configuring Multiple SSIDs Configuring Multiple SSIDs Default SSID Configuration Table 7-1 shows the default SSID configuration: Table 7-1 Default SSID Configuration Feature Default Setting SSID tsunami Guest Mode SSID tsunami (The access point broadcasts this SSID in its beacon and allows client devices with no SSID to associate.
Chapter 7 Configuring Multiple SSIDs Configuring Multiple SSIDs Command Purpose Step 8 infrastructure-ssid [optional] (Optional) Designate the SSID as the SSID that other access points and workgroup bridges use to associate to this access point. If you do not designate an SSID as the infrastructure SSID, infrastructure devices can associate to the access point using any SSID.
Chapter 7 Configuring Multiple SSIDs Configuring Multiple SSIDs
ssid buffalo
vlan 7
authentication open
However, this sample output from a show dot11 associations privileged EXEC command shows the spaces in the SSIDs:
SSID [buffalo] :
SSID [buffalo ] :
SSID [buffalo  ] :
Using a RADIUS Server to Restrict SSIDs To prevent client devices from associating to the access point using an unauthorized SSID, you can create a list of authorized SSIDs that clients must use on your RADIUS authentication server.
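An added check, not from the original guide, that pulls the bracketed SSIDs out of show dot11 associations output exactly as printed and flags whitespace, overlength names, and near-duplicates that differ only by spaces; the output sample is constructed.

```python
import re

# Constructed sample of "show dot11 associations" output; the bracketed SSID field is the
# only place where spaces inside an SSID become visible.
SAMPLE_SHOW_OUTPUT = """\
802.11 Client Stations on Dot11Radio0:

SSID [buffalo] :
SSID [buffalo ] :
SSID [buffalo  ] :
SSID [guest net] :
SSID [Buffalo] :
SSID [this-ssid-name-is-far-too-long-to-be-valid] :
"""

SSID_LINE = re.compile(r"^SSID \[(.*)\] :", re.MULTILINE)


def extract_ssids(show_output):
    """Return each bracketed SSID exactly as printed, spaces included, in output order."""
    return SSID_LINE.findall(show_output)


def ssid_problems(ssid):
    """List the ways an SSID breaks the rules on this page (32 characters max, no spaces)."""
    problems = []
    if len(ssid) > 32:
        problems.append("longer than 32 characters")
    if ssid != ssid.strip():
        problems.append("leading or trailing whitespace")
    elif " " in ssid:
        problems.append("contains a space")
    return problems


def audit_ssids(show_output):
    """Flag bad SSIDs and group names that collapse to one string once spaces are stripped."""
    seen = []
    for ssid in extract_ssids(show_output):
        if ssid not in seen:
            seen.append(ssid)
    problems = {s: ssid_problems(s) for s in seen if ssid_problems(s)}
    groups = {}
    for s in seen:
        groups.setdefault(s.strip(), []).append(s)
    # A collision is a set of distinct SSIDs an operator cannot tell apart in most displays.
    # SSIDs are case sensitive, so "Buffalo" and "buffalo" are kept separate here.
    collisions = {name: variants for name, variants in groups.items() if len(variants) > 1}
    return {"problems": problems, "collisions": collisions}


if __name__ == "__main__":
    for key, value in audit_ssids(SAMPLE_SHOW_OUTPUT).items():
        print(key, value)
```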
CHAPTER 8 Configuring an Access Point as a Local Authenticator This chapter describes how to configure the access point as a local authenticator to serve as a stand-alone authenticator for a small wireless LAN or to provide backup authentication service. As a local authenticator, the access point performs both LEAP and MAC-based authentication for up to 50 client devices.
Chapter 8 Configuring an Access Point as a Local Authenticator Understanding Local Authentication Understanding Local Authentication Many small wireless LANs that could be made more secure with 802.1x authentication do not have access to a RADIUS server. On many wireless LANs that use 802.1x authentication, access points rely on RADIUS servers housed in a distant location to authenticate client devices, and the authentication traffic must cross a WAN link.
Chapter 8 Configuring an Access Point as a Local Authenticator Configuring a Local Authenticator Guidelines for Local Authenticators Follow these guidelines when configuring an access point as a local authenticator: • Use an access point that does not serve a large number of client devices. When the access point acts as an authenticator, performance might degrade for associated client devices. • Secure the access point physically to protect its configuration.
Chapter 8 Configuring an Access Point as a Local Authenticator Configuring a Local Authenticator Step 4 Command Purpose nas ip-address key shared-key Add an access point to the list of units that use the local authenticator. Enter the access point’s IP address and the shared key used to authenticate communication between the local authenticator and other access points. You must enter this shared key on the access points that use the local authenticator.
Chapter 8 Configuring an Access Point as a Local Authenticator Configuring a Local Authenticator Step 11 Command Purpose user username { password | nthash } password [ group group-name ] Enter the users allowed to authenticate using the local authenticator. You must enter a user name and password for each user. If you only know the NT value of the password, which you can often find in the authentication server database, you can enter the NT hash as a string of hexadecimal digits.
Chapter 8 Configuring an Access Point as a Local Authenticator Configuring a Local Authenticator Configuring Other Access Points to Use the Local Authenticator You add the local authenticator to the list of servers on the access point the same way that you add other servers. For detailed instructions on setting up RADIUS servers on your access points, see Chapter 12, “Configuring RADIUS and TACACS+ Servers.
Chapter 8 Configuring an Access Point as a Local Authenticator Configuring a Local Authenticator Unblocking Locked Usernames You can unblock usernames before the lockout time expires, or when the lockout time is set to infinite.
CHAPTER 9 Configuring Cipher Suites and WEP This chapter describes how to configure the cipher suites required to use WPA and CCKM authenticated key management, Wired Equivalent Privacy (WEP), WEP features including Message Integrity Check (MIC), Temporal Key Integrity Protocol (TKIP), and broadcast key rotation.
Chapter 9 Configuring Cipher Suites and WEP Understanding Cipher Suites and WEP Understanding Cipher Suites and WEP This section describes how WEP and cipher suites protect traffic on your wireless LAN. Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal, any wireless networking device within range of an access point can receive the access point's radio transmissions.
Chapter 9 Configuring Cipher Suites and WEP Configuring Cipher Suites and WEP • Broadcast key rotation (also known as Group Key Update)—Broadcast Key Rotation allows the access point to generate the best possible random group key and update all key-management capable clients periodically. Wi-Fi Protected Access (WPA) also provides additional options for group key updates. See the “Using WPA Key Management” section on page 10-7 for details on WPA.
Chapter 9 Configuring Cipher Suites and WEP Configuring Cipher Suites and WEP Step 3 Command Purpose encryption [vlan vlan-id] key 1-4 size { 40 | 128 } encryption-key [0|7] [transmit-key] Create a WEP key and set up its properties. • (Optional) Select the VLAN for which you want to create a key. • Name the key slot in which this WEP key resides. You can assign up to 4 WEP keys for each VLAN. • Enter the key and set the size of the key, either 40-bit or 128-bit.
Chapter 9 Configuring Cipher Suites and WEP Configuring Cipher Suites and WEP Table 9-1 WEP Key Restrictions (continued)
Security Configuration: WEP Key Restriction
Cipher suite with TKIP and 40-bit WEP or 128-bit WEP: Cannot configure a WEP key in key slot 1 and 4
Static WEP with MIC or CMIC: Access point and client devices must use the same WEP key as the transmit key, and the key must be in the same key slot on both access point and clients
Broadcast key rotation: Keys in slots 2 and 3 are overwritt
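An added audit script, not Cisco's code, that reads encryption lines in the syntax listed on this page and reports keys that break the Table 9-1 slot restriction for TKIP cipher suites, use an out-of-range slot, or carry a plain-text key of the wrong length (10 hexadecimal digits for 40-bit and 26 for 128-bit, taken from the WEP key sizes rather than from this page); the configuration fragment is constructed.

```python
import re

# Constructed running-config fragment for one radio interface. The key values and the
# VLAN number are made up; the lines follow the command syntax listed on this page:
# encryption [vlan vlan-id] key 1-4 size {40|128} encryption-key [0|7] [transmit-key]
SAMPLE_CONFIG = """\
interface Dot11Radio0
 encryption vlan 7 mode ciphers tkip wep128
 encryption vlan 7 key 1 size 128 0123456789ABCDEF0123456789 0 transmit-key
 encryption vlan 7 key 2 size 128 ABCDEF0123456789ABCDEF0123 0
 encryption key 1 size 40 0123456789 0 transmit-key
 encryption key 3 size 40 ABCDEF01 0
 encryption key 5 size 128 00000000000000000000000000 0
"""

CIPHER_LINE = re.compile(r"^\s*encryption(?: vlan (\d+))? mode ciphers (.+?)\s*$")
# "size 40bit" / "size 128bit" is accepted as well as the bare "40" / "128" on this page.
KEY_LINE = re.compile(
    r"^\s*encryption(?: vlan (\d+))? key (\d+) size (40|128)(?:bit)? (\S+)"
    r"(?: ([07]))?( transmit-key)?\s*$")

# A 40-bit WEP key is 5 bytes and a 128-bit key (104 secret bits) is 13 bytes, so the
# plain-text forms are 10 and 26 hexadecimal digits respectively.
HEX_DIGITS = {"40": 10, "128": 26}
HEX_ALPHABET = set("0123456789abcdefABCDEF")


def parse_encryption(config):
    """Collect cipher suites and WEP keys per VLAN ("native" when no VLAN is given)."""
    ciphers, keys = {}, []
    for line in config.splitlines():
        m = CIPHER_LINE.match(line)
        if m:
            ciphers[m.group(1) or "native"] = m.group(2).split()
            continue
        m = KEY_LINE.match(line)
        if m:
            vlan, slot, size, value, enc_type, tx = m.groups()
            keys.append({"vlan": vlan or "native", "slot": int(slot), "size": size,
                         "value": value, "type": enc_type or "0", "transmit": bool(tx)})
    return ciphers, keys


def check_wep_keys(config):
    """Return findings for WEP keys that break the slot and size restrictions."""
    ciphers, keys = parse_encryption(config)
    findings = []
    for k in keys:
        where = f"vlan={k['vlan']} slot={k['slot']}"
        if not 1 <= k["slot"] <= 4:
            findings.append(f"{where}: key slot must be 1 to 4")
            continue
        suite = ciphers.get(k["vlan"], [])
        # Table 9-1: a cipher suite combining TKIP with 40- or 128-bit WEP cannot use slots 1 and 4.
        if "tkip" in suite and any(c.startswith("wep") for c in suite) and k["slot"] in (1, 4):
            findings.append(f"{where}: slots 1 and 4 are not allowed with a TKIP + WEP cipher suite")
        # Type 7 stores an obfuscated form, so only plain-text (type 0) keys are length-checked.
        if k["type"] == "0":
            expected = HEX_DIGITS[k["size"]]
            if len(k["value"]) != expected or not set(k["value"]) <= HEX_ALPHABET:
                findings.append(f"{where}: a {k['size']}-bit key needs {expected} hexadecimal digits")
    return findings


if __name__ == "__main__":
    for finding in check_wep_keys(SAMPLE_CONFIG):
        print(finding)
```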
Chapter 9 Configuring Cipher Suites and WEP Configuring Cipher Suites and WEP Enabling Cipher Suites and WEP Beginning in privileged EXEC mode, follow these steps to enable a cipher suite: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface dot11radio { 0 | 1 } Enter interface configuration mode for the radio interface. The 2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Chapter 9 Configuring Cipher Suites and WEP Configuring Cipher Suites and WEP Matching Cipher Suites with WPA and CCKM If you configure your access point to use WPA or CCKM authenticated key management, you must select a cipher suite compatible with the authenticated key management type. Table 9-3 lists the cipher suites that are compatible with WPA and CCKM.
Chapter 9 Configuring Cipher Suites and WEP Configuring Cipher Suites and WEP Step 3 Command Purpose broadcast-key change seconds [ vlan vlan-id ] [ membership-termination ] [ capability-change ] Enable broadcast key rotation. • Enter the number of seconds between each rotation of the broadcast key. • (Optional) Enter a VLAN for which you want to enable broadcast key rotation.
CHAPTER 10 Configuring Authentication Types This chapter describes how to configure authentication types on the access point.
Chapter 10 Configuring Authentication Types Understanding Authentication Types Understanding Authentication Types This section describes the authentication types that you can configure on the access point. The authentication types are tied to the SSIDs that you configure for the access point. If you want to serve different types of client devices with the same access point, you can configure multiple SSIDs.
Chapter 10 Configuring Authentication Types Understanding Authentication Types Figure 10-1 Sequence for Open Authentication [figure: access point or bridge with WEP key = 123; client device with WEP key = 321; 1. Authentication request; 2. Authentication response] Shared Key Authentication to the Access Point Cisco provides shared key authentication to comply with the IEEE 802.11b standard. However, because of shared key’s security flaws, Cisco recommends that you avoid using it.
Chapter 10 Configuring Authentication Types Understanding Authentication Types When you enable EAP on your access points and client devices, authentication to the network occurs in the sequence shown in Figure 10-3: Figure 10-3 Sequence for EAP Authentication [figure: wired LAN; client device; access point or bridge; server; 1. Authentication request; 3. Username (relay to server) (relay to client); 4. Authentication challenge; 5. Authentication response (relay to server) (relay to client); 6.
Chapter 10 Configuring Authentication Types Understanding Authentication Types MAC Address Authentication to the Network The access point relays the wireless client device’s MAC address to a RADIUS server on your network, and the server checks the address against a list of allowed MAC addresses. Intruders can create counterfeit MAC addresses, so MAC-based authentication is less secure than EAP authentication.
Chapter 10 Configuring Authentication Types Understanding Authentication Types Combining MAC-Based, EAP, and Open Authentication You can set up the access point to authenticate client devices using a combination of MAC-based and EAP authentication. When you enable this feature, client devices that associate to the access point using 802.11 open authentication first attempt MAC authentication; if MAC authentication succeeds, the client device joins the network.
Chapter 10 Configuring Authentication Types Understanding Authentication Types Using WPA Key Management Wi-Fi Protected Access is a standards-based, interoperable security enhancement that strongly increases the level of data protection and access control for existing and future wireless LAN systems. It is derived from and will be forward-compatible with the upcoming IEEE 802.11i standard. WPA leverages TKIP (Temporal Key Integrity Protocol) for data protection and 802.1X for authenticated key management.
Chapter 10 Configuring Authentication Types Understanding Authentication Types
Figure 10-6 WPA Key Management Process (wired LAN; client device, access point, authentication server)
Client and server authenticate to each other, generating an EAP master key. Server uses the EAP master key to generate a pairwise master key (PMK) to protect communication between the client and the access point. (However, if the client is using 802.
Chapter 10 Configuring Authentication Types Understanding Authentication Types – Aironet Client Utility (ACU) version 6.2 – Client firmware version 5.30.
Chapter 10 Configuring Authentication Types Configuring Authentication Types Configuring Authentication Types This section describes how to configure authentication types. You attach configuration types to the access point’s SSIDs. See Chapter 7, “Configuring Multiple SSIDs,” for details on setting up multiple SSIDs.
Chapter 10 Configuring Authentication Types Configuring Authentication Types
Step 4  authentication open [mac-address list-name [alternate]] [eap list-name]
  (Optional) Set the authentication type to open for this SSID. Open authentication allows any device to authenticate and then attempt to communicate with the access point.
  • (Optional) Set the SSID’s authentication type to open with MAC address authentication.
Chapter 10 Configuring Authentication Types Configuring Authentication Types
Step 6  authentication network-eap list-name [mac-address list-name]
  (Optional) Set the authentication type for the SSID to Network-EAP. Using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key.
Chapter 10 Configuring Authentication Types Configuring Authentication Types Use the no form of the SSID commands to disable the SSID or to disable SSID features. This example sets the authentication type for the SSID batman to Network-EAP with CCKM authenticated key management. Client devices using the batman SSID authenticate using the adam server list. After they are authenticated, CCKM-enabled clients can perform fast reassociations using CCKM.
Chapter 10 Configuring Authentication Types Configuring Authentication Types Configuring Additional WPA Settings Use two optional settings to configure a pre-shared key on the access point and adjust the frequency of group key updates. Setting a Pre-Shared Key To support WPA on a wireless LAN where 802.1x-based authentication is not available, you must configure a pre-shared key on the access point. You can enter the pre-shared key as ASCII or hexadecimal characters.
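The two entry forms named above (ASCII passphrase or hexadecimal key) map to the pairwise master key in different ways. The following is an added example written for this page, not code from the guide or from Cisco IOS: it implements the IEEE 802.11i passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output) and the direct use of a 64-digit hexadecimal key. The function names and the SSID values used are assumptions made for the example.

```python
import hashlib
import re

# IEEE 802.11i passphrase-to-PSK mapping used by WPA pre-shared key mode:
# PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits). The SSID is the salt.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32
HEX_KEY_RE = re.compile(r"[0-9a-fA-F]{64}")


def pmk_from_ascii_passphrase(passphrase: str, ssid: str) -> bytes:
    """ASCII entry form: the passphrase is 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA ASCII passphrase must be 8 to 63 characters")
    if not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("WPA passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def pmk_from_hex_key(hex_key: str) -> bytes:
    """Hexadecimal entry form: 64 hex digits are the 256-bit PMK itself, no derivation."""
    if not HEX_KEY_RE.fullmatch(hex_key):
        raise ValueError("hexadecimal WPA key must be exactly 64 hex digits")
    return bytes.fromhex(hex_key)


def derive_pmk(key: str, ssid: str) -> bytes:
    """Dispatch on the two entry forms the guide names. There is no ambiguity:
    an ASCII passphrase is at most 63 characters, a hex key is exactly 64."""
    if len(key) == 64:
        return pmk_from_hex_key(key)
    return pmk_from_ascii_passphrase(key, ssid)


if __name__ == "__main__":
    # Test vector from the IEEE 802.11i annex: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # Same passphrase on another (assumed) SSID gives a different PMK.
    print(derive_pmk("password", "batman").hex())
```

Because the PMK depends only on the passphrase and the SSID, a pre-shared key network is exactly as strong as its passphrase; where the hexadecimal form is used, generate the 64 digits from a cryptographic random source rather than typing a memorable value, and prefer 802.1X key management wherever it is available, as the section above already recommends.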
Chapter 10 Configuring Authentication Types Configuring Authentication Types
Step 6  broadcast-key [vlan vlan-id] {change seconds} [membership-termination] [capability-change]
  Use the broadcast key rotation command to configure additional updates of the WPA group key.
Step 7  copy running-config startup-config
  (Optional) Save your entries in the configuration file.
Chapter 10 Configuring Authentication Types Configuring Authentication Types Use the no form of the dot11 aaa mac-authen filter-cache command to disable MAC authentication caching.
Chapter 10 Configuring Authentication Types Matching Access Point and Client Device Authentication Types
Step 6  countermeasure tkip hold-time seconds
  Configure a TKIP MIC failure hold time. If the access point detects two MIC failures within 60 seconds, it blocks all the TKIP clients on that interface for the hold-time period.
Step 7  end
  Return to privileged EXEC mode.
Step 8  copy running-config startup-config
  (Optional) Save your entries in the configuration file.
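The hold-time rule in Step 6 (two MIC failures within 60 seconds block every TKIP client on the interface for the hold time) is a small state machine worth seeing end to end. The following is an added example written for this page, not the access point's implementation and not code from the guide: it models the per-interface counter, the 60-second window and the hold-down, and shows that clients using a cipher suite other than TKIP are unaffected. The class and method names, and the client names and timestamps, are assumptions for the example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List

MIC_FAILURE_WINDOW = 60.0  # seconds; the guide's trigger is two MIC failures within 60 seconds


@dataclass
class TkipCountermeasures:
    """Per-radio-interface model of the TKIP MIC failure hold time. It is an
    educational model, not the access point's implementation."""
    hold_time: float                              # seconds, from 'countermeasure tkip hold-time'
    blocked_until: float = 0.0
    failures: Deque[float] = field(default_factory=deque)
    events: List[str] = field(default_factory=list)

    def tkip_blocked(self, now: float) -> bool:
        return now < self.blocked_until

    def report_mic_failure(self, now: float, client: str) -> bool:
        """Record a Michael MIC failure from one client. Returns True when this
        failure is the second inside the window and so starts a hold-down."""
        self.failures.append(now)
        while self.failures and now - self.failures[0] > MIC_FAILURE_WINDOW:
            self.failures.popleft()            # forget failures older than 60 s
        self.events.append(f"t={now:.0f} mic-failure client={client}")
        if len(self.failures) >= 2 and not self.tkip_blocked(now):
            self.blocked_until = now + self.hold_time
            self.failures.clear()
            self.events.append(
                f"t={now:.0f} countermeasures: TKIP clients blocked until t={self.blocked_until:.0f}")
            return True
        return False

    def admit(self, now: float, client: str, cipher: str) -> bool:
        """Association decision: during the hold-down every TKIP client on the
        interface is refused, including clients that never sent a bad MIC; clients
        using another cipher suite (for example AES-CCMP) are unaffected."""
        blocked = cipher.upper() == "TKIP" and self.tkip_blocked(now)
        self.events.append(
            f"t={now:.0f} assoc client={client} cipher={cipher} {'refused' if blocked else 'admitted'}")
        return not blocked


if __name__ == "__main__":
    # Constructed timeline: two failures 30 s apart trigger a 60 s hold-down.
    cm = TkipCountermeasures(hold_time=60)
    cm.report_mic_failure(0, "client-a")
    cm.report_mic_failure(30, "client-b")
    cm.admit(40, "client-c", "TKIP")
    cm.admit(40, "client-c", "AES-CCMP")
    cm.admit(91, "client-c", "TKIP")
    print("\n".join(cm.events))
```

The model makes the operational trade-off visible: a longer hold time limits how often an attacker who can inject forged frames gets to trigger the countermeasure, but every TKIP client on the interface loses service for that period, so the event log above is the kind of record a monitoring system should alert on.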
Chapter 10 Configuring Authentication Types Matching Access Point and Client Device Authentication Types
Table 10-3 Client and Access Point Security Settings (continued)
Security Feature: EAP-FAST authentication with WPA
Client Setting: Enable EAP-FAST and Wi-Fi Protected Access (WPA) and enable automatic provisioning or import a PAC file.
Access Point Setting: Select a cipher suite that includes TKIP, set up and enable WEP, and enable Network-EAP and WPA for the SSID.
Chapter 10 Configuring Authentication Types Matching Access Point and Client Device Authentication Types
Table 10-3 Client and Access Point Security Settings (continued)
Client Setting: If using ACU to configure card: Enable Host Based EAP and Use Dynamic WEP Keys in ACU and select Enable network access control using IEEE 802.
CHAPTER 11 Configuring WDS, Fast Secure Roaming, and Radio Management
This chapter describes how to configure your access points for wireless domain services (WDS), fast, secure roaming of client devices, and radio management.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Understanding WDS Understanding WDS When you configure Wireless Domain Services on your network, access points on your wireless LAN use the WDS device (either an access point or a switch configured as the WDS device) to provide fast, secure roaming for client devices and to participate in radio management. If you use a switch as the WDS device, the switch must be equipped with a Wireless LAN Services Module (WLSM).
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Understanding Fast Secure Roaming Role of Access Points Using the WDS Device The access points on your wireless LAN interact with the WDS device in these activities: • Discover and track the current WDS device and relay WDS advertisements to the wireless LAN. • Authenticate with the WDS device and establish a secure communication channel to the WDS device. • Register associated client devices with the WDS device.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Understanding Radio Management
Figure 11-2 Client Reassociation Using CCKM and a WDS Access Point (wired LAN; access point; WDS access point or switch providing Wireless Domain Services; authentication server; roaming client device; messages: reassociation request, pre-registration request, pre-registration reply, reassociation response)
The WDS device maintains a cache of credentials for CCKM-capable client devices on your wireless LAN.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Understanding Layer 3 Mobility IP-Based Wireless Domain Services You use IP-based WDS to configure the access point with the IP address of its WDS device. This allows the access point to use a Cisco network infrastructure device running WDS from anywhere in the network. Layer 3 Mobility Service Through Fast Secure Roaming Tunnels The access point uses this feature to segregate WLAN clients into different mobility groups.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring WDS and Fast Secure Roaming
Figure 11-3 Required Components for Layer 3 Mobility (CiscoWorks Wireless LAN Solution Engine (WLSE); Catalyst 6500; Wireless Domain Services (WDS) on the Wireless LAN Solutions Module (WLSM); CiscoSecure ACS AAA Server; Cisco or Cisco compatible clients (version 2); infrastructure access points (registered with WDS))
Configuring WDS on the WLSM
For instructions on configuring WDS on a swit
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring WDS and Fast Secure Roaming Guidelines for WDS Follow these guidelines when configuring WDS: • If you use an access point as your WDS device, either disable the radio interfaces on the unit or use an access point that does not serve a large number of client devices. If client devices associate to the WDS access point when it starts up, the clients might wait up to 10 minutes to be authenticated.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring WDS and Fast Secure Roaming Figure 11-4 shows the required configuration for each device that participates in fast, secure roaming.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring WDS and Fast Secure Roaming On the access point that you want to configure as your primary WDS access point, follow these steps to configure the access point as the main WDS candidate: Step 1 Browse to the Wireless Services Summary page. Figure 11-5 shows the Wireless Services Summary page. Figure 11-5 Wireless Services Summary Page Step 2 Click WDS to browse to the WDS/WNM Summary page.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring WDS and Fast Secure Roaming Step 5 In the Wireless Domain Services Priority field, enter a priority number from 1 to 255 to set the priority of this WDS candidate. The WDS access point candidate with the highest number in the priority field becomes the acting WDS access point.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring WDS and Fast Secure Roaming Figure 11-7 WDS Server Groups Page Step 10 Create a group of servers to be used for 802.1x authentication for the infrastructure devices (access points) that use the WDS access point. Enter a group name in the Server Group Name field. Step 11 Select the primary server from the Priority 1 drop-down menu.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring WDS and Fast Secure Roaming Step 14 Configure the list of servers to be used for 802.1x authentication for CCKM-enabled client devices. You can specify a separate list for clients using a certain type of authentication, such as EAP, LEAP, or MAC-based, or specify a list for client devices using any type of authentication. Enter a group name for the server or servers in the Server Group Name field.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring WDS and Fast Secure Roaming Configuring Access Points to use the WDS Device Follow these steps to configure an access point to authenticate through the WDS device and participate in CCKM: Step 1 Browse to the Wireless Services Summary page. Step 2 Click AP to browse to the Wireless Services AP page. Figure 11-8 shows the Wireless Services AP page.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring WDS and Fast Secure Roaming Step 7 (Optional) Select Enable for the L3 Mobility Service via IP/GRE Tunnel setting to configure the access point to participate in Layer 3 mobility.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring WDS and Fast Secure Roaming Enabling Layer 3 Mobility on an SSID Use the Network ID entry field on the SSID Manager page to map an SSID to a specific mobility network ID. Figure 11-9 shows the SSID Manager page.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring WDS and Fast Secure Roaming Figure 11-10 Network Configuration Page Step 2 Click Add Entry under the AAA Clients table. The Add AAA Client page appears. Figure 11-11 shows the Add AAA Client page.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring WDS and Fast Secure Roaming Figure 11-11 Add AAA Client Page Step 3 In the AAA Client Hostname field, enter the name of the WDS device. Step 4 In the AAA Client IP Address field, enter the IP address of the WDS device. Step 5 In the Key field, enter exactly the same password that is configured on the WDS device. Step 6 From the Authenticate Using drop-down menu, select RADIUS (Cisco Aironet). Step 7 Click Submit.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring WDS and Fast Secure Roaming Figure 11-12 User Setup Page Step 10 Enter the name of the access point in the User field. Step 11 Click Add/Edit. Step 12 Scroll down to the User Setup box. Figure 11-13 shows the User Setup box.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring WDS and Fast Secure Roaming Figure 11-13 ACS User Setup Box Step 13 Select CiscoSecure Database from the Password Authentication drop-down menu. Step 14 In the Password and Confirm Password fields, enter exactly the same password that you entered on the access point on the Wireless Services AP page. Step 15 Click Submit. Step 16 Repeat Step 10 through Step 15 for each access point that uses the WDS device.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring WDS and Fast Secure Roaming Step 17 Browse to the System Configuration page, click Service Control, and restart ACS to apply your entries. Figure 11-14 shows the System Configuration page.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring WDS and Fast Secure Roaming Viewing WDS Information On the web-browser interface, browse to the Wireless Services Summary page to view a summary of WDS status.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring WDS and Fast Secure Roaming
Using Debug Messages
In privileged EXEC mode, use these debug commands to control the display of debug messages for devices interacting with the WDS device:
Command: debug wlccp ap {mn | wds-discovery | state}
Description: Use this command to turn on display of debug messages related to client devices (mn), the WDS discovery process, and access point authentication to the WDS device (state).
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring Radio Management Configuring Radio Management When you configure access points on your wireless LAN to use WDS, the access points automatically play a role in radio management when they interact with the WDS device. To complete the radio management configuration, you configure the WDS device to interact with the WLSE device on your network.
Chapter 11 Configuring WDS, Fast Secure Roaming, and Radio Management Configuring Radio Management Figure 11-16 WDS/WNM General Setup Page Step 4 Check the Configure Wireless Network Manager check box. Step 5 In the Wireless Network Manager IP Address field, enter the IP address of the WLSE device on your network. Step 6 Click Apply. The WDS access point is configured to interact with your WLSE device.
CHAPTER 12 Configuring RADIUS and TACACS+ Servers
This chapter describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+), which provide detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS and TACACS+ are facilitated through AAA and can be enabled only through AAA commands.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS Configuring and Enabling RADIUS This section describes how to configure and enable RADIUS.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS
RADIUS Operation
When a wireless user attempts to log in and authenticate to an access point whose access is controlled by a RADIUS server, authentication to the network occurs in the steps shown in Figure 12-1:
Figure 12-1 Sequence for EAP Authentication (wired LAN; client device, access point or bridge, server; 1. Authentication request; 3. Username (relay to server) (relay to client); 4. Authentication challenge; 5.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS Configuring RADIUS This section describes how to configure your access point to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS
• Key string
• Timeout period
• Retransmission value
You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS
Step 3  radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
  Specify the IP address or host name of the remote RADIUS server host.
  • (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS
This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting:
AP(config)# radius-server host host1
Note: You also need to configure some settings on the RADIUS server. These settings include the IP address of the access point and the key string to be shared by both the server and the access point.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS
Step 3  aaa authentication login {default | list-name} method1 [method2...]
  Create a login authentication method list.
  • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS Defining AAA Server Groups You can configure the access point to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS
Step 3  radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
  Specify the IP address or host name of the remote RADIUS server host.
  • (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS
Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:
Step 1  configure terminal
  Enter global configuration mode.
Step 2  aaa authorization network radius
  Configure the access point for user RADIUS authorization for all network-related service requests.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS
Selecting the CSID Format
You can select the format for MAC addresses in Called-Station-ID (CSID) and Calling-Station-ID attributes in RADIUS packets. Use the dot11 aaa csid global configuration command to select the CSID format. Table 12-1 lists the format options with corresponding MAC address examples.
Table 12-1 CSID Format Options
Option: default  MAC Address Example: 0007.85b3.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS
Step 6  radius-server attribute 32 include-in-access-req format %h
  Configure the access point to send its system name in the NAS_ID attribute for authentication.
Step 7  end
  Return to privileged EXEC mode.
Step 8  show running-config
  Verify your settings.
Step 9  copy running-config startup-config
  (Optional) Save your entries in the configuration file.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS
Step 1  configure terminal
  Enter global configuration mode.
Step 2  radius-server vsa send [accounting | authentication]
  Enable the access point to recognize and use VSAs as defined by RADIUS IETF attribute 26.
  • (Optional) Use the accounting keyword to limit the set of recognized vendor-specific attributes to only accounting attributes.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS
Step 3  radius-server key string
  Specify the shared secret text string used between the access point and the vendor-proprietary RADIUS server. The access point and the RADIUS server use this text string to encrypt passwords and exchange responses.
  Note: The key is a text string that must match the encryption key used on the RADIUS server.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS
Beginning in privileged EXEC mode, follow these steps to specify WISPr RADIUS attributes on the access point:
Step 1  configure terminal
  Enter global configuration mode.
Step 2  snmp-server location location
  Specify the WISPr location-name attribute.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS RADIUS Attributes Sent by the Access Point Table 12-2 through Table 12-6 identify the attributes sent by an access point to a client in access-request, access-accept, and accounting-request packets.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS
Table 12-4 Attributes Sent in Accounting-Request (start) Packets
Attribute ID  Description
1   User-Name
4   NAS-IP-Address
5   NAS-Port
6   Service-Type
25  Class
41  Acct-Delay-Time
44  Acct-Session-Id
61  NAS-Port-Type
VSA (attribute 26)  SSID
VSA (attribute 26)  NAS-Location
VSA (attribute 26)  Cisco-NAS-Port
VSA (attribute 26)  Interface
Table 12-5 Attributes Sent in Accounting-Request (update) Packets
Attrib
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS
Table 12-6 Attributes Sent in Accounting-Request (stop) Packets
Attribute ID  Description
1   User-Name
4   NAS-IP-Address
5   NAS-Port
6   Service-Type
25  Class
41  Acct-Delay-Time
42  Acct-Input-Octets
43  Acct-Output-Octets
44  Acct-Session-Id
46  Acct-Session-Time
47  Acct-Input-Packets
48  Acct-Output-Packets
49  Acct-Terminate-Cause
61  NAS-Port-Type
VSA (attribute 26)  SSID
VSA (attribute 26)  NAS
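Tables 12-4 to 12-6 list what the access point puts into its accounting packets; on the receiving side, a RADIUS server must validate the packet before it trusts any of those attributes. The following is an added example written for this page, not code from the guide, from Cisco IOS or from any RADIUS server: it builds a constructed Accounting-Request (stop) carrying the Table 12-6 attributes, recomputes the RFC 2866 Request Authenticator (MD5 over code, identifier, length, sixteen zero octets, the attributes and the shared secret), and decodes the attributes, including the attribute 26 vendor-specific wrapper. Acct-Status-Type (40) is not in the guide's tables but RFC 2866 requires it in every Accounting-Request, so it is included here; the shared secret, user name, addresses and the "ssid=..." vendor value are constructed sample values (Cisco's vendor id 9 is real; the sub-attribute layout of the guide's SSID VSA is an assumption).

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

# Attribute numbers from Tables 12-4 to 12-6, plus Acct-Status-Type (40) from RFC 2866.
ATTRIBUTE_NAMES = {
    1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type", 25: "Class",
    26: "Vendor-Specific", 40: "Acct-Status-Type", 41: "Acct-Delay-Time",
    42: "Acct-Input-Octets", 43: "Acct-Output-Octets", 44: "Acct-Session-Id",
    46: "Acct-Session-Time", 47: "Acct-Input-Packets", 48: "Acct-Output-Packets",
    49: "Acct-Terminate-Cause", 61: "NAS-Port-Type",
}
INTEGER_ATTRS = {5, 6, 40, 41, 42, 43, 46, 47, 48, 49, 61}
ACCOUNTING_REQUEST = 4
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
SHARED_SECRET = b"constructed-example-secret"  # stands in for the radius-server key string


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Attribute 26: a 4-byte vendor id followed by one vendor sub-TLV."""
    return encode_attr(26, struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value)


def build_accounting_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Accounting-Request whose Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the authenticator; a mismatch means a wrong secret or a modified packet."""
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def parse_accounting_request(packet: bytes, secret: bytes) -> Dict[str, object]:
    """Validate header, Length and authenticator, then decode the attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with packet")
    packet = packet[:length]  # octets beyond Length are padding and are ignored
    if not verify_request_authenticator(packet, secret):
        raise ValueError("bad Request Authenticator: wrong shared secret or tampered packet")
    fields: Dict[str, object] = {"Identifier": identifier}
    vsas: List[Tuple[int, int, bytes]] = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length for attribute {atype}")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype == 26:
            if len(value) < 6 or value[5] != len(value) - 4:
                raise ValueError("malformed Vendor-Specific attribute")
            vendor_id, vendor_type = struct.unpack("!IB", value[:5])
            vsas.append((vendor_id, vendor_type, value[6:]))
        elif atype == 4:
            if len(value) != 4:
                raise ValueError("NAS-IP-Address must be 4 octets")
            fields["NAS-IP-Address"] = ".".join(str(b) for b in value)
        elif atype in INTEGER_ATTRS:
            if len(value) != 4:
                raise ValueError(f"integer attribute {atype} must be 4 octets")
            fields[ATTRIBUTE_NAMES[atype]] = struct.unpack("!I", value)[0]
        elif atype == 25:
            fields["Class"] = value.hex()  # opaque value echoed from the Access-Accept
        else:
            fields[ATTRIBUTE_NAMES.get(atype, f"Attr-{atype}")] = value.decode("utf-8", "replace")
    fields["Vendor-Specific"] = vsas
    fields["Acct-Status"] = ACCT_STATUS.get(fields.get("Acct-Status-Type"), "unknown")
    return fields


def sample_stop_packet() -> bytes:
    """Constructed Accounting-Request (stop) with the Table 12-6 attributes."""
    attrs = b"".join([
        encode_attr(1, b"alice"),
        encode_attr(4, bytes([10, 0, 0, 5])),
        encode_attr(5, struct.pack("!I", 1)),
        encode_attr(40, struct.pack("!I", 2)),        # Acct-Status-Type = Stop
        encode_attr(42, struct.pack("!I", 123456)),
        encode_attr(43, struct.pack("!I", 654321)),
        encode_attr(44, b"0000001a"),
        encode_attr(46, struct.pack("!I", 3600)),
        encode_attr(49, struct.pack("!I", 1)),        # Acct-Terminate-Cause = User Request
        encode_attr(61, struct.pack("!I", 19)),       # NAS-Port-Type = Wireless-IEEE-802.11
        encode_vsa(9, 1, b"ssid=batman"),             # Cisco vendor id 9; sub-attribute layout assumed
    ])
    return build_accounting_request(7, attrs, SHARED_SECRET)
```

The order of checks matters: Length is validated against the buffer before anything is indexed, the authenticator is verified before any attribute is decoded, and every attribute length is bounded by the packet, so a malformed or unauthenticated packet is rejected before it can reach the accounting database.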
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling TACACS+
Configuring and Enabling TACACS+
This section contains this configuration information:
• Understanding TACACS+, page 12-21
• TACACS+ Operation, page 12-22
• Configuring TACACS+, page 12-22
• Displaying the TACACS+ Configuration, page 12-27
Understanding TACACS+
TACACS+ is a security application that provides centralized validation of users attempting to gain access to your access point.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling TACACS+ TACACS+ Operation When an administrator attempts a simple ASCII login by authenticating to an access point using TACACS+, this process occurs: 1. When the connection is established, the access point contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the administrator. The administrator enters a username, and the access point then contacts the TACACS+ daemon to obtain a password prompt.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling TACACS+
This section contains this configuration information:
• Default TACACS+ Configuration, page 12-23
• Identifying the TACACS+ Server Host and Setting the Authentication Key, page 12-23
• Configuring TACACS+ Login Authentication, page 12-24
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 12-25
• Starting TACACS+ Accounting, page 12-26
Default TACACS+ Configuration
TACACS+ and
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling TACACS+
Step 5  server ip-address
  (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group. Each server in the group must be previously defined in Step 2.
Step 6  end
  Return to privileged EXEC mode.
Step 7  show tacacs
  Verify your entries.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling TACACS+
Step 3  aaa authentication login {default | list-name} method1 [method2...]
  Create a login authentication method list.
  • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
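The aaa authentication login command appears in both the RADIUS and the TACACS+ procedures of this chapter, and the security of a method list depends on when the access point moves to the next method. The following is an added example written for this page, not code from the guide or from Cisco IOS: it models a method list in which a later method is consulted only when the previous one could not answer (servers unreachable), while an explicit rejection ends evaluation; that ordering rule is the editor's description of IOS AAA behaviour, not a statement taken from this page. The account names, passwords and the "group radius" / "local" list are constructed for the example.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not answer (for example, every server in the group unreachable)


Method = Callable[[str, str], Result]


def evaluate_method_list(methods: List[Tuple[str, Method]], user: str,
                         password: str) -> Tuple[bool, List[str]]:
    """Walk a method list in order. Only an ERROR hands the decision to the next
    method; a FAIL is final. An unreachable server therefore falls back to the
    next method, but a rejected login never does. If every method errors, the
    login is denied (fail closed). The trail records what each method answered."""
    trail: List[str] = []
    for name, method in methods:
        result = method(user, password)
        trail.append(f"{name}:{result.value}")
        if result is Result.PASS:
            return True, trail
        if result is Result.FAIL:
            return False, trail
    return False, trail


def server_group(accounts: Dict[str, str], reachable: bool) -> Method:
    """Constructed stand-in for 'group radius' or 'group tacacs+'."""
    def method(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if accounts.get(user) == password else Result.FAIL
    return method


def local_database(accounts: Dict[str, str]) -> Method:
    """Constructed stand-in for the 'local' method: username/password pairs held
    on the access point itself, which is always reachable."""
    return server_group(accounts, reachable=True)


# Constructed accounts: the AAA server knows alice; only the access point's local database knows admin.
SERVER_ACCOUNTS = {"alice": "radius-pw"}
LOCAL_ACCOUNTS = {"admin": "local-pw"}


def login(user: str, password: str, servers_reachable: bool) -> Tuple[bool, List[str]]:
    """Model of: aaa authentication login default group radius local"""
    default_list = [
        ("group radius", server_group(SERVER_ACCOUNTS, servers_reachable)),
        ("local", local_database(LOCAL_ACCOUNTS)),
    ]
    return evaluate_method_list(default_list, user, password)


if __name__ == "__main__":
    for user, pw, up in [("alice", "radius-pw", True), ("admin", "local-pw", True),
                         ("admin", "local-pw", False), ("alice", "radius-pw", False)]:
        ok, trail = login(user, pw, up)
        print(f"{user:5} servers_up={up!s:5} -> {'accept' if ok else 'deny'}  {trail}")
```

The second case is the one worth remembering when you design the list: with the servers up, a local-only account is rejected by the server group and the local method is never consulted, so a local fallback account only works during an outage. The trail list is what an audit log should capture, because "local:pass" while servers are reachable would indicate a configuration different from the one intended.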
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling TACACS+
The aaa authorization exec tacacs+ local command sets these authorization parameters:
• Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+.
• Use the local database if authentication was not performed by using TACACS+.
Note: Authorization is bypassed for authenticated administrators who log in through the CLI even if authorization has been configured.
Chapter 12 Configuring RADIUS and TACACS+ Servers Configuring and Enabling TACACS+
Step 5  show running-config
  Verify your entries.
Step 6  copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1... global configuration command.
Displaying the TACACS+ Configuration
To display TACACS+ server statistics, use the show tacacs privileged EXEC command.
CHAPTER 13 Configuring VLANs
This chapter describes how to configure your access point to operate with the VLANs set up on your wired LAN.
Chapter 13 Configuring VLANs Understanding VLANs Understanding VLANs A VLAN is a switched network that is logically segmented, by functions, project teams, or applications rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup team can be connected to the same VLAN, regardless of their physical connections to the network or the fact that they might be intermingled with other teams.
Chapter 13 Configuring VLANs Understanding VLANs
Figure 13-1 LAN and VLAN Segmentation with Wireless Devices (panels: Traditional LAN segmentation; VLAN segmentation. Labels: VLAN 1, VLAN 2, VLAN 3; LAN 1, LAN 2, LAN 3; Floor 1, Floor 2, Floor 3; Catalyst VLAN switch; Shared hub; Trunk port; SSID 0; SSID 1 = VLAN1; SSID 2 = VLAN2; SSID 3 = VLAN3)
Related Documents
These documents provide more detailed information pe
Chapter 13 Configuring VLANs Configuring VLANs Incorporating Wireless Devices into VLANs The basic wireless components of a VLAN consist of an access point and a client associated to it using wireless technology. The access point is physically connected through a trunk port to the network VLAN switch on which the VLAN is configured. The physical connection to the VLAN switch is through the access point’s Ethernet port.
Chapter 13 Configuring VLANs Configuring VLANs This section describes how to assign SSIDs to VLANs and how to enable a VLAN on the access point radio and Ethernet ports. For detailed instructions on assigning authentication types to SSIDs, see Chapter 10, “Configuring Authentication Types.” For instructions on assigning other settings to SSIDs, see Chapter 7, “Configuring Multiple SSIDs.
Chapter 13 Configuring VLANs Configuring VLANs
ap1200(config-if)# ssid batman
ap1200(config-ssid)# vlan 1
ap1200(config-ssid)# exit
ap1200(config)# interface dot11radio0.1
ap1200(config-subif)# encapsulation dot1q 1 native
ap1200(config-subif)# exit
ap1200(config)# interface fastEthernet0.
Chapter 13 Configuring VLANs VLAN Configuration Example
   vLAN Trunk Interfaces:   Dot11Radio0
                            FastEthernet0
                            Virtual-Dot11Radio0
   Protocols Configured:   Address:          Received:   Transmitted:
        Bridging        Bridge Group 1       201688      0
        Bridging        Bridge Group 1       201688      0
        Bridging        Bridge Group 1       201688      0
Virtual LAN ID:  2 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interfaces:   FastEthernet0.2
                            Virtual-Dot11Radio0.2
   Protocols Configured:   Address:          Received:   Transmitted:
Dot11Radio0.
Chapter 13 Configuring VLANs VLAN Configuration Example
4. Configure VLAN 1, the Management VLAN, on both the fastethernet and dot11radio interfaces on the access point. You should make this VLAN the native VLAN.
5. Configure VLANs 2 and 3 on both the fastethernet and dot11radio interfaces on the access point.
6. Configure the client devices.
Table 13-2 shows the commands needed to configure the three VLANs in this example.
Chapter 13 Configuring VLANs VLAN Configuration Example
Table 13-3 shows the results of the configuration commands in Table 13-2. Use the show running command to display the running configuration on the access point.
Table 13-3 Results of Example Configuration Commands
VLAN 1 Interfaces | VLAN 2 Interfaces | VLAN 3 Interfaces
interface Dot11Radio0.
CHAPTER 14 Configuring QoS
This chapter describes how to configure quality of service (QoS) on your access point. With this feature, you can provide preferential treatment to certain traffic at the expense of others. Without QoS, the access point offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Chapter 14 Configuring QoS Understanding QoS for Wireless LANs Understanding QoS for Wireless LANs Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
Chapter 14 Configuring QoS Understanding QoS for Wireless LANs To contrast the wireless LAN QoS implementation with the QoS implementation on other Cisco network devices, see the Cisco IOS Quality of Service Solutions Configuration Guide at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/index.htm Impact of QoS on a Wireless LAN Wireless LAN QoS features are a subset of the proposed 802.11e draft.
Chapter 14 Configuring QoS Configuring QoS 2. QoS Element for Wireless Phones setting—If you enable the QoS Element for Wireless Phones setting, traffic from voice clients takes priority over other traffic regardless of other policy settings. The QoS Element for Wireless Phones setting takes precedence over other policies, second only to previously assigned packet classifications. 3.
Chapter 14 Configuring QoS Configuring QoS Figure 14-2 QoS Policies Page Step 3 With selected in the Create/Edit Policy field, type a name for the QoS policy in the Policy Name entry field. The name can contain up to 25 alphanumeric characters. Do not include spaces in the policy name.
Chapter 14 Configuring QoS Configuring QoS Step 4 Step 5 If the packets that you need to prioritize contain IP precedence information in the IP header TOS field, select an IP precedence classification from the IP Precedence drop-down menu.
Chapter 14 Configuring QoS Configuring QoS • Class Selector 1 • Class Selector 2 • Class Selector 3 • Class Selector 4 • Class Selector 5 • Class Selector 6 • Class Selector 7 • Expedited Forwarding Step 8 Use the Apply Class of Service drop-down menu to select the class of service that the access point will apply to packets of the type that you selected from the IP DSCP menu. The access point matches your IP DSCP selection with your class of service selection.
Chapter 14 Configuring QoS Configuring QoS Step 19 Click the Apply button at the bottom of the page to apply the policies to the access point ports. Step 20 If you want the access point to give priority to all voice packets regardless of VLAN, click the Advanced tab. Figure 14-3 shows the QoS Policies - Advanced page. Figure 14-3 QoS Policies - Advanced Page Select Enable and click Apply to give top priority to all voice packets.
The values listed in Table 14-2 are exponents of 2. The access point computes Contention Window values with this equation: CW = 2^X - 1, where X is the value from Table 14-2.
Chapter 14 Configuring QoS QoS Configuration Examples Disabling IGMP Snooping Helper When Internet Group Membership Protocol (IGMP) snooping is enabled on a switch and a client roams from one access point to another, the client’s multicast session is dropped. When the access point’s IGMP snooping helper is enabled, the access point sends a general IGMP query to the network infrastructure on behalf of the client every time the client associates or reassociates to the access point.
Chapter 14 Configuring QoS QoS Configuration Examples Figure 14-5 QoS Policies Page for Voice Example The network administrator also enables the QoS element for wireless phones setting on the QoS Policies - Advanced page. This setting gives priority to all voice traffic regardless of VLAN.
Chapter 14 Configuring QoS QoS Configuration Examples Giving Priority to Video Traffic This section demonstrates how you could apply a QoS policy to a VLAN on your network dedicated to video traffic. In this example, the network administrator creates a policy named video_policy that applies video class of service to video traffic. The user applies the video_policy to the incoming and outgoing radio ports and to the outgoing Ethernet port. Figure 14-6 shows the administrator’s QoS Policies page.
C H A P T E R 15 Configuring Proxy Mobile IP This chapter describes how to configure your access point’s proxy Mobile IP feature.
Chapter 15 Configuring Proxy Mobile IP Understanding Proxy Mobile IP Understanding Proxy Mobile IP These sections explain how access points conduct proxy Mobile IP: • Overview, page 15-2 • Components of a Proxy Mobile IP Network, page 15-2 • How Proxy Mobile IP Works, page 15-3 • Proxy Mobile IP Security, page 15-6 Overview The access point’s proxy Mobile IP feature works in conjunction with the Mobile IP feature in Cisco IOS software.
Chapter 15 Configuring Proxy Mobile IP Understanding Proxy Mobile IP • An authoritative access point on your network supporting proxy Mobile IP. The authoritative access point uses a subnet map to keep track of the home agent information for all visiting client devices. • A home agent. The home agent is a router on the visiting client’s home network that serves as the anchor point for communication with the access point and the visiting client.
Chapter 15 Configuring Proxy Mobile IP Understanding Proxy Mobile IP The IRDP advertisements carry Mobile IP extensions that specify whether an agent is a home agent, foreign agent, or both; its care-of address; the types of services it provides, such as reverse tunneling and generic routing encapsulation (GRE); and the allowed registration lifetime or roaming period for visiting client devices. Rather than waiting for agent advertisements, an access point can send out an agent solicitation.
Chapter 15 Configuring Proxy Mobile IP Understanding Proxy Mobile IP When a client device associates to an access point and the access point determines that the client is visiting from another network, the access point performs a longest-match lookup on its subnet map table and obtains the home agent address for the visiting client. When the access point has the home agent address, it can proceed to the registration step.
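The longest-match lookup described above, as an added illustration that is not Cisco IOS code: a visiting client is one whose address lies outside the access point's own subnet, and its home agent is taken from the most specific subnet-map entry that contains it. The access point subnet, map entries and home-agent addresses are constructed sample values.

```python
"""Model of the proxy Mobile IP subnet-map lookup (added example, not IOS code)."""
import ipaddress
from typing import List, Optional, Tuple


class SubnetMap:
    """Home subnets mapped to home-agent addresses; the most specific prefix wins."""

    def __init__(self) -> None:
        self._entries: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add(self, subnet: str, home_agent: str) -> None:
        net = ipaddress.ip_network(subnet, strict=True)
        ipaddress.ip_address(home_agent)  # validate the home-agent address syntax
        self._entries.append((net, home_agent))
        # Longest prefixes first, so the first containing network is the longest match.
        self._entries.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, client_ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(client_ip)
        for net, home_agent in self._entries:
            if addr in net:
                return home_agent
        return None  # home network not in the map: registration cannot proceed


def is_visiting(ap_subnet: str, client_ip: str) -> bool:
    """A client is visiting when its address is outside the access point's own subnet."""
    return ipaddress.ip_address(client_ip) not in ipaddress.ip_network(ap_subnet, strict=True)


def home_agent_for(ap_subnet: str, subnet_map: SubnetMap, client_ip: str) -> Optional[str]:
    """Home agent to register with, or None for a local client or an unmapped visitor."""
    if not is_visiting(ap_subnet, client_ip):
        return None
    return subnet_map.lookup(client_ip)


def build_sample_map() -> SubnetMap:
    """Constructed sample map; the overlapping prefixes exercise the longest-match rule."""
    m = SubnetMap()
    m.add("10.91.0.0/16", "10.91.0.1")    # campus-wide home agent
    m.add("10.91.8.0/24", "10.91.8.1")    # more specific subnet with its own home agent
    m.add("172.16.0.0/12", "172.16.0.1")
    return m


if __name__ == "__main__":
    sample = build_sample_map()
    for client in ("10.91.7.160", "10.91.8.25", "10.91.9.5", "172.20.1.1", "192.168.1.1"):
        print(client, "->", home_agent_for("10.91.7.0/24", sample, client))
```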
Chapter 15 Configuring Proxy Mobile IP Configuring Proxy Mobile IP Typically, the visiting client sends packets as it normally would. The access point intercepts these packets and sends them to the foreign agent, which routes them to their final destination, the correspondent node. GRE Encapsulation Instead of IPinIP Encapsulation, you can select GRE encapsulation. Use the ip proxy-mobile tunnel gre command to select GRE encapsulation.
Chapter 15 Configuring Proxy Mobile IP Configuring Proxy Mobile IP Configuration Guidelines Before configuring proxy Mobile IP, you should consider these guidelines: • You can enable proxy Mobile IP only on root access points (units connected to the wired LAN). You cannot enable proxy Mobile IP on repeater access points. • Access points participating in proxy Mobile IP should be configured with gateway addresses.
Chapter 15 Configuring Proxy Mobile IP Configuring Proxy Mobile IP Configuring Proxy Mobile IP on Your Access Point Beginning in privileged EXEC mode, follow these steps to configure proxy Mobile IP on your access point: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip proxy-mobile enable Enable proxy Mobile IP on the access point.
Chapter 15 Configuring Proxy Mobile IP Configuring Proxy Mobile IP Use the no form of the ip proxy-mobile commands to disable proxy Mobile IP. Use the ip proxy-mobile pause command to disable proxy Mobile IP without losing your proxy Mobile IP configuration. This example shows how to enable proxy Mobile IP on an access point for the SSID tsunami for IP addresses from 10.91.7.151 to 10.91.7.176: ap1200# configure terminal ap1200(config)# ip proxy-mobile enable ap1200(config)# ip proxy-mobile aap 192.168.
C H A P T E R 16 Configuring Filters This chapter describes how to configure and manage MAC address, IP, and Ethertype filters on the access point using the web-browser interface.
Chapter 16 Configuring Filters Understanding Filters Understanding Filters Protocol filters (IP protocol, IP port, and Ethertype) prevent or allow the use of specific protocols through the access point’s Ethernet and radio ports. You can set up individual protocol filters or sets of filters. You can filter protocols for wireless client devices, users on the wired LAN, or both.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Configuring and Enabling MAC Address Filters MAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific MAC addresses. You can create a filter that passes traffic to all MAC addresses except those you specify, or you can create a filter that blocks traffic to all MAC addresses except those you specify.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface 2. In the Services page list, click Filters. 3. On the Apply Filters page, click the MAC Address Filters tab at the top of the page. Creating a MAC Address Filter Follow these steps to create a MAC address filter: Step 1 Follow the link path to the MAC Address Filters page. Step 2 If you are creating a new MAC address filter, make sure (the default) is selected in the Create/Edit Filter Index menu.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Figure 16-2 Apply Filters Page Step 12 Select the filter number from one of the MAC drop-down menus. You can apply the filter to either or both the Ethernet and radio ports, and to either or both incoming and outgoing packets. Step 13 Click Apply. The filter is enabled on the selected ports. If clients are not filtered immediately, click Reload on the System Configuration page to restart the access point.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Step 2 Click Security to browse to the Security Summary page. Figure 16-3 shows the Security Summary page.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Step 3 Click Advanced Security to browse to the Advanced Security: MAC Address Authentication page. Figure 16-4 shows the MAC Address Authentication page.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Step 4 Click the Association Access List tab to browse to the Association Access List page. Figure 16-5 shows the Association Access List page. Figure 16-5 Association Access List Page Step 5 Select your MAC address ACL from the drop-down menu. Step 6 Click Apply.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Use the IP Filters page to create IP filters for the access point. Figure 16-6 shows the IP Filters page. Figure 16-6 IP Filters Page Follow this link path to reach the IP Filters page: 1. Click Services in the page navigation bar.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface 2. In the Services page list, click Filters. 3. On the Apply Filters page, click the IP Filters tab at the top of the page. Creating an IP Filter Follow these steps to create an IP filter: Step 1 Follow the link path to the IP Filters page. Step 2 If you are creating a new filter, make sure (the default) is selected in the Create/Edit Filter Index menu.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Step 14 Click Add. The protocol appears in the Filters Classes field. To remove the protocol from the Filters Classes list, select it and click Delete Class. Repeat Step 12 to Step 14 to add protocols to the filter. Step 15 When the filter is complete, click Apply. The filter is saved on the access point, but it is not enabled until you apply it on the Apply Filters page.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Figure 16-8 Ethertype Filters Page Follow this link path to reach the Ethertype Filters page: 1. Click Services in the page navigation bar. 2. In the Services page list, click Filters. 3. On the Apply Filters page, click the Ethertype Filters tab at the top of the page. Creating an Ethertype Filter Follow these steps to create an Ethertype filter: Step 1 Follow the link path to the Ethertype Filters page.
Chapter 16 Configuring Filters Configuring Filters Using the Web-Browser Interface Step 7 Click Add. The Ethertype appears in the Filters Classes field. To remove the Ethertype from the Filters Classes list, select it and click Delete Class. Repeat Step 4 through Step 7 to add Ethertypes to the filter. Step 8 Select Forward All or Block All from the Default Action menu. The filter’s default action must be the opposite of the action for at least one of the Ethertypes in the filter.
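The MAC address and Ethertype filters described above share one shape: a set of classes, each with its own Forward or Block action, plus a default action for everything else. This added example (not Cisco IOS code) models that shape, enforces the rule that the default action must be the opposite of at least one class, and evaluates sample frames; the MAC addresses and Ethertype values are constructed, and the tie-break when a frame's source and destination both match with different actions is this model's own assumption.

```python
"""Model of access point MAC address and Ethertype filters (added example, not IOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Union

FORWARD = "forward"
BLOCK = "block"


@dataclass
class Filter:
    default_action: str
    classes: Dict[Union[str, int], str] = field(default_factory=dict)

    @staticmethod
    def _norm(key: Union[str, int]) -> Union[str, int]:
        """Ethertypes are ints; MAC addresses accept aaaa.bbbb.cccc or aa:bb:cc:dd:ee:ff."""
        if isinstance(key, int):
            return key
        hexdigits = key.replace(".", "").replace(":", "").replace("-", "").lower()
        if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
            raise ValueError(f"bad MAC address {key!r}")
        return hexdigits

    def add_class(self, key: Union[str, int], action: str) -> None:
        if action not in (FORWARD, BLOCK):
            raise ValueError(f"unknown action {action!r}")
        self.classes[self._norm(key)] = action

    def validate(self) -> bool:
        """A filter only does something when at least one class differs from the default."""
        return any(a != self.default_action for a in self.classes.values())

    def action_for(self, key: Union[str, int]) -> str:
        """Ethertype-style decision: one value, class action or default."""
        return self.classes.get(self._norm(key), self.default_action)


def mac_filter_decision(flt: Filter, src_mac: str, dst_mac: str) -> str:
    """MAC filters match frames sent from OR addressed to a listed address.

    If both addresses are listed with different actions, this model lets Block win
    (an assumption of the model, not documented access point behaviour).
    """
    matched: List[str] = [flt.classes[k] for k in (flt._norm(src_mac), flt._norm(dst_mac))
                          if k in flt.classes]
    if not matched:
        return flt.default_action
    return BLOCK if BLOCK in matched else FORWARD


if __name__ == "__main__":
    # Constructed sample: forward everything except frames to/from one station.
    mac_filter = Filter(default_action=FORWARD)
    mac_filter.add_class("0040.9612.3456", BLOCK)
    print("MAC filter valid:", mac_filter.validate())
    print(mac_filter_decision(mac_filter, "0040.9612.3456", "ffff.ffff.ffff"))

    # Constructed sample: block all Ethertypes except IPv4 (0x0800) and ARP (0x0806).
    eth_filter = Filter(default_action=BLOCK)
    eth_filter.add_class(0x0800, FORWARD)
    eth_filter.add_class(0x0806, FORWARD)
    print("Ethertype 0x8137:", eth_filter.action_for(0x8137))
```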
C H A P T E R 17 Configuring CDP This chapter describes how to configure Cisco Discovery Protocol (CDP) on your access point. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco Aironet 1200 Series Access Point Command Reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
Chapter 17 Configuring CDP Understanding CDP Understanding CDP Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices. Information in CDP packets is used in network management software such as CiscoWorks2000. CDP is enabled on the access point’s Ethernet port by default.
Chapter 17 Configuring CDP Configuring CDP Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 cdp holdtime seconds (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is from 10 to 255 seconds; the default is 180 seconds. Step 3 cdp timer seconds (Optional) Set the transmission frequency of CDP updates in seconds. The range is from 5 to 254; the default is 60 seconds.
Chapter 17 Configuring CDP Monitoring and Maintaining CDP This example shows how to enable CDP. AP# configure terminal AP(config)# cdp run AP(config)# end Disabling and Enabling CDP on an Interface CDP is enabled by default on all supported interfaces to send and receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 17 Configuring CDP Monitoring and Maintaining CDP Command Description show cdp Display global information, such as frequency of transmissions and the holdtime for packets being sent. show cdp entry entry-name [protocol | version] Display information about a specific neighbor. You can enter an asterisk (*) to display all CDP neighbors, or you can enter the name of the neighbor about which you want information.
Interface: GigabitEthernet0/1, Holdtime : 141 sec
Port ID (outgoing port): FastEthernet0/10
Version :
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.1)XP, MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-1999 by cisco Systems, Inc.
Perdido2         Gig 0/6          125        R S I      WS-C3550-1  Gig 0/6
Perdido2         Gig 0/5          125        R S I      WS-C3550-1  Gig 0/5
AP# show cdp traffic
CDP counters :
Total packets output: 50882, Input: 52510
Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
No memory: 0, Invalid packet: 0, Fragmented: 0
CDP version 1 advertisements output: 0, Input: 0
CDP version 2 advertisements output: 50882, Input: 52510
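The error counters in the show cdp traffic output above (header syntax, checksum, invalid packet) are the first place to look when CDP frames on a segment are malformed. As an added example that is not Cisco's code, this parser turns that output into a dictionary of counters and reports the non-zero error counters; the sample output is constructed in the same format, with two error counters deliberately non-zero.

```python
"""Parse `show cdp traffic` output and flag error counters (added example, not IOS code)."""
import re
from typing import Dict

# Constructed sample in the format of the show cdp traffic output above.
SAMPLE_OUTPUT = """\
CDP counters :
Total packets output: 50882, Input: 52510
Hdr syntax: 0, Chksum error: 3, Encaps failed: 0
No memory: 0, Invalid packet: 2, Fragmented: 0
CDP version 1 advertisements output: 0, Input: 0
CDP version 2 advertisements output: 50882, Input: 52508
"""

ERROR_COUNTERS = ("Hdr syntax", "Chksum error", "Encaps failed",
                  "No memory", "Invalid packet", "Fragmented")

# "<name>: <integer>" pairs; names are letters, digits and spaces.
_PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(\d+)")


def parse_cdp_traffic(text: str) -> Dict[str, int]:
    """Return every counter on the page as {name: value}.

    The bare "Input" counters are qualified by the "... output" counter that
    precedes them on the same line, so the three Input values do not collide.
    """
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        previous = None
        for name, value in _PAIR.findall(line):
            name = name.strip()
            if name == "Input" and previous:
                name = previous.replace("output", "input")
            counters[name] = int(value)
            previous = name
    return counters


def error_counters(counters: Dict[str, int]) -> Dict[str, int]:
    """Non-zero malformed-frame counters; a rising value warrants a look at the segment."""
    return {k: v for k, v in counters.items() if k in ERROR_COUNTERS and v > 0}


if __name__ == "__main__":
    parsed = parse_cdp_traffic(SAMPLE_OUTPUT)
    for name, value in parsed.items():
        print(f"{name}: {value}")
    print("errors:", error_counters(parsed))
```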
C H A P T E R 18 Configuring SNMP This chapter describes how to configure the Simple Network Management Protocol (SNMP) on your access point. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
Chapter 18 Configuring SNMP Understanding SNMP Understanding SNMP SNMP is an application-layer protocol that provides a message format for communication between SNMP managers and agents. The SNMP manager can be part of a network management system (NMS) such as CiscoWorks. The agent and management information base (MIB) reside on the access point. To configure SNMP on the access point, you define the relationship between the manager and the agent.
Chapter 18 Configuring SNMP Understanding SNMP You must configure the SNMP agent to use the version of SNMP supported by the management station. An agent can communicate with multiple managers; therefore, you can configure the software to support communications with one management station using the SNMPv1 protocol and another using the SNMPv2 protocol. SNMP Manager Functions The SNMP manager uses information in the MIB to perform the operations described in Table 18-1.
Chapter 18 Configuring SNMP Configuring SNMP • Read-write—Gives read and write access to authorized management stations to all objects in the MIB, but does not allow access to the community strings Using SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management software. CiscoWorks 2000 software uses the access point MIB variables to set device variables and to poll devices on the network for specific information.
Chapter 18 Configuring SNMP Configuring SNMP Default SNMP Configuration Table 18-2 shows the default SNMP configuration. Table 18-2 Default SNMP Configuration Feature Default Setting SNMP agent Disabled SNMP community strings No strings are configured by default. However, when you enable SNMP using the web-browser interface, the access point automatically creates the public community with read-only access to the IEEE802dot11 MIB.
Chapter 18 Configuring SNMP Configuring SNMP Beginning in privileged EXEC mode, follow these steps to configure a community string on the access point: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server community string [ access-list-number ] [ view mib-view ] [ro | rw] Configure the community string. • For string, specify a string that acts like a password and permits access to the SNMP protocol.
Chapter 18 Configuring SNMP Configuring SNMP To disable access for an SNMP community, set the community string for that community to the null string (do not enter a value for the community string). To remove a specific community string, use the no snmp-server community string global configuration command.
Beginning in privileged EXEC mode, follow these steps to configure the access point to send traps to a host: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server host host-addr {traps | informs} {version {1 | 2c}} community-string notification-type Specify the recipient of the trap message. • For host-addr, specify the name or address of the host (the targeted recipient).
Chapter 18 Configuring SNMP Configuring SNMP Setting the Agent Contact and Location Information Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server contact text Set the system contact string. For example: snmp-server contact Dial System Operator at beeper 21555.
Chapter 18 Configuring SNMP Displaying SNMP Status This example shows how to permit any SNMP manager to access all objects with read-only permission using the community string public. The access point also sends config traps to the hosts 192.180.1.111 and 192.180.1.33 using SNMPv1 and to the host 192.180.1.27 using SNMPv2C. The community string public is sent with the traps.
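The chapter above describes the community string as a password, the read-write mode, the optional access-list-number that restricts a community, and traps that carry the community string to the host. As an added audit script (not Cisco's code), the following reads snmp-server lines from a saved configuration and reports a well-known community string, a read-write community with no access list, and SNMPv1/v2c trap hosts, whose community string travels in the clear. The configuration text is constructed for the example and reuses the hosts and community from the example above; treating a host line without a version keyword as SNMPv1 is this script's assumption.

```python
"""Audit snmp-server lines in an IOS configuration (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WELL_KNOWN_STRINGS = {"public", "private"}

# Constructed sample configuration.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cret-ops 10 RW
snmp-server community k3y-view view restricted RO 12
snmp-server host 192.180.1.111 traps version 1 public config
snmp-server host 192.180.1.27 traps version 2c public config
snmp-server contact Dial System Operator at beeper 21555
"""


@dataclass
class Community:
    string: str
    mode: str = "ro"            # ro is the default when neither keyword is present
    acl: Optional[str] = None   # access-list-number restricting the managers
    view: Optional[str] = None  # mib-view restricting the visible objects


@dataclass
class TrapHost:
    host: str
    kind: str       # traps or informs
    version: str    # 1 or 2c
    community: str


def parse_community(line: str) -> Community:
    """Accept the keywords in any order: [access-list-number] [view mib-view] [ro | rw]."""
    toks = line.split()
    c = Community(string=toks[2])
    i = 3
    while i < len(toks):
        t = toks[i]
        if t.lower() == "view" and i + 1 < len(toks):
            c.view = toks[i + 1]
            i += 2
            continue
        if t.lower() in ("ro", "rw"):
            c.mode = t.lower()
        elif t.isdigit():
            c.acl = t
        i += 1
    return c


def parse_host(line: str) -> TrapHost:
    """snmp-server host host-addr {traps | informs} [version {1 | 2c}] community-string ..."""
    toks = line.split()
    host, kind = toks[2], toks[3]
    if len(toks) > 6 and toks[4].lower() == "version":
        version, community = toks[5], toks[6]
    else:
        version, community = "1", toks[4]  # assumption: no version keyword means SNMPv1
    return TrapHost(host, kind, version, community)


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (finding, subject) pairs for the risky settings described above."""
    findings: List[Tuple[str, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("snmp-server community "):
            c = parse_community(line)
            if c.string.lower() in WELL_KNOWN_STRINGS:
                findings.append(("well-known-community", c.string))
            if c.mode == "rw" and c.acl is None:
                findings.append(("rw-without-acl", c.string))
        elif line.startswith("snmp-server host "):
            h = parse_host(line)
            if h.version in ("1", "2c"):
                findings.append(("cleartext-trap-community", h.host))
    return findings


if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_CONFIG):
        print(f"{finding}: {subject}")
```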
CHAPTER 19 Configuring Repeater and Standby Access Points This chapter describes how to configure your access point as a hot standby unit or as a repeater unit.
Chapter 19 Configuring Repeater and Standby Access Points Understanding Repeater Access Points Understanding Repeater Access Points A repeater access point is not connected to the wired LAN; it is placed within radio range of an access point connected to the wired LAN to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication. You can configure either the 2.4-GHz radio or the 5-GHz radio as a repeater.
Chapter 19 Configuring Repeater and Standby Access Points Configuring a Repeater Access Point Figure 19-1 Access Point as a Repeater Access Point (Root Unit) Wired LAN 66000 Access Point (Repeater) Configuring a Repeater Access Point This section provides instructions for setting up an access point as a repeater and includes these sections: • Default Configuration, page 19-4 • Guidelines for Repeaters, page 19-4 • Setting Up a Repeater, page 19-4 • Verifying Repeater Operation, page 19-5 • Se
Chapter 19 Configuring Repeater and Standby Access Points Configuring a Repeater Access Point Default Configuration Access points are configured as root units by default. Table 19-1 shows the default values for settings that control the access point’s role in the wireless LAN.
Chapter 19 Configuring Repeater and Standby Access Points Configuring a Repeater Access Point Command Purpose Step 3 ssid ssid-string Create the SSID that the repeater uses to associate to a root access point; in the next step designate this SSID as an infrastructure SSID. If you created an infrastructure SSID on the root access point, create the same SSID on the repeater, also. Step 4 infrastructure-ssid [optional] Designate the SSID as an infrastructure SSID.
Chapter 19 Configuring Repeater and Standby Access Points Configuring a Repeater Access Point • The status LED on the repeater access point is steady green when it is associated with the root access point and the repeater has client devices associated to it. The repeater's status LED flashes (steady green for 7/8 of a second and off for 1/8 of a second) when it is associated with the root access point but the repeater has no client devices associated to it.
Chapter 19 Configuring Repeater and Standby Access Points Configuring a Repeater Access Point Command Purpose Step 6 infrastructure ssid [optional] (Optional) Designate the SSID as the SSID that other access points and workgroup bridges use to associate to this access point. If you do not designate an SSID as the infrastructure SSID, infrastructure devices can associate to the access point using any SSID.
Chapter 19 Configuring Repeater and Standby Access Points Understanding Hot Standby Understanding Hot Standby Hot Standby mode designates an access point as a backup for another access point. The standby access point is placed near the access point it monitors, configured exactly the same as the monitored access point. The standby access point associates with the monitored access point as a client and sends IAPP queries to the monitored access point through both the Ethernet and the radio ports.
Chapter 19 Configuring Repeater and Standby Access Points Configuring a Hot Standby Access Point Tip To quickly duplicate the monitored access point’s settings on the standby access point, save the monitored access point configuration and load it on the standby access point. See the “Working with Configuration Files” section on page 20-8 for instructions on uploading and downloading configuration files.
Chapter 19 Configuring Repeater and Standby Access Points Configuring a Hot Standby Access Point Command Purpose Step 10 iapp standby primary-shutdown (Optional) Configures the standby access point to send a Dumb Device Protocol (DDP) message to the monitored access point to disable the radios of the monitored access point when the standby unit becomes active. This feature prevents client devices that are associated to the monitored access point from remaining associated to the malfunctioning unit.
Chapter 19 Configuring Repeater and Standby Access Points Configuring a Hot Standby Access Point Table 19-2 Standby Status Messages (continued) Message Description Standby State: Init The standby access point is initializing link tests with the monitored access point. Standby State: Running The standby access point is operating in standby mode and is running link tests to the monitored access point. Standby State: Stopped Standby mode has been stopped by a configuration command.
C H A P T E R 20 Managing Firmware and Configurations This chapter describes how to manipulate the Flash file system, how to copy configuration files, and how to archive (upload and download) software images. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco Aironet 1200 Series Access Point Command Reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
Chapter 20 Managing Firmware and Configurations Working with the Flash File System Working with the Flash File System The Flash file system on your access point provides several commands to help you manage software image and configuration files. The Flash file system is a single Flash device on which you can store files. This Flash device is called flash:.
Chapter 20 Managing Firmware and Configurations Working with the Flash File System Table 20-1 show file systems Field Descriptions (continued) Field Value Type Type of file system. flash—The file system is for a Flash memory device. network—The file system is for a network device. nvram—The file system is for a nonvolatile RAM (NVRAM) device. opaque—The file system is a locally generated pseudo file system (for example, the system) or a download interface, such as brimux.
Chapter 20 Managing Firmware and Configurations Working with the Flash File System To display information about files on a file system, use one of the privileged EXEC commands in Table 20-2: Table 20-2 Commands for Displaying Information About Files Command Description dir [/all] [filesystem:][filename] Display a list of files on a file system. show file systems Display more information about each of the files on a file system.
Chapter 20 Managing Firmware and Configurations Working with the Flash File System Use the /recursive keyword to delete the named directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process.
Chapter 20 Managing Firmware and Configurations Working with the Flash File System Use the /recursive keyword for deleting a directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process.
Chapter 20 Managing Firmware and Configurations Working with the Flash File System For source-url, specify the source URL alias for the local or network file system. These options are supported: • For the local Flash file system, the syntax is flash: • For the File Transfer Protocol (FTP), the syntax is ftp:[[//username[:password]@location]/directory]/tar-filename.tar • For the Remote Copy Protocol (RCP), the syntax is rcp:[[//username@location]/directory]/tar-filename.
Chapter 20 Managing Firmware and Configurations Working with Configuration Files This example shows how to extract the contents of a tar file located on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local Flash file system. The remaining files in the saved.tar file are ignored. ap# archive tar /xtract tftp://172.20.10.30/saved.
Chapter 20 Managing Firmware and Configurations Working with Configuration Files This section includes this information: • Guidelines for Creating and Using Configuration Files, page 20-9 • Configuration File Types and Location, page 20-9 • Creating a Configuration File by Using a Text Editor, page 20-10 • Copying Configuration Files by Using TFTP, page 20-10 • Copying Configuration Files by Using FTP, page 20-12 • Copying Configuration Files by Using RCP, page 20-15 • Clearing Configuration
Chapter 20 Managing Firmware and Configurations Working with Configuration Files Creating a Configuration File by Using a Text Editor When creating a configuration file, you must list commands logically so that the system can respond appropriately. This is one method of creating a configuration file: Step 1 Copy an existing configuration from an access point to a server.
Chapter 20 Managing Firmware and Configurations Working with Configuration Files • Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation). • For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read. • Before uploading the configuration file, you might need to create an empty file on the TFTP server.
Chapter 20 Managing Firmware and Configurations Working with Configuration Files Use one of these privileged EXEC commands: • copy system:running-config tftp:[[[//location]/directory]/filename] • copy nvram:startup-config tftp:[[[//location]/directory]/filename] The file is uploaded to the TFTP server. This example shows how to upload a configuration file from an access point to a TFTP server: ap# copy system:running-config tftp://172.16.2.155/tokyo-confg Write file tokyo-confg on host 172.16.2.
Chapter 20 Managing Firmware and Configurations Working with Configuration Files Preparing to Download or Upload a Configuration File by Using FTP Before you begin downloading or uploading a configuration file by using FTP, perform these tasks: • Ensure that the access point has a route to the FTP server. The access point and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the FTP server by using the ping command.
Chapter 20 Managing Firmware and Configurations Working with Configuration Files Connected to 172.16.101.101 Loading 1112 byte file host1-confg:![OK] ap# %SYS-5-CONFIG: Configured from host1-config by ftp from 172.16.101.101 This example shows how to specify a remote username of netadmin1. The software copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 to the access point startup configuration.
Chapter 20 Managing Firmware and Configurations Working with Configuration Files Building configuration...[OK] Connected to 172.16.101.101 ap# This example shows how to store a startup configuration file on a server by using FTP to copy the file: ap# configure terminal ap(config)# ip ftp username netadmin2 ap(config)# ip ftp password mypass ap(config)# end ap# copy nvram:startup-config ftp: Remote host[]? 172.16.101.101 Name of configuration file to write [ap2-confg]? Write file ap2-confg on host 172.16.
Chapter 20 Managing Firmware and Configurations Working with Configuration Files Preparing to Download or Upload a Configuration File by Using RCP Before you begin downloading or uploading a configuration file by using RCP, perform these tasks: • Ensure that the workstation acting as the RCP server supports the remote shell (rsh). • Ensure that the access point has a route to the RCP server.
Chapter 20 Managing Firmware and Configurations Working with Configuration Files Command Purpose Step 5 end Return to privileged EXEC mode. Step 6 copy rcp:[[[//[username@]location]/directory]/filename] system:running-config Using RCP, copy the configuration file from a network server to the running configuration or to the startup configuration file.
Chapter 20 Managing Firmware and Configurations Working with Software Images Command Purpose Step 5 end Return to privileged EXEC mode. Step 6 copy system:running-config rcp:[[[//[username@]location]/directory]/filename] Using RCP, copy the configuration file from an access point running or startup configuration file to a network server.
Working with Software Images

The protocol you use depends on which type of server you are using. The FTP and RCP transport mechanisms provide faster performance and more reliable delivery of data than TFTP. These improvements are possible because FTP and RCP are built on and use the Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which is connection-oriented.

Copying Image Files by Using TFTP

You can download an access point image from a TFTP server or upload the image from the access point to a TFTP server. You download an access point image file from a server to upgrade the access point software. You can overwrite the current image with the new one.

Downloading an Image File by Using TFTP

You can download a new image file and replace the current image or keep the current image.

Caution For the download and upload algorithms to operate properly, do not rename image directories.

Beginning in privileged EXEC mode, follow Steps 1 through 3 to download a new image from a TFTP server and overwrite the existing image.

The download algorithm verifies that the image is appropriate for the access point model and that enough DRAM is present, or it aborts the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the Flash device whether or not it is the same as the new one, downloads the new image, and then reloads the software.

Copying Image Files by Using FTP

You can download an access point image from an FTP server or upload the image from the access point to an FTP server. You download an access point image file from a server to upgrade the access point software. You can overwrite the current image with the new one or keep the current image after a download. You upload an access point image file to a server for backup purposes.

• If you are accessing the access point through a Telnet session and you do not have a valid username, make sure that the current FTP username is the one that you want to use for the FTP download. You can enter the show users privileged EXEC command to view the valid username. If you do not want to use this username, create a new FTP username by using the ip ftp username username global configuration command.
Command and Purpose
Step 7: archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]/image-name.tar
  Download the image file from the FTP server to the access point, and overwrite the current image.
  • The /overwrite option overwrites the software image in Flash with the downloaded image.

If you specify the /leave-old-sw option, the existing files are not removed. If there is not enough space to install the new image and keep the running image, the download process stops, and an error message is displayed. The algorithm installs the downloaded image onto the system board Flash device (flash:).

Command and Purpose
Step 6: end
  Return to privileged EXEC mode.
Step 7: archive upload-sw ftp:[[//[username[:password]@]location]/directory]/image-name.tar
  Upload the currently running access point image to the FTP server.
  • For //username:password, specify the username and password. These must be associated with an account on the FTP server.

RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the access point to a server by using RCP, the Cisco IOS software sends the first valid username in this list:
• The username specified in the archive download-sw or archive upload-sw privileged EXEC command if a username is specified.

Downloading an Image File by Using RCP

You can download a new image file and replace or keep the current image.

Caution For the download and upload algorithms to operate properly, do not rename image directories.

Beginning in privileged EXEC mode, follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image. To keep the current image, skip Step 6.

Command and Purpose
Step 6: archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-name.tar]
  Download the image file from the RCP server to the access point, and overwrite the current image.
Step 7: archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.tar]
  Note
  • The /overwrite option overwrites the software image in Flash with the downloaded image.

Note If the Flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option.

If you specify the /leave-old-sw option, the existing files are not removed. If there is not enough room to install the new image and keep the running image, the download process stops, and an error message is displayed.

Command and Purpose
Step 5: end
  Return to privileged EXEC mode.
Step 6: archive upload-sw rcp:[[[//[username@]location]/directory]/image-name.tar]
  Upload the currently running access point image to the RCP server.
  • For //username, specify the username; for the RCP copy request to execute, an account must be defined on the network server for the remote username.

Step 7 Click the Upgrade button. For additional information, click the Help icon on the Software Upgrade screen.

Browser TFTP Interface

The TFTP interface allows you to use a TFTP server on a network device to load the access point image file. Follow the instructions below to use a TFTP server:

Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points 20-34 OL-5260-01
C H A P T E R 21 Configuring System Message Logging This chapter describes how to configure system message logging on your access point. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
Chapter 21 Configuring System Message Logging
Understanding System Message Logging

By default, access points send the output from system messages and debug privileged EXEC commands to a logging process. The logging process controls the distribution of logging messages to various destinations, such as the logging buffer, terminal lines, or a UNIX syslog server, depending on your configuration. The process also sends messages to the console.

Configuring System Message Logging

Table 21-1 describes the elements of syslog messages.

Table 21-1 System Log Message Elements
Element | Description
seq no: | Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the "Enabling and Disabling Sequence Numbers in Log Messages" section on page 21-6.
(element name missing on this page) | Date and time of the message or event.

Table 21-2 Default System Message Logging Configuration (continued)
Feature | Default Setting
Timestamps | Disabled
Synchronous logging | Disabled
Logging server | Disabled
Syslog server IP address | None configured
Server facility | Local7 (see Table 21-4 on page 21-11)
Server severity | Informational (and numerically lower levels; see Table 21-3 on page 21-8)

Disabling and Enabling Message Logging

Message logging is enabl

Setting the Message Display Destination Device

If message logging is enabled, you can send messages to specific locations in addition to the console. Beginning in privileged EXEC mode, use one or more of the following commands to specify the locations that receive messages:

Command and Purpose
Step 1: configure terminal
  Enter global configuration mode.

Enabling and Disabling Timestamps on Log Messages

By default, log messages are not timestamped. Beginning in privileged EXEC mode, follow these steps to enable timestamping of log messages:

Command and Purpose
Step 1: configure terminal
  Enter global configuration mode.
Step 2: service timestamps log uptime
  Enable log timestamps.

This example shows part of a logging display with sequence numbers enabled:

000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)

Defining the Message Severity Level

You can limit the messages displayed to the selected device by specifying the severity level of the message; the levels are described in Table 21-3.

Table 21-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.

Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults:

Command and Purpose
Step 1: configure terminal
  Enter global configuration mode.
Step 2: logging history level (footnote 1)
  Change the default level of syslog messages stored in the history file and sent to the SNMP server. See Table 21-3 on page 21-8 for a list of level keywords.

Configuring UNIX Syslog Servers

The next sections describe how to configure the 4.3 BSD UNIX server syslog daemon and define the UNIX system logging facility.

Logging Messages to a UNIX Syslog Daemon

Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server.

Command and Purpose
Step 3: logging trap level
  Limit messages logged to the syslog servers. By default, syslog servers receive informational messages and lower. See Table 21-3 on page 21-8 for level keywords.
Step 4: logging facility facility-type
  Configure the syslog facility. See Table 21-4 on page 21-11 for facility-type keywords. The default is local7.
Step 5: end
  Return to privileged EXEC mode.
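The message layout of Table 21-1 (optional sequence number, optional timestamp, then %FACILITY-SEVERITY-MNEMONIC and the description) and the severity cut-off applied by logging trap level are easy to reproduce on the receiving side, which is where a syslog server or SIEM has to make sense of what the access point sends. The following parser is an added example and is not code from this guide or from Cisco; apart from the guide's own %SYS-5-CONFIG_I line, the sample lines are constructed here, the severity digit on the TKIP MIC failure message is an assumption, and the six-digit sequence-number convention is an assumption used to keep uptime timestamps from being mistaken for sequence numbers.

```python
"""Parse Cisco IOS system log messages into the elements of Table 21-1 and
filter them the way 'logging trap level' does on the access point.

Added example, not code from the Cisco guide. Sample lines other than the
guide's own %SYS-5-CONFIG_I line are constructed here."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity levels in Cisco IOS / UNIX syslog order: numerically lower is more
# severe, so 'logging trap 4' delivers levels 0 through 4 (Table 21-3).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# %FACILITY-SEVERITY-MNEMONIC: description
_HEADER_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# 'service sequence-numbers' prints a zero-padded counter such as 000019:.
# Requiring six or more digits (an assumption) keeps an uptime timestamp
# such as 00:03:12: from being read as a sequence number.
_SEQ_RE = re.compile(r"^(\d{6,}):\s*")


@dataclass
class SyslogMessage:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_ios_syslog(line: str) -> Optional[SyslogMessage]:
    """Return the parsed message, or None for lines that are not syslog output
    (for example CLI prompts captured in the same console session)."""
    m = _HEADER_RE.search(line)
    if m is None:
        return None
    prefix = line[:m.start()]
    seq = None
    s = _SEQ_RE.match(prefix)
    if s:
        seq = int(s.group(1))
        prefix = prefix[s.end():]
    # Whatever remains before the header is the optional timestamp produced by
    # 'service timestamps log uptime' or 'datetime', minus its trailing colon.
    timestamp = prefix.strip().rstrip(":").strip() or None
    return SyslogMessage(seq, timestamp, m.group("facility"),
                         int(m.group("severity")), m.group("mnemonic"), m.group("text"))


def parse_all(lines: List[str]) -> List[SyslogMessage]:
    return [msg for msg in (parse_ios_syslog(l) for l in lines) if msg is not None]


def select_by_level(messages: List[SyslogMessage], level: int) -> List[SyslogMessage]:
    """Emulate 'logging trap level': keep messages at that severity and numerically lower."""
    return [m for m in messages if m.severity <= level]


def mic_failure_alerts(messages: List[SyslogMessage]) -> List[SyslogMessage]:
    """Appendix D notes that repeated TKIP MIC failures usually indicate an
    active attack on the network, so surface those messages separately."""
    return [m for m in messages
            if m.facility == "DOT11" and m.mnemonic == "TKIP_MIC_FAILURE_REPEATED"]


SAMPLE_LINES = [
    # From the guide: sequence numbers enabled, timestamps disabled.
    "000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    # Constructed: sequence number plus an uptime timestamp.
    "000020: 00:03:12: %DOT11-4-VERSION_UPGRADE: Interface 0, upgrading radio firmware",
    # Constructed: datetime timestamp, no sequence number.
    "*Mar  1 00:04:05.117: %DOT11-2-RADIO_FAILED: Interface Dot11Radio0 failed - radio driver error",
    # Message text from Appendix D; no sequence number or timestamp.
    "%PMIP-3-REG_AUTH_FAIL: Mobile Node 10.4.1.3 registration failed due to authentication failure",
    # Constructed from the Appendix D template; the severity digit 4 is an assumption.
    "000023: %DOT11-4-TKIP_MIC_FAILURE_REPEATED: Two TKIP Michael MIC failures were detected "
    "within 60 seconds on Dot11Radio0 interface. The interface will be put on MIC failure "
    "hold state for next 60 seconds",
    # Not a syslog message: a CLI prompt captured in the same session.
    "ap# show logging",
]

if __name__ == "__main__":
    msgs = parse_all(SAMPLE_LINES)
    for m in select_by_level(msgs, 4):          # what 'logging trap warnings' would forward
        print(m.seq, m.timestamp, m.facility, m.severity_name, m.mnemonic)
    for m in mic_failure_alerts(msgs):
        print("possible active attack:", m.text)
```

Run stand-alone, the block prints the four messages that a server configured with logging trap warnings would receive and flags the MIC failure message; the %SYS-5-CONFIG_I notification is dropped by that cut-off, which is why a server that should record configuration changes needs logging trap notifications or lower.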
Displaying the Logging Configuration

To display the current logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2. To display the logging history file, use the show logging history privileged EXEC command.
C H A P T E R 22 Troubleshooting This chapter provides troubleshooting procedures for basic problems with the access point. For the most up-to-date, detailed troubleshooting information, refer to the Cisco TAC website at the following URL (select Top Issues and then select Wireless Technologies): http://www.cisco.
Chapter 22 Troubleshooting
Checking the Top Panel Indicators

If your access point is not communicating, check the three LED indicators on the top panel to quickly assess the unit's status. Figure 22-1 shows the indicators on the 1200 series access point. Figure 22-2 shows the indicators on the 1100 series access point. Figure 22-3 and Figure 22-4 show the indicators on the 350 series access point.

Figure 22-3 Indicators on the 350 Series Access Point (Plastic Case) [figure: Ethernet, Status and Radio indicators]
Figure 22-4 Indicators on the 350 Series Access Point (Metal Case) [figure: Ethernet Activity, Association Status and Radio Activity indicators]

The indicator signals have the following meanings (for additional details refer to

Table 22-1 Top Panel Indicator Signals
Message type | Ethernet indicator | Status indicator | Radio indicator | Meaning
Boot loader status | Green | – | Green | DRAM memory test.
 | – | Amber | Red | Board initialization test.
 | – | Blinking green | Blinking green | Flash memory test.
 | Amber | Green | – | Ethernet initialization test.
 | Green | Green | Green | Starting Cisco IOS software.
 | – | Green | – | At least one wireless client device is associated with the unit.

Checking Basic Settings

Mismatched basic settings are the most common causes of lost connectivity with wireless clients. If the access point does not communicate with client devices, check the following areas.

SSID

Wireless clients attempting to associate with the access point must use the same SSID as the access point. If a client device's SSID does not match the SSID of an access point in radio range, the client device will not associate.

Resetting to the Default Configuration

Using the MODE Button

Follow these steps to delete the current configuration and return all access point settings to the factory defaults using the MODE button.

Note You cannot use the mode button to reset the configuration to defaults on 350 series access points.

Step 8 After the access point reboots, you must reconfigure the access point by using the Web-browser interface or the CLI. The default username and password are Cisco, which is case-sensitive.

Using the CLI

Follow the steps below to delete the current configuration and return all access point settings to the factory defaults using the CLI.

Step 1 Open the CLI using a Telnet session or a connection to the access point console port.

Reloading the Access Point Image

Base ethernet MAC Address: 00:40:96:41:e4:df
Loading "flash:/c350.k9w7.mx.122.13.JA/c350.k9w7.mx.122.13.JA"...########
. . .

Note The access point is configured with factory default values, including the IP address (set to receive an IP address using DHCP) and the default username and password (Cisco).

Step 8 When IOS software is loaded, you can use the del privileged EXEC command to delete the config.old file from Flash.

Follow these steps to reload the access point image file:

Step 1 The PC you intend to use must be configured with a static IP address in the range of 10.0.0.2 to 10.0.0.30.
Step 2 Make sure that the PC contains the access point image file (such as c1100-k9w7-tar.122-15.JA.tar for an 1100 series access point or c1200-k9w7-tar.122-15.JA.tar for a 1200 series access point) in the TFTP server folder and that the TFTP server is activated.

Step 7 Click Upload. For additional information, click the Help icon on the Software Upgrade screen.

Browser TFTP Interface

The TFTP interface allows you to use a TFTP server on a network device to load the access point image file. Follow the instructions below to use a TFTP server:

Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).

Step 3 Let the access point boot until it begins to inflate the image. When you see these lines on the CLI, press Esc:

Loading "flash:/c350-k9w7-mx.v122_13_ja.20031010/c350-k9w7-mx.v122_13_ja.20031010" ...

extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_button_last_flat.gif (318 bytes)
extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_button_nth.gif (1177 bytes)
extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_leftnav_dkgreen.gif (869 bytes)
-- MORE --

If you do not press the spacebar to continue, the process eventually times out and the access point stops inflating the image.
A P P E N D I X A Channels and Antenna Settings This appendix lists the access point radio channels and the maximum power levels supported by the world’s regulatory domains.
Appendix A Channels and Antenna Settings
Channels

IEEE 802.11b (2.4-GHz Band)

The channel identifiers, channel center frequencies, and regulatory domains of each IEEE 802.11b 22-MHz-wide channel are shown in Table A-1.

Table A-1 Channels for IEEE 802.

IEEE 802.11g (2.4-GHz Band)

The channel identifiers, channel center frequencies, and regulatory domains of each IEEE 802.11g 22-MHz-wide channel are shown in Table A-2.

Table A-2 Channels for IEEE 802.

IEEE 802.11a (5-GHz Band)

The channel identifiers, channel center frequencies, and regulatory domains of each IEEE 802.11a 20-MHz-wide channel are shown in Table A-3.

Table A-3 Channels for IEEE 802.

Maximum Power Levels and Antenna Gains

IEEE 802.11b (2.4-GHz Band)

An improper combination of power level and antenna gain can result in equivalent isotropic radiated power (EIRP) above the amount allowed per regulatory domain. Table A-4 indicates the maximum power levels and antenna gains allowed for each IEEE 802.11b regulatory domain.

Table A-4 Maximum Power Levels Per Antenna Gain for IEEE 802.

IEEE 802.11g (2.4-GHz Band)

An improper combination of power level and antenna gain can result in equivalent isotropic radiated power (EIRP) above the amount allowed per regulatory domain. Table A-5 indicates the maximum power levels and antenna gains allowed for each IEEE 802.11g regulatory domain.

Table A-5 Maximum Power Levels Per Antenna Gain for IEEE 802.

IEEE 802.11a (5-GHz Band)

An improper combination of power level and antenna gain can result in equivalent isotropic radiated power (EIRP) above the amount allowed per regulatory domain. Table A-6 indicates the maximum power levels allowed with the Cisco integrated antenna for each IEEE 802.11a regulatory domain.

Table A-6 Maximum Power Levels Per Antenna Gain for IEEE 802.

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points A-8 OL-5260-01
A P P E N D I X B Protocol Filters

The tables in this appendix list some of the protocols that you can filter on the access point. The tables include:
• Table B-1, Ethertype Protocols
• Table B-2, IP Protocols
• Table B-3, IP Port Protocols

In each table, the Protocol column lists the protocol name, the Additional Identifier column lists other names for the same protocol, and the ISO Designator column lists the numeric designator for each protocol.

Table B-1 Ethertype Protocols
Protocol | Additional Identifier | ISO Designator
ARP | — | 0x0806
RARP | — | 0x8035
IP | — | 0x0800
Berkeley Trailer Negotiation | — | 0x1000
LAN Test | — | 0x0708
X.25 Level3 | X.25 | 0x0805
Banyan | — | 0x0BAD
CDP | — | 0x2000
DEC XNS | XNS | 0x6000
DEC MOP Dump/Load | — | 0x6001
DEC MOP | MOP | 0x6002
DEC LAT | LAT | 0x6004
Ethertalk | — | 0x809B
Appletalk ARP | Appletalk AARP | 0x80F3
IPX 802.2 | — | 0x00E0
IPX 802.

Table B-2 IP Protocols
Protocol | Additional Identifier | ISO Designator
dummy | — | 0
Internet Control Message Protocol | ICMP | 1
Internet Group Management Protocol | IGMP | 2
Transmission Control Protocol | TCP | 6
Exterior Gateway Protocol | EGP | 8
PUP | — | 12
CHAOS | — | 16
User Datagram Protocol | UDP | 17
XNS-IDP | IDP | 22
ISO-TP4 | TP4 | 29
ISO-CNLP | CNLP | 80
Banyan VINES | VINES | 83
Encapsulation Header | encap_hdr | 98
Spectralink Voice Protocol | SVP Spectralink | 119
raw | — |

Table B-3 IP Port Protocols
Protocol | Additional Identifier | ISO Designator
TCP port service multiplexer | tcpmux | 1
echo | — | 7
discard (9) | — | 9
systat (11) | — | 11
daytime (13) | — | 13
netstat (15) | — | 15
Quote of the Day | qotd quote | 17
Message Send Protocol | msp | 18
ttytst source | chargen | 19
FTP Data | ftp-data | 20
FTP Control (21) | ftp | 21
Secure Shell (22) | ssh | 22
Telnet | — | 23
Simple Mail Transport Protocol | SMTP mail | 25
time | timserver | 37
Resource Locati

Table B-3 IP Port Protocols (continued)
Protocol | Additional Identifier | ISO Designator
TSAP | iso-tsap | 102
CSO Name Server | cso-ns csnet-ns | 105
Remote Telnet | rtelnet | 107
Postoffice v2 | POP2 POP v2 | 109
Postoffice v3 | POP3 POP v3 | 110
Sun RPC | sunrpc | 111
tap ident authentication | auth | 113
sftp | — | 115
uucp-path | — | 117
Network News Transfer Protocol | Network News readnews nntp | 119
USENET News Transfer Protocol | Network News readnews nntp | 119
Network Time Pro

Table B-3 IP Port Protocols (continued)
Protocol | Additional Identifier | ISO Designator
SNMP Unix Multiplexer | smux | 199
AppleTalk Routing | at-rtmp | 201
AppleTalk name binding | at-nbp | 202
AppleTalk echo | at-echo | 204
AppleTalk Zone Information | at-zis | 206
NISO Z39.
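The three tables correspond to three places in a frame where a filter decision is made: the Ethertype in the Ethernet header, the protocol number in the IPv4 header, and the port numbers in the TCP or UDP header that follows it. The following classifier is an added example and is not code from this guide or from Cisco; it parses a raw Ethernet frame down to those three identifiers and tests it against rules built from the Table B-1, B-2 and B-3 designators. The frames are constructed here, the rule dictionary format is an assumption, and the choice to match an IP port rule against either the source or the destination port is an assumption about how the access point applies port filters. The fragment case shows why a port filter cannot be evaluated on a non-first IP fragment, which carries no transport header.

```python
"""Classify an Ethernet frame by the identifiers the access point's protocol
filters use (Ethertype, IP protocol number, IP port) and test it against
filter rules built from the Appendix B tables.

Added example, not code from the Cisco guide; frames are constructed here."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Designators taken from Tables B-1, B-2 and B-3.
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6
IPPROTO_UDP = 17
PORT_SSH = 22
PORT_TELNET = 23


@dataclass
class FrameSummary:
    ethertype: int
    ip_protocol: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def classify(frame: bytes) -> FrameSummary:
    """Extract the Ethertype and, for IPv4, the protocol number and the ports
    when a transport header is actually present in this frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    summary = FrameSummary(ethertype)
    if ethertype != ETHERTYPE_IP:
        return summary                      # non-IP traffic: Ethertype filter only
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header after an IP Ethertype")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header length")
    summary.ip_protocol = ip[9]
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    # Only the first fragment carries the TCP/UDP header; later fragments have
    # no port numbers, so a port filter cannot be decided on them.
    if (summary.ip_protocol in (IPPROTO_TCP, IPPROTO_UDP)
            and frag_offset == 0 and len(ip) >= ihl + 4):
        summary.src_port, summary.dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return summary


def rule_matches(summary: FrameSummary, rule: dict) -> bool:
    """A rule is {'ethertype': n}, {'ip_protocol': n} or {'ip_port': n}; an IP
    port rule matches either the source or the destination port (assumption)."""
    if "ethertype" in rule:
        return summary.ethertype == rule["ethertype"]
    if "ip_protocol" in rule:
        return summary.ip_protocol == rule["ip_protocol"]
    if "ip_port" in rule:
        return rule["ip_port"] in (summary.src_port, summary.dst_port)
    raise ValueError("unknown rule type")


def matching_rules(frame: bytes, rules: List[dict]) -> List[dict]:
    summary = classify(frame)
    return [r for r in rules if rule_matches(summary, r)]


# Constructed frames: locally administered MAC addresses and RFC 1918 addresses.
_ETH = bytes.fromhex("020000000001" "020000000002")


def _ipv4_frame(protocol: int, transport: bytes, frag_offset: int = 0) -> bytes:
    # Header checksum is left at 0; the classifier does not validate it.
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0x1234,
                         frag_offset & 0x1FFF, 64, protocol, 0,
                         bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return _ETH + struct.pack("!H", ETHERTYPE_IP) + header + transport


ARP_FRAME = _ETH + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)
SSH_FRAME = _ipv4_frame(IPPROTO_TCP, struct.pack("!HH", 40001, PORT_SSH) + bytes(16))
UDP_FRAME = _ipv4_frame(IPPROTO_UDP, struct.pack("!HH", 123, 123) + bytes(4))   # NTP, port 123
SSH_FRAGMENT = _ipv4_frame(IPPROTO_TCP, bytes(32), frag_offset=5)  # continuation fragment

RULES = [{"ethertype": ETHERTYPE_ARP}, {"ip_protocol": IPPROTO_UDP},
         {"ip_port": PORT_SSH}, {"ip_port": PORT_TELNET}]

if __name__ == "__main__":
    for name, frame in [("ARP", ARP_FRAME), ("SSH", SSH_FRAME),
                        ("UDP", UDP_FRAME), ("SSH fragment", SSH_FRAGMENT)]:
        print(name, classify(frame), "->", matching_rules(frame, RULES))
```

The fragment result is the practical caveat: a frame that is part of an SSH connection but is not the first fragment matches no port rule, so a filter policy that relies on port numbers alone treats such fragments differently from the first one.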
A P P E N D I X C Supported MIBs This appendix lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the access point supports for this software release. The Cisco IOS SNMP agent supports both SNMPv1 and SNMPv2.
Appendix C Supported MIBs

• CISCO-PROCESS-MIB
• CISCO-PRODUCTS-MIB
• CISCO-SMI-MIB
• CISCO-TC-MIB
• CISCO-SYSLOG-MIB
• ENTITY-MIB
• IF-MIB
• OLD-CISCO-CHASSIS-MIB
• OLD-CISCO-SYS-MIB
• OLD-CISCO-SYSTEM-MIB
• OLD-CISCO-TS-MIB
• RFC1213-MIB
• RFC1398-MIB
• SNMPv2-MIB
• SNMPv2-SMI
• SNMPv2-TC

Using FTP to Access the MIB Files

Follow these steps to obtain each MIB file by using FTP:

Step 1 Use FTP to access the server ftp.cisco.com.
A P P E N D I X D Error and Event Messages

This appendix lists the CLI error and event messages.

Software Auto Upgrade Messages

Error Message SW_AUTO_UPGRADE-FATAL: Attempt to upgrade software failed, software on Flash may be deleted. Please copy software into Flash.
Explanation Auto upgrade of the software failed. The software on the Flash memory might have been deleted. Copy software into the Flash memory.
Recommended Action Copy software before rebooting the unit.

Association Management Messages

Error Message DOT11-3-BADSTATE: [mac-address] [chars] [chars] -> [chars]
Explanation 802.11 Association and management uses a table-driven state machine to keep track and transition an Association through various states. A state transition occurs when an Association receives one of many possible events.

Proxy Mobile IP Subsystem Messages

Error Message PMIP-3-REG_AUTH_FAIL: Mobile Node 10.4.1.3 registration failed due to authentication failure
Explanation When a mobile node (MN) moves to a foreign network, the access point registers the MN to its Home Agent. This message indicates that the registration failed because the HA or FA failed to authenticate each other or the MN.

Error Message PMIP-6-HAFA_DOWN: Mobile IP Agent 10.4.1.1 is down or unavailable
Explanation Mobile IP Home or Foreign agent has gone down or is inaccessible to the access point.
Recommended Action Make sure there is at least one Home and Foreign Agent configured on that subnet and accessible to the access point.

Unzip Messages

Error Message SOAP-4-UNZIP_OVERFLOW: Failed to unzip Flash:/c1200-k9w7-mx.122-3.6.JA1/html/level15/ap_xxx.htm.gz, exceeds maximum uncompressed html size
Explanation The HTTP server cannot retrieve a compressed file in response to an HTTP GET request because the size of the file is too large for the buffers used in the uncompression process.
Recommended Action Make sure the file is a valid HTML page.

802.11 Subsystem Messages

Error Message DOT11-4-VERSION_UPGRADE: Interface [number], upgrading radio firmware
Explanation When starting the radio, the access point found the wrong firmware version. The radio will be loaded with the required version.
Recommended Action None.

Error Message DOT11-2-VERSION_INVALID: Unable to find required radio version [hex].

Error Message DOT11-2-RADIO_FAILED: Interface [interface] failed — [chars]
Explanation The radio driver found a severe error and is shutting down.
Recommended Action None.

Error Message DOT11-4-FLASH_RADIO_DONE: Flashing the radio firmware completed
Explanation The radio firmware Flash is complete, and the radio will be restarted with the new firmware.
Recommended Action None.

Error Message DOT11-3-RF_LOOPBACK_FAILURE: Interface [number] Radio failed to pass RF loopback test
Explanation Radio loopback test failed for a radio interface.
Recommended Action None.

Error Message DOT11-3-RF_LOOPBACK__FREQ_FAILURE: Radio failed to pass RF loopback test at freq [frequency]
Explanation Radio loopback test failed at a given frequency.
Recommended Action None.

Inter-Access Point Protocol Messages

Error Message DOT11-TKIP_MIC_FAILURE_REPEATED: Two TKIP Michael MIC failures were detected within [number] seconds on [interface] interface. The interface will be put on MIC failure hold state for next [number] seconds
Explanation Because MIC failures usually indicate an active attack on your network, the interface will be put on hold for the configured time.

Radio Diagnostic Messages

Error Message SCHED-3-UNEXPECTEDEVENT: Process received unknown event (maj [hex], min [hex]).
Explanation A process can register to be notified when various events occur in the router. This message indicates that a process received an event that it did not know how to handle.
Recommended Action Copy the error message exactly as it appears, and report it to your technical support representative.
G L O S S A RY

802.11 The IEEE standard that specifies carrier sense media access control and physical layer specifications for 1- and 2-megabit-per-second (Mbps) wireless LANs operating in the 2.4-GHz band.
802.11a The IEEE standard that specifies carrier sense media access control and physical layer specifications for wireless LANs operating in the 5-GHz frequency band.
802.11b The IEEE standard that specifies carrier sense media access control and physical layer specifications for 5.

BPSK A modulation technique used by IEEE 802.11b-compliant wireless LANs for transmission at 1 Mbps.
broadcast packet A single data message (packet) sent to all addresses on the same subnet.

C
CCK Complementary code keying. A modulation technique used by IEEE 802.11b-compliant wireless LANs for transmission at 5.5 and 11 Mbps.
CCKM Cisco Centralized Key Management.

DNS Domain Name System server. A server that translates text names into IP addresses. The server maintains a database of host alphanumeric names and their corresponding IP addresses.
DSSS Direct sequence spread spectrum. A type of spread spectrum radio transmission that spreads its signal continuously over a wide frequency band.

E
EAP Extensible Authentication Protocol. An optional IEEE 802.

M
MAC Media Access Control address. A unique 48-bit number used in Ethernet data packets to identify an Ethernet device, such as an access point or your client adapter.
modulation Any of several techniques for combining user information with a transmitter's carrier signal.
multipath The echoes created as a radio signal bounces off of physical objects.
multicast packet A single data message (packet) sent to multiple addresses.

roaming A feature of some Access Points that allows users to move through a facility while maintaining an unbroken connection to the LAN.
RP-TNC A connector type unique to Cisco Aironet radios and antennas. Part 15.203 of the FCC rules covering spread spectrum devices limits the types of antennas that may be used with transmission equipment.

W
WDS Wireless Domain Services (WDS). An access point providing WDS on your wireless LAN maintains a cache of credentials for CCKM-capable client devices on your wireless LAN. When a CCKM-capable client roams from one access point to another, the WDS access point forwards the client's credentials to the new access point with the multicast key. Only two packets pass between the client and the new access point, greatly shortening the reassociation time.
WEP Wired Equivalent Privacy.