Cisco Wireless LAN Controller Configuration Guide, Release 7.2

Cisco Wireless LAN Controller Configuration Guide
Software Release 7.2
February 2012
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
Text Part Number: OL-21524-03
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
All rights reserved.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Copyright © 2012 Cisco Systems, Inc.
All rights reserved.
CONTENTS
Preface xxxix
Audience xl
Purpose xl
Organization xl
Conventions xli
Related Documentation xliii
Obtaining Documentation and Submitting a Service Request xliv
CHAPTER 1 Overview 1-1
Cisco Unified Wireless Network Solution Overview 1-1
Single-Controller Deployments 1-3
Multiple-Controller Deployments 1-3
Operating System Software 1-4
Operating System Security 1-4
Cisco WLAN Solution Wired Security 1-5
Layer 2 and Layer 3 Operation 1-5
Operational Requirements 1-6
Configuration Requirements 1-6
Cisco Wireless LAN Controllers 1-6
Client Location 1-7
Controller Platforms 1-7
Cisco 2500 Series Controller 1-7
Features Not Supported 1-8
Cisco 5500 Series Controllers 1-8
Features Not Supported 1-8
Cisco Flex 7500 Series Controller 1-9
Features Not Supported 1-9
Cisco Wireless Services Module 2 1-9
Features Not Supported 1-10
Cisco Wireless Controller on Cisco Services-Ready Engine (SRE) 1-10
Features Not Supported 1-11
Cisco UWN Solution Wired Connections 1-11
Cisco Wireless LAN Controller Configuration Guide
OL-21524-03
i
Contents
Cisco UWN Solution WLANs 1-11
File Transfers 1-12
Power Over Ethernet 1-12
Cisco Wireless LAN Controller Memory 1-12
Cisco Wireless LAN Controller Failover Protection 1-13
CHAPTER 2 Using the Web-Browser and CLI Interfaces 2-1
Configuring the Controller Using the GUI Configuration Wizard 2-1
Connecting the Controller’s Console Port 2-1
Configuring the Controller (GUI) 2-2
Additional References 2-13
Configuring the Controller Using the CLI Configuration Wizard 2-13
Guidelines and Limitations 2-14
Configuring the Controller (CLI) 2-14
Using the Controller Web GUI 2-16
Guidelines and Limitations 2-17
Logging On to the GUI 2-17
Logging Out of the GUI 2-17
Enabling Web and Secure Web Modes 2-18
Enabling Web and Secure Web Modes (GUI) 2-18
Enabling Web and Secure Web Modes (CLI) 2-19
Loading an Externally Generated SSL Certificate 2-20
Guidelines and Limitations 2-20
Loading an SSL Certificate 2-20
Loading an SSL Certificate (GUI) 2-20
Loading an SSL Certificate (CLI) 2-21
Using the Controller CLI 2-22
Information About the Controller CLI 2-23
Guidelines and Limitations 2-23
Logging on to the Controller CLI 2-23
Using a Local Serial Connection 2-23
Using a Remote Ethernet Connection 2-24
Logging Out of the CLI 2-25
Navigating the CLI 2-25
Additional References 2-26
Using the AutoInstall Feature for Controllers Without a Configuration 2-26
Information About the AutoInstall Feature 2-26
Guidelines and Limitations 2-27
Obtaining an IP Address Through DHCP and Downloading a Configuration File from a TFTP Server 2-27
Selecting a Configuration File 2-28
Example: AutoInstall Operation 2-29
Additional References 2-30
Managing the Controller System Date and Time 2-30
Information About Controller System Date and Time 2-30
Guidelines and Limitations 2-30
Configuring an NTP Server to Obtain the Date and Time 2-30
Configuring NTP Authentication 2-31
Configuring NTP Authentication (GUI) 2-31
Configuring NTP Authentication (CLI) 2-31
Configuring the Date and Time 2-32
Configuring the Date and Time (GUI) 2-32
Configuring the Date and Time (CLI) 2-33
Configuring Telnet and SSH Sessions 2-35
Information About Telnet and SSH 2-35
Guidelines and Limitations 2-35
Configuring Telnet and SSH Sessions 2-35
Configuring Telnet and SSH Sessions (GUI) 2-35
Configuring Telnet and SSH Sessions (CLI) 2-37
Additional References 2-38
Managing the Controller Wirelessly 2-38
Information About Managing the Controller Wirelessly 2-38
Enabling Wireless Connections 2-38
Enabling Wireless Connections (GUI) 2-38
Enabling Wireless Connections (CLI) 2-39
2-39
CHAPTER 3 Configuring Ports and Interfaces 3-1
Information About Ports 3-1
Information About Distribution System Ports 3-3
Guidelines and Limitations 3-3
Information About Service Ports 3-4
Guidelines and Limitations 3-4
Information About Interfaces 3-4
Guidelines and Limitations 3-5
Additional References 3-5
Configuring the Management Interface 3-5
Information About the Management Interface 3-6
Guidelines and Limitations 3-6
Configuring the Management Interface 3-6
Configuring the Management Interface (GUI) 3-6
Configuring the Management Interface (CLI) 3-8
Configuring the AP-Manager Interface 3-10
Information About the AP-Manager Interface 3-10
Guidelines and Limitations 3-10
Configuring the AP-Manager Interface 3-10
Configuring the AP-Manager Interface (GUI) 3-11
Configuring the AP-Manager Interface (CLI) 3-12
Additional References 3-12
Configuring Virtual Interfaces 3-12
Information About Virtual Interfaces 3-13
Guidelines and Limitations 3-13
Configuring Virtual Interfaces 3-13
Configuring Virtual Interfaces (GUI) 3-13
Configuring Virtual Interfaces (CLI) 3-14
Configuring Service-Port Interfaces 3-15
Information About Service-Port Interfaces 3-15
Guidelines and Limitations 3-15
Configuring Service-Port Interfaces 3-15
Configuring Service-Port Interfaces (GUI) 3-15
Configuring Service-Port Interfaces (CLI) 3-16
Configuring Dynamic Interfaces 3-16
Information About Dynamic Interfaces 3-17
Guidelines and Limitations 3-17
Configuring Dynamic Interfaces 3-17
Configuring Dynamic Interfaces (GUI) 3-17
Configuring Dynamic Interfaces (CLI) 3-19
Information About Dynamic AP Management 3-21
Information About WLANs 3-21
Configuring Ports 3-23
Information About Configuring Ports 3-23
Configuring Ports (GUI) 3-23
Configuring Port Mirroring 3-25
Information About Port Mirroring 3-26
Guidelines and Limitations 3-26
Enabling Port Mirroring (GUI) 3-26
Configuring the Spanning Tree Protocol 3-27
Information About the Spanning Tree Protocol 3-27
Configuring the Spanning Tree Protocol 3-27
Configuring the Spanning Tree Protocol (GUI) 3-28
Configuring the Spanning Tree Protocol (CLI) 3-31
Using the Cisco 5500 Series Controller USB Console Port 3-32
Installing the Cisco Windows USB Console Driver 3-32
Changing the Cisco USB Systems Management Console COM Port to an Unused Port 3-33
Choosing Between Link Aggregation and Multiple AP-Manager Interfaces 3-33
Configuring Link Aggregation 3-34
Information About Link Aggregation 3-34
Guidelines and Limitations 3-35
Enabling Link Aggregation 3-37
Enabling Link Aggregation (GUI) 3-37
Enabling Link Aggregation (CLI) 3-38
Verifying Link Aggregation Settings (CLI) 3-38
Configuring Neighbor Devices to Support Link Aggregation 3-39
Configuring Multiple AP-Manager Interfaces 3-39
Information About Multiple AP-Manager Interfaces 3-39
Guidelines and Limitations 3-40
Creating Multiple AP-Manager Interfaces 3-42
Creating Multiple AP-Manager Interfaces (GUI) 3-42
Creating Multiple AP-Manager Interfaces (CLI) 3-44
Configuration Example: Configuring AP-Manager on a Cisco 5500 Series Controller 3-44
Configuring VLAN Select 3-46
Information About VLAN Select 3-46
Guidelines and Limitations 3-46
Configuring Interface Groups 3-47
Information About Interface Groups 3-47
Guidelines and Limitations 3-47
Configuring Interface Groups 3-48
Creating Interface Groups (GUI) 3-48
Creating Interface Groups (CLI) 3-48
Adding Interfaces to Interface Groups (GUI) 3-48
Adding Interfaces to Interface Groups (CLI) 3-49
Viewing VLANs in Interface Groups (CLI) 3-49
Adding an Interface Group to a WLAN (GUI) 3-49
Adding an Interface Group to a WLAN (CLI) 3-49
Multicast Optimization 3-49
Information About Multicast Optimization 3-50
Configuring Multicast VLAN 3-50
Configuring Multicast VLAN (GUI) 3-50
Configuring Multicast VLAN (CLI) 3-50
3-51
CHAPTER 4 Configuring Controller Settings 4-1
Installing and Configuring Licenses 4-2
Information About Installing and Configuring Licenses 4-2
Guidelines and Limitations 4-2
Obtaining an Upgrade or Capacity Adder License 4-4
Information About Obtaining an Upgrade or Capacity Adder License 4-4
Obtaining and Registering a PAK Certificate 4-5
Installing a License 4-6
Installing a License (GUI) 4-6
Installing a License (CLI) 4-7
Additional References 4-7
Viewing Licenses 4-8
Viewing Licenses (GUI) 4-8
Viewing Licenses (CLI) 4-9
Activating an AP-Count Evaluation License 4-12
Information About Activating an AP-Count Evaluation License 4-12
Activating an AP-Count Evaluation License 4-12
Rehosting Licenses 4-15
Information About Rehosting Licenses 4-15
Rehosting a License 4-15
Transferring Licenses to a Replacement Controller after an RMA 4-19
Information About Transferring Licenses to a Replacement Controller after an RMA 4-19
Transferring a License to a Replacement Controller after an RMA 4-19
Configuring the License Agent 4-20
Information About Configuring the License Agent 4-20
Configuring the License Agent 4-20
Configuring 802.11 Bands 4-23
Information About Configuring 802.11 Bands 4-23
Configuring 802.11 Bands 4-23
Configuring 802.11 Bands (GUI) 4-23
Configuring 802.11 Bands (CLI) 4-25
Configuring 802.11n Parameters 4-27
Information About Configuring 802.11n Parameters 4-27
Configuring 802.11n Parameters 4-27
Configuring 802.11n Parameters (GUI) 4-28
Configuring 802.11n Parameters (CLI) 4-29
Additional References 4-32
Configuring 802.11h Parameters 4-32
Information About Configuring 802.11h Parameters 4-32
Configuring 802.11h Parameters 4-32
Configuring 802.11h Parameters (GUI) 4-32
Configuring 802.11h Parameters (CLI) 4-33
Configuring DHCP Proxy 4-34
Information About Configuring DHCP Proxy 4-34
Guidelines and Limitations 4-34
Configuring DHCP Proxy 4-35
Configuring DHCP Proxy (GUI) 4-35
Configuring DHCP Proxy (CLI) 4-35
Configuring DHCP Timeout (GUI) 4-35
Configuring DHCP Timeout (CLI) 4-36
Configuring Administrator Usernames and Passwords 4-36
Information About Configuring Administrator Usernames and Passwords 4-36
Configuring Usernames and Passwords 4-36
Configuring Usernames and Passwords (CLI) 4-36
Restoring Passwords (CLI) 4-37
Configuring SNMP 4-37
Configuring SNMP (CLI) 4-37
SNMP Community Strings 4-38
Information About SNMP Community Strings 4-38
Changing the SNMP Community String Default Values 4-39
Changing the SNMP Community String Default Values (GUI) 4-39
Changing the SNMP Community String Default Values (CLI) 4-39
Changing the Default Values for SNMP v3 Users 4-40
Information About Changing the Default Values for SNMP v3 Users 4-40
Changing the SNMP v3 User Default Values 4-40
Changing the SNMP v3 User Default Values (GUI) 4-41
Changing the SNMP v3 User Default Values (CLI) 4-41
Configuring Aggressive Load Balancing 4-42
Information About Configuring Aggressive Load Balancing 4-42
Guidelines and Limitations 4-43
Configuring Aggressive Load Balancing 4-44
Configuring Aggressive Load Balancing (GUI) 4-44
Configuring Aggressive Load Balancing (CLI) 4-45
Configuring Band Selection 4-46
Information About Configuring Band Selection 4-46
Guidelines and Limitations 4-46
Configuring Band Selection 4-46
Configuring Band Selection (GUI) 4-47
Configuring Band Selection (CLI) 4-48
Configuring Fast SSID Changing 4-48
Information About Configuring Fast SSID Changing 4-49
Configuring Fast SSID 4-49
Configuring Fast SSID Changing (GUI) 4-49
Configuring Fast SSID Changing (CLI) 4-49
Enabling 802.3X Flow Control 4-49
Configuring 802.3 Bridging 4-49
Information About Configuring 802.3 Bridging 4-50
Guidelines and Limitations 4-50
Configuring 802.3 Bridging 4-50
Configuring 802.3 Bridging (GUI) 4-50
Configuring 802.3 Bridging (CLI) 4-51
Configuring Multicast Mode 4-52
Information About Configuring Multicast Mode 4-52
Guidelines and Limitations 4-53
Configuring Multicast Mode 4-54
Enabling Multicast Mode (GUI) 4-54
Enabling Multicast Mode (CLI) 4-55
Viewing Multicast Groups (GUI) 4-56
Viewing Multicast Groups (CLI) 4-56
Viewing an Access Point’s Multicast Client Table (CLI) 4-57
Configuring Client Roaming 4-57
Information About Client Roaming 4-58
Intra-Controller Roaming 4-58
Inter-Controller Roaming 4-58
Inter-Subnet Roaming 4-58
Voice-over-IP Telephone Roaming 4-58
CCX Layer 2 Client Roaming 4-59
Guidelines and Limitations 4-60
Configuring CCX Client Roaming Parameters 4-60
Configuring CCX Client Roaming Parameters (GUI) 4-60
Configuring CCX Client Roaming Parameters (CLI) 4-61
Obtaining CCX Client Roaming Information (CLI) 4-62
Debugging CCX Client Roaming Issues (CLI) 4-62
Configuring IP-MAC Address Binding 4-62
Information About Configuring IP-MAC Address Binding 4-63
Configuring IP-MAC Address Binding (CLI) 4-63
Configuring Quality of Service 4-64
Information About Configuring Quality of Service Profiles 4-64
Configuring Quality of Service Profiles 4-64
Configuring QoS Profiles (GUI) 4-64
Configuring QoS Profiles (CLI) 4-66
Configuring Quality of Service Roles 4-67
Information About Configuring Quality of Service Roles 4-68
Configuring QoS Roles 4-68
Configuring QoS Roles (GUI) 4-68
Configuring QoS Roles (CLI) 4-69
Configuring Voice and Video Parameters 4-71
Information About Configuring Voice and Video Parameters 4-71
Call Admission Control 4-72
Expedited Bandwidth Requests 4-72
U-APSD 4-73
Traffic Stream Metrics 4-73
Configuring Voice Parameters 4-74
Configuring Voice Parameters (GUI) 4-74
Configuring Voice Parameters (CLI) 4-76
Configuring Video Parameters 4-77
Configuring Video Parameters (GUI) 4-78
Configuring Video Parameters (CLI) 4-79
Viewing Voice and Video Settings 4-80
Viewing Voice and Video Settings (GUI) 4-80
Viewing Voice and Video Settings (CLI) 4-81
Configuring Media Parameters (GUI) 4-84
Configuring SIP Based CAC 4-85
Guidelines and Limitations 4-86
Configuring SIP-Based CAC (CLI) 4-86
Configuring Voice Prioritization Using Preferred Call Numbers 4-86
Information About Configuring Voice Prioritization Using Preferred Call Numbers 4-86
Guidelines and Limitations 4-87
Configuring a Preferred Call Number 4-87
Configuring a Preferred Call Number (GUI) 4-87
Configuring a Preferred Call Number (CLI) 4-87
Configuring EDCA Parameters 4-88
Information About EDCA Parameters 4-88
Configuring EDCA Parameters 4-88
Configuring EDCA Parameters (GUI) 4-88
Configuring EDCA Parameters (CLI) 4-90
Configuring the Cisco Discovery Protocol 4-90
Information About Configuring the Cisco Discovery Protocol 4-91
Guidelines and Limitations 4-91
Configuring the Cisco Discovery Protocol 4-93
Configuring the Cisco Discovery Protocol (GUI) 4-93
Configuring the Cisco Discovery Protocol (CLI) 4-95
Viewing Cisco Discovery Protocol Information 4-96
Viewing Cisco Discovery Protocol Information (GUI) 4-96
Viewing Cisco Discovery Protocol Information (CLI) 4-98
Configuring Authentication for the Controller and NTP Server 4-99
Information About Configuring Authentication for the Controller and NTP Server 4-100
Configuring Authentication for the Controller and NTP Server 4-100
Configuring the NTP Server for Authentication (GUI) 4-100
Configuring the NTP Server for Authentication (CLI) 4-100
Configuring RFID Tag Tracking 4-100
Information About Configuring RFID Tag Tracking 4-101
Configuring RFID Tag Tracking 4-102
Configuring RFID Tag Tracking (CLI) 4-102
Viewing RFID Tag Tracking Information (CLI) 4-103
Debugging RFID Tag Tracking Issues (CLI) 4-104
Modifying the NMSP Notification Interval for Clients, RFID Tags, and Rogues (CLI) 4-105
Viewing NMSP Settings (CLI) 4-105
Debugging NMSP Issues 4-108
Configuring and Viewing Location Settings 4-108
Information About Configuring and Viewing Location Settings 4-109
Installing the Location Appliance Certificate 4-109
Synchronizing the Controller and Location Appliance 4-110
Configuring Location Settings 4-110
Configuring Location Settings (CLI) 4-110
Viewing Location Settings (CLI) 4-112
Using the Wireless LAN Controller Network Module 4-114
Resetting the Controller to Default Settings 4-114
Information About Resetting the Controller to Default Settings 4-115
Resetting the Controller to Default Settings 4-115
Resetting the Controller to Default Settings (GUI) 4-115
Resetting the Controller to Default Settings (CLI) 4-115
CHAPTER 5 Configuring VideoStream 5-1
Information About VideoStream 5-1
Guidelines and Limitations 5-1
Configuring VideoStream 5-2
Configuring the VideoStream on the Controller (GUI) 5-2
Configuring the VideoStream on the Controller (CLI) 5-6
Viewing and Debugging Media Streams 5-7
CHAPTER 6 Configuring Security Solutions 6-1
Information about Cisco Unified Wireless Network Solution Security 6-2
Security Overview 6-2
Layer 1 Solutions 6-2
Layer 2 Solutions 6-2
Layer 3 Solutions 6-3
Integrated Security Solutions 6-3
Configuring RADIUS 6-3
Information About RADIUS 6-3
Guidelines and Limitations 6-4
RADIUS Server Support 6-4
RADIUS ACS Support 6-4
Primary and Fallback RADIUS Servers 6-4
Configuring RADIUS on the ACS 6-5
Configuring RADIUS 6-6
Configuring RADIUS (GUI) 6-6
Configuring RADIUS (CLI) 6-10
RADIUS Authentication Attributes Sent by the Access Point 6-13
RADIUS Accounting Attributes 6-16
Configuring TACACS+ 6-17
Information About TACACS+ 6-17
TACACS+ VSA 6-19
Guidelines and Limitations 6-19
Configuring TACACS+ on the ACS 6-19
Configuring TACACS+ 6-21
Configuring TACACS+ (GUI) 6-21
Configuring TACACS+ (CLI) 6-23
Viewing the TACACS+ Administration Server Logs 6-24
Prerequisites 6-24
Configuring Maximum Local Database Entries 6-26
Information About Configuring Maximum Local Database Entries 6-26
Configuring Maximum Local Database Entries (GUI) 6-26
Configuring Maximum Local Database Entries (CLI) 6-27
Configuring Local Network Users on the Controller 6-27
Information About Local Network Users on Controller 6-28
Configuring Local Network Users for the Controller 6-28
Configuring Local Network Users for the Controller (GUI) 6-28
Configuring Local Network Users for the Controller (CLI) 6-29
Additional References 6-30
Configuring Password Policies 6-30
Information About Password Policies 6-30
Configuring Password Policies (GUI) 6-30
Configuring Password Policies (CLI) 6-31
Configuring LDAP 6-31
Information About LDAP 6-32
Configuring LDAP (GUI) 6-32
Configuring LDAP (CLI) 6-34
Additional References 6-36
Configuring Local EAP 6-36
Information About Local EAP 6-36
Guidelines and Limitations 6-38
Configuring Local EAP (GUI) 6-38
Configuring Local EAP (CLI) 6-42
Additional References 6-47
Configuring the System for SpectraLink NetLink Telephones 6-47
Information About SpectraLink NetLink Telephones 6-47
Configuring SpectraLink NetLink Phones 6-47
Enabling Long Preambles (GUI) 6-47
Enabling Long Preambles (CLI) 6-48
Configuring Enhanced Distributed Channel Access (CLI) 6-49
Configuring RADIUS NAC Support 6-49
Information About RADIUS NAC Support 6-49
Device Registration 6-49
Central Web Authentication 6-50
Local Web Authentication 6-50
Guidelines and Limitations 6-50
Configuring RADIUS NAC Support (GUI) 6-51
Configuring RADIUS NAC Support (CLI) 6-51
Using Management Over Wireless 6-52
Information About Management Over Wireless 6-52
Enabling Management over Wireless (GUI) 6-52
Enabling Management over Wireless (CLI) 6-52
Using Dynamic Interfaces for Management 6-53
Information About Using Dynamic Interfaces for Management 6-53
Enabling Management using Dynamic Interfaces (CLI) 6-53
Configuring DHCP Option 82 6-53
Information About DHCP Option 82 6-53
Guidelines and Limitations 6-54
Configuring DHCP Option 82 (GUI) 6-54
Configuring DHCP Option 82 (CLI) 6-55
Additional References 6-56
Configuring and Applying Access Control Lists 6-56
Information About Access Control Lists 6-56
Guidelines and Limitations 6-56
Configuring and Applying Access Control Lists (GUI) 6-57
Configuring Access Control Lists 6-57
Applying an Access Control List to an Interface 6-60
Applying an Access Control List to the Controller CPU 6-61
Applying an Access Control List to a WLAN 6-61
Applying a Preauthentication Access Control List to a WLAN 6-62
Configuring and Applying Access Control Lists (CLI) 6-63
Configuring Access Control Lists 6-63
Applying Access Control Lists 6-65
Configuring Management Frame Protection 6-66
Information About Management Frame Protection 6-66
Guidelines and Limitations 6-67
Configuring Management Frame Protection (GUI) 6-68
Viewing the Management Frame Protection Settings (GUI) 6-69
Configuring Management Frame Protection (CLI) 6-70
Viewing the Management Frame Protection Settings (CLI) 6-70
Debugging Management Frame Protection Issues (CLI) 6-72
Configuring Client Exclusion Policies 6-72
Configuring Client Exclusion Policies (GUI) 6-73
Configuring Client Exclusion Policies (CLI) 6-73
Configuring Identity Networking 6-75
Information About Identity Networking 6-75
RADIUS Attributes Used in Identity Networking 6-75
Configuring AAA Override 6-78
Information About AAA Override 6-78
Guidelines and Limitations 6-79
Updating the RADIUS Server Dictionary File for Proper QoS Values 6-79
Configuring AAA Override (GUI) 6-80
Configuring AAA Override (CLI) 6-81
Managing Rogue Devices 6-81
Information About Rogue Devices 6-81
Detecting Rogue Devices 6-82
Guidelines and Limitations 6-82
WCS Interaction and Rogue Detection 6-83
Configuring Rogue Detection (GUI) 6-83
Configuring Rogue Detection (CLI) 6-85
Classifying Rogue Access Points 6-88
Information About Classifying Rogue Access Points 6-88
Configuring Rogue Classification Rules (GUI) 6-90
Viewing and Classifying Rogue Devices (GUI) 6-93
Configuring Rogue Classification Rules (CLI) 6-96
Viewing and Classifying Rogue Devices (CLI) 6-98
Configuring Cisco TrustSec SXP 6-102
Information About Cisco TrustSec SXP 6-103
Guidelines and Limitations 6-103
Configuring Cisco TrustSec SXP (GUI) 6-104
Creating a New SXP Connection (GUI) 6-105
Configuring Cisco TrustSec SXP (CLI) 6-105
Configuring Cisco Intrusion Detection System 6-106
Information About Cisco Intrusion Detection System 6-106
Additional Information 6-107
Configuring IDS Sensors (GUI) 6-107
Viewing Shunned Clients (GUI) 6-108
Configuring IDS Sensors (CLI) 6-108
Viewing Shunned Clients (CLI) 6-110
Configuring IDS Signatures 6-110
Information About IDS Signatures 6-111
Configuring IDS Signatures (GUI) 6-113
Uploading or Downloading IDS Signatures 6-113
Enabling or Disabling IDS Signatures 6-115
Viewing IDS Signature Events (GUI) 6-116
Configuring IDS Signatures (CLI) 6-118
Viewing IDS Signature Events (CLI) 6-119
Configuring wIPS 6-121
Information About wIPS 6-121
Guidelines and Limitations 6-124
Additional References 6-124
Configuring wIPS on an Access Point (GUI) 6-124
Configuring wIPS on an Access Point (CLI) 6-124
Viewing wIPS Information (CLI) 6-126
Configuring Wi-Fi Direct Client Policy 6-127
Information About Wi-Fi Direct Client Policy 6-127
Guidelines and Limitations 6-127
Configuring Wi-Fi Direct Client Policy (GUI) 6-127
Configuring Wi-Fi Direct Client Policy (CLI) 6-128
Monitoring and Troubleshooting Wi-Fi Direct Client Policy (CLI) 6-128
Configuring Web Auth Proxy 6-128
Information About Web Auth Proxy 6-128
Configuring Web Auth Proxy (GUI) 6-129
Configuring Web Auth Proxy (CLI) 6-130
Detecting Active Exploits 6-130
CHAPTER 7 Working with WLANs 7-1
Information About WLANs 7-1
Guidelines and Limitations 7-1
Creating WLANs 7-3
Creating and Removing WLANs (GUI) 7-3
Enabling and Disabling WLANs (GUI) 7-6
Creating and Deleting WLANs (CLI) 7-6
Viewing WLANs (CLI) 7-7
Enabling and Disabling WLANs (CLI) 7-7
Searching WLANs 7-8
Searching WLANs (GUI) 7-8
Setting the Client Count per WLAN 7-9
Information About Setting Client Count per WLAN 7-9
Guidelines and Limitations 7-9
Configuring Client Count per WLAN (GUI) 7-9
Configuring Maximum Number of Clients per WLAN (CLI) 7-10
Configuring Maximum Number of Clients per AP Radio Per WLAN (GUI) 7-10
Configuring Maximum Number of Clients per AP Radio Per WLAN (CLI) 7-10
Configuring WLANs 7-10
Configuring DHCP 7-11
Internal DHCP Server 7-12
External DHCP Servers 7-12
DHCP Assignment 7-13
Security Considerations 7-13
Guidelines and Limitations 7-14
Configuring DHCP 7-14
Configuring DHCP (GUI) 7-14
Configuring DHCP (CLI) 7-15
Debugging DHCP (CLI) 7-15
Configuring DHCP Scopes 7-16
Configuring DHCP Scopes (GUI) 7-16
Configuring DHCP Scopes (CLI) 7-18
Configuring MAC Filtering for WLANs 7-19
Configuring Local MAC Filters 7-19
Information About Local MAC Filters 7-20
Configuring Local MAC Filters (CLI) 7-20
Guidelines and Limitations 7-20
Configuring a Timeout for Disabled Clients 7-20
Configuring a Timeout for Disabled Clients (CLI) 7-20
Assigning WLANs to Interfaces 7-21
Configuring the DTIM Period 7-21
Information About the DTIM Period 7-21
Guidelines and Limitations 7-22
Configuring the DTIM Period 7-22
Configuring Peer-to-Peer Blocking 7-24
Information About Peer-to-Peer Blocking 7-24
Guidelines and Limitations 7-25
Configuring Peer-to-Peer Blocking 7-26
Configuring Layer 2 Security 7-27
Configuring Static WEP Keys (CLI) 7-28
Configuring Dynamic 802.1X Keys and Authorization (CLI) 7-28
Configuring a WLAN for Both Static and Dynamic WEP 7-28
Information About WLAN for Both Static and Dynamic WEP 7-29
WPA1 and WPA2 7-29
Guidelines and Limitations 7-30
Configuring WPA1+WPA2 7-30
Configuring WPA1+WPA2 (GUI) 7-30
Configuring WPA1+WPA2 (CLI) 7-32
Configuring Sticky PMKID Caching 7-33
Information About Sticky PMKID Caching 7-33
Guidelines and Limitations 7-33
Configuring Sticky PMKID Caching (CLI) 7-33
Configuring CKIP 7-34
Information About CKIP 7-35
Configuring CKIP 7-35
Configuring Session Timeouts 7-37
Configuring a Session Timeout (GUI) 7-37
Configuring a Session Timeout (CLI) 7-37
Configuring Layer 3 Security Using VPN Passthrough 7-38
Information About VPN Passthrough 7-38
Guidelines and Limitations 7-38
Configuring VPN Passthrough 7-38
Configuring Layer 3 Security Using Web Authentication 7-39
Information About Web Authentication 7-39
Guidelines and Limitations 7-39
Configuring Web Authentication 7-40
Configuring WISPr Bypassing 7-41
Information about WISPr 7-41
Configuring WISPr Bypassing 7-42
Configuring WISPr Bypassing (CLI) 7-42
Configuring a Fallback Policy with MAC Filtering and Web Authentication 7-42
Information About Fallback Policy with MAC Filtering and Web Authentication 7-42
Configuring a Fallback Policy with MAC Filtering and Web Authentication 7-42
Assigning a QoS Profile to a WLAN 7-44
Information About QoS Profiles 7-44
Assigning QoS Profiles 7-45
Configuring QoS Enhanced BSS 7-46
Information About QoS Enhanced BSS 7-46
Guidelines and Limitations 7-47
Configuring QBSS 7-48
Configuring Media Session Snooping and Reporting 7-49
Information About Media Session Snooping and Reporting 7-50
Guidelines and Limitations 7-50
Configuring Media Session Snooping 7-50
Configuring Key Telephone System-Based CAC 7-55
Information About Key Telephone System-Based CAC 7-56
Guidelines and Limitations 7-56
Configuring KTS-based CAC 7-56
Configuring Reanchoring of Roaming Voice Clients 7-58
Information About Reanchoring of Roaming Voice Clients 7-58
Guidelines and Limitations 7-58
Configuring Reanchoring of Roaming Voice Clients 7-58
Configuring Seamless IPv6 Mobility 7-60
Information About IPv6 Mobility 7-60
Guidelines and Limitations 7-60
Configuring RA Guard for IPv6 Clients 7-61
Information About RA Guard 7-61
Configuring RA Guard (GUI) 7-61
Configuring RA Guard (CLI) 7-62
Configuring RA Throttling for IPv6 Clients 7-62
Information about RA Throttling 7-62
Configuring RA Throttling (GUI) 7-63
Configuring RA Throttle Policy (CLI) 7-64
Configuring IPv6 Neighbor Discovery Caching 7-64
Information About IPv6 Neighbor Discovery 7-64
Configuring Neighbor Binding Timers (GUI) 7-65
Configure Neighbor Binding Timers (CLI) 7-66
Configuring Unknown Address NS Multicast Forwarding 7-66
Configuring NS Multicast Forwarding (CLI) 7-66
Configuring Cisco Client Extensions 7-67
Information About Cisco Client Extensions 7-67
Guidelines and Limitations 7-67
Configuring CCX Aironet IEs 7-67
Configuring AP Groups 7-70
Information About Access Point Groups 7-70
Guidelines and Limitations 7-72
Configuring Access Point Groups 7-72
Configuring RF Profiles 7-76
Information About RF Profiles 7-77
Guidelines and Limitations 7-77
Configuring RF Profiles 7-77
Configuring Web Redirect with 802.1X Authentication 7-81
Information About Web Redirect with 802.1X Authentication 7-81
Configuring Web Redirect 7-83
Configuring NAC Out-of-Band Integration 7-87
Information About NAC Out-of-Band Integration 7-87
Guidelines and Limitations 7-88
Configuring NAC Out-of-Band Integration 7-89
Configuring Passive Clients 7-93
Information About Passive Clients 7-93
Guidelines and Limitations 7-94
Configuring Passive Clients 7-94
Configuring Per-WLAN RADIUS Source Support 7-99
Information About Per-WLAN RADIUS Source Support 7-99
Guidelines and Limitations 7-100
Configuring Per-WLAN RADIUS Source Support 7-100
Configuring Remote LANs 7-101
Guidelines and Limitations 7-101
Configuring Remote LANs 7-102
CHAPTER 8 Controlling Lightweight Access Points 8-1
Access Point Communication Protocols 8-2
Information About Access Point Communication Protocols 8-2
Guidelines and Limitations 8-2
Configuring Data Encryption 8-3
Information About Data Encryption 8-3
Guidelines and Limitations 8-3
Upgrading or Downgrading DTLS Images for Cisco 5500 Series Controllers 8-4
Configuring Data Encryption 8-4
Viewing CAPWAP Maximum Transmission Unit Information 8-6
Debugging CAPWAP 8-7
Controller Discovery Process 8-7
Guidelines and Limitations 8-7
Verifying that Access Points Join the Controller 8-8
Verifying that Access Points Join the Controller (GUI) 8-8
Verifying that Access Points Join the Controller (CLI) 8-9
Searching for Access Points 8-9
Information About Searching for Access Points 8-9
Filtering the AP Search (GUI) 8-9
Monitoring the Interface Details (GUI) 8-12
Searching for Access Point Radios 8-14
Information About Searching for Access Point Radios 8-14
Searching for Access Point Radios (GUI) 8-14
Configuring Global Credentials for Access Points 8-16
Information About Configuring Global Credentials for Access Points 8-16
Guidelines and Limitations 8-17
Configuring Global Credentials for Access Points 8-17
Configuring Global Credentials for Access Points (GUI) 8-17
Configuring Global Credentials for Access Points (CLI) 8-19
Configuring Authentication for Access Points 8-20
Information About Configuring Authentication for Access Points 8-21
Guidelines and Limitations 8-21
Prerequisites for Configuring Authentication for Access Points 8-21
Configuring Authentication for Access Points 8-22
Configuring Authentication for Access Points (GUI) 8-22
Configuring Authentication for Access Points (CLI) 8-24
Configuring the Switch for Authentication 8-26
Configuring Embedded Access Points 8-26
Information About Embedded Access Points 8-26
Guidelines and Limitations 8-27
Additional References 8-28
Converting Autonomous Access Points to Lightweight Mode 8-28
Information About Autonomous Access Points Converted to Lightweight Mode 8-28
Guidelines and Limitations 8-29
Reverting from Lightweight Mode to Autonomous Mode 8-29
Reverting to a Previous Release (CLI) 8-29
Reverting to a Previous Release (Using the MODE Button and a TFTP Server) 8-30
Authorizing Access Points 8-30
Authorizing Access Points Using SSCs 8-31
Authorizing Access Points Using MICs 8-31
Authorizing Access Points Using LSCs 8-31
Authorizing Access Points (GUI) 8-35
Authorizing Access Points (CLI) 8-36
Using DHCP Option 43 and DHCP Option 60 8-37
Troubleshooting the Access Point Join Process 8-38
Configuring the Syslog Server for Access Points (CLI) 8-39
Viewing Access Point Join Information 8-40
Sending Debug Commands to Access Points Converted to Lightweight Mode 8-43
Understanding How Converted Access Points Send Crash Information to the Controller 8-43
Understanding How Converted Access Points Send Radio Core Dumps to the Controller 8-43
Retrieving Radio Core Dumps (CLI) 8-43
Uploading Radio Core Dumps 8-44
Uploading Memory Core Dumps from Converted Access Points 8-45
Uploading Access Point Core Dumps (GUI) 8-46
Uploading Access Point Core Dumps (CLI) 8-46
Viewing the AP Crash Log Information 8-47
Viewing the AP Crash Log Information (GUI) 8-47
Viewing the AP Crash Log Information (CLI) 8-48
Displaying MAC Addresses for Converted Access Points 8-48
Disabling the Reset Button on Access Points Converted to Lightweight Mode 8-48
Configuring a Static IP Address on a Lightweight Access Point 8-48
Configuring a Static IP Address (GUI) 8-49
Configuring a Static IP Address (CLI) 8-50
Supporting Oversized Access Point Images 8-51
Recovering the Access Point (Using the TFTP Recovery Procedure) 8-51
Configuring OfficeExtend Access Points 8-51
Information About OfficeExtend Access Points 8-52
OEAP 600 Series Access Points 8-52
Supported Controller Platforms 8-53
OEAP in Local Mode 8-53
Supported WLAN Settings for 600 Series OfficeExtend Access Point 8-54
WLAN Security Settings for the 600 Series OfficeExtend Access Point 8-55
Authentication Settings 8-58
Supported User Count on 600 Series OfficeExtend Access Point 8-58
Remote LAN Settings 8-59
Channel Management and Settings 8-60
Additional Caveats 8-61
Implementing Security 8-61
Licensing for an OfficeExtend Access Point 8-62
Configuring OfficeExtend Access Points 8-62
Configuring OfficeExtend Access Points (GUI) 8-62
Configuring OfficeExtend Access Points (CLI) 8-65
Configuring a Personal SSID on an OfficeExtend Access Point 8-67
Viewing OfficeExtend Access Point Statistics 8-69
Additional References 8-70
Using Cisco Workgroup Bridges 8-70
Information About Cisco Workgroup Bridges 8-70
Guidelines and Limitations 8-71
WGB Configuration Example 8-73
Viewing the Status of Workgroup Bridges 8-73
Viewing the Status of Workgroup Bridges (GUI) 8-73
Viewing the Status of Workgroup Bridges (CLI) 8-74
Debugging WGB Issues (CLI) 8-75
Configuring Non-Cisco Workgroup Bridges 8-75
Information About Non-Cisco Workgroup Bridges 8-75
Guidelines and Limitations 8-76
Configuring Backup Controllers 8-77
Information About Configuring Backup Controllers 8-77
Guidelines and Limitations 8-77
Configuring Backup Controllers 8-78
Configuring Backup Controllers (GUI) 8-78
Configuring Backup Controllers (CLI) 8-79
Configuring Failover Priority for Access Points 8-81
Information About Configuring Failover Priority for Access Points 8-82
Guidelines and Limitations 8-82
Configuring Failover Priority for Access Points 8-82
Configuring Failover Priority for Access Points (GUI) 8-82
Configuring Failover Priority for Access Points (CLI) 8-83
Viewing Failover Priority Settings (CLI) 8-84
Configuring Access Point Retransmission Interval and Retry Count 8-84
Information About Configuring Access Point Retransmission Interval and Retry Count 8-85
Guidelines and Limitations 8-85
Configuring the Access Point Retransmission Interval and Retry Count 8-85
Configuring Country Codes 8-87
Information About Configuring Country Codes 8-87
Guidelines and Limitations 8-87
Configuring Country Codes 8-88
Configuring Country Codes (GUI) 8-88
Configuring Country Codes (CLI) 8-90
Migrating Access Points from the -J Regulatory Domain to the -U Regulatory Domain 8-93
Information About Migrating Access Points from the -J Regulatory Domain to the -U Regulatory Domain 8-93
Guidelines and Limitations 8-94
Migrating Access Points to the -U Regulatory Domain (CLI) 8-94
Using the W56 Band in Japan 8-96
Dynamic Frequency Selection 8-96
Optimizing RFID Tracking on Access Points 8-97
Information About Optimizing RFID Tracking on Access Points 8-97
Optimizing RFID Tracking on Access Points 8-98
Optimizing RFID Tracking on Access Points (GUI) 8-98
Optimizing RFID Tracking on Access Points (CLI) 8-99
Configuring Probe Request Forwarding 8-100
Information About Configuring Probe Request Forwarding 8-100
Configuring Probe Request Forwarding (CLI) 8-100
Retrieving the Unique Device Identifier on Controllers and Access Points 8-101
Information About Retrieving the Unique Device Identifier on Controllers and Access Points 8-101
Retrieving the Unique Device Identifier on Controllers and Access Points 8-101
Retrieving the Unique Device Identifier on Controllers and Access Points (GUI) 8-101
Retrieving the Unique Device Identifier on Controllers and Access Points (CLI) 8-102
Performing a Link Test 8-102
Information About Performing a Link Test 8-103
Performing a Link Test 8-103
Performing a Link Test (GUI) 8-104
Performing a Link Test (CLI) 8-105
Configuring Link Latency 8-105
Information About Configuring Link Latency 8-106
Guidelines and Limitations 8-106
Configuring Link Latency 8-106
Configuring Link Latency (GUI) 8-106
Configuring Link Latency (CLI) 8-107
Configuring the TCP MSS 8-108
Information About Configuring the TCP MSS 8-109
Configuring TCP MSS 8-109
Configuring TCP MSS (GUI) 8-109
Configuring TCP MSS (CLI) 8-109
Configuring Power over Ethernet 8-110
Information About Configuring Power over Ethernet 8-110
Guidelines and Limitations 8-110
Configuring Power over Ethernet 8-111
Configuring Power over Ethernet (GUI) 8-111
Configuring Power over Ethernet (CLI) 8-113
Configuring Flashing LEDs 8-114
Information About Configuring Flashing LEDs 8-114
Configuring Flashing LEDs (CLI) 8-114
Viewing Clients 8-115
Viewing Clients (GUI) 8-115
Viewing Clients (CLI) 8-119
Configuring LED States for Access Points 8-120
Guidelines and Limitations 8-120
Configuring LED State of Access Point in a Network Globally (GUI) 8-120
Configuring LED State of Access Point in a Network Globally (CLI) 8-120
Configuring LED State on an Access Point (GUI) 8-120
Configuring LED State on an Access Point (CLI) 8-120
CHAPTER 9 Controlling Mesh Access Points 9-1
Information About Cisco Aironet Mesh Access Points 9-1
Guidelines and Limitations 9-2
Additional References 9-2
Access Point Roles 9-2
Network Access 9-3
Network Segmentation 9-4
Cisco Indoor Mesh Access Points 9-4
Cisco Outdoor Mesh Access Points 9-4
Mesh Deployment Modes 9-5
Wireless Mesh Network 9-5
Wireless Backhaul 9-6
Point-to-Multipoint Wireless Bridging 9-7
Point-to-Point Wireless Bridging 9-7
Architecture Overview 9-11
Control And Provisioning of Wireless Access Points (CAPWAP) 9-11
Cisco Adaptive Wireless Path Protocol Wireless Mesh Routing 9-11
Mesh Neighbors, Parents, and Children 9-11
Design Considerations 9-12
Wireless Mesh Constraints 9-12
Wireless Backhaul Data Rate 9-12
ClientLink Technology 9-15
Commands Related to Cisco ClientLink 9-17
Controller Planning 9-17
Adding Mesh Access Points to the Mesh Network 9-19
Adding MAC Addresses of Mesh Access Points to the MAC Filter 9-20
Adding the MAC Address of the Mesh Access Point to the Controller Filter List (GUI) 9-20
Adding the MAC Address of the Mesh Access Point to the Controller Filter List (CLI) 9-21
Defining Mesh Access Point Role 9-21
Information About MAP and RAP Association With the Controller 9-21
Configuring the AP Role (GUI) 9-22
Configuring the AP Role (CLI) 9-22
Configuring Multiple Controllers Using DHCP 43 and DHCP 60 9-22
Configuring Backup Controllers 9-23
Information About Configuring Backup Controllers 9-24
Guidelines and Limitations 9-24
Configuring Backup Controllers (GUI) 9-24
Configuring Backup Controllers (CLI) 9-26
Configuring External Authentication and Authorization Using a RADIUS Server 9-28
Configuring RADIUS Servers 9-29
Adding a Username to a RADIUS Server 9-29
Enabling External Authentication of Mesh Access Points 9-30
Viewing Security Statistics 9-31
Configuring Global Mesh Parameters 9-31
Information About Configuring Global Mesh Parameters 9-31
Configuring Global Mesh Parameters (GUI) 9-32
Configuring Global Mesh Parameters (CLI) 9-36
Viewing Global Mesh Parameter Settings (CLI) 9-37
Configuring Local Mesh Parameters 9-38
Configuring Wireless Backhaul Data Rate 9-38
Configuring Ethernet Bridging 9-43
Configuring Bridge Group Names 9-45
Configuring Public Safety Band Settings 9-46
Configuring Interoperability with Cisco 3200 9-48
Configuring Power and Channel Settings 9-51
Configuring Antenna Gain 9-54
Backhaul Channel Deselection on Serial Backhaul Access Point 9-55
Configuring Dynamic Channel Assignment (GUI) 9-60
Configuring Advanced Features 9-63
Using the 2.4-GHz Radio for Backhaul 9-64
Changing the Backhaul from 5 GHz to 2.4 GHz 9-64
Changing the Backhaul from 2.4 GHz to 5 GHz 9-65
Verifying the Current Backhaul in Use 9-65
Universal Client Access 9-66
Configuring Universal Client Access (GUI) 9-66
Configuring Universal Client Access (CLI) 9-66
Universal Client Access on Serial Backhaul Access Points 9-67
Configuring Extended Universal Access (GUI) 9-67
Configuring Extended Universal Access (CLI) 9-70
Configuring Extended Universal Access from the Wireless Control System (WCS) 9-71
Configuring Ethernet VLAN Tagging 9-71
Ethernet Port Notes 9-72
Ethernet VLAN Tagging Guidelines 9-73
VLAN Registration 9-75
Enabling Ethernet VLAN Tagging (GUI) 9-75
Configuring Ethernet VLAN Tagging (CLI) 9-77
Viewing Ethernet VLAN Tagging Configuration Details (CLI) 9-78
Workgroup Bridge Interoperability with Mesh Infrastructure 9-79
Configuring Workgroup Bridges 9-81
Supported Workgroup Bridge Modes and Capacities 9-81
Guidelines and Limitations 9-83
Example—Configuration of a Workgroup Bridge 9-84
WGB Association Check 9-85
Link Test Result 9-86
WGB Wired/Wireless Client 9-88
Client Roaming 9-89
WGB Roaming Guidelines 9-89
Configuration Example 9-90
Troubleshooting Tips 9-90
Configuring Voice Parameters in Indoor Mesh Networks 9-91
CAC 9-91
QoS and DSCP Marking 9-91
Encapsulations 9-92
Queuing on the Mesh Access Point 9-93
Bridging Backhaul Packets 9-95
Bridging Packets from and to a LAN 9-96
Guidelines For Using Voice on the Mesh Network 9-96
Voice Call Support in a Mesh Network 9-97
Viewing the Voice Details for Mesh Networks (CLI) 9-98
Enabling Mesh Multicast Containment for Video 9-101
Enabling Multicast on a Mesh Network (CLI) 9-102
IGMP Snooping 9-102
Locally Significant Certificates for Mesh APs 9-103
Guidelines and Limitations 9-103
Differences Between LSCs for Mesh APs and Normal APs 9-104
Certificate Verification Process in LSC AP 9-104
Configuring an LSC (CLI) 9-104
LSC-Related Commands 9-105
Controller CLI show Commands 9-107
Controller GUI Security Settings 9-107
Deployment Guidelines 9-109
Slot Bias Options 9-109
Information About Slot Bias Options 9-109
Disabling Slot Bias 9-109
Guidelines and Limitations 9-110
Commands Related to Slot Bias 9-110
Preferred Parent Selection 9-111
Guidelines and Limitations 9-111
Configuring a Preferred Parent 9-111
Co-Channel Interference 9-113
Viewing Mesh Statistics for a Mesh Access Point 9-113
Viewing Mesh Statistics for a Mesh Access Point (GUI) 9-113
Viewing Mesh Statistics for a Mesh Access Point (CLI) 9-117
Viewing Neighbor Statistics for a Mesh Access Point 9-118
Viewing Neighbor Statistics for a Mesh Access Point (GUI) 9-118
Viewing the Neighbor Statistics for a Mesh Access Point (CLI) 9-121
Converting Indoor Access Points to Mesh Access Points 9-122
Changing MAP and RAP Roles for Indoor Mesh Access Points 9-122
Changing MAP and RAP Roles for Indoor Mesh Access Points (GUI) 9-123
Changing MAP and RAP Roles for Indoor Mesh Access Points (CLI) 9-123
Converting Indoor Mesh Access Points to Nonmesh Lightweight Access Points (1130AG, 1240AG) 9-123
Configuring Mesh Access Points to Operate with Cisco 3200 Series Mobile Access Routers 9-124
Guidelines and Limitations 9-125
Enabling Mesh Access Points to Operate with Cisco 3200 Series Mobile Access Routers (GUI) 9-125
Enabling Mesh Access Points to Operate with Cisco 3200 Series Mobile Access Routers (CLI) 9-126
CHAPTER 10 Managing Controller Software and Configurations 10-1
Upgrading the Controller Software 10-1
Information About Upgrading the Controller Software 10-1
Guidelines and Limitations 10-2
Upgrading Controller Software 10-5
Upgrading Controller Software (GUI) 10-5
Upgrading Controller Software (CLI) 10-7
Predownloading an Image to an Access Point 10-10
Information About Predownloading an Image to an Access Point 10-10
Access Point Predownload Process 10-11
Guidelines and Limitations 10-12
Predownloading an Image to an Access Point 10-12
Configuring Predownload Image to Access Points - Global Configuration (GUI) 10-12
Configuring Predownload Image to an Access Point (GUI) 10-13
Predownloading an Image to Access Points (CLI) 10-13
Transferring Files to and from a Controller 10-15
Downloading a Login Banner File 10-15
Information About Downloading a Login Banner File 10-16
Downloading a Login Banner File 10-16
Clearing the Login Banner (GUI) 10-18
Downloading Device Certificates 10-19
Information About Downloading Device Certificates 10-19
Guidelines and Limitations 10-19
Downloading Device Certificates 10-20
Downloading CA Certificates 10-22
Information About Downloading CA Certificates 10-22
Guidelines and Limitations 10-22
Downloading CA Certificates 10-23
Uploading PACs 10-25
Information About Uploading PACs 10-25
Guidelines and Limitations 10-25
Uploading PACs 10-26
Uploading and Downloading Configuration Files 10-28
Information About Uploading and Downloading Configuration Files 10-28
Guidelines and Limitations 10-28
Uploading Configuration Files 10-29
Downloading Configuration Files 10-31
Saving Configurations 10-33
Editing Configuration Files 10-34
Clearing the Controller Configuration 10-35
Erasing the Controller Configuration 10-35
Resetting the Controller 10-36
CHAPTER 11 Managing User Accounts 11-1
Creating Guest User Accounts 11-1
Information About Creating Guest Accounts 11-1
Guidelines and Limitations 11-2
Creating a Lobby Ambassador Account 11-2
Creating a Lobby Ambassador Account (GUI) 11-2
Creating a Lobby Ambassador Account (CLI) 11-3
Creating Guest User Accounts as a Lobby Ambassador (GUI) 11-3
Viewing Guest User Accounts 11-5
Viewing the Guest Accounts (GUI) 11-5
Viewing the Guest Accounts (CLI) 11-6
Additional References 11-6
Obtaining a Web Authentication Certificate 11-6
Information About Web Authentication Certificate 11-6
Support for Chained Certificate 11-6
Obtaining Web Authentication Certificates 11-6
Obtaining a Web Authentication Certificate (GUI) 11-7
Obtaining a Web Authentication Certificate (CLI) 11-8
Web Authentication Process 11-9
Information About Web Authentication Process 11-9
Guidelines and Limitations 11-9
Choosing the Default Web Authentication Login Page 11-12
Information About Default Web Authentication Login Page 11-12
Guidelines and Limitations 11-13
Choosing the Default Web Authentication Login Page (GUI) 11-13
Choosing the Default Web Authentication Login Page (CLI) 11-14
Example: Modified Default Web Authentication Login Page Example 11-16
Example: Creating a Customized Web Authentication Login Page 11-17
Choosing a Customized Web Authentication Login Page from an External Web Server 11-19
Information About Customized Web Authentication Login Page 11-20
Guidelines and Limitations 11-20
Choosing a Customized Web Authentication Login Page from An External Web Server 11-20
Choosing a Customized Web Authentication Login Page from an External Web Server (GUI) 11-20
Choosing a Customized Web Authentication Login Page from an External Web Server (CLI) 11-21
Additional References 11-21
Downloading a Customized Web Authentication Login Page 11-21
Information About Downloading Customized Web Authentication Login Page 11-22
Guidelines and Limitations 11-22
Additional References 11-22
Downloading a Customized Web Authentication Login Page (GUI) 11-23
Downloading a Customized Web Authentication Login Page (CLI) 11-24
Additional References 11-24
Example: Customized Web Authentication Login Page 11-25
Verifying the Web Authentication Login Page Settings (CLI) 11-25
Assigning Login, Login Failure, and Logout Pages per WLAN 11-25
Information About Assigning Login, Login Failure, and Logout Pages per WLAN 11-26
Assigning Login, Login Failure, and Logout Pages per WLAN (GUI) 11-26
Assigning Login, Login Failure, and Logout Pages per WLAN (CLI) 11-27
Configuring Wired Guest Access 11-28
Information About Wired Guest Access 11-28
Prerequisites for Configuring Wired Guest Access 11-30
Guidelines and Limitations 11-30
Configuring Wired Guest Access 11-31
Configuring Wired Guest Access (GUI) 11-31
Configuring Wired Guest Access (CLI) 11-34
Supporting IPv6 Client Guest Access 11-37
CHAPTER 12 Configuring Radio Resource Management 12-1
Information About Radio Resource Management 12-1
Radio Resource Monitoring 12-2
Transmit Power Control 12-2
Dynamic Channel Assignment 12-3
Coverage Hole Detection and Correction 12-4
Benefits of RRM 12-5
Guidelines and Limitations 12-5
Configuring RRM 12-5
Configuring the RF Group Mode (GUI) 12-6
Configuring the RF Group Mode (CLI) 12-7
Configuring Transmit Power Control (GUI) 12-7
Configuring Off-Channel Scanning Defer 12-9
Information About Off-Channel Scanning Defer 12-9
Configuring Off-Channel Scanning Defer for WLANs 12-9
Configuring RRM Neighbor Discovery Packets 12-25
Important About RRM NDP and RF Grouping 12-25
Configuring RRM NDP (CLI) 12-26
Configuring RF Groups 12-26
Information About RF Groups 12-26
RF Group Leader 12-27
RF Group Name 12-28
Guidelines and Limitations 12-28
Configuring RF Groups 12-29
Configuring an RF Group Name (GUI) 12-29
Configuring an RF Group Name (CLI) 12-30
Viewing the RF Group Status 12-30
Viewing RF Group Status (GUI) 12-30
Viewing RF Group Status (CLI) 12-31
Overriding RRM 12-32
Information About Overriding RRM 12-32
Guidelines and Limitations 12-33
Statically Assigning Channel and Transmit Power Settings to Access Point Radios 12-33
Statically Assigning Channel and Transmit Power Settings (GUI) 12-33
Statically Assigning Channel and Transmit Power Settings (CLI) 12-37
Disabling Dynamic Channel and Power Assignment Globally for a Controller 12-39
Disabling Dynamic Channel and Power Assignment (GUI) 12-40
Disabling Dynamic Channel and Power Assignment (CLI) 12-40
Configuring Rogue Access Point Detection in RF Groups 12-40
Information About Rogue Access Point Detection in RF Groups 12-41
Configuring Rogue Access Point Detection in RF Groups 12-41
Enabling Rogue Access Point Detection in RF Groups (GUI) 12-41
Configuring Rogue Access Point Detection in RF Groups (CLI) 12-43
Configuring CCX Radio Management Features 12-44
Information About CCX Radio Management Features 12-44
Radio Measurement Requests 12-44
Location Calibration 12-45
Guidelines and Limitations 12-45
Configuring CCX Radio Management 12-45
Configuring CCX Radio Management (GUI) 12-45
Configuring CCX Radio Management (CLI) 12-46
Viewing CCX Radio Management Information (CLI) 12-47
Debugging CCX Radio Management Issues (CLI) 12-48
CHAPTER 13 Configuring Cisco CleanAir 13-1
Information About CleanAir 13-1
Role of the Controller in a Cisco CleanAir System 13-2
Interference Types that Cisco CleanAir can Detect 13-2
Persistent Devices 13-3
Persistent Devices Detection 13-3
Persistent Devices Propagation 13-4
Guidelines and Limitations 13-4
Configuring Cisco CleanAir 13-5
Configuring Cisco CleanAir on the Controller 13-5
Configuring Cisco CleanAir on the Controller (GUI) 13-5
Configuring Cisco CleanAir on the Controller (CLI) 13-8
Configuring Cisco CleanAir on an Access Point 13-11
Configuring Cisco CleanAir on an Access Point (GUI) 13-12
Configuring Cisco CleanAir on an Access Point (CLI) 13-13
Monitoring the Interference Devices 13-14
Prerequisites for Monitoring the Interference Devices 13-14
Monitoring the Interference Device (GUI) 13-14
Monitoring the Interference Device (CLI) 13-16
Detecting Interferers by an Access Point 13-16
Detecting Interferers by Device Type 13-17
Detecting Persistent Sources of Interference 13-17
Monitoring Persistent Devices (GUI) 13-18
Monitoring Persistent Devices (CLI) 13-18
Monitoring the Air Quality of Radio Bands 13-19
Monitoring the Air Quality of Radio Bands (GUI) 13-19
Monitoring the Air Quality of Radio Bands (CLI) 13-20
Viewing a Summary of the Air Quality 13-20
Viewing Air Quality for all Access Points on a Radio Band 13-20
Viewing Air Quality for an Access Point on a Radio Band 13-21
Monitoring the Worst Air Quality of Radio Bands (GUI) 13-21
Monitoring the Worst Air Quality of Radio Bands (CLI) 13-22
Viewing a Summary of the Air Quality (CLI) 13-22
Viewing Worst Air Quality Information for all Access Points on a Radio Band (CLI) 13-22
Viewing Air Quality for an Access Point on a Radio Band (CLI) 13-23
Viewing Air Quality for an Access Point by Device Type (CLI) 13-23
Detecting Persistent Sources of Interference (CLI) 13-24
Configuring a Spectrum Expert Connection 13-24
Additional References 13-26
Related Documents 13-27
Feature History for Configuring CleanAir 13-27
CHAPTER 14 Configuring Mobility Groups 14-1
Information About Mobility 14-1
Information About Mobility Groups 14-4
Determining When to Include Controllers in a Mobility Group 14-7
Messaging Among Mobility Groups 14-7
Using Mobility Groups with NAT Devices 14-7
Configuring Mobility Groups 14-9
Prerequisites for Configuring Mobility Groups 14-9
Configuring Mobility Groups (GUI) 14-11
Configuring Mobility Groups (CLI) 14-15
Viewing Mobility Group Statistics 14-16
Viewing Mobility Group Statistics (GUI) 14-16
Viewing Mobility Group Statistics (CLI) 14-19
Configuring Auto-Anchor Mobility 14-19
Information About Auto-Anchor Mobility 14-19
Guidelines and Limitations 14-20
Configuring Auto-Anchor Mobility (GUI) 14-20
Configuring Auto-Anchor Mobility (CLI) 14-21
Validating WLAN Mobility Security Values 14-23
Information About WLAN Mobility Security Values 14-23
Using Symmetric Mobility Tunneling 14-24
Information About Symmetric Mobility Tunneling 14-24
Guidelines and Limitations 14-26
Verifying Symmetric Mobility Tunneling 14-26
Verifying Symmetric Mobility Tunneling (GUI) 14-26
Verifying if Symmetric Mobility Tunneling is Enabled (CLI) 14-26
Running Mobility Ping Tests 14-27
Information About Mobility Ping Tests 14-27
Guidelines and Limitations 14-27
Running Mobility Ping Tests (CLI) 14-28
Configuring Dynamic Anchoring for Clients with Static IP Addresses 14-28
Information About Dynamic Anchoring for Clients with Static IP 14-28
How Dynamic Anchoring of Static IP Clients Works 14-29
Guidelines and Limitations 14-29
Configuring Dynamic Anchoring of Static IP Clients (GUI) 14-30
Configuring Dynamic Anchoring of Static IP Clients (CLI) 14-30
Configuring Foreign Mappings 14-30
Information About Foreign Mappings 14-30
Configuring Foreign Controller MAC Mapping (GUI) 14-30
Configuring Foreign Controller MAC Mapping (CLI) 14-31
CHAPTER 15 Configuring FlexConnect 15-1
Information About FlexConnect 15-1
FlexConnect Authentication Process 15-2
Guidelines and Limitations 15-5
Configuring FlexConnect 15-7
Configuring the Switch at the Remote Site 15-7
Configuring the Controller for FlexConnect 15-8
Configuring the Controller for FlexConnect (GUI) 15-8
Configuring the Controller for FlexConnect (CLI) 15-11
Configuring an Access Point for FlexConnect 15-12
Configuring an Access Point for FlexConnect (GUI) 15-12
Configuring an Access Point for FlexConnect (CLI) 15-13
Configuring an Access Point for Local Authentication on a WLAN (GUI) 15-14
Configuring an Access Point for Local Authentication on a WLAN (CLI) 15-15
Connecting Client Devices to WLANs 15-15
Configuring FlexConnect ACLs 15-16
Information About Access Control Lists 15-16
Guidelines and Limitations 15-16
Configuring FlexConnect ACLs 15-17
Configuring FlexConnect ACLs (GUI) 15-17
Configuring FlexConnect ACLs (CLI) 15-19
Viewing and Debugging FlexConnect ACLs (CLI) 15-19
Configuring FlexConnect Groups 15-20
Information About FlexConnect Groups 15-20
FlexConnect Groups and Backup RADIUS Servers 15-21
FlexConnect Groups and CCKM 15-21
FlexConnect Groups and Opportunistic Key Caching 15-21
FlexConnect Groups and Local Authentication 15-22
Configuring FlexConnect Groups 15-22
Configuring FlexConnect Groups (GUI) 15-22
Configuring FlexConnect Groups (CLI) 15-25
Configuring VLAN-ACL Mapping on FlexConnect Groups (GUI) 15-27
Configuring VLAN-ACL Mapping on FlexConnect Groups (CLI) 15-27
Viewing VLAN-ACL Mappings (CLI) 15-27
Configuring AAA Overrides for FlexConnect 15-28
Information About AAA Overrides 15-28
Guidelines and Limitations 15-29
Configuring AAA Override for FlexConnect on an Access Point (GUI) 15-29
Configuring VLAN Overrides for FlexConnect on an Access Point (CLI) 15-30
Configuring Efficient AP Image Upgrades for FlexConnect Access Points 15-30
Information About Efficient AP Image Upgrades 15-31
Guidelines and Limitations 15-31
Configuring Efficient AP Image Upgrades on FlexConnect APs (GUI) 15-31
Configuring Efficient AP Image Upgrades (CLI) 15-32
CHAPTER 16 Configuring Mobile Concierge 16-1
Information About 802.11u 16-1
Guidelines and Limitations 16-1
Configuring 802.11u 16-1
Configuring 802.11u (GUI) 16-2
Configuring 802.11u (CLI) 16-3
Configuring Venue Details on Access Points (GUI) 16-6
Configuring Venue Details on Access Points (CLI) 16-7
Information About 802.11u MSAP 16-10
Configuring 802.11u MSAP 16-10
Configuring 802.11u MSAP (GUI) 16-11
Configuring 802.11u MSAP (CLI) 16-11
Information About Hotspot 2.0 16-11
Configuring Hotspot 2.0 16-11
Configuring Hotspot 2.0 (GUI) 16-12
Configuring Hotspot 2.0 (CLI) 16-13
APPENDIX A Troubleshooting A-1
Information About Troubleshooting A-1
Interpreting LEDs A-2
Information About Interpreting LEDs A-2
Interpreting Controller LEDs A-2
Interpreting Lightweight Access Point LEDs A-2
System Messages A-3
Information About System Messages A-3
Viewing System Resources A-6
Information About Viewing System Resources A-6
Guidelines and Limitations A-6
Viewing System Resources (GUI) A-6
Viewing System Resources (CLI) A-7
Using the CLI to Troubleshoot Problems A-8
Configuring System and Message Logging A-9
Information About System and Message Logging A-9
Configuring System and Message Logging (GUI) A-10
Viewing Message Logs (GUI) A-12
Configuring System and Message Logging (CLI) A-12
Viewing System and Message Logs (CLI) A-15
Viewing Access Point Event Logs A-16
Information About Access Point Event Logs A-17
Viewing Access Point Event Logs (CLI) A-17
Uploading Logs and Crash Files A-17
Prerequisites to Upload Logs and Crash Files A-18
Uploading Logs and Crash Files (GUI) A-18
Uploading Logs and Crash Files (CLI) A-19
Uploading Core Dumps from the Controller A-20
Information About Uploading Core Dumps from the Controller A-20
Configuring the Controller to Automatically Upload Core Dumps to an FTP Server (GUI) A-20
Configuring the Controller to Automatically Upload Core Dumps to an FTP Server (CLI) A-21
Uploading Core Dumps from Controller to a TFTP or FTP Server (CLI) A-22
Uploading Packet Capture Files A-23
Information About Uploading Packet Capture Files A-23
Guidelines and Limitations A-24
Uploading Packet Capture Files (GUI) A-24
Uploading Packet Capture Files (CLI) A-25
Monitoring Memory Leaks A-26
Monitoring Memory Leaks (CLI) A-26
Troubleshooting CCXv5 Client Devices A-27
Information About Troubleshooting CCXv5 Client Devices A-28
Guidelines and Limitations A-28
Configuring Diagnostic Channel A-28
Configuring the Diagnostic Channel (GUI) A-28
Configuring the Diagnostic Channel (CLI) A-29
Configuring Client Reporting A-33
Configuring Client Reporting (GUI) A-33
Configuring Client Reporting (CLI) A-36
Configuring Roaming and Real-Time Diagnostics A-39
Configuring Roaming and Real-Time Diagnostics (CLI) A-40
Using the Debug Facility A-42
Information About Using the Debug Facility A-42
Configuring the Debug Facility (CLI) A-43
Configuring Wireless Sniffing A-47
Information About Wireless Sniffing A-47
Guidelines and Limitations A-47
Prerequisites for Wireless Sniffing A-47
Configuring Sniffing on an Access Point (GUI) A-48
Configuring Sniffing on an Access Point (CLI) A-49
Troubleshooting Access Points Using Telnet or SSH A-49
Information About Troubleshooting Access Points Using Telnet or SSH A-50
Guidelines and Limitations A-50
Troubleshooting Access Points Using Telnet or SSH (GUI) A-50
Troubleshooting Access Points Using Telnet or SSH (CLI) A-51
Debugging the Access Point Monitor Service A-52
Information About Debugging the Access Point Monitor Service A-52
Debugging Access Point Monitor Service Issues (CLI) A-52
Troubleshooting OfficeExtend Access Points A-53
Information About Troubleshooting OfficeExtend Access Points A-53
Interpreting OfficeExtend LEDs A-53
Positioning OfficeExtend Access Points for Optimal RF Coverage A-53
Troubleshooting Common Problems A-53
Troubleshooting Mesh Access Points A-55
Mesh MAP Backhaul Deselection on Ethernet Backhaul at Runtime A-55
Preface
This preface describes the audience, organization, and conventions of the Cisco Wireless LAN Controller
Configuration Guide, Release 7.2. It also provides information on how to obtain other documentation.
This preface includes the following sections:
• Audience, page 2
• Purpose, page 2
• Organization, page 2
• Conventions, page 3
• Related Documentation, page 5
• Obtaining Documentation and Submitting a Service Request, page 6
Audience
This publication is for experienced network administrators or management users who configure and
maintain Cisco wireless LAN controllers and Cisco lightweight access points.
Purpose
This guide provides the information you need to set up and configure wireless LAN controllers.
Note
This version of the Cisco Wireless LAN Controller Configuration Guide pertains specifically to
controller software release 7.2. If you are using an earlier version of software, you will notice differences
in features, functionality, and GUI pages.
Organization
This guide is organized into these chapters:
Chapter 2, "Overview": Provides an overview of the network roles and features of wireless LAN controllers.
Chapter 3, "Using the Web-Browser and CLI Interfaces": Describes how to initially configure and log into the controller.
Chapter 4, "Configuring Ports and Interfaces": Describes the controller's physical ports and interfaces and provides instructions for configuring them.
Chapter 5, "Configuring Controller Settings": Describes how to configure settings on the controllers.
Chapter 6, "Configuring VideoStream": Describes how to configure VideoStream settings on the controller.
Chapter 7, "Configuring Security Solutions": Describes application-specific solutions for wireless LANs.
Chapter 8, "Working with WLANs": Describes how to configure wireless LANs and SSIDs on your system.
Chapter 9, "Controlling Lightweight Access Points": Explains how to connect lightweight access points to the controller and manage access point settings.
Chapter 10, "Controlling Mesh Access Points": Explains how to connect mesh access points to the controller and manage access point settings.
Chapter 11, "Managing Controller Software and Configurations": Describes how to upgrade and manage controller software and configurations.
Chapter 12, "Managing User Accounts": Explains how to create and manage guest user accounts, describes the web authentication process, and provides instructions for customizing the web authentication login.
Chapter 13, "Configuring Radio Resource Management": Describes radio resource management (RRM) and explains how to configure it on the controllers.
Chapter 14, "Configuring Cisco CleanAir": Describes how to configure Cisco CleanAir functionality on the controller and lightweight access points.
Chapter 15, "Configuring Mobility Groups": Describes mobility groups and explains how to configure them on the controllers.
Chapter 16, "Configuring FlexConnect": Describes FlexConnect and explains how to configure this feature on controllers and access points.
Appendix A, "Safety Considerations and Translated Safety Warnings": Lists safety considerations and translations of the safety warnings that apply to the Cisco Unified Wireless Network solution products.
Appendix B, "Declarations of Conformity and Regulatory Information": Provides declarations of conformity and regulatory information for the products in the Cisco Unified Wireless Network solution.
Appendix C, "End User License and Warranty": Describes the end user license and warranty that apply to the Cisco Unified Wireless Network solution products.
Appendix "Troubleshooting": Describes the LED patterns on controllers and lightweight access points, lists system messages that can appear on the Cisco Unified Wireless Network solution interfaces, and provides CLI commands that can be used to troubleshoot problems on the controller.
Appendix E, "Logical Connectivity Diagrams": Provides logical connectivity diagrams and related software commands for controllers that are integrated into other Cisco products.
Conventions
This document uses the following conventions:
bold font: Commands, keywords, and user-entered text appear in bold font.
italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ]: Elements in square brackets are optional.
{x | y | z}: Required alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z]: Optional alternative keywords are grouped in brackets and separated by vertical bars.
string: A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
courier font: Terminal sessions and information the system displays appear in courier font.
< >: Nonprinting characters such as passwords are in angle brackets.
[ ]: Default responses to system prompts are in square brackets.
!, #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Note
Means reader take note.
Tip
Means the following information will help you solve a problem.
Caution
Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.
Timesaver
Means the described action saves time. You can save time by performing the action described in the paragraph.
Warning
This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. (To see translations of the warnings that appear in this publication, refer to the appendix "Translated Safety Warnings.")
Waarschuwing, Varoitus, Attention, Warnung, Avvertenza, Advarsel, Aviso, ¡Advertencia!, Varning!
The same warning in Dutch, Finnish, French, German, Italian, Norwegian, Portuguese, Spanish, and Swedish. Each translation says what the English warning above says and refers the reader to the appendix "Translated Safety Warnings" for the translated warnings.
Related Documentation
These documents provide complete information about the Cisco Unified Wireless Network solution:
• Cisco 5500 Series Wireless Controller Installation Guide
• Cisco Wireless LAN Controller Command Reference
• Cisco Wireless Control System Configuration Guide
• Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points, Release 7.2.100.0
• Quick Start Guide: Cisco Wireless Control System
• Quick start guide and hardware installation guide for your specific lightweight access point
Click this link to browse to user documentation for the Cisco Unified Wireless Network solution:
http://www.cisco.com/cisco/web/psa/default.html?mode=prod
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What's New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.
Chapter 2
Overview
This chapter describes the controller components and features. It contains these sections:
• Cisco Unified Wireless Network Solution Overview, page 2-1
• Operating System Software, page 2-4
• Operating System Security, page 2-4
• Layer 2 and Layer 3 Operation, page 2-5
• Cisco Wireless LAN Controllers, page 2-6
• Controller Platforms, page 2-7
• Cisco UWN Solution Wired Connections, page 2-11
• Cisco UWN Solution WLANs, page 2-11
• File Transfers, page 2-12
• Power Over Ethernet, page 2-12
• Cisco Wireless LAN Controller Memory, page 2-12
• Cisco Wireless LAN Controller Failover Protection, page 2-13
Cisco Unified Wireless Network Solution Overview
The Cisco Unified Wireless Network (Cisco UWN) solution is designed to provide 802.11 wireless
networking solutions for enterprises and service providers. The Cisco UWN solution simplifies
deploying and managing large-scale wireless LANs and enables a unique best-in-class security
infrastructure. The operating system manages all client data, communications, and system
administration functions, performs radio resource management (RRM) functions, manages system-wide
mobility policies using the operating system security solution, and coordinates all security functions
using the operating system security framework.
The Cisco UWN solution consists of Cisco wireless LAN controllers and their associated lightweight
access points controlled by the operating system, all concurrently managed by any or all of the operating
system user interfaces:
• An HTTP and/or HTTPS full-featured Web User Interface hosted by Cisco wireless LAN controllers can be used to configure and monitor individual controllers. Prefer HTTPS: plain HTTP carries the login credentials and the management session in cleartext. See Chapter 3, "Using the Web-Browser and CLI Interfaces."
• A full-featured command-line interface (CLI) can be used to configure and monitor individual Cisco wireless LAN controllers. See Chapter 3, "Using the Web-Browser and CLI Interfaces."
Book Title
OL-xxxxx-xx
2-1
Chapter 2
Overview
Cisco Unified Wireless Network Solution Overview
• The Network Control System (NCS), which you use to configure and monitor one or more Cisco wireless LAN controllers and associated access points. NCS has tools to facilitate large-system monitoring and control. WCS runs on Windows 2000, Windows 2003, and Red Hat Enterprise Linux ES servers.
Note
NCS software release 1.1 must be used with controllers that run controller software release 7.2.
• An industry-standard SNMP v1, v2c, and v3 interface can be used with any SNMP-compliant third-party network management system. SNMP v1 and v2c authenticate only with a community string sent in cleartext; SNMP v3 adds per-user authentication and encryption and is the version to use for management access.
The Cisco UWN solution supports client data services, client monitoring and control, and all rogue
access point detection, monitoring, and containment functions. It uses lightweight access points, Cisco
wireless LAN controllers, and the optional Cisco WCS to provide wireless services to enterprises and
service providers.
Note
Unless otherwise noted in this publication, all of the Cisco wireless LAN controllers are referred to as
controllers, and all of the Cisco lightweight access points are referred to as access points.
Figure 2-1 shows the Cisco wireless LAN controller components, which can be simultaneously deployed
across multiple floors and buildings.
Figure 2-1 Cisco UWN Solution Components
Single-Controller Deployments
A standalone controller can support lightweight access points across multiple floors and buildings
simultaneously and support the following features:
• Autodetecting and autoconfiguring lightweight access points as they are added to the network.
• Full control of lightweight access points.
• Lightweight access points connect to controllers through the network. The network equipment may or may not provide Power over Ethernet (PoE) to the access points.
Some controllers use redundant Gigabit Ethernet connections to bypass single network failures.
Note
Some controllers can connect through multiple physical ports to multiple subnets in the network. This
feature can be helpful when you want to confine multiple VLANs to separate subnets.
Figure 2-2 shows a typical single-controller deployment.
Figure 2-2 Single-Controller Deployment
Multiple-Controller Deployments
Each controller can support lightweight access points across multiple floors and buildings
simultaneously. However, full functionality of the Cisco wireless LAN solution occurs when it includes
multiple controllers. A multiple-controller system has the following additional features:
• Autodetecting and autoconfiguring RF parameters as the controllers are added to the network.
• Same-subnet (Layer 2) roaming and inter-subnet (Layer 3) roaming.
• Automatic access point failover to any redundant controller with a reduced access point load (see the "Cisco Wireless LAN Controller Failover Protection" section on page 2-13).
Figure 2-3 shows a typical multiple-controller deployment. The figure also shows an optional dedicated
management network and the three physical connection types between the network and the controllers.
Figure 2-3 Typical Multiple-Controller Deployment
Operating System Software
The operating system software controls the controllers and lightweight access points. It includes full
operating system security and radio resource management (RRM) features.
Operating System Security
Operating system security bundles Layer 1, Layer 2, and Layer 3 security components into a simple,
Cisco WLAN solution-wide policy manager that creates independent security policies for each of up to
16 wireless LANs. See the "Cisco UWN Solution WLANs" section on page 2-11.
The weaknesses of static 802.11 WEP can be overcome using the following robust industry-standard
security solutions:
• 802.1X dynamic keys with Extensible Authentication Protocol (EAP).
• Wi-Fi Protected Access (WPA) dynamic keys. The Cisco WLAN solution WPA implementation includes:
– Temporal Key Integrity Protocol (TKIP) and message integrity code (MIC) checksum dynamic keys
– WEP keys, with or without a preshared key passphrase
• RSN with or without a preshared key
• Optional MAC filtering (a client MAC address is trivially spoofed, so treat MAC filtering as a convenience control, not as authentication)
The weaknesses of WEP can be further addressed using the following industry-standard Layer 3 security
solutions:
• Passthrough VPNs
• Local and RADIUS MAC address filtering
• Local and RADIUS user/password authentication
• Manual and automated disabling to block access to network services. In manual disabling, you block access using client MAC addresses. In automated disabling, which is always active, the operating system software automatically blocks access to network services for a user-defined period of time when a client fails to authenticate for a fixed number of consecutive attempts. This feature can be used to deter brute-force login attacks.
These and other security features use industry-standard authorization and authentication methods to
ensure the highest possible security for your business-critical wireless LAN traffic.
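The automated disabling (client exclusion) behaviour described in the last bullet above, as an added example that is not Cisco's code and not the controller's implementation: a Python simulation that counts consecutive authentication failures per client MAC, excludes the client for a fixed period once the threshold is reached, ignores its attempts while excluded, and resets the count on a successful authentication. The threshold of 5 failures, the 60-second exclusion period, and the timestamped three-field event format are assumptions; the events are constructed for the simulation, not taken from a controller log.

```python
"""Simulation of automated client disabling (client exclusion).

Added example, not Cisco code: it models the policy the guide describes,
where a client that fails authentication a fixed number of consecutive
times is blocked for a configurable period and a successful authentication
resets the count. The threshold, the timeout and the three-field event
format used below are assumptions made for this simulation.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ExclusionPolicy:
    max_failures: int = 5          # consecutive failures before exclusion (assumed)
    timeout_s: int = 60            # how long the client stays excluded (assumed)
    failures: dict = field(default_factory=dict)        # mac -> consecutive failures
    excluded_until: dict = field(default_factory=dict)  # mac -> expiry (epoch seconds)

    def is_excluded(self, mac: str, now: int) -> bool:
        until = self.excluded_until.get(mac)
        if until is None:
            return False
        if now >= until:
            # Exclusion has expired: clear it and start counting afresh.
            del self.excluded_until[mac]
            self.failures.pop(mac, None)
            return False
        return True

    def record(self, mac: str, ok: bool, now: int) -> str:
        """Apply one authentication result and return what happened to the client."""
        if self.is_excluded(mac, now):
            return "dropped"               # still locked out: the attempt is ignored
        if ok:
            self.failures.pop(mac, None)   # success resets the consecutive count
            return "allowed"
        count = self.failures.get(mac, 0) + 1
        if count >= self.max_failures:
            self.excluded_until[mac] = now + self.timeout_s
            self.failures.pop(mac, None)
            return "excluded"
        self.failures[mac] = count
        return "failed"


# Constructed authentication events: "<epoch seconds> <client MAC> <OK|FAIL>".
SAMPLE_EVENTS = """\
0 00:11:22:33:44:55 FAIL
1 00:11:22:33:44:55 FAIL
2 aa:bb:cc:dd:ee:ff OK
3 00:11:22:33:44:55 FAIL
4 00:11:22:33:44:55 FAIL
5 00:11:22:33:44:55 FAIL
6 00:11:22:33:44:55 OK
70 00:11:22:33:44:55 OK
"""


def replay(events: str = SAMPLE_EVENTS, policy: Optional[ExclusionPolicy] = None) -> list:
    """Feed the events through the policy; return (mac, outcome) per event."""
    policy = policy or ExclusionPolicy()
    results = []
    for line in events.splitlines():
        ts, mac, outcome = line.split()
        results.append((mac, policy.record(mac, outcome == "OK", int(ts))))
    return results


if __name__ == "__main__":
    for mac, outcome in replay():
        print(f"{mac}  {outcome}")
```

In the constructed trace the fifth consecutive failure at t=5 excludes the client, its correct password at t=6 is dropped because the lockout is still running, and only the attempt at t=70, after the 60-second window, gets through. The lockout is keyed on the client MAC, which is the same spoofable identifier noted for MAC filtering above, so this deters a single noisy client rather than an attacker who rotates addresses.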
Cisco WLAN Solution Wired Security
Each controller and lightweight access point is manufactured with a unique, signed X.509 certificate.
The controllers and lightweight access points use these signed certificates to verify downloaded code
before it is loaded, which prevents an attacker from loading malicious code onto any controller or
lightweight access point.
Layer 2 and Layer 3 Operation
Lightweight Access Point Protocol (LWAPP) communications between the controller and lightweight
access points can be conducted at Layer 2 or Layer 3. Control and Provisioning of Wireless Access
Points protocol (CAPWAP) communications between the controller and lightweight access points are
conducted at Layer 3. Layer 2 mode does not support CAPWAP.
Note
Controller software release 5.2 or later releases support only Layer 3 CAPWAP mode, controller
software releases 5.0 and 5.1 support only Layer 3 LWAPP mode, and controller software releases prior
to 5.0 support Layer 2 or Layer 3 LWAPP mode.
Note
The IPv4 network layer protocol is supported for transport through a CAPWAP or LWAPP controller
system. IPv6 (for clients only) and AppleTalk are also supported, but only on Cisco 5500 Series
Controllers and the Cisco WiSM. Other Layer 3 protocols (such as IPX, DECnet Phase IV, OSI CLNP,
and so on) and Layer 2 (bridged) protocols (such as LAT and NetBEUI) are not supported.
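The Layer 3 CAPWAP encapsulation described above, as an added example that is not Cisco's code: a Python parser for the fixed CAPWAP transport header as defined in RFC 5415, the format a controller and an access point exchange over UDP (control channel on port 5246, data channel on port 5247; both port numbers and the DTLS-protected control channel come from RFC 5415, not from this guide). It tells a DTLS-wrapped packet, which it cannot decode further, from a plaintext CAPWAP packet, whose flags and fragment fields it decodes. The two sample packets are constructed here, not captured from a controller.

```python
"""Parser for the CAPWAP transport header (RFC 5415, section 4.3).

Added example, not Cisco code. Controller software 7.2 carries all
controller-to-access-point traffic as Layer 3 CAPWAP over UDP (RFC 5415:
port 5246 for the control channel, 5247 for the data channel). This parser
decodes the fixed header so a capture can be classified; the sample packets
are constructed below, not captured from a real controller.
"""
import struct

CAPWAP_CONTROL_PORT = 5246   # control channel, DTLS-protected (RFC 5415)
CAPWAP_DATA_PORT = 5247      # data channel, DTLS optional (RFC 5415)
WBID_IEEE80211 = 1           # wireless binding identifier for 802.11


def build_capwap_header(payload: bytes = b"", wbid: int = WBID_IEEE80211, rid: int = 0,
                        fragment: bool = False, last: bool = False,
                        frag_id: int = 0, frag_offset: int = 0,
                        keepalive: bool = False) -> bytes:
    """Build a fixed 8-byte CAPWAP header (no optional fields) for test packets."""
    hlen = 2   # header length in 32-bit words
    word0 = (hlen << 19) | (rid << 14) | (wbid << 9)          # preamble byte stays 0x00
    word0 |= (int(fragment) << 7) | (int(last) << 6) | (int(keepalive) << 3)
    word1 = (frag_id << 16) | (frag_offset << 3)
    return struct.pack("!II", word0, word1) + payload


def parse_capwap(pkt: bytes) -> dict:
    """Decode the CAPWAP preamble and fixed header fields of one UDP payload."""
    if len(pkt) < 4:
        raise ValueError("too short for a CAPWAP preamble")
    version, ptype = pkt[0] >> 4, pkt[0] & 0x0F
    if version != 0:
        raise ValueError(f"unsupported CAPWAP version {version}")
    if ptype == 1:
        # Type 1 preamble: a DTLS record follows; the CAPWAP header and
        # payload are encrypted, so nothing more can be read from it here.
        return {"type": "dtls", "record": pkt[4:]}
    if ptype != 0:
        raise ValueError(f"unknown preamble type {ptype}")
    if len(pkt) < 8:
        raise ValueError("too short for a CAPWAP header")
    word0, word1 = struct.unpack("!II", pkt[:8])
    hlen = (word0 >> 19) & 0x1F          # header length in 4-byte words
    if hlen < 2 or hlen * 4 > len(pkt):
        raise ValueError(f"bad HLEN {hlen} for {len(pkt)}-byte packet")
    return {
        "type": "capwap",
        "hlen": hlen,
        "rid": (word0 >> 14) & 0x1F,              # radio ID
        "wbid": (word0 >> 9) & 0x1F,              # wireless binding ID (1 = 802.11)
        "native_frame": bool((word0 >> 8) & 1),   # T bit
        "fragment": bool((word0 >> 7) & 1),       # F bit
        "last_fragment": bool((word0 >> 6) & 1),  # L bit
        "wireless_info": bool((word0 >> 5) & 1),  # W bit
        "radio_mac": bool((word0 >> 4) & 1),      # M bit
        "keepalive": bool((word0 >> 3) & 1),      # K bit
        "frag_id": word1 >> 16,
        "frag_offset": (word1 >> 3) & 0x1FFF,
        "payload": pkt[hlen * 4:],                # optional fields, if any, sit before this
    }


def classify(dst_port: int, pkt: bytes) -> str:
    """Name the channel a UDP datagram belongs to, using port and preamble."""
    hdr = parse_capwap(pkt)
    if dst_port == CAPWAP_CONTROL_PORT:
        return "control/dtls" if hdr["type"] == "dtls" else "control/plain"
    if dst_port == CAPWAP_DATA_PORT:
        return "data/dtls" if hdr["type"] == "dtls" else "data/plain"
    return "not-capwap"


# Constructed samples: a fragmented plaintext data packet and a DTLS-wrapped control packet.
SAMPLE_DATA = build_capwap_header(b"\x08\x02" + b"\x00" * 6, rid=3,
                                  fragment=True, frag_id=0x1234, frag_offset=10)
SAMPLE_CONTROL = bytes([0x01, 0, 0, 0]) + b"\x16\xfe\xfd"   # DTLS 1.2 handshake record start
```

The parser refuses an HLEN that points past the end of the datagram, which is the check that matters when this logic runs on untrusted input. A control packet that parses as plaintext CAPWAP ("control/plain") is worth flagging in a capture, since RFC 5415 requires the control channel to be DTLS-protected.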
Operational Requirements
The requirement for Layer 3 LWAPP communications is that the controller and lightweight access points
can be connected through Layer 2 devices on the same subnet or connected through Layer 3 devices
across subnets. Another requirement is that the IP addresses of access points should be either statically
assigned or dynamically assigned through an external DHCP server.
The requirement for Layer 3 CAPWAP communications across subnets is that the controller and
lightweight access points are connected through Layer 3 devices. Another requirement is that the IP
addresses of access points should be either statically assigned or dynamically assigned through an
external DHCP server.
Configuration Requirements
When you are operating the Cisco wireless LAN solution in Layer 2 mode, you must configure a
management interface to control your Layer 2 communications.
When you are operating the Cisco wireless LAN solution in Layer 3 mode, you must configure an
AP-manager interface to control lightweight access points and a management interface as configured for
Layer 2 mode.
Cisco Wireless LAN Controllers
When you are adding lightweight access points to a multiple-controller deployment network, it is
convenient to have all lightweight access points associate with one master controller on the same subnet.
That way, you do not have to log into multiple controllers to find out which controller the newly added
lightweight access points associated with.
One controller in each subnet can be assigned as the master controller while adding lightweight access
points. As long as a master controller is active on the same subnet, all new access points without a
primary, secondary, and tertiary controller assigned automatically attempt to associate with the master
controller. This process is described in the “Cisco Wireless LAN Controller Failover Protection” section
on page 2-13.
You can monitor the master controller using the WCS Web User Interface and watch as access points
associate with the master controller. You can then verify the access point configuration and assign a
primary, secondary, and tertiary controller to the access point, and reboot the access point so it
reassociates with its primary, secondary, or tertiary controller.
Note
Lightweight access points without a primary, secondary, and tertiary controller assigned always search
for a master controller first upon reboot. After adding lightweight access points through the master
controller, you should assign primary, secondary, and tertiary controllers to each access point. We
recommend that you disable the master setting on all controllers after initial configuration.
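The join order described in this section and in the note above, as an added example that is not Cisco's code: a Python model of which controller a discovering access point ends up on. It tries the configured primary, secondary, and tertiary controllers in that order; an access point with none configured goes to an active master controller on its own subnet; otherwise it takes the discovered controller with the most spare access point capacity, standing in for the load-based failover the overview mentions. The controller names, addresses, capacities, the /24 subnet size, and the tie-breaking rule are assumptions made for the example.

```python
"""Join-target selection for an access point during discovery.

Added example, not Cisco code. It models the join order the guide describes:
an access point with primary, secondary and tertiary controllers configured
tries them in that order; one with none configured joins an active master
controller on its own subnet; otherwise it joins the discovered controller
with the most spare access point capacity. Controller names, addresses,
capacities and the /24 subnet size are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence


@dataclass(frozen=True)
class Controller:
    name: str
    ip: str
    max_aps: int
    joined_aps: int
    master: bool = False     # the "master controller" setting; should be off after rollout

    def spare(self) -> int:
        return self.max_aps - self.joined_aps


def select_controller(ap_ip: str, discovered: Iterable[Controller],
                      preferred: Sequence[str] = (), prefix_len: int = 24) -> Optional[Controller]:
    """Pick the controller a joining AP would associate with.

    preferred holds the AP's (primary, secondary, tertiary) controller names;
    discovered holds the controllers that answered the AP's discovery request.
    """
    by_name = {c.name: c for c in discovered}
    # 1. Configured primary, then secondary, then tertiary, if discovered and not full.
    for name in preferred:
        c = by_name.get(name)
        if c is not None and c.spare() > 0:
            return c
    # 2. With nothing configured, an active master controller on the AP's subnet wins.
    if not preferred:
        ap_net = ipaddress.ip_interface(f"{ap_ip}/{prefix_len}").network
        for c in by_name.values():
            if c.master and ipaddress.ip_address(c.ip) in ap_net and c.spare() > 0:
                return c
    # 3. Otherwise the discovered controller with the most spare capacity
    #    (assumed tie rule: the first one seen).
    candidates = [c for c in by_name.values() if c.spare() > 0]
    return max(candidates, key=lambda c: c.spare()) if candidates else None


# Constructed deployment: WLC-A is the busy master on the AP's subnet, WLC-B is lightly loaded.
SAMPLE_CONTROLLERS = [
    Controller("WLC-A", "10.1.1.10", max_aps=500, joined_aps=450, master=True),
    Controller("WLC-B", "10.2.2.10", max_aps=500, joined_aps=100),
]
AP_IP = "10.1.1.50"


def demo() -> dict:
    """Show how the master setting changes where an unconfigured AP lands."""
    with_master = select_controller(AP_IP, SAMPLE_CONTROLLERS)
    disabled = [Controller(c.name, c.ip, c.max_aps, c.joined_aps, master=False)
                for c in SAMPLE_CONTROLLERS]
    without_master = select_controller(AP_IP, disabled)
    configured = select_controller(AP_IP, SAMPLE_CONTROLLERS, preferred=("WLC-B", "WLC-A"))
    missing_primary = select_controller(AP_IP, SAMPLE_CONTROLLERS, preferred=("WLC-C",))
    return {
        "unconfigured_ap_master_on": with_master.name,
        "unconfigured_ap_master_off": without_master.name,
        "configured_ap": configured.name,
        "primary_not_discovered": missing_primary.name,
    }


if __name__ == "__main__":
    for case, name in demo().items():
        print(f"{case}: {name}")
```

Running demo() shows the reason for the recommendation in the note: with the master setting left on, an access point that has no controllers configured lands on the busy master simply because it shares the subnet, while the same access point with the setting off is placed on the controller with the most spare capacity. Any access point that can reach the subnet, including one nobody provisioned, gets the same treatment, which is why the setting belongs off once initial configuration is done.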
Client Location
When you use Cisco WCS in your Cisco wireless LAN solution, controllers periodically determine the
client, rogue access point, rogue access point client, radio frequency ID (RFID) tag location and store
the locations in the Cisco WCS database. For more information on location solutions, see these
documents:
Cisco Wireless Control System Configuration Guide:
http://www.cisco.com/en/US/products/ps6305/products_installation_and_configuration_guides_list.html
Cisco Location Appliance Configuration Guide:
http://www.cisco.com/en/US/products/ps6386/products_installation_and_configuration_guides_list.html
Cisco 3300 Series Mobility Services Engine Configuration Guide:
http://www.cisco.com/en/US/products/ps9742/products_installation_and_configuration_guides_list.html
Controller Platforms
Controllers are enterprise-class high-performance wireless switching platforms that support 802.11a/n
and 802.11b/g/n protocols. They operate under control of the operating system, which includes the radio
resource management (RRM), creating a Cisco UWN solution that can automatically adjust to real-time
changes in the 802.11 RF environment. Controllers are built around high-performance network and
security hardware, resulting in highly reliable 802.11 enterprise networks with unparalleled security.
The following controllers are supported in software release 7.2:
• Cisco 2500 Series Controller
• Cisco 5500 Series Controller
• Catalyst 6500 Series Switch Wireless Services Module 2 (WiSM2)
• Cisco Flex 7500 Series Controller
Cisco 2500 Series Controller
The Cisco 2500 Series Wireless Controller works in conjunction with Cisco lightweight access points
and the Cisco Wireless Control System (WCS) to provide system-wide wireless LAN functions. As a
component of the Cisco Unified Wireless Network (CUWN), the Cisco 2500 Series Controller provides
real-time communication between wireless access points and other devices to deliver centralized
security policies, guest access, wireless intrusion prevention system (wIPS), context-aware (location)
services, RF management, quality of service for mobility services such as voice and video, and OEAP
support for the teleworker solution.
Cisco 2500 Series Wireless Controllers support from 5 to 50 lightweight access points, with access
point licenses added in increments of 5 or 25.
The Cisco 2500 Series Controller offers robust coverage with 802.11a/b/g and delivers reliable 802.11n
performance with Cisco Next-Generation Wireless Solutions and Cisco Enterprise Wireless Mesh.
Features Not Supported
• Wired guest access
• Cannot be configured as an auto-anchor controller. However, you can configure it as a foreign controller.
• Bandwidth contract
• Access points in direct connect mode
• Service port
• AppleTalk bridging
• Link aggregation (LAG)
Cisco 5500 Series Controllers
The Cisco 5500 Series Wireless LAN Controller is currently available in one model: 5508. The 5508
controller supports up to 500 lightweight access points and 7000 wireless clients (or 5000 wireless
clients and 2500 RFID tags when using the client location feature), making it ideal for large enterprises
and high-density applications.
The Cisco 5500 Series Controller can be equipped with one or two power supplies. When the controller
is equipped with two power supplies, the power supplies are redundant, and either power supply can
continue to power the controller if the other power supply fails.
Features Not Supported
• Static AP-manager interface
Note
For Cisco 5500 Series Controllers, you are not required to configure an AP-manager interface. The
management interface acts like an AP-manager interface by default, and the access points can join on
this interface.
• Asymmetric mobility tunneling
• Spanning Tree Protocol (STP)
• Port mirroring
• Layer 2 access control list (ACL) support
• VPN termination (such as IPsec and L2TP)
• VPN passthrough option
Note
You can replicate this functionality on a Cisco 5500 Series Controller by creating an open WLAN using
an ACL.
• Configuration of 802.3 bridging, AppleTalk, and Point-to-Point Protocol over Ethernet (PPPoE)
Note
The Cisco 5500 Series Controllers bridge these packets by default. If desired, you can use ACLs to block
the bridging of these protocols.
Cisco Flex 7500 Series Controller
The Cisco Flex 7500 Series Controller enables you to deploy full featured, scalable, and secure
FlexConnect network services across geographic locations. Cisco Flex 7500 Series Controller virtualizes
the complex security, management, configuration and troubleshooting operations within the data center
and then transparently extends those services to each store. Deployments using Cisco Flex 7500 Series
Controller are easier for IT to set up, manage and scale.
The Cisco Flex 7500 Series Controller is designed to meet the scaling requirements to deploy the
FlexConnect solution in branch networks. Cisco Unified Wireless Solution supports two major
deployment models: FlexConnect and monitor mode. FlexConnect is designed to support wireless
branch networks by allowing the data to be switched locally while the access points are being controlled
and managed by a centralized controller. It aims at delivering a cost effective FlexConnect solution on a
large scale.
The Cisco Flex 7500 Series Controller supports the following access points: 1140, 3500, 3600, 1250,
1260, 1040, 1130, 1240, 800 and the Cisco Aironet 600 Series OfficeExtend Access Point.
The Cisco Flex 7500 Series Controller provides the following features:
• Increased scalability, with support for 3000 access points.
• Increased resiliency using controller redundancy and FlexConnect fault tolerance.
• Increased traffic segmentation using FlexConnect (central and local switching).
• Increased security (PCI compliance) by supporting Enhanced wIPS for FlexConnect (ELM).
• Replicates store designs using AP groups and FlexConnect groups.
Note
The Cisco Flex 7500 Series Controller detects the power supply status by periodically probing the system
at intervals of 10 minutes. As a result, there is a delay of up to 10 minutes before the actual power supply
status is detected on a Cisco Flex 7500 Series Controller.
Features Not Supported
These software features are not supported on Cisco Flex 7500 Series Controllers:
• L3 roaming
• VideoStream
• TrustSec SXP
• IPv6
• WGB
• Multicast
• Client rate limiting for centrally switched clients
Cisco Wireless Services Module 2
The Cisco Wireless Services Module 2 (WiSM2) provides medium-sized to large single-site WLAN
deployments with exceptional performance, security, and scalability to support mission-critical wireless
business communications. It helps to lower hardware costs and offers flexible configuration options that
can reduce the total cost of operations and ownership for wireless networks. Features include:
• Connections for up to 1000 access points and 15,000 clients
• Support for higher client density than other wireless LAN controllers
• Ability to update 500 access points at once
• Layer 3 mobility services for video, voice, guest, location, Enterprise Wireless Mesh, and teleworking
• Advanced wireless security, with Layer 1 wireless intrusion prevention system (wIPS) capabilities
Features Not Supported
• Static AP-manager interface
• Asymmetric mobility tunneling
• Spanning Tree Protocol (STP)
• Port mirroring
• Layer 2 access control list (ACL) support
• VPN termination (such as IPsec and L2TP)
• VPN passthrough option
• Configuration of 802.3 bridging, AppleTalk, and Point-to-Point Protocol over Ethernet (PPPoE)
• Fragmented pings on any interface
Cisco Wireless Controller on Cisco Services-Ready Engine (SRE)
The Cisco Wireless Controller application on the Cisco Services-Ready Engine (SRE) enables
systemwide wireless functions in small to medium-sized enterprises and branch offices. Delivering
802.11n performance and scalability, the Cisco Wireless Controller on the SRE is an entry-level
controller that provides low total cost of ownership and investment protection by integrating seamlessly
with the existing network. The Cisco SRE Modules are router blades for the Cisco Integrated Services
Routers Generation 2 (ISR G2), which allows you to provision the Cisco Wireless Controller
applications on the module remotely at any time. This can help your organization to quickly deploy
wireless on-demand, reduce operating costs, and consolidate the branch office infrastructure.
As a component of the Cisco Unified Wireless Network, this controller provides real-time
communication between Cisco Aironet access points, the Cisco Wireless Control System (WCS), and
the Cisco Mobility Services Engine (MSE) to deliver centralized security policies, wireless intrusion
prevention system (wIPS) capabilities, award-winning RF management, context-aware capabilities for
location tracking, and quality of service (QoS) for voice and video.
The Cisco Wireless LAN Controller on the Cisco SRE supports from five to 50 access points, and
additional access point support may be added in increments of five or 25. The licensing structure
supports a variety of business mobility needs as part of the basic feature set, including Enterprise
Wireless Mesh, which allows access points to dynamically establish wireless connections in locations
where it may be difficult or impossible to physically connect to the wired network.
The Cisco Wireless Controller application is available for Cisco SRE Internal Services Module (ISM)
300 and the Cisco SRE Service Module (SM) 700 and SM 900, with flexible licensing and deployment
options.
Features Not Supported
• Wired guest access
• Cannot be configured as an auto anchor controller. However, you can configure it as a foreign controller.
• Bandwidth contract
• Access points in direct connect mode
• Service port support
• AppleTalk Bridging
• LAG
Cisco UWN Solution Wired Connections
The Cisco UWN solution components communicate with each other using industry-standard Ethernet
cables and connectors. Details of the wired connections are as follows:
• The Cisco 5500 Series Controllers connect to the network using up to eight fiber-optic Gigabit Ethernet cables.
• The Cisco Flex 7500 Series Controllers support 2 x 10 Gigabit Ethernet interfaces.
• The Cisco 2500 Series Controllers support four 1 Gbps Ethernet ports.
• Cisco lightweight access points connect to the network using 10/100BASE-T Ethernet cables. The standard CAT-5 cable can also be used to conduct power for the lightweight access points from a network device equipped with Power over Ethernet (PoE) capability. This power distribution plan can be used to reduce the cost of individual AP power supplies and related cabling.
Cisco UWN Solution WLANs
The Cisco UWN solution can control up to 512 WLANs for lightweight access points. Each WLAN has
a separate WLAN ID (1 through 512), a separate profile name, and a WLAN SSID and can be assigned
with unique security policies. The lightweight access points broadcast all active Cisco UWN solution
WLAN SSIDs and enforce the policies defined for each WLAN.
Note
We recommend that you assign one set of VLANs for WLANs and a different set of VLANs for
management interfaces to ensure that controllers operate with optimum performance and ease of
management.
If management over wireless is enabled across the Cisco UWN solution, you can manage the system
across the enabled WLAN using CLI and Telnet, http/https, and SNMP.
To configure WLANs, see Chapter 8, “Working with WLANs.”
File Transfers
You can upload and download operating system code, configuration, and certificate files to and from the
controller using the GUI, CLI, or Cisco WCS as follows:
• To use the controller GUI or CLI, see Chapter 11, “Managing Controller Software and Configurations.”
• To use Cisco WCS to upgrade software, see the Cisco Wireless Control System Configuration Guide. Click this URL to browse to this document:
http://www.cisco.com/en/US/products/ps6305/products_installation_and_configuration_guides_list.html
Power Over Ethernet
Lightweight access points can receive power through their Ethernet cables from 802.3af-compatible
Power over Ethernet (PoE) devices, which can reduce the cost of discrete power supplies, additional
wiring, conduits, outlets, and installation time. PoE frees you from having to mount lightweight access
points or other powered equipment near AC outlets, which provides greater flexibility in positioning the
access points for maximum coverage.
When you are using PoE, you run a single CAT-5 cable from each lightweight access point to
PoE-equipped network elements, such as a PoE power hub or a Cisco WLAN Solution single-line PoE
injector. When the PoE equipment determines that the lightweight access point is PoE-enabled, it sends
48 VDC over the unused pairs in the Ethernet cable to power the access point.
The PoE cable length is limited by the 100BASE-T or 10BASE-T specification to 100 m or 200 m,
respectively.
Lightweight access points can receive power from an 802.3af-compliant device or from the external
power supply.
Cisco Wireless LAN Controller Memory
The controller contains two kinds of memory: volatile RAM, which holds the current, active controller configuration, and NVRAM (nonvolatile RAM), which holds the reboot configuration. When you configure the operating system on the controller, you are modifying volatile RAM; you must save the configuration from volatile RAM to NVRAM to ensure that the controller reboots with the current configuration.
Knowing which memory you are modifying is important when you are doing the following tasks:
• Using the configuration wizard
• Clearing the controller configuration
• Saving configurations
• Resetting the controller
• Logging out of the CLI
Cisco Wireless LAN Controller Failover Protection
During installation, we recommend that you connect all lightweight access points to a dedicated
controller, and configure each lightweight access point for final operation. This step configures each
lightweight access point for a primary, secondary, and tertiary controller and allows it to store the
configured mobility group information.
During failover recovery, the following tasks are performed:
• The configured access point attempts to contact the primary, secondary, and tertiary controllers, and then attempts to contact the IP addresses of the other controllers in the mobility group.
• DNS resolves the controller host name to a controller IP address.
• DHCP servers supply the controller IP addresses (vendor-specific option 43 in the DHCP offer).
In multiple-controller deployments, if one controller fails, the access points perform the following tasks:
• If the lightweight access point has a primary, secondary, and tertiary controller assigned, it attempts to associate with that controller.
• If the access point has no primary, secondary, or tertiary controllers assigned or if its primary, secondary, or tertiary controllers are unavailable, it attempts to associate with a master controller.
• If the access point finds no master controller, it attempts to contact stored mobility group members by the IP address.
• If the mobility group members are available, and if the lightweight access point has no primary, secondary, and tertiary controllers assigned and there is no master controller active, it attempts to associate with the least-loaded controller to respond to its discovery messages.
When sufficient controllers are deployed, if one controller fails, active access point client sessions are
momentarily dropped while the dropped access point associates with another controller, allowing the
client device to immediately reassociate and reauthenticate.
For more information about high availability, see
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00809a3f5d.shtml
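The selection order described above, written out as an added Python model that is not part of this guide or of the controller software. Controller names, IP addresses, availability flags and load figures are constructed sample values; the function returns which controller an access point would try to join and why.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


# Constructed model of controller state as an access point would learn it
# from discovery responses; names, addresses and loads are sample values.
@dataclass
class Controller:
    name: str
    ip: str
    available: bool = True   # responds to the AP's discovery messages
    master: bool = False     # configured as the master controller
    load: int = 0            # access points currently joined (lower = less loaded)


@dataclass
class AccessPoint:
    name: str
    primary: Optional[str] = None
    secondary: Optional[str] = None
    tertiary: Optional[str] = None
    # Mobility group member IP addresses the AP stored from its last join
    mobility_group: List[str] = field(default_factory=list)


def select_controller(ap: AccessPoint,
                      controllers: List[Controller]) -> Tuple[Optional[str], str]:
    """Return (controller name, reason) following the failover order in the
    guide: primary, secondary, tertiary; then an active master controller;
    then the least-loaded stored mobility group member that answers."""
    by_name = {c.name: c for c in controllers}
    by_ip = {c.ip: c for c in controllers}

    # 1. Configured primary, secondary and tertiary controllers, in order.
    for role, name in (("primary", ap.primary),
                       ("secondary", ap.secondary),
                       ("tertiary", ap.tertiary)):
        ctl = by_name.get(name) if name else None
        if ctl is not None and ctl.available:
            return ctl.name, role

    # 2. None assigned or none reachable: try an active master controller.
    for ctl in controllers:
        if ctl.available and ctl.master:
            return ctl.name, "master"

    # 3. No master: contact stored mobility group members by IP address and
    #    join the least-loaded one that responds to discovery.
    members = [by_ip[ip] for ip in ap.mobility_group
               if ip in by_ip and by_ip[ip].available]
    if members:
        best = min(members, key=lambda c: c.load)
        return best.name, "least-loaded mobility group member"

    # Nothing answered: the AP keeps retrying discovery; nothing joins.
    return None, "no controller reachable"


def demo() -> Tuple[Optional[str], str]:
    """Constructed scenario: the primary has failed, the secondary answers."""
    controllers = [
        Controller("wlc-a", "192.0.2.10", available=False),
        Controller("wlc-b", "192.0.2.11", load=120),
        Controller("wlc-c", "192.0.2.12", load=35),
    ]
    ap = AccessPoint("ap-lobby", primary="wlc-a", secondary="wlc-b",
                     mobility_group=["192.0.2.10", "192.0.2.11", "192.0.2.12"])
    return select_controller(ap, controllers)


if __name__ == "__main__":
    print(demo())  # ('wlc-b', 'secondary')
```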
Chapter 3
Using the Web-Browser and CLI Interfaces
This chapter describes how to initially configure and log into the controller. It contains these sections:
• Configuring the Controller Using the GUI Configuration Wizard, page 3-1
• Configuring the Controller Using the CLI Configuration Wizard, page 3-13
• Using the Controller Web GUI, page 3-16
• Loading an Externally Generated SSL Certificate, page 3-20
• Using the Controller CLI, page 3-22
• Using the AutoInstall Feature for Controllers Without a Configuration, page 3-26
• Managing the Controller System Date and Time, page 3-30
• Configuring Telnet and SSH Sessions, page 3-35
• Managing the Controller Wirelessly, page 3-38
Configuring the Controller Using the GUI Configuration Wizard
The configuration wizard enables you to configure basic settings on the controller. You can run the
wizard after you receive the controller from the factory or after the controller has been reset to factory
defaults. The configuration wizard is available in GUI or CLI format.
This section contains the following topics:
• Connecting the Controller’s Console Port, page 3-1
• Configuring the Controller (GUI), page 3-2
• Additional References, page 3-13
Connecting the Controller’s Console Port
Before you can configure the controller for basic operations, you need to connect it to a PC that uses a
VT-100 terminal emulation program (such as HyperTerminal, ProComm, Minicom, or Tip).
Cisco Wireless LAN Controller Configuration Guide
OL-21524-03
3-1
Note
On Cisco 5500 Series Controllers, you can use either the RJ-45 console port or the USB console
port. If you use the USB console port, plug the 5-pin mini Type B connector into the controller’s
USB console port and the other end of the cable into the PC’s USB Type A port. The first time
that you connect a Windows PC to the USB console port, you are prompted to install the USB
console driver. Follow the installation prompts to install the driver. The USB console driver maps
to a COM port on your PC; you then need to map the terminal emulator application to the COM
port.
Step 1
Connect one end of a null-modem serial cable to the controller’s console port and the other end to your
PC’s serial port.
Step 2
Start the PC’s VT-100 terminal emulation program.
Step 3
Configure the terminal emulation program for these parameters:
• 9600 baud
• 8 data bits
• 1 stop bit
• No parity
• No hardware flow control
Step 4
Plug the AC power cord into the controller and a grounded 100 to 240 VAC, 50/60-Hz electrical outlet. Turn on the power supply. The bootup script displays operating system software initialization (code download and power-on self test verification) and basic configuration.
If the controller passes the power-on self test, the bootup script runs the configuration wizard, which prompts you for basic configuration input.
Configuring the Controller (GUI)
Step 1
Connect your PC to the service port and configure it to use the same subnet as the controller (for
example, 209.165.200.225).
Step 2
Start Internet Explorer 6.0 SP1 (or later) or Firefox 2.0.0.11 (or later) on your PC and browse to
http://209.165.200.225. The configuration wizard appears.
Figure 3-1 Configuration Wizard — System Information Screen
Step 3
In the System Name text box, enter the name that you want to assign to this controller. You can enter up
to 31 ASCII characters.
Step 4
In the User Name text box, enter the administrative username to be assigned to this controller. You can
enter up to 24 ASCII characters. The default username is admin.
Step 5
In the Password and Confirm Password text boxes, enter the administrative password to be assigned to
this controller. You can enter up to 24 ASCII characters. The default password is admin.
Starting in release 7.0.116.0, the following password policy has been implemented:
• The password must contain characters from at least three of the following classes:
– Lowercase letters
– Uppercase letters
– Digits
– Special characters
• No character in the password must be repeated more than three times consecutively.
• The new password must not be the same as the associated username and must not be the username reversed.
• The password must not be cisco, ocsic, or any variant obtained by changing the capitalization of letters of the word Cisco. In addition, you cannot substitute 1, I, or ! for i, 0 for o, or $ for s.
Step 6
Click Next. The SNMP Summary screen appears.
Figure 3-2 Configuration Wizard — SNMP Summary Screen
Step 7
If you want to enable Simple Network Management Protocol (SNMP) v1 mode for this controller,
choose Enable from the SNMP v1 Mode drop-down list. Otherwise, leave this parameter set to Disable.
Note
SNMP manages nodes (servers, workstations, routers, switches, and so on) on an IP network.
Currently, there are three versions of SNMP: SNMPv1, SNMPv2c, and SNMPv3.
Step 8
If you want to enable SNMPv2c mode for this controller, leave this parameter set to Enable. Otherwise, choose Disable from the SNMP v2c Mode drop-down list.
Step 9
If you want to enable SNMPv3 mode for this controller, leave this parameter set to Enable. Otherwise, choose Disable from the SNMP v3 Mode drop-down list.
Step 10
Click Next.
Step 11
When the following message appears, click OK:
Default values are present for v1/v2c community strings. Please make sure to create new
v1/v2c community strings once the system comes up. Please make sure to create new v3 users
once the system comes up.
The Service Interface Configuration screen appears.
Figure 3-3 Configuration Wizard — Service Interface Configuration Screen
Step 12
If you want the controller’s service-port interface to obtain an IP address from a DHCP server, select the DHCP Protocol Enabled check box. If you do not want to use the service port or if you want to assign a static IP address to the service port, leave the check box unselected.
Note
The service-port interface controls communications through the service port. Its IP address must be on a different subnet from the management interface. This configuration enables you to manage the controller directly or through a dedicated management network to ensure service access during network downtime.
Step 13
Perform one of the following:
• If you enabled DHCP in Step 12, clear out any entries in the IP Address and Netmask text boxes, leaving them blank.
• If you disabled DHCP in Step 12, enter the static IP address and netmask for the service port in the IP Address and Netmask text boxes.
Step 14
Click Next. The LAG Configuration screen appears.
Figure 3-4 Configuration Wizard — LAG Configuration Screen
Step 15
To enable link aggregation (LAG), choose Enabled from the Link Aggregation (LAG) Mode drop-down
list. To disable LAG, leave this text box set to Disabled.
Step 16
Click Next. The Management Interface Configuration screen appears.
Figure 3-5 Configuration Wizard — Management Interface Configuration Screen
Note
The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers.
Step 17
In the VLAN Identifier text box, enter the VLAN identifier of the management interface (either a valid
VLAN identifier or 0 for an untagged VLAN). The VLAN identifier should be set to match the switch
interface configuration.
Step 18
In the IP Address text box, enter the IP address of the management interface.
Step 19
In the Netmask text box, enter the IP address of the management interface netmask.
Step 20
In the Gateway text box, enter the IP address of the default gateway.
Step 21
In the Port Number text box, enter the number of the port assigned to the management interface. Each
interface is mapped to at least one primary port.
Step 22
In the Backup Port text box, enter the number of the backup port assigned to the management interface.
If the primary port for the management interface fails, the interface automatically moves to the backup
port.
Step 23
In the Primary DHCP Server text box, enter the IP address of the default DHCP server that will supply
IP addresses to clients, the controller’s management interface, and optionally, the service port interface.
Step 24
In the Secondary DHCP Server text box, enter the IP address of an optional secondary DHCP server that
will supply IP addresses to clients, the controller’s management interface, and optionally, the service
port interface.
Step 25
Click Next. The AP-Manager Interface Configuration screen appears.
Note
This screen does not appear for Cisco 5500 Series Controllers because you are not required to
configure an AP-manager interface. The management interface acts like an AP-manager
interface by default.
Step 26
In the IP Address text box, enter the IP address of the AP-manager interface.
Step 27
Click Next. The Miscellaneous Configuration screen appears.
Figure 3-6 Configuration Wizard — Miscellaneous Configuration Screen
Step 28
In the RF Mobility Domain Name text box, enter the name of the mobility group/RF group to which you want the controller to belong.
Note
Although the name that you enter here is assigned to both the mobility group and the RF group, these groups are not identical. Both groups define clusters of controllers, but they have different purposes. All of the controllers in an RF group are usually also in the same mobility group and vice versa. However, a mobility group facilitates scalable, system-wide mobility and controller redundancy while an RF group facilitates scalable, system-wide dynamic RF management.
Step 29
The Configured Country Code(s) text box shows the code for the country in which the controller will be
used. If you want to change the country of operation, select the check box for the desired country.
Note
You can choose more than one country code if you want to manage access points in multiple
countries from a single controller. After the configuration wizard runs, you need to assign each
access point joined to the controller to a specific country. See the “Configuring Country Codes”
section on page 9-87 for instructions.
Step 30
Click Next.
Step 31
When the following message appears, click OK:
Warning! To maintain regulatory compliance functionality, the country code setting may
only be modified by a network administrator or qualified IT professional. Ensure that
proper country codes are selected before proceeding.
The Virtual Interface Configuration screen appears.
Figure 3-7 Configuration Wizard — Virtual Interface Configuration Screen
Step 32
In the IP Address text box, enter the IP address of the controller’s virtual interface. You should enter a
fictitious, unassigned IP address.
Note
The virtual interface is used to support mobility management, DHCP relay, and embedded Layer
3 security such as guest web authentication and VPN termination. All controllers within a
mobility group must be configured with the same virtual interface IP address.
Step 33
In the DNS Host Name text box, enter the name of the Domain Name System (DNS) gateway used to
verify the source of certificates when Layer 3 web authorization is enabled.
Note
To ensure connectivity and web authentication, the DNS server should always point to the virtual interface. If a DNS host name is configured for the virtual interface, then the same DNS host name must be configured on the DNS servers used by the client.
Step 34
Click Next. The WLAN Configuration screen appears.
Figure 3-8 Configuration Wizard — WLAN Configuration Screen
Step 35
In the Profile Name text box, enter up to 32 alphanumeric characters for the profile name to be assigned
to this WLAN.
Step 36
In the WLAN SSID text box, enter up to 32 alphanumeric characters for the network name, or service
set identifier (SSID). The SSID enables basic functionality of the controller and allows access points that
have joined the controller to enable their radios.
Step 37
Click Next.
Step 38
When the following message appears, click OK:
Default Security applied to WLAN is: [WPA2(AES)][Auth(802.1x)]. You can change this after
the wizard is complete and the system is rebooted.
The RADIUS Server Configuration screen appears.
Figure 3-9 Configuration Wizard — RADIUS Server Configuration Screen
Step 39
In the Server IP Address text box, enter the IP address of the RADIUS server.
Step 40
From the Shared Secret Format drop-down list, choose ASCII or Hex to specify the format of the shared
secret.
Note
For security reasons, the RADIUS shared secret key reverts to ASCII mode even if you have selected HEX as the shared secret format from the Shared Secret Format drop-down list.
Step 41
In the Shared Secret and Confirm Shared Secret text boxes, enter the secret key used by the RADIUS
server.
Step 42
In the Port Number text box, enter the communication port of the RADIUS server. The default value is
1812.
Step 43
To enable the RADIUS server, choose Enabled from the Server Status drop-down list. To disable the
RADIUS server, leave this text box set to Disabled.
Step 44
Click Apply. The 802.11 Configuration screen appears.
Figure 3-10 Configuration Wizard — 802.11 Configuration Screen
Step 45
To enable the 802.11a, 802.11b, and 802.11g lightweight access point networks, leave the 802.11a
Network Status, 802.11b Network Status, and 802.11g Network Status check boxes selected. To
disable support for any of these networks, unselect the check boxes.
Step 46
To enable the controller’s radio resource management (RRM) auto-RF feature, leave the Auto RF check
box selected. To disable support for the auto-RF feature, unselect this check box.
Note
The auto-RF feature enables the controller to automatically form an RF group with other controllers. The group dynamically elects a leader to optimize RRM parameter settings, such as channel and transmit power assignment, for the group.
Step 47
Click Next. The Set Time screen appears.
Figure 3-11 Configuration Wizard — Set Time Screen
Step 48
To manually configure the system time on your controller, enter the current date in Month/DD/YYYY
format and the current time in HH:MM:SS format.
Step 49
To manually set the time zone so that Daylight Saving Time (DST) is not set automatically, enter the
local hour difference from Greenwich Mean Time (GMT) in the Delta Hours text box and the local
minute difference from GMT in the Delta Mins text box.
Note
When manually setting the time zone, enter the time difference of the local current time zone with respect to GMT (+/–). For example, Pacific time in the United States is 8 hours behind GMT. Therefore, it is entered as –8.
Step 50
Click Next. The Configuration Wizard Completed screen appears.
Figure 3-12 Configuration Wizard — Configuration Wizard Completed Screen
Step 51
Click Save and Reboot to save your configuration and reboot the controller.
Step 52
When the following message appears, click OK:
Configuration will be saved and the controller will be rebooted. Click ok to confirm.
Step 53
The controller saves your configuration, reboots, and prompts you to log in. Follow the instructions in
the “Using the Controller Web GUI” section on page 3-16 to log into the controller.
Additional References
• “Resetting the Controller to Default Settings” section on page 4-116 for instructions on returning the controller to factory defaults.
• Chapter 13, “Configuring Radio Resource Management”
• Chapter 15, “Configuring Mobility Groups”
• See the “SNMP Community Strings” section on page 4-40 and the “Changing the Default Values for SNMP v3 Users” section on page 4-42.
Configuring the Controller Using the CLI Configuration Wizard
This section contains the following topics:
• Guidelines and Limitations, page 3-14
• Configuring the Controller (CLI), page 3-14
Guidelines and Limitations
• The available options appear in brackets after each configuration parameter. The default value appears in all uppercase letters.
• If you enter an incorrect response, the controller provides you with an appropriate error message, such as “Invalid Response,” and returns you to the wizard prompt.
• Press the hyphen key if you ever need to return to the previous command line.
Configuring the Controller (CLI)
Step 1
When prompted to terminate the AutoInstall process, enter yes. If you do not enter yes, the AutoInstall
process begins after 30 seconds.
Note
The AutoInstall feature downloads a configuration file from a TFTP server and then loads the
configuration onto the controller automatically. See the “Using the AutoInstall Feature for
Controllers Without a Configuration” section on page 3-26 for more information.
Step 2
Enter the system name, which is the name that you want to assign to the controller. You can enter up to
31 ASCII characters.
Step 3
Enter the administrative username and password to be assigned to this controller. You can enter up to 24
ASCII characters for each.
Starting in release 7.0.116.0, the following password policy has been implemented:
• The password must contain characters from at least three of the following classes:
– Lowercase letters
– Uppercase letters
– Digits
– Special characters
• No character in the password must be repeated more than three times consecutively.
• The new password must not be the same as the associated username and must not be the username reversed.
• The password must not be cisco, ocsic, or any variant obtained by changing the capitalization of letters of the word Cisco. In addition, you cannot substitute 1, I, or ! for i, 0 for o, or $ for s.
Step 4
If you want the controller’s service-port interface to obtain an IP address from a DHCP server, enter DHCP. If you do not want to use the service port or if you want to assign a static IP address to the service port, enter none.
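The password policy stated in Step 3 above (the GUI wizard's Step 5 lists the same rules), as an added Python validator that is not part of this guide or of the controller software. The violation labels and the 24-character ASCII limit are taken from the wizard text; how the controller itself evaluates the rules is not documented here and this check is an assumption of a literal reading.

```python
import re

# Rules stated in the configuration wizard for release 7.0.116.0 and later.
# Reverses the substitutions the policy names: 1/I/! for i, 0 for o, $ for s
# ("I" is handled by lowercasing first).
CISCO_SUBSTITUTIONS = str.maketrans({"1": "i", "!": "i", "0": "o", "$": "s"})
FORBIDDEN_WORDS = ("cisco", "ocsic")
MAX_LENGTH = 24  # the wizard accepts up to 24 ASCII characters


def _undo_substitutions(password: str) -> str:
    """Lowercase the password and undo the listed substitutions so that
    every variant of 'cisco'/'ocsic' compares equal to the plain word."""
    return password.lower().translate(CISCO_SUBSTITUTIONS)


def check_password(password: str, username: str) -> list:
    """Return the list of policy rules the password violates; an empty list
    means the password satisfies every rule the wizard states."""
    problems = []

    # Wizard input limit: at most 24 ASCII characters.
    if not password.isascii() or len(password) > MAX_LENGTH:
        problems.append("length-or-charset")

    # Characters from at least three of the four classes.
    classes = sum(bool(re.search(pattern, password))
                  for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer-than-three-classes")

    # No character repeated more than three times consecutively ("aaaa").
    if re.search(r"(.)\1{3}", password):
        problems.append("repeated-character")

    # Not the username and not the username reversed.
    if password == username or password == username[::-1]:
        problems.append("matches-username")

    # Not cisco/ocsic in any capitalisation or with the listed substitutions.
    if _undo_substitutions(password) in FORBIDDEN_WORDS:
        problems.append("cisco-variant")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the default username from the wizard is admin.
    for candidate in ("Wlc-7500!x", "admin", "C1$c0", "Aaaaab1!"):
        print(candidate, check_password(candidate, "admin"))
```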
Note
The service-port interface controls communications through the service port. Its IP address must be on a different subnet from the management interface. This configuration enables you to manage the controller directly or through a dedicated management network to ensure service access during network downtime.
Step 5
If you entered none in Step 4, enter the IP address and netmask for the service-port interface on the next two lines.
Step 6
Enable or disable link aggregation (LAG) by choosing yes or NO.
Step 7
Enter the IP address of the management interface.
Note
The management interface is the default interface for in-band management of the controller and
connectivity to enterprise services such as AAA servers.
Step 8
Enter the IP address of the management interface netmask.
Step 9
Enter the IP address of the default router.
Step 10
Enter the VLAN identifier of the management interface (either a valid VLAN identifier or 0 for an
untagged VLAN). The VLAN identifier should be set to match the switch interface configuration.
Step 11
Enter the IP address of the default DHCP server that will supply IP addresses to clients, the controller’s
management interface, and optionally, the service port interface. Enter the IP address of the AP-manager
interface.
Note
This prompt does not appear for Cisco 5500 Series Controllers because you are not required to configure an AP-manager interface. The management interface acts like an AP-manager interface by default.
Step 12
Enter the IP address of the controller’s virtual interface. You should enter a fictitious, unassigned IP address.
Note
The virtual interface is used to support mobility management, DHCP relay, and embedded Layer 3 security such as guest web authentication and VPN termination. All controllers within a mobility group must be configured with the same virtual interface IP address.
Step 13
If desired, enter the name of the mobility group/RF group to which you want the controller to belong.
Note
Although the name that you enter here is assigned to both the mobility group and the RF group,
these groups are not identical. Both groups define clusters of controllers, but they have different
purposes. All of the controllers in an RF group are usually also in the same mobility group and
vice versa. However, a mobility group facilitates scalable, system-wide mobility and controller
redundancy while an RF group facilitates scalable, system-wide dynamic RF management.
Step 14
Enter the network name or service set identifier (SSID). The SSID enables basic functionality of the
controller and allows access points that have joined the controller to enable their radios.
Step 15
Enter YES to allow clients to assign their own IP address or no to require clients to request an IP address
from a DHCP server.
Step 16
To configure a RADIUS server now, enter YES and then enter the IP address, communication port, and
secret key of the RADIUS server. Otherwise, enter no. If you enter no, the following message appears:
“Warning! The default WLAN security policy requires a RADIUS server. Please see the documentation
for more details.”
Step 17
Enter the code for the country in which the controller will be used.
Note
Enter help to view the list of available country codes.
Note
You can enter more than one country code if you want to manage access points in multiple
countries from a single controller. To do so, separate the country codes with a comma (for
example, US,CA,MX). After the configuration wizard runs, you need to assign each access point
joined to the controller to a specific country.
Step 18
Enable or disable the 802.11b, 802.11a, and 802.11g lightweight access point networks by entering YES
or no.
Step 19
Enable or disable the controller’s radio resource management (RRM) auto-RF feature by entering YES
or no.
Note
The auto-RF feature enables the controller to automatically form an RF group with other
controllers. The group dynamically elects a leader to optimize RRM parameter settings, such as
channel and transmit power assignment, for the group.
Step 20
If you want the controller to receive its time setting from an external Network Time Protocol (NTP)
server when it powers up, enter YES to configure an NTP server. Otherwise, enter no.
Note
The controller network module installed in a Cisco Integrated Services Router does not have a
battery and cannot save a time setting. Therefore, it must receive a time setting from an external
NTP server when it powers up.
Step 21
If you entered no in Step 20 and want to manually configure the system time on your controller now,
enter YES. If you do not want to configure the system time now, enter no.
Step 22
If you entered YES in Step 21, enter the current date in MM/DD/YY format and the current time in
HH:MM:SS format.
Step 23
When prompted to verify that the configuration is correct, enter yes or NO.
The controller saves your configuration, reboots, and prompts you to log in. Follow the instructions in
the “Using the Controller CLI” section on page 3-22 to log into the controller.
Using the Controller Web GUI
A web-based graphical user interface (GUI) is built into each controller. It allows up to five users
to simultaneously browse to the controller HTTP or HTTPS (HTTP + SSL) management pages to
configure parameters and monitor the operational status of the controller and its associated access
points.
This section contains the following topics:
•
Guidelines and Limitations, page 3-17
•
Logging On to the GUI, page 3-17
•
Logging Out of the GUI, page 3-17
•
Enabling Web and Secure Web Modes, page 3-18
Guidelines and Limitations
Follow these guidelines when using the controller GUI:
•
The GUI must be used on a PC running Windows XP SP1 (or later) or Windows 2000 SP4 (or later).
•
The GUI is fully compatible with Microsoft Internet Explorer version 6.0 SP1 (or later) or Mozilla
Firefox 2.0.0.11 (or later). Internet Explorer 6.0 SP1 (or later) and Mozilla Firefox 2.0.0.11 (or later)
are the only browsers supported for accessing the controller GUI and for using web authentication.
•
Opera is not supported.
•
You can use either the service port interface or the management interface to access the GUI. We
recommend that you use the service-port interface. See Chapter 4, “Configuring Ports and
Interfaces,” for instructions on configuring the service port interface.
•
Click Help at the top of any page in the GUI to display online help. You might need to disable your
browser’s pop-up blocker to view the online help.
•
We recommend that you enable the HTTPS interface and disable the HTTP interface to ensure more
robust security for your Cisco UWN solution.
Logging On to the GUI
Step 1
Enter the controller IP address in your browser’s address line. For a secure connection, enter
https://ip-address. For a less secure connection, enter http://ip-address.
Note
See the “Enabling Web and Secure Web Modes” section on page 3-18 for instructions on setting
up HTTPS.
Step 2
When prompted, enter a valid username and password and click OK. The controller Summary page
appears.
Note
The administrative username and password that you created in the configuration wizard are case
sensitive. The default username is admin, and the default password is admin. If the default password is
still in place, change it before the management or service-port interface is reachable from the network.
Logging Out of the GUI
Step 1
Click Logout in the top right corner of the page.
Step 2
Click Close to complete the logoff process and prevent unauthorized users from accessing the controller
GUI.
Step 3
When prompted to confirm your decision, click Yes.
Enabling Web and Secure Web Modes
This section provides instructions for enabling the distribution system port as a web port (using HTTP)
or as a secure web port (using HTTPS). You can protect communication with the GUI by enabling
HTTPS. HTTPS protects HTTP browser sessions by using the Secure Socket Layer (SSL) protocol.
When you enable HTTPS, the controller generates its own local web administration SSL certificate and
automatically applies it to the GUI. Because that certificate is self-signed, browsers warn about it, and an
administrator who is used to clicking through the warning cannot tell the controller from an interposed
host; for production management, load a certificate issued by a CA that your administrators' browsers
trust. You also have the option of downloading an externally generated certificate. This section contains
the following topics:
•
Enabling Web and Secure Web Modes (GUI), page 3-18
•
Enabling Web and Secure Web Modes (CLI), page 3-19
Enabling Web and Secure Web Modes (GUI)
Step 1
Choose Management > HTTP to open the HTTP Configuration page.
Figure 3-13
HTTP Configuration Page
Step 2
To enable web mode, which allows users to access the controller GUI using “http://ip-address,” choose
Enabled from the HTTP Access drop-down list. Otherwise, choose Disabled. The default value is
Disabled. Web mode is not a secure connection.
Step 3
To enable secure web mode, which allows users to access the controller GUI using “https://ip-address,”
choose Enabled from the HTTPS Access drop-down list. Otherwise, choose Disabled. The default value
is Enabled. Secure web mode is a secure connection.
Step 4
In the Web Session Timeout text box, enter the amount of time (in minutes) before the web session times
out due to inactivity. You can enter a value between 30 and 160 minutes (inclusive), and the default value
is 30 minutes.
Step 5
Click Apply to commit your changes.
Step 6
If you enabled secure web mode in Step 3, the controller generates a local web administration SSL
certificate and automatically applies it to the GUI. The details of the current certificate appear in the
middle of the HTTP Configuration page.
Note
If you want to download your own SSL certificate to the controller, follow the instructions in the
“Loading an Externally Generated SSL Certificate” section on page 3-20.
Note
If desired, you can delete the current certificate by clicking Delete Certificate and have the
controller generate a new certificate by clicking Regenerate Certificate.
Step 7
Click Save Configuration to save your changes.
Enabling Web and Secure Web Modes (CLI)
Step 1
To enable or disable web mode, enter this command:
config network webmode {enable | disable}
This command allows users to access the controller GUI using “http://ip-address.” The default value is
disabled. Web mode is not a secure connection.
Step 2
To enable or disable secure web mode, enter this command:
config network secureweb {enable | disable}
This command allows users to access the controller GUI using “https://ip-address.” The default value is
enabled. Secure web mode is a secure connection.
Step 3
To enable or disable secure web mode with increased security, enter this command:
config network secureweb cipher-option high {enable | disable}
This command allows users to access the controller GUI using “https://ip-address” but only from
browsers that support 128-bit (or larger) ciphers. The default value is disabled.
Step 4
To enable or disable SSLv2 for web administration, enter this command:
config network secureweb cipher-option sslv2 {enable | disable}
If you disable SSLv2, users cannot connect using a browser configured with SSLv2 only. They must use
a browser that is configured to use a more secure protocol such as SSLv3 or later. The default value is
enabled. SSLv2 has known protocol weaknesses and no current browser requires it, so disable it unless
a specific legacy client depends on it.
Step 5
To verify that the controller has generated a certificate, enter this command:
show certificate summary
Information similar to the following appears:
Web Administration Certificate................. Locally Generated
Web Authentication Certificate................. Locally Generated
Certificate compatibility mode:................ off
Note
If you want to download your own SSL certificate to the controller, follow the instructions in the
“Loading an Externally Generated SSL Certificate” section on page 3-20.
Step 6
(Optional) If you need to generate a new certificate, enter this command:
config certificate generate webadmin
After a few seconds, the controller verifies that the certificate has been generated.
Step 7
To save the SSL certificate, key, and secure web password to nonvolatile RAM (NVRAM) so that your
changes are retained across reboots, enter this command:
save config
Step 8
To reboot the controller, enter this command:
reset system
Loading an Externally Generated SSL Certificate
You can use a TFTP server to download an externally generated SSL certificate to the controller.
This section contains the following topics:
•
Guidelines and Limitations, page 3-20
•
Loading an SSL Certificate, page 3-20
Guidelines and Limitations
•
If you load the certificate through the service port, the TFTP server must be on the same subnet as
the controller because the service port is not routable, or you must create static routes on the
controller. Also, if you load the certificate through the distribution system network port, the TFTP
server can be on any subnet.
•
A third-party TFTP server cannot run on the same PC as the Cisco WCS because the WCS built-in
TFTP server and the third-party TFTP server require the same communication port.
•
Chained certificates are supported for web authentication only and not for the management
certificate.
•
Every HTTPS certificate contains an embedded RSA key. The length of the key can vary from 512
bits, which is relatively insecure, to thousands of bits, which is very secure. When you obtain a new
certificate from a Certificate Authority, make sure that the RSA key embedded in the certificate is
at least 768 bits long. Treat 768 bits as the floor stated here rather than as a target: 512-bit RSA
moduli have been factored publicly, and public CAs issue 2048-bit keys, so request at least 2048 bits.
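The key-length check in the last guideline is easy to automate before the file ever reaches the TFTP server. The following Python is an added example, not Cisco code: it walks the DER structure of a certificate (PEM or DER input) to find the RSA SubjectPublicKeyInfo and reports the modulus size against the 768-bit floor stated above and the 2048-bit size a practitioner would actually require. The build_test_cert and to_pem helpers and the sample key sizes are constructed here so that the example runs offline; they produce certificate-shaped DER, not valid X.509 certificates, and only the SubjectPublicKeyInfo inside them is realistic. The OIDs are the standard PKCS#1 identifiers; the two thresholds are the only values taken from this guide and from current CA practice.

```python
import base64
import re

# Standard PKCS#1 object identifiers as DER content octets.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")     # 1.2.840.113549.1.1.1
SHA256_WITH_RSA_OID = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11

MIN_BITS_THIS_RELEASE = 768    # floor stated in this guide
MIN_BITS_RECOMMENDED = 2048    # what a public CA issues today


# ---- minimal DER encoder, used only to construct offline test input ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:           # DER INTEGER is signed: pad to keep it positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def build_test_cert(modulus, exponent=65537):
    """Constructed, certificate-shaped DER carrying an RSA SubjectPublicKeyInfo.
    Not a valid X.509 certificate; only the SPKI is realistic."""
    rsa_pub = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    spki_alg = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + _tlv(0x05, b""))
    spki = _tlv(0x30, spki_alg + _tlv(0x03, b"\x00" + rsa_pub))
    tbs = _tlv(0x30, _der_int(1) + spki)            # stand-in tbsCertificate
    sig_alg = _tlv(0x30, _tlv(0x06, SHA256_WITH_RSA_OID) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 9))


def to_pem(der):
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


# ---- DER reader ----
def _read_tlv(buf, pos):
    """Parse one tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    pos = 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        yield tag, body


def _find_rsa_modulus(content):
    """Depth-first search for AlgorithmIdentifier{rsaEncryption} immediately
    followed by a BIT STRING holding RSAPublicKey{n, e}; return n."""
    kids = list(_children(content))
    for i, (tag, body) in enumerate(kids):
        if tag == 0x30 and i + 1 < len(kids) and kids[i + 1][0] == 0x03:
            alg = list(_children(body))
            if alg and alg[0] == (0x06, RSA_ENCRYPTION_OID):
                _, rsa_pub, _ = _read_tlv(kids[i + 1][1], 1)   # skip unused-bits octet
                n_body = next(_children(rsa_pub))[1]
                return int.from_bytes(n_body, "big")
        if tag & 0x20:                                 # constructed type: descend
            found = _find_rsa_modulus(body)
            if found is not None:
                return found
    return None


def rsa_key_bits(cert_bytes):
    """Return the RSA modulus size in bits for a PEM or DER certificate, or None."""
    if b"-----BEGIN" in cert_bytes:
        cert_bytes = base64.b64decode(re.sub(rb"-----[^-]*-----|\s", b"", cert_bytes))
    tag, content, _ = _read_tlv(cert_bytes, 0)
    if tag != 0x30:
        raise ValueError("input is not a DER SEQUENCE")
    n = _find_rsa_modulus(content)
    return n.bit_length() if n is not None else None


def check_webadmin_cert(cert_bytes):
    """Verdict to obtain before running 'transfer download start'."""
    bits = rsa_key_bits(cert_bytes)
    if bits is None:
        return "reject: no RSA public key found"
    if bits < MIN_BITS_THIS_RELEASE:
        return f"reject: {bits}-bit RSA key is below the {MIN_BITS_THIS_RELEASE}-bit floor"
    if bits < MIN_BITS_RECOMMENDED:
        return f"warn: {bits}-bit RSA key; request a {MIN_BITS_RECOMMENDED}-bit key"
    return f"ok: {bits}-bit RSA key"


if __name__ == "__main__":
    for bits in (512, 1024, 2048):                     # constructed key sizes
        print(check_webadmin_cert(to_pem(build_test_cert((1 << (bits - 1)) | 1))))
```

Run it against the real webadmincert_name.pem by reading the file in binary mode and passing the bytes to check_webadmin_cert; the parser only reads the public key, so it works on the unencrypted certificate before the password step in the CLI procedure.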
Loading an SSL Certificate
This section contains the following topics:
•
Loading an SSL Certificate (GUI), page 3-20
•
Loading an SSL Certificate (CLI), page 3-21
Loading an SSL Certificate (GUI)
Step 1
On the HTTP Configuration page, select the Download SSL Certificate check box.
Figure 3-14
HTTP Configuration Page
Step 2
In the Server IP Address text box, enter the IP address of the TFTP server.
Step 3
In the Maximum Retries text box, enter the maximum number of times that the TFTP server attempts to
download the certificate.
Step 4
In the Timeout text box, enter the amount of time (in seconds) that the TFTP server attempts to download
the certificate.
Step 5
In the Certificate File Path text box, enter the directory path of the certificate.
Step 6
In the Certificate File Name text box, enter the name of the certificate (webadmincert_name.pem).
Step 7
(Optional) In the Certificate Password text box, enter the password that was used to encrypt the
certificate file, so that the controller can decrypt the private key it contains.
Step 8
Click Apply to commit your changes.
Step 9
Click Save Configuration to save your changes.
Step 10
To reboot the controller for your changes to take effect, choose Commands > Reboot > Reboot > Save
and Reboot.
Loading an SSL Certificate (CLI)
Step 1
Use a password to encrypt the HTTPS certificate in a .PEM-encoded file. The PEM-encoded file is called
a web administration certificate file (webadmincert_name.pem).
Step 2
Move the webadmincert_name.pem file to the default directory on your TFTP server.
Step 3
To view the current download settings, enter this command and answer n to the prompt:
transfer download start
Information similar to the following appears:
Mode............................................. TFTP
Data Type........................................ Admin Cert
TFTP Server IP................................... xxx.xxx.xxx.xxx
TFTP Path........................................ <directory path>
TFTP Filename....................................
Are you sure you want to start? (y/n) n
Transfer Canceled
Step 4
Use these commands to change the download settings:
transfer download mode tftp
transfer download datatype webadmincert
transfer download serverip TFTP_server IP_address
transfer download path absolute_TFTP_server_path_to_the_update_file
transfer download filename webadmincert_name.pem
Step 5
To set the password for the .PEM file so that the operating system can decrypt the web administration
SSL key and certificate, enter this command:
transfer download certpassword private_key_password
Step 6
To confirm the current download settings and start the certificate and key download, enter this command
and answer y to the prompt:
transfer download start
Information similar to the following appears:
Mode............................................. TFTP
Data Type........................................ Site Cert
TFTP Server IP................................... xxx.xxx.xxx.xxx
TFTP Path........................................ directory path
TFTP Filename.................................... webadmincert_name
Are you sure you want to start? (y/n) y
TFTP Webadmin cert transfer starting.
Certificate installed.
Please restart the switch (reset system) to use the new certificate.
Step 7
To save the SSL certificate, key, and secure web password to NVRAM so that your changes are retained
across reboots, enter this command:
save config
Step 8
To reboot the controller, enter this command:
reset system
Using the Controller CLI
This section contains the following topics:
•
Information About the Controller CLI, page 3-23
•
Guidelines and Limitations, page 3-23
•
Logging on to the Controller CLI, page 3-23
•
Using a Local Serial Connection, page 3-23
•
Using a Remote Ethernet Connection, page 3-24
•
Logging Out of the CLI, page 3-25
•
Navigating the CLI, page 3-25
•
Additional References, page 3-26
Information About the Controller CLI
A Cisco UWN solution command-line interface (CLI) is built into each controller. The CLI enables you
to use a VT-100 terminal emulation program to locally or remotely configure, monitor, and control
individual controllers and their associated lightweight access points. The CLI is a simple text-based,
tree-structured interface that allows up to five users with Telnet- or SSH-capable terminal emulation
programs to access the controller.
Guidelines and Limitations
•
On Cisco 5500 Series Controllers, you can use either the RJ-45 console port or the USB console
port. If you use the USB console port, plug the 5-pin mini Type B connector into the controller’s
USB console port and the other end of the cable into the PC’s USB Type A port. The first time that
you connect a Windows PC to the USB console port, you are prompted to install the USB console
driver. Follow the installation prompts to install the driver. The USB console driver maps to a COM
port on your PC; you then need to map the terminal emulator application to the COM port.
•
If you want to input any strings from the XML configuration into CLI commands, you must enclose
the strings in quotation marks.
Logging on to the Controller CLI
You access the controller CLI using one of two methods:
•
A direct serial connection to the controller console port
•
A remote console session over Ethernet through the preconfigured service port or the distribution
system ports
Before you log on to the CLI, configure your connectivity and environment variables based on the type
of connection you use.
Using a Local Serial Connection
You need these items to connect to the serial port:
•
A PC that is running a VT-100 terminal emulation program (such as HyperTerminal, ProComm,
Minicom, or Tip)
•
A null-modem serial cable
To log into the controller CLI through the serial port, follow these steps:
Step 1
Connect one end of a null-modem serial cable to the controller’s console port and the other end to your
PC’s serial port.
Step 2
Start the PC’s VT-100 terminal emulation program. Configure the terminal emulation program for these
parameters:
•
9600 baud
•
8 data bits
•
1 stop bit
•
No parity
•
No hardware flow control
Note
The controller serial port is set for a 9600 baud rate and a short timeout. If you would like to
change either of these values, enter config serial baudrate baudrate and config serial timeout
timeout to make your changes. If you enter config serial timeout 0, serial sessions never time
out.
Step 3
When prompted, enter a valid username and password to log into the controller. The administrative
username and password that you created in the configuration wizard are case sensitive.
Note
The default username is admin, and the default password is admin.
The CLI displays the root level system prompt:
#(system prompt)>
Note
The system prompt can be any alphanumeric string up to 31 characters. You can change it by
entering the config prompt command.
Using a Remote Ethernet Connection
You need these items to connect to a controller remotely:
•
A PC with access to the controller over the Ethernet network
•
The IP address of the controller
•
A VT-100 terminal emulation program or a DOS shell for the Telnet session
Note
By default, controllers block Telnet sessions. You must use a local connection to the serial port to enable
Telnet sessions. Telnet carries the administrative credentials in cleartext; use SSH instead wherever the
client supports it (see the “Configuring Telnet and SSH Sessions” section on page 3-35).
To log into the controller CLI through a remote Ethernet connection, follow these steps:
Step 1
Verify that your VT-100 terminal emulation program or DOS shell interface is configured with these
parameters:
•
Ethernet address
•
Port 23
Step 2
Use the controller IP address to Telnet to the CLI.
Step 3
When prompted, enter a valid username and password to log into the controller. The administrative
username and password that you created in the configuration wizard are case sensitive.
Note
The default username is admin, and the default password is admin.
The CLI displays the root level system prompt:
#(system prompt)>
Note
The system prompt can be any alphanumeric string up to 31 characters. You can change it by
entering the config prompt command.
Logging Out of the CLI
When you finish using the CLI, navigate to the root level and enter logout. The system prompts you to
save any changes you made to the volatile RAM.
Note
The CLI automatically logs you out without saving any changes after 5 minutes of inactivity. You can
set the automatic logout from 0 (never log out) to 160 minutes using the config serial timeout command.
Navigating the CLI
The CLI is organized around five levels:
•
Root Level
•
Level 2
•
Level 3
•
Level 4
•
Level 5
When you log into the CLI, you are at the root level. From the root level, you can enter any full command
without first navigating to the correct command level. Table 3-1 lists commands you use to navigate the
CLI and to perform common tasks.
Table 3-1
Commands for CLI Navigation and Common Tasks
Command        Action
help           At the root level, view system wide navigation commands
?              View commands available at the current level
command ?      View parameters for a specific command
exit           Move down one level
Ctrl-Z         Return from any level to the root level
save config    At the root level, save configuration changes from active working RAM to
               nonvolatile RAM (NVRAM) so they are retained after reboot
reset system   At the root level, reset the controller without logging out
Additional References
•
See the Cisco Wireless LAN Controller Command Reference for information on specific commands.
•
See the “Configuring Telnet and SSH Sessions” section on page 3-35 for information on enabling
Telnet sessions.
Using the AutoInstall Feature for Controllers Without a
Configuration
This section contains the following topics:
•
Information About the AutoInstall Feature, page 3-26
•
Guidelines and Limitations, page 3-27
•
Obtaining an IP Address Through DHCP and Downloading a Configuration File from a TFTP
Server, page 3-27
•
Selecting a Configuration File, page 3-28
•
Example: AutoInstall Operation, page 3-29
•
Additional References, page 3-30
Information About the AutoInstall Feature
When you boot up a controller that does not have a configuration, the AutoInstall feature can download
a configuration file from a TFTP server and then load the configuration onto the controller automatically.
If you create a configuration file on a controller that is already on the network (or through a WCS filter),
place that configuration file on a TFTP server, and configure a DHCP server so that a new controller can
get an IP address and TFTP server information, the AutoInstall feature can obtain the configuration file
for the new controller automatically.
When the controller boots, the AutoInstall process starts. The controller does not take any action until
AutoInstall is notified that the configuration wizard has started. If the wizard has not started, the
controller has a valid configuration.
If AutoInstall is notified that the configuration wizard has started (which means that the controller does
not have a configuration), AutoInstall waits for an additional 30 seconds. This time period gives you an
opportunity to respond to the first prompt from the configuration wizard:
Would you like to terminate autoinstall? [yes]:
When the 30-second abort timeout expires, AutoInstall starts the DHCP client. You can abort the
AutoInstall task even after this 30-second timeout if you enter Yes at the prompt. However, AutoInstall
cannot be aborted if the TFTP task has locked the flash and is in the process of downloading and
installing a valid configuration file.
Guidelines and Limitations
AutoInstall uses the following interfaces:
•
Cisco 5500 Series Controllers
– eth0—Service port (untagged)
– dtl0—Gigabit port 1 through the NPU (untagged)
Obtaining an IP Address Through DHCP and Downloading a Configuration File
from a TFTP Server
AutoInstall attempts to obtain an IP address from the DHCP server until the DHCP process is successful
or until you abort the AutoInstall process. The first interface to successfully obtain an IP address from
the DHCP server registers with the AutoInstall task. The registration of this interface causes AutoInstall
to begin the process of obtaining TFTP server information and downloading the configuration file.
Following the acquisition of the DHCP IP address for an interface, AutoInstall begins a short sequence
of events to determine the host name of the controller and the IP address of the TFTP server. Each phase
of this sequence gives preference to explicitly configured information over default or implied
information and to explicit host names over explicit IP addresses.
The process is as follows:
•
If at least one Domain Name System (DNS) server IP address is learned through DHCP, AutoInstall
creates a /etc/resolv.conf file. This file includes the domain name and the list of DNS servers that
have been received. The Domain Name Server option provides the list of DNS servers, and the
Domain Name option provides the domain name.
•
If the domain servers are not on the same subnet as the controller, static route entries are installed
for each domain server. These static routes point to the gateway that is learned through the DHCP
Router option.
•
The host name of the controller is determined in this order by one of the following:
– If the DHCP Host Name option was received, this information (truncated at the first period [.])
is used as the host name for the controller.
– A reverse DNS lookup is performed on the controller IP address. If DNS returns a hostname,
this name (truncated at the first period [.]) is used as the hostname for the controller.
•
The IP address of the TFTP server is determined in this order by one of the following:
– If AutoInstall received the DHCP TFTP Server Name option, AutoInstall performs a DNS
lookup on this server name. If the DNS lookup is successful, the returned IP address is used as
the IP address of the TFTP server.
– If the DHCP Server Host Name (sname) text box is valid, AutoInstall performs a DNS lookup
on this name. If the DNS lookup is successful, the IP address that is returned is used as the IP
address of the TFTP server.
– If AutoInstall received the DHCP TFTP Server Address option, this address is used as the IP
address of the TFTP server.
– AutoInstall performs a DNS lookup on the default TFTP server name (cisco-wlc-tftp). If the
DNS lookup is successful, the IP address that is received is used as the IP address of the TFTP
server.
– If the DHCP server IP address (siaddr) text box is nonzero, this address is used as the IP address
of the TFTP server.
– The limited broadcast address (255.255.255.255) is used as the IP address of the TFTP server.
•
If the TFTP server is not on the same subnet as the controller, a static route (/32) is installed for the
IP address of the TFTP server. This static route points to the gateway that is learned through the
DHCP Router option.
Selecting a Configuration File
After the hostname and TFTP server have been determined, AutoInstall attempts to download a
configuration file. AutoInstall performs three full download iterations on each interface that obtains a
DHCP IP address. For example, if a Cisco 4400 Series Controller obtains DHCP IP addresses on both
eth0 and dtl0, each interface tries to download a configuration. If an interface cannot download a
configuration file successfully after three attempts, it makes no further attempts.
The first configuration file that is downloaded and installed successfully triggers a reboot of the
controller. After the reboot, the controller runs the newly downloaded configuration.
AutoInstall searches for configuration files in the order in which the names are listed:
•
The filename that is provided by the DHCP Boot File Name option
•
The filename that is provided by the DHCP File text box
•
host name-confg
•
host name.cfg
•
base MAC address-confg (for example, 0011.2233.4455-confg)
•
serial number-confg
•
ciscowlc-confg
•
ciscowlc.cfg
AutoInstall runs through this list until it finds a configuration file. It stops running if it does not find a
configuration file after it cycles through this list three times on each registered interface.
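The hostname, TFTP-server and filename precedence described in this section and in the previous one is worth modelling, because every input to it is unauthenticated: DHCP options, DNS answers, the siaddr field and, as the last resort, the limited broadcast. Whoever answers DHCP or DNS first on the service-port or management segment therefore decides where an unconfigured controller fetches its configuration from. The following Python is an added example, not controller code. It implements the resolution order as documented here against a stub DNS table and an in-memory TFTP directory, then runs the three-iteration file search on one interface. The lease contents and DNS entries are constructed to reproduce the service-port half of the log in the Example section; the MAC address 0011.2233.4455 is the placeholder this guide uses, the serial number FCW0000X000 is hypothetical, and the DHCP option numbers in the comments (12, 66, 67, 150) are the standard and Cisco assignments rather than something this guide states.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_TFTP_NAME = "cisco-wlc-tftp"
LIMITED_BROADCAST = "255.255.255.255"


@dataclass
class Lease:
    """The DHCP fields AutoInstall consults (names follow this guide's wording)."""
    yiaddr: str                                 # address assigned to the interface
    host_name: Optional[str] = None             # DHCP Host Name option (12)
    tftp_server_name: Optional[str] = None      # DHCP TFTP Server Name option (66)
    tftp_server_addr: Optional[str] = None      # DHCP TFTP Server Address option (150)
    boot_file_name: Optional[str] = None        # DHCP Boot File Name option (67)
    file_field: Optional[str] = None            # BOOTP 'file' field
    sname: Optional[str] = None                 # BOOTP 'sname' field
    siaddr: str = "0.0.0.0"                     # BOOTP next-server address


class StubDns:
    """Constructed DNS table standing in for the servers learned through DHCP."""
    def __init__(self, forward, reverse):
        self.forward, self.reverse = forward, reverse

    def lookup(self, name):
        return self.forward.get(name)

    def reverse_lookup(self, ip):
        return self.reverse.get(ip)


def _short(fqdn):
    """Truncate at the first period, as the guide says the controller does."""
    return fqdn.split(".", 1)[0]


def resolve_hostname(lease, dns):
    if lease.host_name:
        return _short(lease.host_name)
    rev = dns.reverse_lookup(lease.yiaddr)
    return _short(rev) if rev else None


def resolve_tftp_server(lease, dns):
    """Return (ip, reason) following the documented precedence: explicit names
    before explicit addresses, explicit values before implied ones."""
    for source, value in (("TFTP Server Name option", lease.tftp_server_name),
                          ("sname field", lease.sname)):
        if value:
            ip = dns.lookup(value)
            if ip:
                return ip, f"DNS lookup of {value} from {source}"
    if lease.tftp_server_addr:
        return lease.tftp_server_addr, "TFTP Server Address option"
    ip = dns.lookup(DEFAULT_TFTP_NAME)
    if ip:
        return ip, f"DNS lookup of default name {DEFAULT_TFTP_NAME}"
    if lease.siaddr != "0.0.0.0":
        return lease.siaddr, "siaddr field"
    # Last resort: any host on the segment that answers the broadcast wins.
    return LIMITED_BROADCAST, "limited broadcast"


def config_file_candidates(lease, hostname, base_mac, serial):
    """Search order from this section; absent entries are simply skipped."""
    names = [lease.boot_file_name, lease.file_field]
    if hostname:
        names += [f"{hostname}-confg", f"{hostname}.cfg"]
    names += [f"{base_mac}-confg", f"{serial}-confg", "ciscowlc-confg", "ciscowlc.cfg"]
    return [n for n in names if n]


def autoinstall(lease, dns, tftp_servers, base_mac, serial, iterations=3):
    """Walk the candidate list up to `iterations` times on one interface and
    return what the controller would install, with file=None if it gives up."""
    hostname = resolve_hostname(lease, dns)
    server, reason = resolve_tftp_server(lease, dns)
    result = {"hostname": hostname, "server": server, "reason": reason, "file": None}
    available = tftp_servers.get(server, {})          # stub TFTP directory per server
    for _ in range(iterations):
        for name in config_file_candidates(lease, hostname, base_mac, serial):
            if name in available:
                result["file"] = name
                return result
    return result


# Constructed inputs mirroring the service-port lease in the Example section.
SAMPLE_LEASE = Lease(yiaddr="172.19.29.253", tftp_server_addr="1.100.108.2",
                     siaddr="1.100.108.2", boot_file_name="abcd-confg")
SAMPLE_DNS = StubDns(forward={}, reverse={"172.19.29.253": "wlc-1.engtest.com"})
SAMPLE_TFTP = {"1.100.108.2": {"wlc-1-confg": "<config>"}}   # abcd-confg is absent
SAMPLE_MAC, SAMPLE_SERIAL = "0011.2233.4455", "FCW0000X000"  # placeholder identifiers

if __name__ == "__main__":
    print(autoinstall(SAMPLE_LEASE, SAMPLE_DNS, SAMPLE_TFTP, SAMPLE_MAC, SAMPLE_SERIAL))
```

The sample run ends where the log does: the first candidate abcd-confg is not on the server, so the controller falls through to wlc-1-confg. Feeding resolve_tftp_server a lease with no TFTP options and no DNS answers shows the broadcast fallback, which is the case to design the staging VLAN against.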
Note
The downloaded configuration file can be a complete configuration, or it can be a minimal configuration
that provides enough information for the controller to be managed by WCS. Full configuration can then
be deployed directly from WCS.
Note
AutoInstall does not expect the switch connected to the controller to be configured for either channel.
AutoInstall works with the service port in a LAG configuration.
Note
For information about creating and uploading a configuration file that AutoInstall can obtain from a
TFTP server, see Chapter 11, “Managing Controller Software and Configurations.”
Note
WCS release 5.0 and later releases provide AutoInstall capabilities for controllers. A WCS administrator
can create a filter that includes the host name, the MAC address, or the serial number of the controller
and associate a group of templates (a configuration group) to this filter rule. WCS pushes the initial
configuration to the controller when the controller boots up initially. After the controller is discovered,
WCS pushes the templates that are defined in the configuration group. For more information about the
AutoInstall feature and WCS, see Chapter 15 of the Cisco Wireless Control System Configuration Guide,
Release 7.0.172.0.
Example: AutoInstall Operation
The following is an example of an AutoInstall process from start to finish:
Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup
Would you like to terminate autoinstall? [yes]:
AUTO-INSTALL: starting now...
AUTO-INSTALL: interface 'service-port' - setting DHCP TFTP Filename ==> 'abcd-confg'
AUTO-INSTALL: interface 'service-port' - setting DHCP TFTP Server IP ==> 1.100.108.2
AUTO-INSTALL: interface 'service-port' - setting DHCP siaddr ==> 1.100.108.2
AUTO-INSTALL: interface 'service-port' - setting DHCP Domain Server[0] ==> 1.100.108.2
AUTO-INSTALL: interface 'service-port' - setting DHCP Domain Name ==> 'engtest.com'
AUTO-INSTALL: interface 'service-port' - setting DHCP yiaddr ==> 172.19.29.253
AUTO-INSTALL: interface 'service-port' - setting DHCP Netmask ==> 255.255.255.0
AUTO-INSTALL: interface 'service-port' - setting DHCP Gateway ==> 172.19.29.1
AUTO-INSTALL: interface 'service-port' registered
AUTO-INSTALL: interation 1 -- interface 'service-port'
AUTO-INSTALL: DNS reverse lookup 172.19.29.253 ===> 'wlc-1'
AUTO-INSTALL: hostname 'wlc-1'
AUTO-INSTALL: TFTP server 1.100.108.2 (from DHCP Option 150)
AUTO-INSTALL: attempting download of 'abcd-confg'
AUTO-INSTALL: TFTP status - 'TFTP Config transfer starting.' (2)
AUTO-INSTALL: interface 'management' - setting DHCP file ==> 'bootfile1'
AUTO-INSTALL: interface 'management' - setting DHCP TFTP Filename ==> 'bootfile2-confg'
AUTO-INSTALL: interface 'management' - setting DHCP siaddr ==> 1.100.108.2
AUTO-INSTALL: interface 'management' - setting DHCP Domain Server[0] ==> 1.100.108.2
AUTO-INSTALL: interface 'management' - setting DHCP Domain Server[1] ==> 1.100.108.3
AUTO-INSTALL: interface 'management' - setting DHCP Domain Server[2] ==> 1.100.108.4
AUTO-INSTALL: interface 'management' - setting DHCP Domain Name ==> 'engtest.com'
AUTO-INSTALL: interface 'management' - setting DHCP yiaddr ==> 1.100.108.238
AUTO-INSTALL: interface 'management' - setting DHCP Netmask ==> 255.255.254.0
AUTO-INSTALL: interface 'management' - setting DHCP Gateway ==> 1.100.108.1
AUTO-INSTALL: interface 'management' registered
AUTO-INSTALL: TFTP status - 'Config file transfer failed - Error from server: File not
found' (3)
AUTO-INSTALL: attempting download of 'wlc-1-confg'
AUTO-INSTALL: TFTP status - 'TFTP Config transfer starting.' (2)
AUTO-INSTALL: TFTP status - 'TFTP receive complete... updating configuration.' (2)
AUTO-INSTALL: TFTP status - 'TFTP receive complete... storing in flash.' (2)
AUTO-INSTALL: TFTP status - 'System being reset.' (2)
Resetting system
Additional References
•
For information about configuring DHCP on a controller, see the “Configuring WLANs” section on
page 8-8.
•
For information about configuring a TFTP server on a controller, see Chapter 11, “Managing
Controller Software and Configurations.”
•
For information about configuring DHCP and TFTP servers through WCS, see Chapter 10 of the
Cisco Wireless Control System Configuration Guide.
Managing the Controller System Date and Time
This section contains the following topics:
•
Information About Controller System Date and Time, page 3-30
•
Guidelines and Limitations, page 3-30
•
Configuring an NTP Server to Obtain the Date and Time, page 3-30
•
Configuring NTP Authentication, page 3-31
•
Configuring the Date and Time, page 3-32
Information About Controller System Date and Time
You can configure the controller system date and time at the time of configuring the controller using the
configuration wizard. If you did not configure the system date and time through the configuration wizard
or if you want to change your configuration, you can follow the instructions in this section to configure
the controller to obtain the date and time from a Network Time Protocol (NTP) server or to configure
the date and time manually. Greenwich Mean Time (GMT) is used as the standard for setting the time
zone on the controller.
You can also configure authentication between the controller and its NTP servers, so that the controller
accepts time only from a server that holds the shared key.
Guidelines and Limitations
•
If you are configuring wIPS, you must set the controller time zone to UTC.
•
Cisco Aironet lightweight access points might not connect to the controller if the date and time are
not set properly. Set the current date and time on the controller before allowing the access points to
connect to it.
•
Starting in the 7.0.116.0 release, you can configure an authentication channel between the controller
and the NTP server.
Configuring an NTP Server to Obtain the Date and Time
Each NTP server IP address is added to the controller database. Each controller searches for an NTP
server and obtains the current time upon reboot and at each user-defined polling interval (daily to
weekly).
Use these commands to configure an NTP server to obtain the date and time:
•
To specify the NTP server for the controller, enter this command:
config time ntp server index ip_address
•
To specify the polling interval (in seconds), enter this command:
config time ntp interval seconds
Configuring NTP Authentication
This section contains the following topics:
•
Configuring NTP Authentication (GUI), page 3-31
•
Configuring NTP Authentication (CLI), page 3-31
Configuring NTP Authentication (GUI)
Step 1
Choose Controller > NTP > Servers to open the NTP Servers page.
Step 2
Click New to add an NTP server.
The NTP Servers > New page appears
Step 3
Select a server priority from the Server Index (Priority) from the drop-down list.
Step 4
Enter the NTP server IP Address in the Server IP Address text box.
Step 5
Enable NTP server authentication by selecting the NTP Server Authentication check box.
Step 6
Click Apply.
Step 7
Choose Controller > NTP > Keys.
Step 8
Click New to create a key.
Step 9
Enter the key index in the Key Index text box.
Step 10
Select the key format from the Key Format drop-down list.
Step 11
Enter the Key in the Key text box.
Step 12
Click Apply.
Configuring NTP Authentication (CLI)
Note
By default, MD5 is used as the NTP authentication algorithm.
•
To enable authentication for an NTP server, naming the key the controller must use with that server,
enter this command:
config time ntp auth enable server-index key-index
•
To disable authentication for an NTP server, enter this command:
config time ntp auth disable server-index
•
To add an authentication key, enter this command:
config time ntp key-auth add key-index md5 key-format key
where key-index is the key identifier that the NTP server also holds for this key, and key-format is the
format in which key is entered (the same choice as the Key Format drop-down list in the GUI).
•
To delete an authentication key, use the following command:
config time ntp key-auth delete key-index
•
To view the list of NTP key Indices, use the following command:
show ntp-keys
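The following is an added worked example; it is not code from this guide or from the controller software. It shows what the controller checks once the GUI steps above (or config time ntp auth enable and config time ntp key-auth add ... md5 ...) are in place: RFC 5905 symmetric-key authentication, where the sender appends the key index and an MD5 digest of the shared key concatenated with the 48-byte NTP header, and the receiver recomputes the digest with the key it holds under that index. The key formats ascii and hex, the key value and the key index used below are this example's own assumptions.

```python
"""Added example (not Cisco code): NTP symmetric-key MD5 authentication as the
controller applies it after `config time ntp auth enable` and
`config time ntp key-auth add ... md5 ...`.  Packet layout follows RFC 5905:
48-byte header, 4-byte key identifier, 16-byte MD5 digest."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # bytes covered by the MAC
KEY_ID_LEN = 4
MD5_DIGEST_LEN = 16


def decode_key(key_format, key):
    """Turn the key as typed in the Key text box into raw bytes.
    'ascii' and 'hex' are the formats assumed by this example."""
    if key_format == "ascii":
        return key.encode("ascii")
    if key_format == "hex":
        return bytes.fromhex(key)
    raise ValueError("unsupported key format: %r" % key_format)


def build_ntp_header(transmit_ts=0):
    """Minimal NTPv4 client (mode 3) header; every timestamp but transmit is zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack("!BBBbIII8s8s8sQ",
                       li_vn_mode, 0, 6, -20,          # stratum, poll, precision
                       0, 0, 0,                        # root delay, dispersion, refid
                       b"\0" * 8, b"\0" * 8, b"\0" * 8,  # reference, origin, receive
                       transmit_ts)


def md5_mac(key_bytes, header):
    """RFC 5905 symmetric-key MAC: MD5 over key || header.  The key is never sent."""
    return hashlib.md5(key_bytes + header).digest()


def authenticate(header, key_index, key_bytes):
    """Sender side: append the key identifier and the MAC."""
    return header + struct.pack("!I", key_index) + md5_mac(key_bytes, header)


def verify(packet, trusted_keys):
    """Receiver side.  trusted_keys maps key index -> key bytes (the table that
    `show ntp-keys` lists).  Returns (ok, status) in the wording of `show time`."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + MD5_DIGEST_LEN:
        return False, "AUTH FAILURE: no MD5 authenticator present"
    header = packet[:NTP_HEADER_LEN]
    (key_index,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])
    received_mac = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    key_bytes = trusted_keys.get(key_index)
    if key_bytes is None:
        return False, "AUTH FAILURE: unknown key index %d" % key_index
    # constant-time comparison: a forger learns nothing from how long the check takes
    if not hmac.compare_digest(md5_mac(key_bytes, header), received_mac):
        return False, "AUTH FAILURE: bad MAC for key index %d" % key_index
    return True, "AUTH SUCCESS"


def demo():
    """Constructed exchange: key index 1 with an ASCII key, then three failure modes."""
    key = decode_key("ascii", "ntp-shared-secret")     # constructed shared secret
    server_keys = {1: key}                              # what the peer trusts
    header = build_ntp_header(transmit_ts=0xD000000000000000)
    good = authenticate(header, 1, key)
    tampered = bytearray(good)
    tampered[NTP_HEADER_LEN - 1] ^= 0x01                # flip one bit of the transmit timestamp
    return {
        "good": verify(good, server_keys),
        "tampered": verify(bytes(tampered), server_keys),
        "unknown_key": verify(authenticate(header, 2, key), server_keys),
        "unauthenticated": verify(header, server_keys),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-16s %s" % (case, result[1]))
```

Only the key index travels in the packet; the key itself never does, so a peer that does not hold the key cannot produce a valid authenticator, and a packet that names a key index the controller does not hold fails just as a packet with no authenticator does. MD5 is the only algorithm this section lists, so the protection rests entirely on keeping the key secret; treat it with the same care as a password.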
Configuring the Date and Time
This section contains the following topics:
•
Configuring the Date and Time (GUI), page 3-32
•
Configuring the Date and Time (CLI), page 3-33
Configuring the Date and Time (GUI)
Step 1
Choose Commands > Set Time to open the Set Time page.
Figure 3-15
Set Time Page
The current date and time appear at the top of the page.
Step 2
In the Timezone area, choose your local time zone from the Location drop-down list.
Note
When you choose a time zone that uses Daylight Saving Time (DST), the controller
automatically sets its system clock to reflect the time change when DST occurs. In the United
States, DST starts on the second Sunday in March and ends on the first Sunday in November.
Note
You cannot set the time zone delta on the controller GUI. However, if you do so on the controller
CLI, the change is reflected in the Delta Hours and Mins text boxes on the controller GUI.
Step 3
Click Set Timezone to apply your changes.
Step 4
In the Date area, choose the current local month and day from the Month and Day drop-down lists, and
enter the year in the Year text box.
Step 5
In the Time area, choose the current local hour from the Hour drop-down list, and enter the minutes and
seconds in the Minutes and Seconds text boxes.
Note
If you change the time zone location after setting the date and time, the values in the Time area
are updated to reflect the time in the new time zone location. For example, if the controller is
currently configured for noon Eastern time and you change the time zone to Pacific time, the
time automatically changes to 9:00 a.m.
Step 6
Click Set Date and Time to apply your changes.
Step 7
Click Save Configuration to save your changes.
Configuring the Date and Time (CLI)
Step 1
To configure the current local date and time in GMT on the controller, enter this command:
config time manual mm/dd/yy hh:mm:ss
Note
When setting the time, the current local time is entered in terms of GMT and as a value between
00:00 and 24:00. For example, if it is 8:00 a.m. Pacific time in the United States, you would enter
16:00 because the Pacific time zone is 8 hours behind GMT.
Step 2
Perform one of the following to set the time zone for the controller:
•
To set the time zone location in order to have Daylight Saving Time (DST) set automatically when
it occurs, enter this command:
config time timezone location location_index
where location_index is a number representing one of the following time zone locations:
1. (GMT-12:00) International Date Line West
2. (GMT-11:00) Samoa
3. (GMT-10:00) Hawaii
4. (GMT-9:00) Alaska
5. (GMT-8:00) Pacific Time (US and Canada)
6. (GMT-7:00) Mountain Time (US and Canada)
7. (GMT-6:00) Central Time (US and Canada)
8. (GMT-5:00) Eastern Time (US and Canada)
9. (GMT-4:00) Atlantic Time (Canada)
10. (GMT-3:00) Buenos Aires (Argentina)
11. (GMT-2:00) Mid-Atlantic
12. (GMT-1:00) Azores
13. (GMT) London, Lisbon, Dublin, Edinburgh (default value)
14. (GMT +1:00) Amsterdam, Berlin, Rome, Vienna
15. (GMT +2:00) Jerusalem
16. (GMT +3:00) Baghdad
17. (GMT +4:00) Muscat, Abu Dhabi
18. (GMT +4:30) Kabul
19. (GMT +5:00) Karachi, Islamabad, Tashkent
20. (GMT +5:30) Colombo, Kolkata, Mumbai, New Delhi
21. (GMT +5:45) Katmandu
22. (GMT +6:00) Almaty, Novosibirsk
23. (GMT +6:30) Rangoon
24. (GMT +7:00) Saigon, Hanoi, Bangkok, Jakarta
25. (GMT +8:00) Hong Kong, Beijing, Chongqing
26. (GMT +9:00) Tokyo, Osaka, Sapporo
27. (GMT +9:30) Darwin
28. (GMT+10:00) Sydney, Melbourne, Canberra
29. (GMT+11:00) Magadan, Solomon Is., New Caledonia
30. (GMT+12:00) Kamchatka, Marshall Is., Fiji
31. (GMT+12:00) Auckland (New Zealand)
Note
If you enter this command, the controller automatically sets its system clock to reflect DST
when it occurs. In the United States, DST starts on the second Sunday in March and ends on
the first Sunday in November.
•
To manually set the time zone so that DST is not set automatically, enter this command:
config time timezone delta_hours delta_mins
where delta_hours is the local hour difference from GMT, and delta_mins is the local minute
difference from GMT.
When manually setting the time zone, enter the time difference of the local current time zone with
respect to GMT (+/–). For example, Pacific time in the United States is 8 hours behind GMT.
Therefore, it is entered as –8.
Note
You can manually set the time zone and prevent DST from being set only on the controller
CLI.
Step 3
To save your changes, enter this command:
save config
Step 4
To verify that the controller shows the current local time with respect to the local time zone, enter this
command:
show time
Information similar to the following appears:
Time.................................... Thu Apr 7 13:56:37 2011
Timezone delta........................... 0:0
Timezone location....................... (GMT +5:30) Colombo, New Delhi, Chennai, Kolkata
NTP Servers
NTP Polling Interval......................... 3600
Index   NTP Key Index   NTP Server         NTP Msg Auth Status
-----   -------------   ---------------    -------------------
1       1               209.165.200.225    AUTH SUCCESS
Note
If you configured the time zone location, the Timezone Delta value is set to “0:0.” If you
manually configured the time zone using the time zone delta, the Timezone Location is blank.
Configuring Telnet and SSH Sessions
This section contains the following topics:
•
Information About Telnet and SSH, page 3-35
•
Guidelines and Limitations, page 3-35
•
Configuring Telnet and SSH Sessions, page 3-35
•
Additional References, page 3-38
Information About Telnet and SSH
Telnet is a network protocol that provides access to the controller’s CLI; it carries the login credentials
and every command in cleartext. Secure Shell (SSH) provides the same CLI access over an encrypted,
authenticated channel, which is why Telnet is disabled and SSH is enabled by default. You can use the
controller GUI or CLI to configure Telnet and SSH sessions.
Guidelines and Limitations
•
Only the FIPS approved algorithm aes128-cbc is supported when using SSH to control WLANs.
•
The controller does not support raw Telnet mode.
Configuring Telnet and SSH Sessions
This section contains the following topics:
•
Configuring Telnet and SSH Sessions (GUI), page 3-35
•
Configuring Telnet and SSH Sessions (CLI), page 3-37
Configuring Telnet and SSH Sessions (GUI)
Step 1
Choose Management > Telnet-SSH to open the Telnet-SSH Configuration page.
Figure 3-16
Telnet-SSH Configuration Page
Step 2
In the Telnet Login Timeout text box, enter the number of minutes that a Telnet session is allowed to
remain inactive before being terminated. The valid range is 0 to 160 minutes (inclusive), and the default
value is 5 minutes. A value of 0 indicates no timeout.
Step 3
From the Maximum Number of Sessions drop-down list, choose the number of simultaneous Telnet or
SSH sessions allowed. The valid range is 0 to 5 sessions (inclusive), and the default value is 5 sessions.
A value of zero indicates that Telnet/SSH sessions are disallowed.
Step 4
From the Allow New Telnet Sessions drop-down list, choose Yes or No to allow or disallow new Telnet
sessions on the controller. The default value is No.
Step 5
From the Allow New SSH Sessions drop-down list, choose Yes or No to allow or disallow new SSH
sessions on the controller. The default value is Yes.
Step 6
Click Apply to commit your changes.
Step 7
Click Save Configuration to save your changes.
Step 8
To see a summary of the Telnet configuration settings, choose Management > Summary. The Summary
page appears.
Figure 3-17
Summary Page
This page shows whether additional Telnet and SSH sessions are permitted.
Configuring Telnet and SSH Sessions (CLI)
Step 1
To allow or disallow new Telnet sessions on the controller, enter this command:
config network telnet {enable | disable}
The default value is disabled.
Step 2
To allow or disallow new SSH sessions on the controller, enter this command:
config network ssh {enable | disable}
The default value is enabled.
Step 3
To specify the number of minutes that a Telnet session is allowed to remain inactive before being
terminated, enter this command:
config sessions timeout timeout
where timeout is a value between 0 and 160 minutes (inclusive). The default value is 5 minutes. A value
of 0 indicates no timeout.
Step 4
To specify the number of simultaneous Telnet or SSH sessions allowed, enter this command:
config sessions maxsessions session_num
where session_num is a value between 0 and 5 (inclusive). The default value is 5 sessions. A value of
zero indicates that Telnet/SSH sessions are disallowed.
Step 5
To save your changes, enter this command:
save config
Step 6
To see the Telnet and SSH configuration settings, enter this command:
show network summary
Information similar to the following appears:
RF-Network Name............................. TestNetwork1
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Enable
Secure Shell (ssh).......................... Enable
Telnet................................... Disable
...
Step 7
To see the Telnet session configuration settings, enter this command:
show sessions
Information similar to the following appears:
CLI Login Timeout (minutes)............ 5
Maximum Number of CLI Sessions....... 5
Step 8
To see all active Telnet sessions, enter this command:
show loginsession
Information similar to the following appears:
ID   User Name   Connection From   Idle Time   Session Time
--   ----------  ----------------  ----------  ------------
00   admin       EIA-232           00:00:00    00:19:04
Step 9
If you ever want to close all active Telnet sessions or a specific Telnet session, enter this command:
config loginsession close {all | session_id}
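The following is an added example, not code from this guide or from the controller. It audits the remote-access settings that the procedure above configures by parsing the dotted key/value lines that show network summary and show sessions print (Steps 6 and 7), and reports each setting that leaves a cleartext or never-expiring management path open. The transcripts embedded in it are constructed to match the excerpts above; the check list and its wording are this example's own.

```python
"""Added example (not Cisco code): audit the remote-access settings configured
in this procedure by parsing `show network summary` and `show sessions` output."""
import re

# Constructed transcripts, shaped like the excerpts in Steps 6 and 7.
SHOW_NETWORK_SUMMARY = """\
RF-Network Name............................. TestNetwork1
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Enable
Secure Shell (ssh).......................... Enable
Telnet................................... Disable
"""
SHOW_SESSIONS = """\
CLI Login Timeout (minutes)............ 5
Maximum Number of CLI Sessions....... 5
"""

# "Key.......... Value": the key ends where a run of two or more dots begins
LINE_RE = re.compile(r"^(?P<key>.+?)\.{2,}\s*(?P<value>.*)$")


def parse_show_output(text):
    """Return {key: value} for every dot-leader line; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            settings[match.group("key").strip()] = match.group("value").strip()
    return settings


def nonzero_timeout(value):
    """0 means 'no timeout' on this page; a hardened controller needs 1-160 minutes."""
    return value.isdigit() and 1 <= int(value) <= 160


# (setting as printed by the controller, predicate that must hold, finding text)
CHECKS = [
    ("Telnet", lambda v: v == "Disable",
     "Telnet accepted: credentials and commands cross the network in cleartext; "
     "run `config network telnet disable`"),
    ("Secure Shell (ssh)", lambda v: v == "Enable",
     "SSH disabled: no encrypted CLI path; run `config network ssh enable`"),
    ("Web Mode", lambda v: v == "Disable",
     "plain HTTP management is enabled"),
    ("Secure Web Mode Cipher-Option SSLv2", lambda v: v == "Disable",
     "SSLv2 is accepted for HTTPS management; the protocol is broken"),
    ("CLI Login Timeout (minutes)", nonzero_timeout,
     "idle CLI sessions never expire (0) or value out of range; "
     "set 1-160 with `config sessions timeout`"),
]


def audit(network_summary, sessions):
    """Run every check over both outputs; return finding strings (empty when clean)."""
    settings = parse_show_output(network_summary)
    settings.update(parse_show_output(sessions))
    findings = []
    for key, holds, message in CHECKS:
        value = settings.get(key)
        if value is None:
            findings.append("%s: not present in the output" % key)
        elif not holds(value):
            findings.append("%s = %s: %s" % (key, value, message))
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_NETWORK_SUMMARY, SHOW_SESSIONS) or ["no findings"]:
        print(finding)
```

On the sample output the Telnet, SSH and timeout checks pass, and the two findings are the plain HTTP web mode and the SSLv2 cipher option, neither of which this section's procedure touches; paste real show output in place of the constructed transcripts to audit a controller.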
Additional References
See the “Troubleshooting” section on page 18-1 for instructions on using Telnet or SSH to troubleshoot
lightweight access points.
Managing the Controller Wirelessly
This section contains the following topics:
•
Information About Managing the Controller Wirelessly, page 3-38
•
Enabling Wireless Connections, page 3-38
Information About Managing the Controller Wirelessly
You can monitor and configure controllers using a wireless client. This feature is supported for all
management tasks except uploads from and downloads to the controller.
Before you can open the GUI or the CLI from a wireless client device, you must configure the controller
to allow the connection.
Enabling Wireless Connections
This section contains the following topics:
•
Enabling Wireless Connections (GUI), page 3-38
•
Enabling Wireless Connections (CLI), page 3-39
Enabling Wireless Connections (GUI)
Step 1
Log on to the controller GUI.
Step 2
Choose Management > Mgmt Via Wireless to open the Mgmt Via Wireless page.
Step 3
Select the Enable Controller Management to be accessible from Wireless Clients check box.
Step 4
Click Apply.
Enabling Wireless Connections (CLI)
Step 1
Log on to the controller CLI.
Step 2
Enter the config network mgmt-via-wireless enable command.
Step 3
Use a wireless client to associate to a lightweight access point connected to the controller.
Step 4
On the wireless client, open a Telnet session to the controller, or browse to the controller GUI.
Chapter 4
Configuring Ports and Interfaces
This chapter contains these sections:
•
Information About Ports, page 4-1
•
Information About Interfaces, page 4-3
•
Configuring the Management Interface, page 4-4
•
Configuring the AP-Manager Interface, page 4-8
•
Configuring Virtual Interfaces, page 4-11
•
Configuring Service-Port Interfaces, page 4-13
•
Configuring Dynamic Interfaces, page 4-15
•
Information About Dynamic AP Management, page 4-20
•
Information About WLANs, page 4-20
•
Configuring Ports, page 4-22
•
Using the Cisco 5500 Series Controller USB Console Port, page 4-24
•
Choosing Between Link Aggregation and Multiple AP-Manager Interfaces, page 4-26
•
Configuring Link Aggregation, page 4-26
•
Configuring Multiple AP-Manager Interfaces, page 4-32
•
Configuration Example: Configuring AP-Manager on a Cisco 5500 Series Controller, page 4-37
•
Configuring VLAN Select, page 4-39
•
Configuring Interface Groups, page 4-40
•
Multicast Optimization, page 4-42
Information About Ports
A port is a physical entity that is used for connections on the controller platform. Controllers have two
types of ports: distribution system ports and a service port. Figure 4-1 shows the ports available on a
5500 series controller as an example.
Figure 4-1
Ports on the Cisco 5500 Series Wireless LAN Controllers
(Front panel of a Cisco 5500 Series Wireless Controller, Model 5508; the callouts below are keyed to the
figure.)
1 Redundant port for future use (RJ-45)
2 Service port (RJ-45)
3 Console port (RJ-45)
4 USB ports 0 and 1 (Type A)
5 Expansion module slot
6 SFP distribution system ports 1–8
7 Management port LEDs
8 SFP distribution port Link and Activity LEDs
9 Power supply (PS1 and PS2), System (SYS), and Alarm (ALM) LEDs
10 Console port (Mini USB Type B)
Note
You can use only one console port (either RJ-45 or mini USB). When you connect to one console port,
the other is disabled.
This section contains the following topics:
•
Information About Distribution System Ports, page 4-2
•
Information About Service Ports, page 4-3
•
Additional References, page 4-4
Information About Distribution System Ports
A distribution system port connects the controller to a neighbor switch and serves as the data path
between these two devices.
Guidelines and Limitations
•
Cisco 5508 Controllers have eight Gigabit Ethernet distribution system ports, through which the
controller can manage multiple access points. The 5508-12, 5508-25, 5508-50, 5508-100, and
5508-250 models allow a total of 12, 25, 50, 100, or 250 access points to join the controller. Cisco
5508 Controllers have no restrictions on the number of access points per port. However, we
recommend using link aggregation (LAG) or configuring dynamic AP-manager interfaces on each
Gigabit Ethernet port to automatically balance the load. If more than 100 access points are
connected to the Cisco 5500 Series Controller, make sure that more than one Gigabit Ethernet
interface is connected to the upstream switch.
Note
The Gigabit Ethernet ports on the Cisco 5508 Controllers accept these SX/LX/T small
form-factor pluggable (SFP) modules:
- 1000BASE-SX SFP modules, which provide a 1000-Mbps wired connection to a network
through an 850 nm (SX) fiber-optic link using an LC physical connector
- 1000BASE-LX SFP modules, which provide a 1000-Mbps wired connection to a network
through a 1300 nm (LX/LH) fiber-optic link using an LC physical connector
- 1000BASE-T SFP modules, which provide a 1000-Mbps wired connection to a network
through a copper link using an RJ-45 physical connector
Each distribution system port is, by default, an 802.1Q VLAN trunk port. The VLAN trunking
characteristics of the port are not configurable.
Information About Service Ports
Cisco 5500 Series Controllers also have a 10/100/1000 copper Ethernet service port. The service port is
controlled by the service-port interface and is reserved for out-of-band management of the controller and
system recovery and maintenance in the event of a network failure. It is also the only port that is active
when the controller is in boot mode. The service port is not capable of carrying 802.1Q tags, so it must
be connected to an access port on the neighbor switch. Use of the service port is optional.
Guidelines and Limitations
•
The Cisco WiSM2 uses the service port for internal protocol communication between the controllers
and the Supervisor 720.
•
The service port is not autosensing. You must use the correct straight-through or crossover Ethernet
cable to communicate with the service port.
•
Do not configure wired clients in the same VLAN or subnet of the service port of the controller on
the network. If you configure wired clients on the same subnet or VLAN as the service port, it is not
possible to access the management interface of the controller.
Information About Interfaces
An interface is a logical entity on the controller. An interface has multiple parameters associated with it,
including an IP address, default gateway (for the IP subnet), primary physical port, secondary physical
port, VLAN identifier, and DHCP server.
These five types of interfaces are available on the controller. Four of these are static and are configured
at setup time:
•
Management interface (static and configured at setup time; mandatory)
•
AP-manager interface (static and configured at setup time; mandatory)
Note
You are not required to configure an AP-manager interface on Cisco 5500 Series
Controllers.
•
Virtual interface (static and configured at setup time; mandatory)
•
Service-port interface (static and configured at setup time; optional)
•
Dynamic interface (user-defined)
Each interface is mapped to at least one primary port, and some interfaces (management and dynamic)
can be mapped to an optional secondary (or backup) port. If the primary port for an interface fails, the
interface automatically moves to the backup port. In addition, multiple interfaces can be mapped to a
single controller port.
Guidelines and Limitations
Note
For Cisco 5500 Series Controllers in a non-link-aggregation (non-LAG) configuration, the management
interface must be on a different VLAN than any dynamic AP-manager interface. Otherwise, the
management interface cannot fail over to the port that the AP-manager is on.
Note
Cisco 5500 Series Controllers do not support fragmented pings on any interface.
Additional References
See the “Configuring Link Aggregation” section on page 4-26 if you want to configure the controller to
dynamically map the interfaces to a single port channel rather than having to configure primary and
secondary ports for each interface.
Configuring the Management Interface
This section contains the following topics:
•
Information About the Management Interface, page 4-4
•
Guidelines and Limitations, page 4-5
•
Configuring the Management Interface (GUI), page 4-5
•
Configuring the Management Interface (CLI), page 4-7
Information About the Management Interface
The management interface is the default interface for in-band management of the controller and
connectivity to enterprise services such as AAA servers. It is also used for communications between the
controller and access points. The management interface has the only consistently “pingable” in-band
interface IP address on the controller. You can access the controller’s GUI by entering the controller’s
management interface IP address in Internet Explorer’s or Mozilla Firefox’s address field.
For CAPWAP, the controller requires one management interface to control all inter-controller
communications and one AP-manager interface to control all controller-to-access point
communications, regardless of the number of ports.
Guidelines and Limitations
•
For CAPWAP, the controller requires one management interface to control all inter-controller
communications and one AP-manager interface to control all controller-to-access point
communications, regardless of the number of ports.
•
If the service port is in use, the management interface must be on a different supernet from the
service-port interface.
•
Do not map a guest WLAN to the management interface. If the EoIP tunnel breaks, the client could
obtain an IP and be placed on the management subnet.
•
Do not configure wired clients in the same VLAN or subnet of the service port of the controller on
the network. If you configure wired clients on the same subnet or VLAN as the service port, it is not
possible to access the management interface of the controller.
•
Typically, you define the management, AP-manager, virtual, and service-port interface parameters
using the Startup Wizard. However, you can display and configure interface parameters through
either the GUI or CLI after the controller is running.
Configuring the Management Interface
This section contains the following topics:
•
Configuring the Management Interface (GUI), page 4-5
•
Configuring the Management Interface (CLI), page 4-7
Configuring the Management Interface (GUI)
Step 1
Choose Controller > Interfaces to open the Interfaces page.
Figure 4-2
Interfaces Page
This page shows the current controller interface settings.
Step 2
Click management link. The Interfaces > Edit page appears.
Step 3
Set the management interface parameters:
Note
The management interface uses the controller’s factory-set distribution system MAC address.
•
Quarantine and quarantine VLAN ID, if applicable
Note
Select the Quarantine check box if you want to configure this VLAN as unhealthy or you
want to configure network access control (NAC) out-of-band integration. Doing so causes
the data traffic of any client that is assigned to this VLAN to pass through the controller. See
Chapter 8, “Working with WLANs,” for more information about NAC out-of-band
integration.
•
NAT address (only for Cisco 2500 Series Controllers and Cisco 5500 Series Controllers that are
configured for dynamic AP management)
Note
Select the Enable NAT Address check box and enter the external NAT IP address if you
want to be able to deploy your Cisco 2500 Series Controllers or Cisco 5500 Series Controller
behind a router or other gateway device that is using one-to-one mapping network address
translation (NAT). NAT allows a device, such as a router, to act as an agent between the
Internet (public) and a local network (private). In this case, it maps the controller’s intranet
IP addresses to a corresponding external address. The controller’s dynamic AP-manager
interface must be configured with the external NAT IP address so that the controller can send
the correct IP address in the Discovery Response.
Note
The NAT parameters are supported for use only with one-to-one-mapping NAT, where each
private client has a direct and fixed mapping to a global address. The NAT parameters do not
support one-to-many NAT, which uses source port mapping to enable a group of clients to
be represented by a single IP address.
Note
If a Cisco 2500 Series Controllers or Cisco 5500 Series Controller is configured with an
external NAT IP address under the management interface, the APs in local mode cannot
associate with the controller. The workaround is to either ensure that the management
interface has a globally valid IP address or ensure that external NAT IP address is valid
internally for the local APs.
•
VLAN identifier
Note
Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using
tagged VLANs for the management interface.
•
Fixed IP address, IP netmask, and default gateway
•
Dynamic AP management (for Cisco 5500 Series Controllers only)
Note
For Cisco 2500 Series Controllers or Cisco 5500 Series Controllers, the management
interface acts like an AP-manager interface by default. If desired, you can disable the
management interface as an AP-manager interface and create another dynamic interface as
an AP manager.
•
Physical port assignment (for all controllers except the Cisco 5500 Series Controller)
•
Primary and secondary DHCP servers
•
Access control list (ACL) setting, if required
Note
To create ACLs, follow the instructions in Chapter 7, “Configuring Security Solutions.”
Step 4
Click Save Configuration to save your changes.
Step 5
If you made any changes to the management or virtual interface, reboot the controller so that your
changes take effect.
Configuring the Management Interface (CLI)
Step 1
Enter the show interface detailed management command to view the current management interface
settings.
Note
The management interface uses the controller’s factory-set distribution system MAC address.
Step 2
Enter the config wlan disable wlan-number command to disable each WLAN that uses the management
interface for distribution system communication.
Step 3
Enter these commands to define the management interface:
•
config interface address management ip-addr ip-netmask gateway
•
config interface quarantine vlan management vlan_id
Note
Use the config interface quarantine vlan management vlan_id command to configure a
quarantine VLAN on the management interface.
•
config interface vlan management {vlan-id | 0}
Note
Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using
tagged VLANs for the management interface.
•
config interface ap-manager management {enable | disable} (for Cisco 5500 Series Controllers
only)
Note
Use the config interface ap-manager management {enable | disable} command to enable
or disable dynamic AP management for the management interface. For Cisco 5500 Series
Controllers, the management interface acts like an AP-manager interface by default. If
desired, you can disable the management interface as an AP-manager interface and create
another dynamic interface as an AP manager.
•
config interface port management physical-ds-port-number (for all controllers except the 5500
series)
•
config interface dhcp management ip-address-of-primary-dhcp-server
[ip-address-of-secondary-dhcp-server]
•
config interface acl management access-control-list-name
Note
See Chapter 7, “Configuring Security Solutions,” for more information on ACLs.
Step 4
Enter these commands if you want to be able to deploy your Cisco 5500 Series Controller behind a router
or other gateway device that is using one-to-one mapping network address translation (NAT):
•
config interface nat-address management {enable | disable}
•
config interface nat-address management set public_IP_address
NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network
(private). In this case, it maps the controller’s intranet IP addresses to a corresponding external address.
The controller’s dynamic AP-manager interface must be configured with the external NAT IP address so
that the controller can send the correct IP address in the Discovery Response.
Note
These NAT commands can be used only on Cisco 5500 Series Controllers and only if the
management interface is configured for dynamic AP management.
Note
These commands are supported for use only with one-to-one-mapping NAT, where each private
client has a direct and fixed mapping to a global address. These commands do not support
one-to-many NAT, which uses source port mapping to enable a group of clients to be represented
by a single IP address.
Step 5
Enter the save config command to save your changes.
Step 6
Enter the show interface detailed management command to verify that your changes have been saved.
Step 7
If you made any changes to the management interface, enter the reset system command to reboot the
controller in order for the changes to take effect.
Configuring the AP-Manager Interface
This section contains the following topics:
• Information About the AP-Manager Interface, page 4-8
• Guidelines and Limitations, page 4-9
• Configuring the AP-Manager Interface, page 4-9
• Additional References, page 4-11
Information About the AP-Manager Interface
A controller has one or more AP-manager interfaces, which are used for all Layer 3 communications
between the controller and lightweight access points after the access points have joined the controller.
The AP-manager IP address is used as the tunnel source for CAPWAP packets from the controller to the
access point and as the destination for CAPWAP packets from the access point to the controller.
Guidelines and Limitations
• The controller does not support transmitting jumbo frames. To avoid having the controller transmit CAPWAP packets to the AP that would require fragmentation and reassembly, reduce the MTU/MSS on the client side.
• The AP-manager interface communicates through any distribution system port by listening across the Layer 3 network for access point CAPWAP or LWAPP join messages to associate and communicate with as many lightweight access points as possible.
• For Cisco 5500 Series Controllers, you are not required to configure an AP-manager interface. The management interface acts like an AP-manager interface by default, and the access points can join on this interface.
• From the 7.0.116.0 release onwards, the MAC address of the management interface and the AP-manager interface is the same as the base LAG MAC address.
• If only one distribution system port can be used, you should use distribution system port 1.
• If link aggregation (LAG) is enabled, there can be only one AP-manager interface. When LAG is disabled, one or more AP-manager interfaces can be created, generally one per physical port.
• Port redundancy for the AP-manager interface is not supported. You cannot map the AP-manager interface to a backup port.
• Typically, you define the management, AP-manager, virtual, and service-port interface parameters using the Startup Wizard. However, you can display and configure interface parameters through either the GUI or CLI after the controller is running.
Configuring the AP-Manager Interface
This section contains the following topics:
• Configuring the AP-Manager Interface (GUI), page 4-9
• Configuring the AP-Manager Interface (CLI), page 4-10
Configuring the AP-Manager Interface (GUI)
Step 1
Choose Controller > Interfaces to open the Interfaces page.
Figure 4-3
Interfaces Page
This page shows the current controller interface settings.
Step 2
Click AP-Manager Interface. The Interface > Edit page appears.
Step 3
Set the AP-Manager Interface parameters:
• Physical port assignment
• VLAN identifier
Note
Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged VLANs for the AP-manager interface.
• Fixed IP address, IP netmask, and default gateway
Note
The AP-manager interface’s IP address must be different from the management interface’s IP address and may or may not be on the same subnet as the management interface. However, we recommend that both interfaces be on the same subnet for optimum access point association.
• Primary and secondary DHCP servers
• Access control list (ACL) name, if required
Note
To create ACLs, follow the instructions in Chapter 7, “Configuring Security Solutions.”
Step 4
Click Save Configuration to save your changes.
Step 5
If you made any changes to the management or virtual interface, reboot the controller so that your
changes take effect.
Configuring the AP-Manager Interface (CLI)
Step 1
Enter the show interface summary command to view the current interfaces.
Note
If the system is operating in Layer 2 mode, the AP-manager interface is not listed.
Step 2
Enter the show interface detailed ap-manager command to view the current AP-manager interface
settings.
Step 3
Enter the config wlan disable wlan-number command to disable each WLAN that uses the AP-manager
interface for distribution system communication.
Step 4
Enter these commands to define the AP-manager interface:
• config interface address ap-manager ip-addr ip-netmask gateway
• config interface vlan ap-manager {vlan-id | 0}
Note
Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged VLANs for the AP-manager interface.
• config interface port ap-manager physical-ds-port-number
• config interface dhcp ap-manager ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]
• config interface acl ap-manager access-control-list-name
Note
See Chapter 7, “Configuring Security Solutions,” for more information on ACLs.
Step 5
Enter the save config command to save your changes.
Step 6
Enter the show interface detailed ap-manager command to verify that your changes have been saved.
Additional References
See the “Configuring Multiple AP-Manager Interfaces” section on page 4-32 for information on creating
and using multiple AP-manager interfaces.
Configuring Virtual Interfaces
This section contains the following topics:
• Information About Virtual Interfaces, page 4-11
• Guidelines and Limitations, page 4-11
• Configuring Virtual Interfaces, page 4-12
Information About Virtual Interfaces
A virtual interface is used to support mobility management, Dynamic Host Configuration Protocol
(DHCP) relay, and embedded Layer 3 security such as guest web authentication and VPN termination.
It also maintains the DNS gateway host name used by Layer 3 security and mobility managers to verify
the source of certificates when Layer 3 web authorization is enabled.
Specifically, a virtual interface plays these two primary roles:
• Acts as the DHCP server placeholder for wireless clients that obtain their IP address from a DHCP server.
• Serves as the redirect address for the web authentication login page.
Note
See Chapter 7, “Configuring Security Solutions,” for additional information on web
authentication.
Guidelines and Limitations
• A virtual interface IP address is used only in communications between the controller and wireless clients. It never appears as the source or destination address of a packet that goes out a distribution system port and onto the switched network. For the system to operate correctly, a virtual interface IP address must be set (it cannot be 0.0.0.0), and no other device on the network can have the same address as the virtual interface. A virtual interface must be configured with an unassigned and unused gateway IP address. A virtual interface IP address is not pingable and should not exist in any routing table in your network. In addition, a virtual interface cannot be mapped to a backup port.
• All controllers within a mobility group must be configured with the same virtual interface IP address. Otherwise, inter-controller roaming may appear to work, but the handoff does not complete, and the client loses connectivity for a period of time.
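The two rules above (an address that is set, unassigned and absent from every routing table; the same address on every controller in the mobility group) fail silently: the symptom is a stalled roam or a web-authentication redirect that never loads, not an error on the controller. The following Python script is an added example, not code from this guide or from Cisco software. It parses `show interface detailed virtual` output collected from several controllers (the dotted-leader layout mimics the real command, but the sample text and controller names are constructed) and flags an unset address, an address that falls inside a subnet actually in use on the distribution system (the USED_SUBNETS list is an assumption standing in for your own address plan), and any disagreement across the group. One caveat that has aged since this release: the once-popular choice 1.1.1.1 is now a live public address, so it no longer meets the "unused" requirement; an address from a reserved documentation range such as 192.0.2.0/24 (RFC 5737) does.

```python
import ipaddress
import re

# Constructed sample output for three controllers in one mobility group. The layout
# mimics the dotted-leader "show interface detailed virtual" format; it was not
# captured from a real controller.
SHOW_VIRTUAL = {
    "wlc-a": (
        "Interface Name................................... virtual\n"
        "MAC Address...................................... 00:00:00:00:00:00\n"
        "IP Address....................................... 192.0.2.1\n"
        "Virtual DNS Host Name............................ wlc.example.com\n"
    ),
    "wlc-b": (
        "Interface Name................................... virtual\n"
        "MAC Address...................................... 00:00:00:00:00:00\n"
        "IP Address....................................... 192.0.2.1\n"
        "Virtual DNS Host Name............................ wlc.example.com\n"
    ),
    "wlc-c": (
        "Interface Name................................... virtual\n"
        "MAC Address...................................... 00:00:00:00:00:00\n"
        "IP Address....................................... 192.0.2.2\n"
        "Virtual DNS Host Name............................ Disabled\n"
    ),
}

# Constructed (assumption): subnets that really exist on the distribution system
# (management, AP-manager, dynamic interfaces, wired networks). The virtual
# address must not fall inside any of them.
USED_SUBNETS = ["10.10.0.0/24", "10.20.0.0/24", "10.30.0.0/24"]

# Key, a run of leader dots, optional whitespace, value.
LEADER = re.compile(r"^(?P<key>.*?)\.{2,}\s*(?P<value>.*)$")


def parse_show_output(text):
    """Turn dotted-leader 'Key.......... value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        m = LEADER.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def check_virtual_interfaces(outputs, used_subnets):
    """Return a list of findings for the virtual interfaces of a mobility group.

    Checks the rules from the guide: the address is set, it is not inside any
    real subnet, and every controller in the group uses the same address.
    """
    findings = []
    addrs = {}
    nets = [ipaddress.ip_network(n) for n in used_subnets]
    for name, text in outputs.items():
        ip = parse_show_output(text).get("IP Address", "0.0.0.0")
        addrs[name] = ip
        if ip == "0.0.0.0":
            findings.append(f"{name}: virtual interface address is unset (0.0.0.0)")
            continue
        addr = ipaddress.ip_address(ip)
        for net in nets:
            if addr in net:
                findings.append(f"{name}: virtual address {ip} lies inside routed subnet {net}")
    if len(set(addrs.values())) > 1:
        detail = ", ".join(f"{n}={a}" for n, a in sorted(addrs.items()))
        findings.append(f"mobility group virtual addresses differ: {detail}")
    return findings


if __name__ == "__main__":
    for finding in check_virtual_interfaces(SHOW_VIRTUAL, USED_SUBNETS):
        print(finding)
```

Run against the constructed sample, the only finding is the mismatch on wlc-c; the parser is generic enough to reuse on other dotted-leader `show` commands if you want to collect the real subnets the same way.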
Configuring Virtual Interfaces
This section contains the following topics:
• Configuring Virtual Interfaces (GUI), page 4-12
• Configuring Virtual Interfaces (CLI), page 4-13
Configuring Virtual Interfaces (GUI)
Step 1
Choose Controller > Interfaces to open the Interfaces page.
Figure 4-4
Interfaces Page
This page shows the current controller interface settings.
Step 2
Click Virtual. The Interfaces > Edit page appears.
Step 3
Enter the following parameters:
• Any fictitious, unassigned, and unused gateway IP address
• DNS gateway hostname
Note
To ensure connectivity and web authentication, the DNS server should always point to the
virtual interface. If a DNS hostname is configured for the virtual interface, then the same
DNS host name must be configured on the DNS server(s) used by the client.
Step 4
Click Save Configuration to save your changes.
Step 5
If you made any changes to the management or virtual interface, reboot the controller so that your
changes take effect.
Configuring Virtual Interfaces (CLI)
Step 1
Enter the show interface detailed virtual command to view the current virtual interface settings.
Step 2
Enter the config wlan disable wlan-number command to disable each WLAN that uses the virtual
interface for distribution system communication.
Step 3
Enter these commands to define the virtual interface:
• config interface address virtual ip-address
Note
For ip-address, enter any fictitious, unassigned, and unused gateway IP address.
• config interface hostname virtual dns-host-name
Step 4
Enter the reset system command. At the confirmation prompt, enter Y to save your configuration
changes to NVRAM. The controller reboots.
Step 5
Enter the show interface detailed virtual command to verify that your changes have been saved.
Configuring Service-Port Interfaces
This section contains the following topics:
• Information About Service-Port Interfaces, page 4-13
• Guidelines and Limitations, page 4-13
• Configuring Service-Port Interfaces, page 4-13
Information About Service-Port Interfaces
A service-port interface controls communications through and is statically mapped by the system to the
service port. The service port can obtain an IP address using DHCP, or it can be assigned a static IP
address, but a default gateway cannot be assigned to the service-port interface. Static routes can be
defined through the controller for remote network access to the service port.
Guidelines and Limitations
• Only Cisco 5500 Series Controllers and Cisco 7500 Series Controllers have service-port interfaces.
• You must configure an IP address on the service-port interface of both Cisco WiSM controllers. Otherwise, the neighbor switch is unable to check the status of each controller.
Configuring Service-Port Interfaces
This section contains the following topics:
• Configuring Service-Port Interfaces (GUI), page 4-14
• Configuring Service-Port Interfaces (CLI), page 4-14
Configuring Service-Port Interfaces (GUI)
Step 1
Choose Controller > Interfaces to open the Interfaces page.
Figure 4-5
Interfaces Page
This page shows the current controller interface settings.
Step 2
Click the service-port link to open the Interfaces > Edit page.
Step 3
Enter the Service-Port Interface parameters:
Note
The service-port interface uses the factory-set service-port MAC address of the controller.
• DHCP protocol (enabled)
• DHCP protocol (disabled) and IP address and IP netmask
Step 4
Click Save Configuration to save your changes.
Step 5
If you made any changes to the management or virtual interface, reboot the controller so that your
changes take effect.
Configuring Service-Port Interfaces (CLI)
Step 1
Enter the show interface detailed service-port command to view the current service-port interface
settings.
Note
The service-port interface uses the controller’s factory-set service-port MAC address.
Step 2
Enter these commands to define the service-port interface:
• To configure the DHCP server: config interface dhcp service-port ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]
• To disable the DHCP server: config interface dhcp service-port none
• To configure the IP address: config interface address service-port ip-addr ip-netmask
Step 3
The service port is used for out-of-band management of the controller. If the management workstation
is in a remote subnet, you may need to add a route on the controller in order to manage the controller
from that remote workstation. To do so, enter this command:
config route add network-ip-addr ip-netmask gateway
Step 4
Enter the save config command to save your changes.
Step 5
Enter the show interface detailed service-port command to verify that your changes have been saved.
Configuring Dynamic Interfaces
This section contains the following topics:
• Information About Dynamic Interfaces, page 4-15
• Guidelines and Limitations, page 4-15
• Configuring Dynamic Interfaces, page 4-16
Information About Dynamic Interfaces
Dynamic interfaces, also known as VLAN interfaces, are created by users and designed to be analogous
to VLANs for wireless LAN clients. A controller can support up to 512 dynamic interfaces (VLANs).
Each dynamic interface is individually configured and allows separate communication streams to exist
on any or all of a controller’s distribution system ports. Each dynamic interface controls VLANs and
other communications between controllers and all other network devices, and each acts as a DHCP relay
for wireless clients associated to WLANs mapped to the interface. You can assign dynamic interfaces to
distribution system ports, WLANs, the Layer 2 management interface, and the Layer 3 AP-manager
interface, and you can map the dynamic interface to a backup port.
You can configure zero, one, or multiple dynamic interfaces on a distribution system port. However, all
dynamic interfaces must be on a different VLAN or IP subnet from all other interfaces configured on the
port. If the port is untagged, all dynamic interfaces must be on a different IP subnet from any other
interface configured on the port.
Guidelines and Limitations
• If you are using DHCP proxy and/or a RADIUS source interface, ensure that the dynamic interface has a valid routable address. Duplicate or overlapping addresses across controller interfaces are not supported.
• We recommend using tagged VLANs for dynamic interfaces.
• You must not configure a dynamic interface in the same subnetwork as a server that must be reachable by the controller CPU, such as a RADIUS server, because doing so can cause asymmetric routing.
• For SNMP requests that come from a subnet that is configured as a dynamic interface, the controller responds, but the response does not reach the device that initiated the conversation.
• Wired clients cannot reach the management interface of the Cisco 2500 Series Controller through the IP address of the AP-manager interface when dynamic AP management is enabled on a dynamic VLAN.
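The separation rules stated above and in the preceding section (a dynamic interface on a port must differ from every other interface on that port by VLAN or by subnet; on a port that carries an untagged interface, by subnet; no duplicate addresses across interfaces, which also keeps the AP-manager address distinct from the management address; only one AP-manager interface per port; no RADIUS server inside a dynamic-interface subnet) are mechanical enough to check before anything is typed into the controller. The following Python script is an added example, not code from this guide or from the controller. The interface plan and the RADIUS server address are constructed, and the dictionary layout (name, kind, vlan, addr, port) is an assumption chosen for the example.

```python
import ipaddress
from itertools import combinations

# Constructed interface plan for one controller (not taken from the guide).
# kind: management | ap-manager | dynamic; vlan 0 means untagged.
INTERFACES = [
    {"name": "management", "kind": "management", "vlan": 10, "addr": "10.10.0.5/24", "port": 1},
    {"name": "ap-manager", "kind": "ap-manager", "vlan": 10, "addr": "10.10.0.6/24", "port": 1},
    {"name": "employees",  "kind": "dynamic",    "vlan": 20, "addr": "10.20.0.2/24", "port": 1},
    {"name": "guests",     "kind": "dynamic",    "vlan": 30, "addr": "10.30.0.2/24", "port": 1},
    # same VLAN and same subnet as "employees" on the same port: not allowed
    {"name": "iot",        "kind": "dynamic",    "vlan": 20, "addr": "10.20.0.3/24", "port": 1},
    # port 2 carries an untagged interface, so its dynamic interfaces need distinct subnets
    {"name": "legacy",     "kind": "dynamic",    "vlan": 0,  "addr": "10.50.0.2/24",   "port": 2},
    {"name": "printers",   "kind": "dynamic",    "vlan": 40, "addr": "10.50.0.130/25", "port": 2},
]
# Constructed RADIUS server address; it sits inside the "guests" dynamic subnet.
RADIUS_SERVERS = ["10.30.0.10"]


def _net(i):
    return ipaddress.ip_interface(i["addr"]).network


def _ip(i):
    return ipaddress.ip_interface(i["addr"]).ip


def validate_plan(interfaces, radius_servers):
    """Return a list of findings; an empty list means the plan passes every check."""
    findings = []

    # Duplicate addresses are never allowed; this also enforces the rule that the
    # AP-manager address differs from the management address.
    for a, b in combinations(interfaces, 2):
        if _ip(a) == _ip(b):
            findings.append(f"{a['name']} and {b['name']} share address {_ip(a)}")

    # Recommendation from the guide: AP-manager interfaces on the management subnet.
    for m in (i for i in interfaces if i["kind"] == "management"):
        for a in (i for i in interfaces if i["kind"] == "ap-manager"):
            if _net(a) != _net(m):
                findings.append(f"{a['name']} is not on the management subnet {_net(m)} (recommended)")

    by_port = {}
    for i in interfaces:
        by_port.setdefault(i["port"], []).append(i)
    for port, members in sorted(by_port.items()):
        untagged_port = any(i["vlan"] == 0 for i in members)
        for a, b in combinations(members, 2):
            if "dynamic" not in (a["kind"], b["kind"]):
                continue  # the separation rule is stated for dynamic interfaces
            # Different VLAN or different subnet is enough on a tagged-only port;
            # once the port carries an untagged interface, subnets must differ.
            if _net(a).overlaps(_net(b)) and (a["vlan"] == b["vlan"] or untagged_port):
                findings.append(
                    f"port {port}: {a['name']} (VLAN {a['vlan']}, {_net(a)}) and "
                    f"{b['name']} (VLAN {b['vlan']}, {_net(b)}) are not separated by VLAN or subnet"
                )
        ap_managers = [i["name"] for i in members if i["kind"] == "ap-manager"]
        if len(ap_managers) > 1:
            findings.append(f"port {port}: more than one AP-manager interface: {ap_managers}")

    # A RADIUS server inside a dynamic-interface subnet causes asymmetric routing.
    for srv in radius_servers:
        addr = ipaddress.ip_address(srv)
        for i in interfaces:
            if i["kind"] == "dynamic" and addr in _net(i):
                findings.append(f"RADIUS server {srv} is inside dynamic interface {i['name']} ({_net(i)})")
    return findings


if __name__ == "__main__":
    for finding in validate_plan(INTERFACES, RADIUS_SERVERS):
        print(finding)
```

On the constructed plan the script reports three findings: the employees/iot clash on port 1, the legacy/printers subnet overlap on the untagged port 2, and the RADIUS server inside the guests subnet. Removing iot and printers and moving the RADIUS server produces a clean result.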
Configuring Dynamic Interfaces
This section contains the following topics:
• Configuring Dynamic Interfaces (GUI), page 4-16
• Configuring Dynamic Interfaces (CLI), page 4-18
Configuring Dynamic Interfaces (GUI)
Step 1
Choose Controller > Interfaces to open the Interfaces page.
Figure 4-6
Interfaces > New Page
Step 2
Perform one of the following:
• To create a new dynamic interface, click New. The Interfaces > New page appears. Go to Step 3.
• To modify the settings of an existing dynamic interface, click the name of the interface. The Interfaces > Edit page for that interface appears. Go to Step 5.
• To delete an existing dynamic interface, hover your cursor over the blue drop-down arrow for the desired interface and choose Remove.
Step 3
Enter an interface name and a VLAN identifier, as shown in Figure 4-6.
Step 4
Click Apply to commit your changes. The Interfaces > Edit page appears.
Step 5
Configure the following parameters:
• Guest LAN, if applicable
• Quarantine and quarantine VLAN ID, if applicable
Note
Select the Quarantine check box if you want to configure this VLAN as unhealthy or you want to configure network access control (NAC) out-of-band integration. Doing so causes the data traffic of any client that is assigned to this VLAN to pass through the controller. See Chapter 8, “Working with WLANs,” for more information about NAC out-of-band integration.
• Physical port assignment (for all controllers except the 5500 series)
• NAT address (only for Cisco 5500 Series Controllers configured for dynamic AP management)
Note
Select the Enable NAT Address check box and enter the external NAT IP address if you want to be able to deploy your Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT). NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network (private). In this case, it maps the controller’s intranet IP addresses to a corresponding external address. The controller’s dynamic AP-manager interface must be configured with the external NAT IP address so that the controller can send the correct IP address in the Discovery Response.
Note
The NAT parameters are supported for use only with one-to-one-mapping NAT, where each private client has a direct and fixed mapping to a global address. The NAT parameters do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.
• Dynamic AP management
Note
When you enable this feature, this dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.
Note
Set the APs in a VLAN that is different than the dynamic interface configured on the controller. If the APs are in the same VLAN as the dynamic interface, the APs are not registered on the controller and the “LWAPP discovery rejected” and “Layer 3 discovery request not received on management VLAN” errors are logged on the controller.
• VLAN identifier
• Fixed IP address, IP netmask, and default gateway
• Primary and secondary DHCP servers
• Access control list (ACL) name, if required
Note
See Chapter 7, “Configuring Security Solutions,” for more information on ACLs.
Note
To ensure proper operation, you must set the Port Number and Primary DHCP Server parameters.
Step 6
Click Save Configuration to save your changes.
Step 7
Repeat this procedure for each dynamic interface that you want to create or edit.
Note
A flow policer or aggregate policer applied at the ingress of a dynamic-interface VLAN for upstream (wireless-to-wired) traffic does not police that traffic. When the traffic leaves the WiSM LAG (Layer 2) and reaches the switch virtual interface (SVI, Layer 3), the QoS policy it meets is VLAN based, and VLAN-based policing is not in effect on the LAG.
To make an ingress Layer 3 VLAN-based policy on the SVI take effect, enable VLAN-based QoS on the WiSM LAG with the equivalent of the mls qos vlan-based command. Earlier 12.2(33)SXI releases that support Auto LAG for WiSM only (12.2(33)SXI, 12.2(33)SXI1, 12.2(33)SXI2a, 12.2(33)SXI3, and so on) do not have this WiSM command, so on those releases the VLAN-based QoS policy at the SVI ingress never polices wireless-to-wired traffic coming out of the WiSM LAG. The commands equivalent to mls qos vlan-based are as follows:
Standalone: wism module module_no controller controller_no qos-vlan-based
Virtual Switching System: wism switch switch_no module module_no controller controller_no qos-vlan-based
Configuring Dynamic Interfaces (CLI)
Step 1
Enter the show interface summary command to view the current dynamic interfaces.
Step 2
View the details of a specific dynamic interface by entering this command:
show interface detailed operator_defined_interface_name.
Note
Interface names that contain spaces must be enclosed in double quotes. For example: config interface
create "vlan 25".
Step 3
Enter the config wlan disable wlan_id command to disable each WLAN that uses the dynamic interface
for distribution system communication.
Step 4
Enter these commands to configure dynamic interfaces:
• config interface create operator_defined_interface_name {vlan_id | x}
• config interface address operator_defined_interface_name ip_addr ip_netmask [gateway]
• config interface vlan operator_defined_interface_name {vlan_id | 0}
• config interface port operator_defined_interface_name physical_ds_port_number
• config interface ap-manager operator_defined_interface_name {enable | disable}
Note
Use the config interface ap-manager operator_defined_interface_name {enable | disable} command to enable or disable dynamic AP management. When you enable this feature, this dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.
• config interface dhcp operator_defined_interface_name ip_address_of_primary_dhcp_server [ip_address_of_secondary_dhcp_server]
• config interface quarantine vlan interface_name vlan_id
Note
Use the config interface quarantine vlan interface_name vlan_id command to configure a quarantine VLAN on any interface.
• config interface acl operator_defined_interface_name access_control_list_name
Note
See Chapter 7, “Configuring Security Solutions,” for more information on ACLs.
Step 5
Enter these commands if you want to be able to deploy your Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT):
• config interface nat-address dynamic-interface operator_defined_interface_name {enable | disable}
• config interface nat-address dynamic-interface operator_defined_interface_name set public_IP_address
NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network
(private). In this case, it maps the controller’s intranet IP addresses to a corresponding external address.
The controller’s dynamic AP-manager interface must be configured with the external NAT IP address so
that the controller can send the correct IP address in the Discovery Response.
Note
These NAT commands can be used only on Cisco 5500 Series Controllers and only if the
dynamic interface is configured for dynamic AP management.
Note
These commands are supported for use only with one-to-one-mapping NAT, whereby each
private client has a direct and fixed mapping to a global address. These commands do not support
one-to-many NAT, which uses source port mapping to enable a group of clients to be represented
by a single IP address.
Step 6
Enter the config wlan enable wlan_id command to reenable each WLAN that uses the dynamic interface
for distribution system communication.
Step 7
Enter the save config command to save your changes.
Step 8
Enter the show interface detailed operator_defined_interface_name command and show interface
summary command to verify that your changes have been saved.
Note
If desired, you can enter the config interface delete operator_defined_interface_name
command to delete a dynamic interface.
Information About Dynamic AP Management
A dynamic interface is created as a WLAN interface by default. However, any dynamic interface can be
configured as an AP-manager interface, with one AP-manager interface allowed per physical port. A
dynamic interface with the Dynamic AP Management option enabled is used as the tunnel source for
packets from the controller to the access point and as the destination for CAPWAP packets from the
access point to the controller. The dynamic interfaces for AP management must have a unique IP address
and are usually configured on the same subnet as the management interface.
Note
If link aggregation (LAG) is enabled, there can be only one AP-manager interface.
We recommend having a separate dynamic AP-manager interface per controller port. See the
“Configuring Multiple AP-Manager Interfaces” section on page 4-32 for instructions on configuring
multiple dynamic AP-manager interfaces.
Information About WLANs
A WLAN associates a service set identifier (SSID) to an interface. It is configured with security, quality
of service (QoS), radio policies, and other wireless network parameters. Up to 512 access point WLANs
can be configured per controller.
Figure 4-7 shows the relationship between ports, interfaces, and WLANs.
Figure 4-7
Ports, Interfaces, and WLANs
As shown in Figure 4-7, each controller port connection is an 802.1Q trunk and should be configured as
such on the neighbor switch. On Cisco switches, the native VLAN of an 802.1Q trunk is an untagged
VLAN. If you configure an interface to use the native VLAN on a neighboring Cisco switch, make sure
you configure the interface on the controller to be untagged.
Note
A zero value for the VLAN identifier (on the Controller > Interfaces page) means that the interface is
untagged.
The default (untagged) native VLAN on Cisco switches is VLAN 1. When controller interfaces are
configured as tagged (meaning that the VLAN identifier is set to a nonzero value), the VLAN must be
allowed on the 802.1Q trunk configuration on the neighbor switch and not be the native untagged VLAN.
We recommend that tagged VLANs be used on the controller. You should also allow only relevant
VLANs on the neighbor switch’s 802.1Q trunk connections to controller ports. All other VLANs should
be disallowed or pruned in the switch port trunk configuration. This practice is extremely important for
optimal performance of the controller.
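The trunk requirements above (every tagged controller VLAN allowed on the trunk and not equal to the native VLAN, an untagged controller interface riding the native VLAN, all other VLANs pruned) can be checked against the neighbor switch configuration mechanically. Pruning matters for more than performance: every VLAN left allowed on the trunk is one that a misconfigured or compromised controller port can reach. The following Python script is an added example, not code from this guide or from Cisco. The controller interface table and the IOS interface stanza are constructed, and the parser assumes plain IOS `switchport trunk native vlan` and `switchport trunk allowed vlan` syntax, including the add/remove/except forms; anything else in the stanza is ignored.

```python
import re

# Constructed controller interface table for one distribution system port:
# name -> VLAN id (0 = untagged). Not taken from the guide.
WLC_PORT1_INTERFACES = {
    "management": 10,
    "ap-manager": 10,
    "employees": 20,
    "guests": 30,
    "legacy": 0,
}

# Constructed neighbor-switch configuration for the trunk facing that port,
# written in Cisco IOS syntax.
SWITCHPORT_CONFIG = """interface GigabitEthernet1/0/1
 description WLC-1 port 1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,40-45
 switchport mode trunk
"""

ALL_VLANS = set(range(1, 4095))


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,40-45' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk(config):
    """Return (native_vlan, allowed_vlans) for one IOS interface stanza.

    Defaults match IOS: native VLAN 1 and every VLAN allowed.
    """
    native, allowed = 1, set(ALL_VLANS)
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
        if m:
            native = int(m.group(1))
            continue
        m = re.fullmatch(r"switchport trunk allowed vlan (?:(add|remove|except) )?(.+)", line)
        if m:
            verb, spec = m.groups()
            if spec == "all":
                allowed = set(ALL_VLANS)
            elif spec == "none":
                allowed = set()
            elif verb == "add":
                allowed |= expand_vlan_list(spec)
            elif verb == "remove":
                allowed -= expand_vlan_list(spec)
            elif verb == "except":
                allowed = ALL_VLANS - expand_vlan_list(spec)
            else:
                allowed = expand_vlan_list(spec)
    return native, allowed


def audit_trunk(interfaces, config):
    """Compare the controller's interfaces on a port with the switch trunk facing it."""
    native, allowed = parse_trunk(config)
    findings = []
    tagged = {v for v in interfaces.values() if v != 0}
    has_untagged = any(v == 0 for v in interfaces.values())
    for name, vlan in interfaces.items():
        if vlan == 0:
            continue
        if vlan == native:
            findings.append(f"{name}: tagged VLAN {vlan} is the trunk's native VLAN; "
                            "use an untagged controller interface or change the native VLAN")
        elif vlan not in allowed:
            findings.append(f"{name}: VLAN {vlan} is not allowed on the trunk")
    # Untagged frames ride the native VLAN, which must itself be allowed.
    if has_untagged and native not in allowed:
        findings.append(f"native VLAN {native} carries the untagged interface but is not allowed on the trunk")
    needed = tagged | ({native} if has_untagged else set())
    extra = sorted(allowed - needed)
    if extra:
        findings.append(f"prune VLANs the controller does not use: {extra}")
    return findings


if __name__ == "__main__":
    for finding in audit_trunk(WLC_PORT1_INTERFACES, SWITCHPORT_CONFIG):
        print(finding)
```

Against the constructed stanza the audit reports that VLAN 30 (guests) is missing from the allowed list, that native VLAN 99 is not allowed even though the controller has an untagged interface, and that VLANs 40 through 45 should be pruned. Run it once per controller port, because the allowed list should differ per trunk when interfaces are spread across ports.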
Note
We recommend that you assign one set of VLANs for WLANs and a different set of VLANs for
management interfaces to ensure that controllers properly route VLAN traffic.
Configuring Ports
This section contains the following topics:
• Information About Configuring Ports, page 4-22
• Configuring Ports (GUI), page 4-22
Information About Configuring Ports
The ports of the controller are preconfigured with factory-default settings designed to make the ports of
the controller operational without additional configuration. However, you can view the status of the ports
of the controller and edit their configuration parameters at any time.
Configuring Ports (GUI)
Step 1
Choose Controller > Ports to open the Ports page.
Figure 4-8
Ports Page
This page shows the current configuration for each of the controller’s ports.
If you want to change the settings of any port, click the number for that specific port. The Port >
Configure page appears.
Note
If the management and AP-manager interfaces are mapped to the same port and are members of
the same VLAN, you must disable the WLAN before making a port-mapping change to either
interface. If the management and AP-manager interfaces are assigned to different VLANs, you
do not need to disable the WLAN.
Note
The number of parameters available on the Port > Configure page depends on your controller
type.
The following parameters show the current status of the port:
• Port Number—Number of the current port.
• Admin Status—Current state of the port. Values: Enable or Disable
• Physical Mode—Configuration of the port physical interface. The mode varies by the controller type. Values: Auto, 100 Mbps Full Duplex, 100 Mbps Half Duplex, 10 Mbps Full Duplex, or 10 Mbps Half Duplex
Note
In the Cisco Wireless LAN Controller Module (NM-AIR-WLC6-K9), Cisco 5500 Series Controllers, and Cisco Flex 7500 Series Controllers, the physical mode is always set to auto.
• Physical Status—The data rate being used by the port. The available data rates vary based on controller type. The following options are available:
– 5500 series—1000 Mbps full duplex
– WiSM—1000 Mbps full duplex
– Controller network module—100 Mbps full duplex
– Catalyst 3750G Integrated Wireless LAN Controller Switch—1000 Mbps full duplex
• Link Status—Port’s link status. Values: Link Up or Link Down
• Link Trap—Whether the port is set to send a trap when the link status changes. Values: Enable or Disable
• Power over Ethernet (PoE)—Whether the connecting device is equipped to receive power through the Ethernet cable and, if so, provides –48 VDC. Values: Enable or Disable
Note
Some older Cisco access points do not draw PoE even if it is enabled on the controller port. In such cases, contact the Cisco Technical Assistance Center (TAC).
Note
The controller in the Catalyst 3750G Integrated Wireless LAN Controller Switch supports PoE on all ports.
Step 2
The following is a list of the port’s configurable parameters.
• Admin Status—Enables or disables the flow of traffic through the port. Options: Enable or Disable. Default: Enable.
Note
Administratively disabling the port on a controller does not affect the port’s link status. The link can be brought down only by other Cisco devices. On other Cisco products, however, administratively disabling a port brings the link down.
Note
•
When a primary port link goes down, messages may get logged internally only and not be posted
to a syslog server. It may take up to 40 seconds to restore logging to the syslog server.
Physical Mode—Determines whether the port’s data rate is set automatically or specified by the
user. The supported data rates vary based on the controller type. Default: Auto.
– 5500 series—Fixed 1000 Mbps full duplex
– WiSM—Auto or 1000 Mbps full duplex
– Controller network module—Auto or 100 Mbps full duplex
– Catalyst 3750G Integrated Wireless LAN Controller Switch—Auto or 1000 Mbps full duplex
Note
You will be prompted with a warning message when the following events occur:
1. When the traffic rate from the data ports exceeds 300 Mbps.
2. When the traffic rate from the data ports exceeds 250 Mbps constantly for 1 minute.
3. When the traffic rate from the data ports falls back to normal from one of the above states for
1 minute.
• Link Trap—Causes the port to send a trap when the port’s link status changes. Options: Enable or
Disable. Default: Enable.
• Multicast Appliance Mode—Enables or disables the multicast appliance service for this port.
Options: Enable or Disable. Default: Enable.
Step 3
Click Apply to commit your changes.
Step 4
Click Save Configuration to save your changes.
Step 5
Click Back to return to the Ports page and review your changes.
Step 6
Repeat this procedure for each additional port that you want to configure.
Using the Cisco 5500 Series Controller USB Console Port
The USB console port on the Cisco 5500 Series Controllers connects directly to the USB connector of
a PC using a USB Type A-to-5-pin mini Type B cable.
Note
The 4-pin mini Type B connector is easily confused with the 5-pin mini Type B connector. They are not
compatible. Only the 5-pin mini Type B connector can be used.
For operation with Microsoft Windows, the Cisco Windows USB console driver must be installed on any
PC connected to the console port. With this driver, you can plug and unplug the USB cable into and from
the console port without affecting Windows HyperTerminal operations.
Note
Only one console port can be active at a time. When a cable is plugged into the USB console port, the
RJ-45 port becomes inactive. Conversely, when the USB cable is removed from the USB port, the RJ-45
port becomes active.
USB Console OS Compatibility
These operating systems are compatible with the USB console:
• Microsoft Windows 2000, XP, Vista (Cisco Windows USB console driver required)
• Apple Mac OS X 10.5.2 (no driver required)
• Linux (no driver required)
Installing the Cisco Windows USB Console Driver
Step 1
Download the USB_Console.inf driver file as follows:
a.
Click this URL to go to the Software Center:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278875243
b.
Click Wireless LAN Controllers.
c.
Click Standalone Controllers.
d.
Click Cisco 5500 Series Wireless LAN Controllers.
e.
Click Cisco 5508 Wireless LAN Controller.
f.
Choose the USB driver file.
g.
Save the file to your hard drive.
Step 2
Connect the Type A connector to a USB port on your PC.
Step 3
Connect the mini Type B connector to the USB console port on the controller.
Step 4
When prompted for a driver, browse to the USB_Console.inf file on your PC. Follow the prompts to
install the USB driver.
Note
Some systems might also require an additional system file. You can download the Usbser.sys file
from this URL:
http://support.microsoft.com/kb/918365
Changing the Cisco USB Systems Management Console COM Port to an Unused Port
The USB driver is mapped to COM port 6. Some terminal emulation programs do not recognize a port
higher than COM 4. If necessary, change the Cisco USB systems management console COM port to an
unused port of COM 4 or lower.
Step 1
From your Windows desktop, right-click My Computer and choose Manage.
Step 2
From the list on the left side, choose Device Manager.
Step 3
From the device list on the right side, double-click Ports (COM & LPT).
Step 4
Right-click Cisco USB System Management Console 0108 and choose Properties.
Step 5
Click the Port Settings tab and click the Advanced button.
Step 6
From the COM Port Number drop-down list, choose an unused COM port of 4 or lower.
Step 7
Click OK to save and then close the Advanced Settings dialog box.
Step 8
Click OK to save and then close the Communications Port Properties dialog box.
Choosing Between Link Aggregation and Multiple AP-Manager Interfaces
Cisco 5500 Series Controllers have no restrictions on the number of access points per port, but we
recommend using link aggregation (LAG) or multiple AP-manager interfaces on each Gigabit Ethernet
port to automatically balance the load.
The following factors should help you decide which method to use if your controller is set for Layer 3
operation:
• With LAG, all of the controller ports need to connect to the same neighbor switch. If the neighbor
switch goes down, the controller loses connectivity.
• With multiple AP-manager interfaces, you can connect your ports to different neighbor devices. If
one of the neighbor switches goes down, the controller still has connectivity. However, using
multiple AP-manager interfaces presents certain challenges (as discussed in the “Configuring
Multiple AP-Manager Interfaces” section) when port redundancy is a concern.
Follow the instructions on the page indicated for the method you want to use:
• Configuring Link Aggregation, page 4-26
• Configuring Multiple AP-Manager Interfaces, page 4-32
Configuring Link Aggregation
This section contains the following topics:
• Information About Link Aggregation, page 4-27
• Guidelines and Limitations, page 4-27
• Enabling Link Aggregation, page 4-30
• Verifying Link Aggregation Settings (CLI), page 4-31
• Configuring Neighbor Devices to Support Link Aggregation, page 4-31
Information About Link Aggregation
Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles
all of the controller’s distribution system ports into a single 802.3ad port channel, thereby reducing the
number of IP addresses needed to configure the ports on your controller. When LAG is enabled, the system
dynamically manages port redundancy and load balances access points transparently to the user.
Figure 4-9 shows LAG.
Figure 4-9
Link Aggregation
LAG simplifies controller configuration because you no longer need to configure primary and secondary
ports for each interface. If any of the controller ports fail, traffic is automatically migrated to one of the
other ports. As long as at least one controller port is functioning, the system continues to operate, access
points remain connected to the network, and wireless clients continue to send and receive data.
Note
LAG is supported across switches.
Guidelines and Limitations
• You can bundle all eight ports on a Cisco 5508 Controller into a single link.
• Cisco 5500 Series Controllers support LAG in software release 6.0 or later releases, as does the
Catalyst 3750G Integrated Wireless LAN Controller Switch. With LAG enabled, the logical port on the
Catalyst 3750G Integrated Wireless LAN Controller Switch and on each Cisco WiSM controller supports
up to 150 access points.
• Terminating on two different modules within a single Catalyst 6500 series switch provides
redundancy and ensures that connectivity between the switch and the controller is maintained when
one module fails. Figure 4-10 shows this use of redundant modules. A Cisco 4402-50 Controller is
connected to two different Gigabit modules (slots 2 and 3) within the Catalyst 6500 Series Switch.
The controller’s port 1 is connected to Gigabit interface 3/1, and the controller’s port 2 is connected
to Gigabit interface 2/1 on the Catalyst 6500 series switch. Both switch ports are assigned to the
same channel group.
When a Cisco 5500 Series Controller LAG port is connected to a Catalyst 3750G or a 6500 or 7600
channel group employing load balancing, note the following:
• LAG requires the EtherChannel to be configured for the on mode on both the controller and the
Catalyst switch.
• Once the EtherChannel is configured as on at both ends of the link, it does not matter if the Catalyst
switch is configured for either Link Aggregation Control Protocol (LACP) or Cisco proprietary Port
Aggregation Protocol (PAgP) because no channel negotiation is done between the controller and the
switch. Additionally, LACP and PAgP are not supported on the controller.
• The load-balancing method configured on the Catalyst switch must be a load-balancing method that
terminates all IP datagram fragments on a single controller port. Not following this recommendation
may result in problems with access point association.
• The recommended load-balancing method for Catalyst switches is src-dst-ip (enter the
port-channel load-balance src-dst-ip command).
• The Catalyst 6500 series switches running in PFC3 or PFC3CXL mode implement enhanced
EtherChannel load balancing. The enhanced EtherChannel load balancing adds the VLAN number
to the hash function, which is incompatible with LAG. From Release 12.2(33)SXH and later
releases, Catalyst 6500 IOS software offers the exclude vlan keyword to the port-channel
load-balance command to implement src-dst-ip load distribution. See the Cisco IOS Interface and
Hardware Component Command Reference for more information.
• Enter the show platform hardware pfc mode command on the Catalyst 6500 switch to confirm the
PFC operating mode.
The following example shows a Catalyst 6500 series switch in PFC3B mode when you enter the
global configuration port-channel load-balance src-dst-ip command for proper LAG
functionality:
# show platform hardware pfc mode
PFC operating mode : PFC3B
# show EtherChannel load-balance
EtherChannel Load-Balancing Configuration:
src-dst-ip
The following example shows a Catalyst 6500 series switch in PFC3C mode when you enter the
exclude vlan keyword in the port-channel load-balance src-dst-ip exclude vlan command:
# show platform hardware pfc mode
PFC operating mode : PFC3C
# show EtherChannel load-balance
EtherChannel Load-Balancing Configuration:
src-ip enhanced
mpls label-ip
• If the recommended load-balancing method cannot be configured on the Catalyst switch, then
configure the LAG connection as a single member link or disable LAG on the controller.
Figure 4-10
Link Aggregation with the Catalyst 6500 Series Neighbor Switch
• You cannot configure the controller’s ports into separate LAG groups. Only one LAG group is
supported per controller. Therefore, you can connect a controller in LAG mode to only one neighbor
device.
Note
The two internal Gigabit ports on the controller within the Catalyst 3750G Integrated
Wireless LAN Controller Switch are always assigned to the same LAG group.
• When you enable LAG or make any changes to the LAG configuration, you must immediately reboot
the controller.
• When you enable LAG, you can configure only one AP-manager interface because only one logical
port is needed. LAG removes the requirement for supporting multiple AP-manager interfaces.
• When you enable LAG, all dynamic AP-manager interfaces and untagged interfaces are deleted, and
all WLANs are disabled and mapped to the management interface. Also, the management, static
AP-manager, and VLAN-tagged dynamic interfaces are moved to the LAG port.
• Multiple untagged interfaces to the same port are not allowed.
• When you enable LAG, you cannot create interfaces with a primary port other than 29.
• When you enable LAG, all ports participate in LAG by default. You must configure LAG for all of
the connected ports in the neighbor switch.
• When you enable LAG, if any single link goes down, traffic migrates to the other links.
• When you enable LAG, only one functional physical port is needed for the controller to pass client
traffic.
• When you enable LAG, access points remain connected to the switch, and data service for users
continues uninterrupted.
• When you enable LAG, you eliminate the need to configure primary and secondary ports for each
interface.
• When you enable LAG, the controller sends packets out on the same port on which it received them.
If a CAPWAP packet from an access point enters the controller on physical port 1, the controller
removes the CAPWAP wrapper, processes the packet, and forwards it to the network on physical
port 1. This may not be the case if you disable LAG.
• When you disable LAG, the management, static AP-manager, and dynamic interfaces are moved to
port 1.
• When you disable LAG, you must configure primary and secondary ports for all interfaces.
• When you disable LAG, you must assign an AP-manager interface to each port on the controller.
Otherwise, access points are unable to join.
• Cisco 5500 Series Controllers support a single static link aggregation bundle.
• LAG is typically configured using the Startup Wizard, but you can enable or disable it at any time
through either the GUI or CLI.
Note
LAG is enabled by default and is the only option on the Catalyst 3750G Integrated Wireless
LAN Controller Switch.
Enabling Link Aggregation
This section contains the following topics:
• Enabling Link Aggregation (GUI), page 4-30
• Enabling Link Aggregation (CLI), page 4-31
Enabling Link Aggregation (GUI)
Step 1
Choose Controller > General to open the General page.
Figure 4-11
General Page
Step 2
Set the LAG Mode on Next Reboot parameter to Enabled.
Note
Choose Disabled if you want to disable LAG. LAG is disabled by default on the Cisco 5500 but
enabled by default on the Catalyst 3750G Integrated Wireless LAN Controller Switch.
Step 3
Click Apply to commit your changes.
Step 4
Click Save Configuration to save your changes.
Step 5
Reboot the controller.
Step 6
Assign the WLAN to the appropriate VLAN.
Enabling Link Aggregation (CLI)
Step 1
Enter the config lag enable command to enable LAG.
Note
Enter the config lag disable command if you want to disable LAG.
Step 2
Enter the save config command to save your settings.
Step 3
Reboot the controller.
Verifying Link Aggregation Settings (CLI)
To verify your LAG settings, enter this command:
show lag summary
Information similar to the following appears:
LAG Enabled
Configuring Neighbor Devices to Support Link Aggregation
The controller’s neighbor devices must also be properly configured to support LAG.
• Each neighbor port to which the controller is connected should be configured as follows:
interface GigabitEthernet <interface id>
switchport
channel-group <id> mode on
no shutdown
• The port channel on the neighbor switch should be configured as follows:
interface port-channel <id>
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan <native vlan id>
switchport trunk allowed vlan <allowed vlans>
switchport mode trunk
no shutdown
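The requirements stated in the load-balancing guidelines above and in the neighbor configuration just shown (every member port in channel-group mode on, a single channel group, src-dst-ip load balancing or its exclude vlan form, and an 802.1Q trunk on the port channel) can be checked mechanically before the controller is rebooted into LAG mode. The following Python script is an added example, not code from the guide or a Cisco tool: it parses a constructed IOS-style neighbor-switch configuration and reports every deviation from those requirements. The configuration text, interface names, channel-group number and VLAN IDs are all constructed for the illustration.

```python
import re
from typing import Dict, List

# Constructed sample of a neighbor-switch running-config (not from the guide).
# GigabitEthernet2/1 deliberately uses "mode desirable" so the checker has
# something to report.
SAMPLE_CONFIG = """\
port-channel load-balance src-dst-ip
!
interface GigabitEthernet3/1
 switchport
 channel-group 1 mode on
 no shutdown
!
interface GigabitEthernet2/1
 switchport
 channel-group 1 mode desirable
 no shutdown
!
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 no shutdown
"""

# Load-balancing methods that keep every fragment of an IP datagram on one
# controller port: the guide recommends src-dst-ip, and "exclude vlan" is the
# form needed on PFC3C/PFC3CXL so the VLAN number stays out of the hash.
ACCEPTED_LOAD_BALANCE = {"src-dst-ip", "src-dst-ip exclude vlan"}


def parse_ios(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {section: [lines]}; global commands go
    under the key "global", interface sub-commands under the interface name."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):            # top-level command
            if line.startswith("interface "):
                current = line.split(" ", 1)[1]
                sections.setdefault(current, [])
            else:
                current = "global"
                sections["global"].append(line)
        else:
            sections[current].append(line.strip())
    return sections


def check_lag_neighbor(config: str) -> List[str]:
    """Return findings; an empty list means the switch side satisfies the
    guide's requirements for a controller LAG bundle."""
    findings: List[str] = []
    sections = parse_ios(config)

    # 1. Global load-balancing method must be src-dst-ip (or its exclude vlan form).
    lb = [l for l in sections["global"] if l.startswith("port-channel load-balance")]
    method = lb[-1][len("port-channel load-balance "):] if lb else "(default)"
    if method not in ACCEPTED_LOAD_BALANCE:
        findings.append(f"load-balance method {method!r} is not src-dst-ip")

    # 2. Member ports must use "mode on" (no LACP/PAgP negotiation with the
    #    controller) and must all belong to one channel group.
    groups = set()
    for name, lines in sections.items():
        if name == "global" or name.lower().startswith("port-channel"):
            continue
        for l in lines:
            m = re.match(r"channel-group (\d+) mode (\S+)", l)
            if m:
                groups.add(m.group(1))
                if m.group(2) != "on":
                    findings.append(f"{name}: channel-group mode {m.group(2)!r}, must be 'on'")
    if len(groups) > 1:
        findings.append(f"member ports span several channel groups: {sorted(groups)}")

    # 3. The port-channel interface must be an 802.1Q trunk.
    for name, lines in sections.items():
        if not name.lower().startswith("port-channel"):
            continue
        if "switchport mode trunk" not in lines:
            findings.append(f"{name}: missing 'switchport mode trunk'")
        if "switchport trunk encapsulation dot1q" not in lines:
            findings.append(f"{name}: missing 'switchport trunk encapsulation dot1q'")
    return findings


if __name__ == "__main__":
    for finding in check_lag_neighbor(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the checker reports only the member port that negotiates instead of using mode on; the same parser can be fed the output of show running-config from the neighbor switch.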
Configuring Multiple AP-Manager Interfaces
This section contains the following topics:
• Information About Multiple AP-Manager Interfaces, page 4-32
• Guidelines and Limitations, page 4-33
• Creating Multiple AP-Manager Interfaces, page 4-35
Information About Multiple AP-Manager Interfaces
When you create two or more AP-manager interfaces, each one is mapped to a different port (see
Figure 4-12). The ports should be configured in sequential order so that AP-manager interface 2 is on
port 2, AP-manager interface 3 is on port 3, and AP-manager interface 4 is on port 4.
Before an access point joins a controller, it sends out a discovery request. From the discovery response
that it receives, the access point can tell the number of AP-manager interfaces on the controller and the
number of access points on each AP-manager interface. The access point generally joins the AP-manager
with the least number of access points. In this way, the access point load is dynamically distributed
across the multiple AP-manager interfaces.
Note
Access points may not be distributed completely evenly across all of the AP-manager interfaces, but a
certain level of load balancing occurs.
Figure 4-12
Three AP-Manager Interfaces
This configuration has the advantage of load balancing all 100 access points evenly across all four
AP-manager interfaces. If one of the AP-manager interfaces fails, all of the access points connected
to the controller would be evenly distributed among the three available AP-manager interfaces. For
example, if AP-manager interface 2 fails, the remaining AP-manager interfaces (1, 3, and 4) would
each manage approximately 33 access points.
Guidelines and Limitations
• Only Cisco 2500 and 5500 Series Controllers support the use of multiple AP-manager interfaces.
• AP-manager interfaces do not need to be on the same VLAN or IP subnet, and they may or may not
be on the same VLAN or IP subnet as the management interface. However, we recommend that you
configure all AP-manager interfaces on the same VLAN or IP subnet.
• You must assign an AP-manager interface to each port on the controller.
• Before implementing multiple AP-manager interfaces, you should consider how they would impact
your controller’s port redundancy.
Examples:
– The Cisco 4404-100 Controller supports up to 100 access points and has four ports. To support
the maximum number of access points, you would need to create three (or more) AP-manager
interfaces (see Figure 4-14). If the port of one of the AP-manager interfaces fails, the controller
clears the access points’ state, and the access points must reboot to reestablish communication
with the controller using the normal controller join process. The controller no longer includes
the failed AP-manager interface in the CAPWAP or LWAPP discovery responses. The access
points then rejoin the controller and are load balanced among the available AP-manager
interfaces.
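The join behaviour described in "Information About Multiple AP-Manager Interfaces" (an access point joins the AP-manager interface with the fewest access points) and the failure handling in the example above (the failed interface drops out of discovery responses and its access points rejoin elsewhere) can be simulated to see how load moves. The following Python model is an added example, not controller code: it reproduces the guide's 100 access points on four AP-manager interfaces and the loss of one of them. The tie-breaking rule (first interface in order wins) is an assumption; the guide says only that the access point "generally" joins the least-loaded interface.

```python
from typing import Dict, List


def join_least_loaded(ap_managers: Dict[str, int]) -> str:
    """Return the AP-manager interface a new access point would pick from the
    discovery response: the one currently serving the fewest access points.
    Ties go to the first interface in insertion order (an assumption; the
    guide does not state the tie-break)."""
    return min(ap_managers, key=lambda name: ap_managers[name])


def distribute(ap_count: int, ap_managers: List[str]) -> Dict[str, int]:
    """Join ap_count access points one at a time, each choosing the
    least-loaded AP-manager interface at the moment it joins."""
    load = {name: 0 for name in ap_managers}
    for _ in range(ap_count):
        load[join_least_loaded(load)] += 1
    return load


def fail_ap_manager(load: Dict[str, int], failed: str) -> Dict[str, int]:
    """Model the port failure the guide describes: the controller clears the
    state of the access points on the failed interface and stops advertising
    it in discovery responses; those access points reboot, rediscover the
    controller and rejoin, again picking the least-loaded interface."""
    orphaned = load[failed]
    remaining = {name: n for name, n in load.items() if name != failed}
    for _ in range(orphaned):
        remaining[join_least_loaded(remaining)] += 1
    return remaining


if __name__ == "__main__":
    # Constructed scenario using the guide's numbers: 100 access points,
    # four AP-manager interfaces (one per port), then the port of interface 2 fails.
    managers = ["ap-manager-1", "ap-manager-2", "ap-manager-3", "ap-manager-4"]
    before = distribute(100, managers)
    after = fail_ap_manager(before, "ap-manager-2")
    print("before failure:", before)   # 25 access points on each interface
    print("after failure: ", after)    # roughly 33 on each of the remaining three
```

The model also shows why the guide insists on an AP-manager interface per port when LAG is disabled: an access point can only be steered to an interface that appears in the discovery response, so a port with no AP-manager interface carries no access points at all.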
Figure 4-13
Two AP-Manager Interfaces
Figure 4-14
Four AP-Manager Interfaces
Creating Multiple AP-Manager Interfaces
This section contains the following topics:
• Creating Multiple AP-Manager Interfaces (GUI), page 4-35
• Creating Multiple AP-Manager Interfaces (CLI), page 4-37
Creating Multiple AP-Manager Interfaces (GUI)
Step 1
Choose Controller > Interfaces to open the Interfaces page.
Step 2
Click New. The Interfaces > New page appears.
Figure 4-15
Interfaces > New Page
Step 3
Enter an AP-manager interface name and a VLAN identifier.
Step 4
Click Apply to commit your changes. The Interfaces > Edit page appears.
Figure 4-16
Interfaces > Edit Page
Step 5
Enter the appropriate interface parameters.
Note
Do not define a backup port for an AP-manager interface. Port redundancy is not supported for
AP-manager interfaces. If the AP-manager interface fails, all of the access points connected to
the controller through that interface are evenly distributed among the other configured
AP-manager interfaces.
Step 6
To make this interface an AP-manager interface, select the Enable Dynamic AP Management check
box.
Note
Only one AP-manager interface is allowed per physical port. A dynamic interface that is marked
as an AP-manager interface cannot be used as a WLAN interface.
Step 7
Click Save Configuration to save your settings.
Step 8
Repeat this procedure for each additional AP-manager interface that you want to create.
Creating Multiple AP-Manager Interfaces (CLI)
Step 1
Enter these commands to create a new interface:
• config interface create operator_defined_interface_name {vlan_id | x}
• config interface address operator_defined_interface_name ip_addr ip_netmask [gateway]
• config interface vlan operator_defined_interface_name {vlan_id | 0}
• config interface port operator_defined_interface_name physical_ds_port_number
• config interface dhcp operator_defined_interface_name ip_address_of_primary_dhcp_server
[ip_address_of_secondary_dhcp_server]
• config interface quarantine vlan interface_name vlan_id
Note
Use this command to configure a quarantine VLAN on any interface.
• config interface acl operator_defined_interface_name access_control_list_name
Note
See Chapter 7, “Configuring Security Solutions,” for more information on ACLs.
Step 2
To make this interface an AP-manager interface, enter this command:
config interface ap-manager operator_defined_interface_name {enable | disable}
Note
Only one AP-manager interface is allowed per physical port. A dynamic interface that is marked
as an AP-manager interface cannot be used as a WLAN interface.
Step 3
To save your changes, enter this command:
save config
Step 4
Repeat this procedure for each additional AP-manager interface that you want to create.
Configuration Example: Configuring AP-Manager on a Cisco 5500 Series Controller
For a Cisco 5500 Series Controller, we recommend having eight dynamic AP-manager interfaces and
associating them to the controller’s eight Gigabit ports. If you are using the management interface, which
acts like an AP-manager interface by default, you need to create only seven more dynamic AP-manager
interfaces and associate them to the remaining seven Gigabit ports. For example, Figure 4-17 shows a
dynamic interface that is enabled as a dynamic AP-manager interface and associated to port number 2,
and Figure 4-18 shows a Cisco 5500 Series Controller with LAG disabled, the management interface
used as one dynamic AP-manager interface, and seven additional dynamic AP-manager interfaces, each
mapped to a different Gigabit port.
Figure 4-17
Dynamic Interface Example with Dynamic AP Management
Figure 4-18
Cisco 5500 Series Controller Interface Configuration Example
Configuring VLAN Select
This section contains the following topics:
• Information About VLAN Select, page 4-39
• Guidelines and Limitations, page 4-39
Information About VLAN Select
Whenever a wireless client connects to a wireless network (WLAN), the client is placed in a VLAN that
is associated with the WLAN. In a large venue such as an auditorium, a stadium, or a conference where
there may be numerous wireless clients, having only a single WLAN to accommodate many clients
might be a challenge.
The VLAN select feature enables you to use a single WLAN that can support multiple VLANs. Clients
can get assigned to one of the configured VLANs. This feature enables you to map a WLAN to a single
or multiple interface VLANs using interface groups. Wireless clients that associate to the WLAN get an
IP address from a pool of subnets identified by the interfaces. The IP address is derived by an algorithm
based on the MAC address of the wireless client. This feature also extends the current AP group
architecture where AP groups can override an interface or interface group to which the WLAN is mapped
to, with multiple interfaces using the interface groups. This feature also provides the solution to auto
anchor restrictions where a wireless guest user on a foreign location can get an IP address from multiple
subnets based on their foreign locations or foreign controllers from the same anchor controller.
When a client roams from one controller to another, the foreign controller sends the VLAN information
as part of the mobility announce message. Based on the VLAN information received, the anchor decides
whether the tunnel should be created between the anchor controller and the foreign controller. If the
same VLAN is available on the foreign controller, the client context is completely deleted from the
anchor and the foreign controller becomes the new anchor controller for the client.
If an interface (int-1) in a subnet is untagged on one controller (VLAN ID 0) and the interface (int-2) in
the same subnet is tagged on another controller (VLAN ID 1), then with VLAN select, a client that joins
the first controller over this interface may not undergo an L2 roam when it moves to the second
controller. Hence, for L2 roaming to happen between two controllers with VLAN select, all the
interfaces in the same subnet should be either tagged or untagged.
As part of the VLAN select feature, the mobility announce message carries an additional vendor payload
that contains the list of VLAN interfaces in an interface group mapped to a foreign controller’s WLAN.
This VLAN list enables the anchor to differentiate from a local to local or local to foreign handoff.
Note
VLAN pooling applies to wireless clients and centrally switched WLANs.
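Two points in the description above lend themselves to a small model: the MAC-based choice of interface (and therefore VLAN and subnet) from an interface group, and the tagged/untagged consistency rule that decides whether a client can L2 roam between two controllers. The following Python code is an added example, not the controller's implementation. The selection function is hypothetical: it uses a stable hash of the client MAC modulo the pool size, because the guide says only that the address is derived from the MAC and does not publish the algorithm. The interface names, VLAN IDs and subnets are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Interface:
    """A controller dynamic interface as the guide describes it: VLAN ID 0
    means untagged, any other value is the 802.1Q tag."""
    name: str
    vlan_id: int
    subnet: str


def select_interface(client_mac: str, group: List[Interface]) -> Interface:
    """Choose the interface (hence VLAN and subnet) for a client joining a
    WLAN mapped to an interface group. HYPOTHETICAL: a stable hash of the MAC
    modulo the pool size; the guide states only that the choice is MAC-based,
    and Cisco's real algorithm is not on the page."""
    mac = client_mac.lower().replace(":", "").replace("-", "")
    if len(mac) != 12:
        raise ValueError(f"not a MAC address: {client_mac!r}")
    digest = hashlib.sha256(bytes.fromhex(mac)).digest()
    return group[int.from_bytes(digest[:4], "big") % len(group)]


def l2_roam_blockers(ctrl_a: List[Interface], ctrl_b: List[Interface]) -> List[str]:
    """Report interface pairs that share a subnet but are tagged on one
    controller and untagged on the other: the mismatch the guide says keeps
    a client from doing an L2 roam between the two controllers."""
    problems: List[str] = []
    for a in ctrl_a:
        for b in ctrl_b:
            if a.subnet == b.subnet and (a.vlan_id == 0) != (b.vlan_id == 0):
                problems.append(
                    f"{a.subnet}: {a.name} (VLAN {a.vlan_id}) vs {b.name} (VLAN {b.vlan_id})"
                )
    return problems


if __name__ == "__main__":
    # Constructed pool: three interfaces in one interface group.
    pool = [
        Interface("int-10", 10, "10.10.10.0/24"),
        Interface("int-20", 20, "10.10.20.0/24"),
        Interface("int-30", 30, "10.10.30.0/24"),
    ]
    for mac in ("00:11:22:33:44:55", "00:11:22:33:44:56", "aa:bb:cc:dd:ee:ff"):
        print(mac, "->", select_interface(mac, pool).name)

    # Constructed mismatch following the guide's int-1/int-2 description.
    ctrl_1 = [Interface("int-1", 0, "10.10.1.0/24")]
    ctrl_2 = [Interface("int-2", 1, "10.10.1.0/24")]
    print(l2_roam_blockers(ctrl_1, ctrl_2))
```

Because the choice is a pure function of the MAC address, a client that reconnects lands on the same subnet each time, which is what lets the anchor controller compare VLAN lists in the mobility announce and skip building a tunnel when the VLAN already exists on the foreign controller.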
Guidelines and Limitations
• Release 7.0.116.0 and prior releases of the controller software enabled you to associate one VLAN
with a WLAN. Each VLAN required a single IP subnet. As a result, a WLAN required a large subnet
to accommodate more clients. The VLAN select feature enables you to use a single WLAN that can
support multiple VLANs.
• The following lightweight access points are supported: Cisco Aironet 1130, 1040, 1140, 1240, 1250,
1260, 3500, 3600, 1522/1524 Access Points, and 800 Series access points.
• The following controllers are supported: Cisco Flex 7500, Cisco 5508, WiSM-2, 2500 Series
Controllers.
Configuring Interface Groups
This section contains the following topics:
• Information About Interface Groups, page 4-40
• Guidelines and Limitations, page 4-40
• Configuring Interface Groups, page 4-41
Information About Interface Groups
Interface groups are logical groups of interfaces. Interface groups facilitate user configuration where the
same interface group can be configured on multiple WLANs or while overriding a WLAN interface per
AP group. An interface group can exclusively contain either quarantine or nonquarantine interfaces. An
interface can be part of multiple interface groups.
A WLAN can be associated with an interface or interface group. The interface group name and the
interface name cannot be the same.
This feature also enables you to associate a client with specific subnets based on the foreign controller
to which it is connected. The anchor controller WLAN can be configured to maintain a mapping between
a foreign controller MAC address and a specific interface or interface group (foreign maps) as needed. If this
mapping is not configured, clients on that foreign controller get VLANs from the interface group
configured on the WLAN.
You can also configure AAA override for interface groups. This feature extends the current access point
group and AAA override architecture where access point groups and AAA override can be configured
to override the interface group WLAN that the interface is mapped to. This is done with multiple
interfaces using interface groups.
This feature enables network administrators to configure guest anchor restrictions where a wireless guest
user at a foreign location can obtain an IP address from multiple subnets on the foreign location and
controllers from within the same anchor controller.
Guidelines and Limitations
Table 4-1 lists the platform support for interface and interface groups:
Table 4-1
Platform Support for Interface and Interface Groups
Platform                                                  Interface Groups   Interfaces per Interface Group
WiSM2, Cisco 5508 Series Controller, Cisco Flex 7500      64                 64
Series Controller, Cisco 2500 Series Controller
NM6 series                                                4                  4
Configuring Interface Groups
This section contains the following topics:
• Creating Interface Groups (GUI), page 4-41
• Creating Interface Groups (CLI), page 4-41
• Adding Interfaces to Interface Groups (GUI), page 4-41
• Adding Interfaces to Interface Groups (CLI), page 4-42
• Adding an Interface Group to a WLAN (GUI), page 4-42
• Adding an Interface Group to a WLAN (CLI), page 4-42
• Viewing VLANs in Interface Groups (CLI), page 4-42
Creating Interface Groups (GUI)
Step 1
Choose Controller > Interface Groups from the left navigation pane.
The Interface Groups page appears with the list of interface groups already created.
Note
To remove an interface group, hover your mouse pointer over the blue drop-down icon and choose
Remove.
Step 2
Click Add Group to add a new group.
The Add New Interface Group page appears.
Step 3
Enter the details of the interface group:
• Interface Group Name—Specify the name of the interface group.
• Description—Add a brief description of the interface group.
Step 4
Click Add.
Creating Interface Groups (CLI)
• config interface group {create | delete} interface_group_name—Creates or deletes an interface
group
• config interface group description interface_group_name “description”—Adds a description to
the interface group
Adding Interfaces to Interface Groups (GUI)
Step 1
Choose Controller > Interface Groups.
The Interface Groups page appears with a list of all interface groups.
Step 2
Click the name of the interface group to which you want to add interfaces.
The Interface Groups > Edit page appears.
Step 3
Choose the interface name that you want to add to this interface group from the Interface Name
drop-down list.
Step 4
Click Add Interface to add the interface to the Interface group.
Step 5
Repeat Steps 2 and 3 if you want to add multiple interfaces to this interface group.
Note
To remove an interface from the interface group, hover your mouse pointer over the blue drop-down
arrow and choose Remove.
Adding Interfaces to Interface Groups (CLI)
To add interfaces to interface groups, use the config interface group interface add interface_group
interface_name command.
Viewing VLANs in Interface Groups (CLI)
To view a list of VLANs in the interface groups, use the show interface group detailed
interface-group-name command.
Adding an Interface Group to a WLAN (GUI)
Step 1
Choose the WLAN tab.
The WLANs page appears listing the available WLANs.
Step 2
Click the WLAN ID of the WLAN to which you want to add the interface group.
Step 3
In the General tab, choose the interface group from the Interface/Interface Group (G) drop-down list.
Step 4
Click Apply.
Adding an Interface Group to a WLAN (CLI)
To add an interface group to a WLAN, use the command config wlan interface wlan_id
interface_group_name.
Multicast Optimization
This section contains the following topics:
• Information About Multicast Optimization, page 4-43
• Configuring Multicast VLAN, page 4-43
Information About Multicast Optimization
Prior to the 7.0.116.0 release, multicast was based on the grouping of the multicast address and the
VLAN as one entity, the MGID. With VLAN select and VLAN pooling, the number of duplicate packets
might increase. With the VLAN select feature, every client listens to the multicast stream on a different
VLAN. As a result, the controller creates a different MGID for each multicast address and VLAN pair.
Therefore, the upstream router sends one copy for each VLAN, which results, in the worst case, in as
many copies as there are VLANs in the pool. Because the WLAN is still the same for all clients,
multiple copies of the multicast packet are sent over the air. To suppress the duplication of a multicast
stream on the wireless medium and between the controller and access points, you can use the multicast
optimization feature.
Multicast optimization enables you to create a multicast VLAN that you can use for multicast traffic.
You can configure one of the VLANs of the WLAN as a multicast VLAN on which multicast groups are
registered. Clients are allowed to listen to a multicast stream on the multicast VLAN. The MGID is
generated using the multicast VLAN and the multicast IP address. If multiple clients on the VLAN pool
of the same WLAN are listening to a single multicast IP address, a single MGID is generated. The
controller makes sure that all multicast streams from the clients on this VLAN pool always go out on the
multicast VLAN, so that the upstream router has one entry for all the VLANs of the VLAN pool. Only
one multicast stream hits the VLAN pool even if the clients are on different VLANs. Therefore, the
multicast packets that are sent out over the air form just one stream.
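The duplication described above can be seen with a short model of how MGIDs are keyed. The following Python is an added example, not code from the Cisco guide or from the controller software: the (group, VLAN) keying, the sample clients, the VLAN pool and the multicast addresses are all constructed assumptions based on the description in this section.

```python
"""Added example (not from the Cisco guide): a small model of MGID creation
on a VLAN-pooled WLAN, with and without a multicast VLAN, to show why the
multicast optimization feature collapses per-VLAN copies into one stream.
The MGID keys used here are an assumption drawn from the guide's text:
(group, client VLAN) without the feature, (group, multicast VLAN) with it."""
from collections import namedtuple

# A client in the VLAN pool: MAC, the pool VLAN it landed on, and the
# multicast groups it has joined (all values are constructed sample data).
Client = namedtuple("Client", "mac vlan groups")


def mgid_keys(clients, multicast_vlan=None):
    """Return the set of (group, vlan) keys for which the controller would
    create an MGID. With a multicast VLAN configured, every group is keyed
    on that VLAN regardless of which pool VLAN the client is on."""
    keys = set()
    for client in clients:
        vlan = client.vlan if multicast_vlan is None else multicast_vlan
        for group in client.groups:
            keys.add((group, vlan))
    return keys


def copies_per_group(keys):
    """Number of distinct VLANs carrying each group. This is the number of
    copies the upstream router sends and, because all clients share one
    WLAN, the number of copies of that stream sent over the air."""
    vlans_by_group = {}
    for group, vlan in keys:
        vlans_by_group.setdefault(group, set()).add(vlan)
    return {group: len(vlans) for group, vlans in vlans_by_group.items()}


# Constructed sample: a pool of four VLANs, four clients spread across them,
# all joined to 239.1.1.1 and one of them also joined to 239.2.2.2.
VLAN_POOL = [10, 11, 12, 13]
MULTICAST_VLAN = 10   # one VLAN of the pool designated as the multicast VLAN
SAMPLE_CLIENTS = [
    Client("00:11:22:33:44:01", 10, frozenset({"239.1.1.1"})),
    Client("00:11:22:33:44:02", 11, frozenset({"239.1.1.1"})),
    Client("00:11:22:33:44:03", 12, frozenset({"239.1.1.1", "239.2.2.2"})),
    Client("00:11:22:33:44:04", 13, frozenset({"239.1.1.1"})),
]


def compare(clients=SAMPLE_CLIENTS, multicast_vlan=MULTICAST_VLAN):
    """Return (copies per group without the feature, copies with it)."""
    without = copies_per_group(mgid_keys(clients))
    with_feature = copies_per_group(mgid_keys(clients, multicast_vlan))
    return without, with_feature


def duplicates_within_pool_bound(clients, pool):
    """Check the guide's worst case: without the feature, no group has more
    copies than there are VLANs in the pool."""
    counts = copies_per_group(mgid_keys(clients)).values()
    return all(n <= len(pool) for n in counts)


if __name__ == "__main__":
    without, with_feature = compare()
    for group in sorted(without):
        print(f"{group}: {without[group]} copies without multicast VLAN, "
              f"{with_feature[group]} with it")
```

With the sample clients, 239.1.1.1 is carried on all four pool VLANs without the feature and on a single VLAN with it, which is the one-stream result the text describes; the bound check confirms that the worst case never exceeds the pool size.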
Configuring Multicast VLAN
This section contains the following topics:
• Configuring Multicast VLAN (GUI), page 4-43
• Configuring Multicast VLAN (CLI), page 4-43
Configuring Multicast VLAN (GUI)
Step 1
Choose the WLANs tab.
The WLANs tab appears.
Step 2
Click the WLAN ID of the WLAN that you want to choose for a multicast VLAN.
The WLANs > Edit page appears.
Step 3
Enable the multicast VLAN feature by selecting the Multicast VLAN feature check box.
The Multicast Interface drop-down list appears.
Step 4
Choose the VLAN from the Multicast Interface drop-down list.
Step 5
Click Apply.
Configuring Multicast VLAN (CLI)
Use the config wlan multicast interface wlan_id enable interface_name command to configure the
multicast VLAN feature.
Chapter 4
Configuring Controller Settings
This chapter contains these sections:
• Installing and Configuring Licenses, page 4-2
• Configuring 802.11 Bands, page 4-25
• Configuring 802.11n Parameters, page 4-29
• Configuring 802.11h Parameters, page 4-34
• Configuring DHCP Proxy, page 4-36
• Configuring Administrator Usernames and Passwords, page 4-38
• Configuring SNMP, page 4-39
• SNMP Community Strings, page 4-40
• Changing the Default Values for SNMP v3 Users, page 4-42
• Configuring Aggressive Load Balancing, page 4-44
• Configuring Band Selection, page 4-48
• Configuring Fast SSID Changing, page 4-50
• Enabling 802.3X Flow Control, page 4-51
• Configuring 802.3 Bridging, page 4-51
• Configuring Multicast Mode, page 4-54
• Configuring Client Roaming, page 4-59
• Configuring IP-MAC Address Binding, page 4-64
• Configuring Quality of Service, page 4-66
• Configuring Voice and Video Parameters, page 4-73
• Configuring SIP Based CAC, page 4-88
• Configuring Voice Prioritization Using Preferred Call Numbers, page 4-88
• Configuring EDCA Parameters, page 4-90
• Configuring the Cisco Discovery Protocol, page 4-93
• Configuring Authentication for the Controller and NTP Server, page 4-101
• Configuring RFID Tag Tracking, page 4-102
• Configuring and Viewing Location Settings, page 4-110
• Using the Wireless LAN Controller Network Module, page 4-116
• Resetting the Controller to Default Settings, page 4-116
Installing and Configuring Licenses
This section contains the following topics:
• Information About Installing and Configuring Licenses, page 4-2
• Guidelines and Limitations, page 4-2
• Obtaining an Upgrade or Capacity Adder License, page 4-4
• Installing a License, page 4-7
• Viewing Licenses, page 4-9
• Activating an AP-Count Evaluation License, page 4-13
• Rehosting Licenses, page 4-16
• Configuring the License Agent, page 4-22
Information About Installing and Configuring Licenses
You can order Cisco 5500 Series Controllers with support for 12, 25, 50, 100, 250, or 500 access points
as the controller’s base capacity. You can add additional access point capacity through capacity adder
licenses available at 25, 50, 100, and 250 access point capacities. You can add the capacity adder licenses
to any base license in any combination to arrive at the maximum capacity of 500 access points. The base
and adder licenses are supported through both rehosting and RMAs.
Guidelines and Limitations
• These controller platforms do not require licenses: Cisco 2100 and Cisco 4400 Series Controllers,
Cisco WiSMs, Controller Network Modules, and Catalyst 3750G Integrated Wireless LAN
Controller Switches.
• All features included in a Wireless LAN Controller Wplus license are now included in the base
license; this change is introduced in release 6.0.196.0. There are no changes to WCS BASE and
PLUS licensing.
• The base license supports the standard base software set and, for releases 6.0.196.0 and later, the
premium software set is included as part of the base feature set, which includes this functionality:
• Datagram Transport Layer Security (DTLS) data encryption for added security across remote WAN
and LAN links. For more information about data encryption, see the “Configuring Data Encryption”
section on page 9-3.
• The availability of data DTLS for the 7.0.116.0 release is as follows:
Cisco 5500 Series Controller—The Cisco 5500 Series Controller will be available with two
licensing options: one image with data DTLS capabilities and another image without data DTLS.
2500, WiSM2, WLC2—These platforms by default will not contain DTLS. To turn on data DTLS,
you must install a license. These platforms will have a single image with data DTLS turned off. To
use data DTLS you will need to have a license.
• Support for OfficeExtend access points, which are used for secure mobile teleworking. For more
information about the OfficeExtend access points, see the “Configuring OfficeExtend Access
Points” section on page 9-62.
• Support for the 1130AG and 1240AG series indoor mesh access points, which dynamically establish
wireless connections in locations where it might be difficult to connect to the wired network. For
more information about mesh access points, see Chapter 10, “Controlling Mesh Access Points.”
• All features included in a Wireless LAN Controller WPLUS license are now included in the base
license; this change is introduced in release 6.0.196.0. There are no changes to WCS BASE and
PLUS licensing. These WPlus license features are included in the base license:
– OfficeExtend AP
– Enterprise Mesh
– CAPWAP Data Encryption
• The licensing change can affect features on your wireless LAN when you upgrade or downgrade
software releases, so you should be aware of these guidelines:
– If you have a WPlus license and you upgrade from 6.0 or later to 7.0.98.0, your license file
contains both Basic and WPlus license features. You will not see any disruption in feature
availability and operation.
– If you have a WPlus license and you downgrade from 7.0.98.0 to 6.0.196.0 or 6.0.188 or
6.0.182, your license file contains only the base license, and you will lose all WPlus features.
– If you have a base license and you downgrade from 6.0.196.0 to 6.0.188 or 6.0.182, when you
downgrade, you lose all WPlus features.
• In the controller software 7.0.116.0 and later releases, the AP association trap is
ciscoLwappApAssociated. In prior releases, the trap was bsnAPAssociated.
• To view the controller trap log, choose Monitor and click View All under “Most Recent Traps” on
the controller GUI.
Note
You can also view traps by using SNMP-based management tools.
Figure 4-1 Trap Logs Page
• The ap-count licenses and their corresponding image-based licenses are installed together. The
controller keeps track of the licensed access point count and does not allow more than the licensed
number of access points to associate to it.
• The Cisco 5500 Series Controller is shipped with both permanent and evaluation base and
base-ap-count licenses. If desired, you can activate the evaluation licenses, which are designed for
temporary use and set to expire after 60 days.
• See the “Activating an AP-Count Evaluation License” section on page 4-13 for instructions on
activating an ap-count evaluation license.
Note
No licensing steps are required after you receive your Cisco 5500 Series Controller because the
licenses you ordered are installed at the factory. In addition, licenses and product authorization keys
(PAKs) are preregistered to serial numbers. However, as your wireless network evolves, you might
want to add support for additional access points or upgrade from the standard software set to the
base software set. To do so, you need to obtain and install an upgrade license.
Obtaining an Upgrade or Capacity Adder License
This section contains the following topics:
• Information About Obtaining an Upgrade or Capacity Adder License, page 4-4
• Obtaining and Registering a PAK Certificate, page 4-6
Information About Obtaining an Upgrade or Capacity Adder License
A certificate with a product authorization key (PAK) is required before you can obtain an upgrade
license.
You can use the capacity adder licenses to increase the number of access points supported by the
controller up to a maximum of 500 access points. The capacity adder licenses are available in access
point capacities of 10, 25, 50, 100 and 250 access points. You can add these licenses to any of the base
capacity licenses of 12, 25, 50, 100 and 250 access points.
For example, if your controller was initially ordered with support for 100 access points (base license
AIR-CT5508-100-K9), you could increase the capacity to 500 access points by purchasing a 250 access
point, 100 access point, and a 50 access point additive capacity license (LIC-CT5508-250A,
LIC-CT5508-100A, and LIC-CT5508-50A).
You can find more information on ordering capacity adder licenses at this URL:
http://www.cisco.com/en/US/products/ps10315/products_data_sheets_list.html
Note
If you skip any tiers when upgrading (for example, if you do not install the -25U and -50U licenses along
with the -100U), the license registration for the upgraded capacity fails.
For a single controller, you can order different upgrade licenses in one transaction (for example, -25U,
-50U, -100U, and -250U), for which you receive one PAK with one license. Then you have only one
license (instead of four) to install on your controller.
If you have multiple controllers and want to upgrade all of them, you can order multiple quantities of
each upgrade license in one transaction (for example, you can order 10 each of the -25U, -50U, -100U,
and -250U upgrade licenses), for which you receive one PAK with one license. You can continue to
register the PAK for multiple controllers until it is exhausted.
Base license SKUs for the Cisco 5500 Series Controllers are as follows:
• AIR-CT5508-12-K9
• AIR-CT5508-25-K9
• AIR-CT5508-50-K9
• AIR-CT5508-100-K9
• AIR-CT5508-250-K9
• AIR-CT5508-500-K9
Base license SKUs for the Cisco 2500 Series Controllers are as follows:
• AIR-CT2504-5-K9
• AIR-CT2504-15-K9
• AIR-CT2504-25-K9
• AIR-CT2504-50-K9
Base license SKUs for the Cisco WiSM2 Controllers are as follows:
• WS-SVC-WISM2-1-K9—WiSM2 with 100 AP support
• WS-SVC-WISM2-3-K9—WiSM2 with 300 AP support
• WS-SVC-WISM2-5-K9—WiSM2 with 500 AP support
Table 4-1 lists the available adder licenses for the 5500 and 2500 Series Controllers.
Table 4-1 Available Capacity Adder Licenses

Type    Part Number         Description
------  ------------------  ------------------------------------------------------
e-mail  L-LIC-CT5508-UPG    Primary upgrade SKU: Pick any number or combination of
                            the following options under this SKU to upgrade one or
                            many controllers under one product authorization key
        L-LIC-CT5508-25A    25 AP Adder License for the 5508 Controller (eDelivery)
        L-LIC-CT5508-50A    50 AP Adder License for the 5508 Controller (eDelivery)
        L-LIC-CT5508-100A   100 AP Adder License for the 5508 Controller (eDelivery)
        L-LIC-CT5508-250A   250 AP Adder License for the 5508 Controller (eDelivery)
        L-LIC-CT2504-UPG    Primary upgrade SKU: Pick any number or combination of
                            the following options under this SKU to upgrade one or
                            many controllers under one product authorization key
        L-LIC-CT2504-5A     5 AP Adder License for Cisco 2504 Wireless Controller
                            (e-Delivery)
        L-LIC-CT2504-25A    25 AP Adder License for Cisco 2504 Wireless Controller
                            (e-Delivery)
paper   LIC-CT5508-UPG      Primary upgrade SKU: Pick any number or combination of
                            the following options under this SKU, to upgrade one or
                            many controllers under one product authorization key
        LIC-CT5508-25A      25 AP Adder License for the 5508 Controller
        LIC-CT5508-50A      50 AP Adder License for the 5508 Controller
        LIC-CT5508-100A     100 AP Adder License for the 5508 Controller
        LIC-CT5508-250A     250 AP Adder License for the 5508 Controller
        LIC-CT2504-UPG      Primary upgrade SKU: Pick any number or combination of
                            the following options under this SKU to upgrade one or
                            many controllers under one product authorization key
        LIC-CT2504-5A       5 AP Adder License for Cisco 2504 Controller
                            (Paper Certificate - US Mail)
        LIC-CT2504-25A      25 AP Adder License for Cisco 2504 Controller
                            (Paper Certificate - US Mail)
Obtaining and Registering a PAK Certificate
Step 1
Order the PAK certificate for an upgrade license through your Cisco channel partner or your Cisco sales
representative, or order it online at this URL:
http://www.cisco.com/go/ordering
Step 2
If you are ordering online, begin by choosing the primary upgrade SKU L-LIC-CT5508-UPG or LIC
CT5508-UPG. Then, choose any number of the following options to upgrade one or more controllers
under one PAK. Table 4-1 lists the capacity adder licenses available through e-mail or on paper: After
you receive the certificate, use one of two methods to register the PAK:
• Cisco License Manager (CLM)—This method automates the process of obtaining licenses and
deploying them on Cisco devices. For deployments with more than five controllers, we recommend
using CLM to register PAKs and install licenses. You can also use CLM to rehost or RMA a license.
Note
You cannot use CLM to change the licensed feature set or activate an ap-count evaluation
license. To perform these operations, you must follow the instructions in the “Activating an
AP-Count Evaluation License” section on page 4-13. Because you can use CLM to perform
all other license operations, you can disregard the remaining licensing information in this
chapter except these two sections and the “Configuring the License Agent” section on
page 4-22 if you want your controller to use HTTP to communicate with CLM.
Note
You can download the CLM software and access user documentation at this URL:
http://www.cisco.com/go/clm
• Licensing portal—This alternative method enables you to manually obtain and install licenses on
your controller. If you want to use the licensing portal to register the PAK, follow the instructions
in Step 3.
Step 3
Use the licensing portal to register the PAK as follows:
a. Go to http://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet
b. On the main Product License Registration page, enter the PAK mailed with the certificate in the
Product Authorization Key (PAK) text box and click Submit.
c. On the Validate Features page, enter the number of licenses that you want to register in the Qty text
box and click Update.
d. To determine the controller’s product ID and serial number, choose Controller > Inventory on the
controller GUI or enter the show license udi command on the controller CLI.
Information similar to the following appears on the controller CLI:
Device# PID                  SN                      UDI
------- -------------------- ----------------------- --------------------------------
*0      AIR-CT5508-K9        FCW1308L030             AIR-CT5508-K9:FCW1308L030
e. On the Designate Licensee page, enter the product ID and serial number of the controller on which
you plan to install the license, read and accept the conditions of the end-user license agreement
(EULA), complete the rest of the text boxes on this page, and click Submit.
f. On the Finish and Submit page, verify that all information is correct and click Submit.
g. When a message appears indicating that the registration is complete, click Download License. The
license is e-mailed within 1 hour to the address that you specified.
h. When the e-mail arrives, follow the instructions provided.
i. Copy the license file to your TFTP server.
Installing a License
This section contains the following topics:
• Installing a License (GUI), page 4-7
• Installing a License (CLI), page 4-8
• Additional References, page 4-9
Installing a License (GUI)
Step 1
Choose Management > Software Activation > Commands to open the License Commands page.
Figure 4-2 License Commands Page
Step 2
From the Action drop-down list, choose Install License. The Install License from a File section appears.
Step 3
In the File Name to Install text box, enter the path to the license (*.lic) on the TFTP server.
Step 4
Click Install License. A message appears to show whether the license was installed successfully. If the
installation fails, the message provides the reason for the failure, such as the license is an existing
license, the path was not found, the license does not belong to this device, you do not have correct
permissions for the license, and so on.
Step 5
If the end-user license agreement (EULA) acceptance dialog box appears, read the agreement and click
Accept to accept the terms of the agreement.
Note
Typically, you are prompted to accept the EULA for evaluation, extension, and rehost licenses.
The EULA is also required for permanent licenses, but it is accepted during license generation.
Step 6
Save a backup copy of all installed licenses as follows:
a. From the Action drop-down list, choose Save License.
b. In the File Name to Save text box, enter the path on the TFTP server where you want the licenses to
be saved.
Note
You cannot save evaluation licenses.
c. Click Save Licenses.
Step 7
Reboot the controller.
Installing a License (CLI)
Step 1
Install a license on the controller by entering this command:
license install url
where url is tftp://server_ip/path/filename.
Note
To remove a license from the controller, enter the license clear license_name command. For
example, you might want to delete an expired evaluation license or any unused license. You
cannot delete unexpired evaluation licenses, the permanent base image license, or licenses that
are in use by the controller.
Step 2
If you are prompted to accept the end-user license agreement (EULA), read and accept the terms of the
agreement.
Note
Typically, you are prompted to accept the EULA for evaluation, extension, and rehost licenses.
The EULA is also required for permanent licenses, but it is accepted during license generation.
Step 3
Add comments to a license or delete comments from a license by entering this command:
license comment {add | delete} license_name comment_string
Step 4
Save a backup copy of all installed licenses by entering this command:
license save url
where url is tftp://server_ip/path/filename.
Step 5
Reboot the controller by entering this command:
reset system
Additional References
• To see the status of the license that is installed, see the “Viewing Licenses” section on page 4-9.
• To modify the license that is used by the controller, see the “Activating an AP-Count Evaluation
License” section on page 4-13.
Viewing Licenses
This section contains the following topics:
• Viewing Licenses (GUI), page 4-9
• Viewing Licenses (CLI), page 4-11
Viewing Licenses (GUI)
Step 1
Choose Management > Software Activation > Licenses to open the Licenses page.
Figure 4-3 Licenses Page
This page lists all of the licenses installed on the controller. For each license, it shows the license type,
expiration, count (the maximum number of access points allowed for this license), priority (low,
medium, or high), and status (in use, not in use, inactive, or EULA not accepted).
Note
Controller platforms do not support the status of “grace period” or “extension” as a license type.
The license status will always show “evaluation” even if a grace period or an extension
evaluation license is installed.
Note
If you ever want to remove a license from the controller, hover your cursor over the blue
drop-down arrow for the license and click Remove. For example, you might want to delete an
expired evaluation license or any unused license. You cannot delete unexpired evaluation
licenses, the permanent base image license, or licenses that are in use by the controller.
Step 2
Click the link for the desired license to view more details for a particular license. The License Detail
page appears.
This page shows the following additional information for the license:
• The license type (permanent, evaluation, or extension)
• The license version
• The status of the license (in use, not in use, inactive, or EULA not accepted)
• The length of time before the license expires
Note
Permanent licenses never expire.
• Whether the license is a built-in license
• The maximum number of access points allowed for this license
• The number of access points currently using this license
Step 3
If you want to enter a comment for this license, type it in the Comment text box and click Apply.
Step 4
Click Save Configuration to save your changes.
Viewing Licenses (CLI)
• See the license level, license type, and number of access points licensed on the controller by entering
this command:
show sysinfo
Information similar to the following appears:
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0
RTOS Version..................................... 7.0
Bootloader Version............................... 5.2
Emergency Image Version.......................... N/A
Build Type....................................... DATA + WPS
System Name...................................... Cisco 69
System Location.................................. na
System Contact................................... abc@cisco.com
System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3
IP Address....................................... 10.10.10.10
System Up Time................................... 3 days 1 hrs 12 mins 42 secs
System Timezone Location.........................
CurrentBoot License Level..........................base
CurrentBoot License Type...........................Permanent
NextBoot License Level............................base
NextBoot License Type.............................Permanent
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +40 C
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 4
Number of Active Clients......................... 0
Burned-in MAC Address............................ 00:1A:6D:DD:1E:40
Crypto Accelerator 1............................. Absent
Crypto Accelerator 2............................. Absent
Power Supply 1................................... Absent
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 12
Note
The Operating Environment and Internal Temp Alarm Limits data are not displayed for Cisco
Flex 7500 Series Controllers.
• See a brief summary of all active licenses installed on the controller by entering this command:
show license summary
Information similar to the following appears:
Index 1 Feature: wplus
Period left: 0 minute 0 second
Index 2 Feature: wplus-ap-count
Period left: 0 minute 0 second
Index 3 Feature: base
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 4 Feature: base-ap-count
Period left: 6 weeks, 4 days
License Type: Evaluation
License State: Active, In Use
License Count: 250/250/0
License Priority: High
• See all of the licenses installed on the controller by entering this command:
show license all
Information similar to the following appears:
License Store: Primary License Storage
StoreIndex: 1 Feature: base
Version: 1.0
License Type: Permanent
License State: Active, Not in Use
License Count: Non-Counted
License Priority: Medium
StoreIndex: 3 Feature: base-ap-count
Version: 1.0
License Type: Evaluation
License State: Active, In Use
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 3 days
License Count: 250/0/0
License Priority: High
• See the details for a particular license by entering this command:
show license detail license_name
Information similar to the following appears:
Index: 1 Feature: base-ap-count
Version: 1.0
License Type: Permanent
License State: Active, Not in Use
License Count: 12/0/0
License Priority: Medium
Store Index: 0
Store Name: Primary License Storage
Index: 2 Feature: base-ap-count
Version: 1.0
License Type: Evaluation
License State: Inactive
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
License Count: 250/0/0
License Priority: Low
Store Index: 3
Store Name: Evaluation License Storage
• See all expiring, evaluation, permanent, or in-use licenses by entering this command:
show license {expiring | evaluation | permanent | in-use}
Information similar to the following appears for the show license in-use command:
StoreIndex: 2 Feature: base-ap-count Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: 12/12/0
License Priority: Medium
StoreIndex: 3 Feature: base Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Note
Controller platforms do not support the status of “grace period” or “extension” as a license type.
The license status will always show “evaluation” even if a grace period or an extension
evaluation license is installed.
• See the maximum number of access points allowed for this license on the controller, the number of
access points currently joined to the controller, and the number of access points that can still join
the controller by entering this command:
show license capacity
Information similar to the following appears:
Licensed Feature   Max Count   Current Count   Remaining Count
-----------------  ----------  --------------  ----------------
AP Count           250         4               246
• See statistics for all licenses on the controller by entering this command:
show license statistics
Information similar to the following appears:
Administrative statistics
Install success count:          2
Install failure count:          0
Install duplicate count:        0
Comment add count:              0
Comment delete count:           0
Clear count:                    0
Save count:                     2
Save cred count:                0
Client status
Request success count           2
Request failure count           0
Release count                   0
Global Notify count             6
• See a summary of license-enabled features by entering this command:
show license feature
Information similar to the following appears:
Feature name    Enforcement   Evaluation   Clear Allowed   Enabled
base            yes           yes          yes             yes
base-ap-count   yes           yes          yes             no
Activating an AP-Count Evaluation License
This section contains the following topics:
• Information About Activating an AP-Count Evaluation License, page 4-14
• Activating an AP-Count Evaluation License, page 4-14
Information About Activating an AP-Count Evaluation License
If you are considering upgrading to a license with a higher access point count, you can try an evaluation
license before upgrading to a permanent version of the license. For example, if you are using a permanent
license with a 50-access-point count and want to try an evaluation license with a 100-access-point count,
you can try out the evaluation license for 60 days.
AP-count evaluation licenses are set to low priority by default so that the controller uses the ap-count
permanent license. If you want to try an evaluation license with an increased access point count, you
must change its priority to high. If you no longer want to have this higher capacity, you can lower the
priority of the ap-count evaluation license, which forces the controller to use the permanent license.
Note
To prevent disruptions in operation, the controller does not switch licenses when an evaluation license
expires. You must reboot the controller in order to return to a permanent license. Following a reboot, the
controller defaults to the same feature set level as the expired evaluation license. If no permanent license
at the same feature set level is installed, the controller uses a permanent license at another level or an
unexpired evaluation license.
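The show license summary output in the Viewing Licenses (CLI) section and the note above about expired evaluation licenses both suggest a simple check an operator can run against saved CLI output before an evaluation license lapses and the controller falls back to a smaller AP count on its next reboot. The following Python is an added example, not code from the Cisco guide or from the controller; the sample output is constructed to mirror the one shown in this guide, and the finding names and the 14-day warning threshold are this example's own assumptions.

```python
"""Added example (not from the Cisco guide): parse the text of 'show license
summary' and report licenses that need attention: expired entries, an
expired license that is still in use (the guide says the controller keeps
using it until a reboot), and in-use evaluation licenses nearing expiry.
The sample output is constructed to mirror the guide's; the warning
threshold and the finding names are this example's own choices."""
import re
from datetime import timedelta

# Constructed sample, modelled on the 'show license summary' output in the guide.
SAMPLE_SUMMARY = """\
Index 1 Feature: wplus
        Period left: 0 minute 0 second
Index 2 Feature: wplus-ap-count
        Period left: 0 minute 0 second
Index 3 Feature: base
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
Index 4 Feature: base-ap-count
        Period left: 6 weeks, 4 days
        License Type: Evaluation
        License State: Active, In Use
        License Count: 250/250/0
        License Priority: High
"""

_UNIT_SECONDS = {"week": 7 * 86400, "day": 86400, "hour": 3600,
                 "minute": 60, "second": 1}


def parse_summary(text):
    """Split the output into one dict per 'Index N Feature: x' block.
    Attribute keys are lower-cased ('period left', 'license type', ...)."""
    entries, current = [], None
    for line in text.splitlines():
        head = re.match(r"\s*Index\s*(\d+)\s+Feature:\s*(\S+)", line)
        if head:
            current = {"index": int(head.group(1)), "feature": head.group(2)}
            entries.append(current)
            continue
        attr = re.match(r"\s*([A-Za-z ]+?):\s*(.*\S)", line)
        if attr and current is not None:
            current[attr.group(1).strip().lower()] = attr.group(2).strip()
    return entries


def period_left(value):
    """'Life time' -> None (permanent); '6 weeks, 4 days' -> timedelta."""
    if value.strip().lower().startswith("life"):
        return None
    seconds = sum(int(n) * _UNIT_SECONDS[unit]
                  for n, unit in re.findall(
                      r"(\d+)\s*(week|day|hour|minute|second)s?", value))
    return timedelta(seconds=seconds)


def license_findings(text, warn_days=14):
    """Return (finding, feature) pairs in output order."""
    findings = []
    for entry in parse_summary(text):
        left = period_left(entry.get("period left", "Life time"))
        in_use = "in use" in entry.get("license state", "").lower()
        is_eval = entry.get("license type", "").lower() == "evaluation"
        if left is None:
            continue                      # permanent: nothing to report
        if left == timedelta(0):
            # An expired license still marked in use is the case the guide
            # warns about: the controller switches only after a reboot.
            findings.append(("expired-in-use-reboot-required" if in_use
                             else "expired", entry["feature"]))
        elif in_use and is_eval:
            findings.append(("evaluation-expiring"
                             if left <= timedelta(days=warn_days)
                             else "evaluation-in-use", entry["feature"]))
    return findings


if __name__ == "__main__":
    for finding, feature in license_findings(SAMPLE_SUMMARY):
        print(f"{finding:32} {feature}")
```

Run against the sample, the two zero-period wplus entries are reported as expired and the in-use base-ap-count evaluation license is reported as in use with 46 days left; raising warn_days above 46 turns that finding into an expiry warning. The same parser works on show license all output as long as each block starts with an Index line.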
Activating an AP-Count Evaluation License
This section contains the following topics:
• Activating an AP-Count Evaluation License (GUI), page 4-14
• Activating an AP-Count Evaluation License (CLI), page 4-15
Activating an AP-Count Evaluation License (GUI)
Step 1
Choose Management > Software Activation > Licenses to open the Licenses page.
Figure 4-4 Licenses Page
The Status column shows which licenses are currently in use, and the Priority column shows the current
priority of each license.
Step 2
Activate an ap-count evaluation license as follows:
a. Click the link for the ap-count evaluation license that you want to activate. The License Detail page
appears.
b. Choose High from the Priority drop-down list and click Set Priority.
Note
You can set the priority only for ap-count evaluation licenses. AP-count permanent licenses
always have a medium priority, which cannot be configured.
c. Click OK when prompted to confirm your decision about changing the priority of the license.
d. When the EULA appears, read the terms of the agreement and then click Accept.
e. When prompted to reboot the controller, click OK.
f. Reboot the controller in order for the priority change to take effect.
g. Click Licenses to open the Licenses page and verify that the ap-count evaluation license now has a
high priority and is in use. You can use the evaluation license until it expires.
Step 3
If you decide to stop using the ap-count evaluation license and want to revert to using an ap-count
permanent license, follow these steps:
a. On the Licenses page, click the link for the ap-count evaluation license that is in use.
b. Choose Low from the Priority drop-down list and click Set Priority.
Note
You can set the priority only for ap-count evaluation licenses. AP-count permanent licenses
always have a medium priority, which cannot be configured.
c. Click OK when prompted to confirm your decision about changing the priority of the license.
d. When the EULA appears, read the terms of the agreement and then click Accept.
e. When prompted to reboot the controller, click OK.
f. Reboot the controller in order for the priority change to take effect.
g. Click Licenses to open the Licenses page and verify that the ap-count evaluation license now has a
low priority and is not in use. Instead, the ap-count permanent license should be in use.
Activating an AP-Count Evaluation License (CLI)
Step 1
See the current status of all the licenses on your controller by entering this command:
show license all
Information similar to the following appears:
License Store: Primary License Storage
StoreIndex: 0 Feature: base-ap-count
Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: 12/0/0
License Priority: Medium
StoreIndex: 1 Feature: base
Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
StoreIndex: 2 Feature: base
Version: 1.0
License Type: Evaluation
License State: Inactive
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
License Count: Non-Counted
License Priority: Low
StoreIndex: 3 Feature: base-ap-count
Version: 1.0
License Type: Evaluation
License State: Inactive
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
License Count: 250/0/0
License Priority: Low
The License State text box shows the licenses that are in use, and the License Priority text box shows the
current priority of each license.
Step 2
Activate an ap-count evaluation license as follows:
a. To raise the priority of the base-ap-count evaluation license, enter this command:
license modify priority license_name high
Note
You can set the priority only for ap-count evaluation licenses. AP-count permanent licenses always have a medium priority, which cannot be configured.
b. To reboot the controller in order for the priority change to take effect, enter this command:
reset system
c. To verify that the ap-count evaluation license now has a high priority and is in use, enter this command:
show license all
You can use the evaluation license until it expires.
Step 3
If you decide to stop using the ap-count evaluation license and want to revert to using an ap-count
permanent license, follow these steps:
a. To lower the priority of the ap-count evaluation license, enter this command:
license modify priority license_name low
b. To reboot the controller in order for the priority change to take effect, enter this command:
reset system
c. To verify that the ap-count evaluation license now has a low priority and is not in use, enter this command:
show license all
Instead, the ap-count permanent license should be in use.
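The following is an added example, not Cisco code, that applies the priority rules described at the start of this section to a show license all listing: it parses the listing in the format shown in Step 1, reports which base-ap-count license wins at the next reboot, and flags an evaluation license in use together with the capacity drop when the controller reverts to the permanent license. It assumes that the first number of the License Count triple is the licensed AP count (the guide does not explain the triple); the second listing below is a constructed variant of the first.

```python
"""Audit a WLC 'show license all' listing for AP-count license risk.
Added example, not Cisco code. Assumes the listing format shown in Step 1 and that
the first number of 'License Count: a/b/c' is the licensed AP count (an assumption;
the guide does not explain the triple)."""
import re
from dataclasses import dataclass
from typing import List, Optional

PRIORITY_RANK = {"High": 3, "Medium": 2, "Low": 1}  # eval: High/Low; permanent: always Medium
FIELDS = {"License Type": "ltype", "License State": "state",
          "License Count": "count", "License Priority": "priority"}

@dataclass
class License:
    index: int
    feature: str
    ltype: str = ""
    state: str = ""
    count: str = ""
    priority: str = ""
    days_left: Optional[int] = None  # evaluation licenses only

    @property
    def in_use(self) -> bool:
        return "In Use" in self.state and "Not In Use" not in self.state

    @property
    def ap_count(self) -> Optional[int]:
        m = re.match(r"(\d+)/", self.count)
        return int(m.group(1)) if m else None

def parse_period(text: str) -> int:
    """'8 weeks 4 days' -> 60 (days)."""
    w, d = re.search(r"(\d+)\s+week", text), re.search(r"(\d+)\s+day", text)
    return 7 * (int(w.group(1)) if w else 0) + (int(d.group(1)) if d else 0)

def parse_show_license_all(text: str) -> List[License]:
    """One License per 'StoreIndex: N Feature: X' block of the listing."""
    licenses: List[License] = []
    cur: Optional[License] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"StoreIndex:\s*(\d+)\s+Feature:\s*(\S+)", line)
        if m:
            cur = License(int(m.group(1)), m.group(2))
            licenses.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            key, val = key.strip(), val.strip()
            if key in FIELDS:
                setattr(cur, FIELDS[key], val)
            elif key == "Evaluation period left":
                cur.days_left = parse_period(val)
    return licenses

def audit_ap_count(licenses: List[License], warn_days: int = 14):
    """Return (base-ap-count license that wins at the next reboot, findings).
    The controller keeps its current license until a reboot, so the winner is the
    highest-priority unexpired base-ap-count license; the findings flag an
    evaluation license in use and the capacity drop when it is replaced."""
    cands = [lic for lic in licenses if lic.feature == "base-ap-count"]
    unexpired = [lic for lic in cands if lic.days_left != 0]
    winner = max(unexpired, key=lambda lic: PRIORITY_RANK.get(lic.priority, 0), default=None)
    perm_aps = max((lic.ap_count or 0 for lic in cands if lic.ltype == "Permanent"), default=0)
    findings: List[str] = []
    for lic in cands:
        if not (lic.in_use and lic.ltype == "Evaluation"):
            continue
        findings.append(f"evaluation ap-count license {lic.index} in use: "
                        f"{lic.ap_count} APs, {lic.days_left} days left")
        if lic.days_left is not None and lic.days_left <= warn_days:
            findings.append(f"license {lic.index} expires within {warn_days} days")
        if (lic.ap_count or 0) > perm_aps:
            findings.append(f"capacity falls from {lic.ap_count} to {perm_aps} APs "
                            "when the controller reverts to the permanent license")
    return winner, findings

# Constructed sample: the Step 1 listing above, reduced to its base-ap-count entries.
SAMPLE_DEFAULT = """\
StoreIndex: 0 Feature: base-ap-count
License Type: Permanent
License State: Active, In Use
License Count: 12/0/0
License Priority: Medium
StoreIndex: 3 Feature: base-ap-count
License Type: Evaluation
License State: Inactive
Evaluation total period: 8 weeks 4 days
Evaluation period left: 8 weeks 4 days
License Count: 250/0/0
License Priority: Low
"""
# Constructed: the same controller after Step 2 (evaluation priority raised to
# High and rebooted), with 13 days of the evaluation period left.
SAMPLE_EVAL_ACTIVE = (SAMPLE_DEFAULT
    .replace("License State: Active, In Use", "License State: Inactive", 1)
    .replace("License State: Inactive\nEvaluation", "License State: Active, In Use\nEvaluation")
    .replace("period left: 8 weeks 4 days", "period left: 1 weeks 6 days")
    .replace("License Priority: Low", "License Priority: High"))
```

Running audit_ap_count on the two listings shows the permanent 12-AP license winning in the default state, and, once the evaluation license is in use, the expiry warning and the drop from 250 to 12 APs that a reboot after expiry would bring.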
Rehosting Licenses
This section contains the following topics:
• Information About Rehosting Licenses, page 4-17
• Rehosting a License, page 4-17
Information About Rehosting Licenses
Revoking a license from one controller and installing it on another is called rehosting. You might want
to rehost a license in order to change the purpose of a controller. For example, if you want to move your
OfficeExtend or indoor mesh access points to a different controller, you could transfer the adder license
from one controller to another controller of the same model, say from one 5500 series controller to
another 5500 series controller (intramodel transfer). This can be done in the case of RMA or a network
rearchitecture that requires you to transfer licenses from one appliance to another. It is not possible to
rehost base licenses in normal scenarios of network rearchitecture. The only exception where the transfer
of base licenses is allowed is an RMA, when you receive replacement hardware because your existing
appliance has failed.
Evaluation licenses cannot be rehosted.
In order to rehost a license, you must generate credential information from the controller and use it to
obtain a permission ticket to revoke the license from the Cisco licensing site. Next, you must obtain a
rehost ticket and use it to obtain a license installation file for the controller on which you want to install
the license.
Note
A revoked license cannot be reinstalled on the same controller.
Rehosting a License
This section contains the following topics:
• Rehosting a License (GUI), page 4-17
• Rehosting a License (CLI), page 4-19
Rehosting a License (GUI)
Step 1
Choose Management > Software Activation > Commands to open the License Commands page.
Step 2
From the Action drop-down list, choose Rehost. The Revoke a License from the Device and Generate
Rehost Ticket area appears.
Figure 4-5 License Commands (Rehost) Page
Step 3
In the File Name to Save Credentials text box, enter the path on the TFTP server where you want the
device credentials to be saved and click Save Credentials.
Step 4
To obtain a permission ticket to revoke the license, follow these steps:
a. Click Cisco Licensing (https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet).
b. On the Product License Registration page, click Look Up a License under Manage Licenses.
c. Enter the product ID and serial number for your controller.
Note
To find the controller’s product ID and serial number, choose Controller > Inventory on the controller GUI.
d. Open the device credential information file that you saved in Step 3 and copy and paste the contents of the file into the Device Credentials text box.
e. Enter the security code in the blank box and click Continue.
f. Choose the licenses that you want to revoke from this controller and click Start License Transfer.
g. On the Rehost Quantities page, enter the number of licenses that you want to revoke in the To Rehost text box and click Continue.
h. On the Designate Licensee page, enter the product ID and serial number of the controller for which you plan to revoke the license, read and accept the conditions of the end-user license agreement (EULA), complete the rest of the text boxes on this page, and click Continue.
i. On the Review and Submit page, verify that all information is correct and click Submit.
j. When a message appears indicating that the registration is complete, click Download Permission Ticket. The rehost permission ticket is e-mailed within 1 hour to the address that you specified.
k. After the e-mail arrives, copy the rehost permission ticket to your TFTP server.
Step 5
Use the rehost permission ticket to revoke the license from this controller and generate a rehost ticket as follows:
a. In the Enter Saved Permission Ticket File Name text box, enter the TFTP path and filename (*.lic) for the rehost permission ticket that you generated in Step 4.
b. In the Rehost Ticket File Name text box, enter the TFTP path and filename (*.lic) for the ticket that will be used to rehost this license on another controller.
c. Click Generate Rehost Ticket.
d. When the end-user license agreement (EULA) acceptance dialog box appears, read the agreement and click Accept to accept the terms of the agreement.
Step 6
Use the rehost ticket generated in Step 5 to obtain a license installation file, which can then be installed on another controller as follows:
a. Click Cisco Licensing.
b. On the Product License Registration page, click Upload Rehost Ticket under Manage Licenses.
c. On the Upload Ticket page, enter the rehost ticket that you generated in Step 5 in the Enter Rehost Ticket text box and click Continue.
d. On the Validate Features page, verify that the license information for your controller is correct, enter the rehost quantity, and click Continue.
e. On the Designate Licensee page, enter the product ID and serial number of the controller on which you plan to use the license, read and accept the conditions of the end-user license agreement (EULA), complete the rest of the text boxes on this page, and click Continue.
f. On the Review and Submit page, verify that all information is correct and click Submit.
g. When a message appears indicating that the registration is complete, click Download License. The rehost license key is e-mailed within 1 hour to the address that you specified.
h. After the e-mail arrives, copy the rehost license key to your TFTP server.
i. Follow the instructions in the “Installing a License (GUI)” section on page 4-7 to install this license on another controller.
Rehosting a License (CLI)
Step 1
Save device credential information to a file by entering this command:
license save credential url
where url is tftp://server_ip/path/filename.
Step 2
Obtain a permission ticket to revoke the license as follows:
a. Go to https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet. The Product License Registration page appears.
b. Under Manage Licenses, click Look Up a License.
c. Enter the product ID and serial number for your controller.
Note
To find the controller’s product ID and serial number, enter the show license udi command on the controller CLI.
d. Open the device credential information file that you saved in Step 1 and copy and paste the contents of the file into the Device Credentials text box.
e. Enter the security code in the blank box and click Continue.
f. Choose the licenses that you want to revoke from this controller and click Start License Transfer.
g. On the Rehost Quantities page, enter the number of licenses that you want to revoke in the To Rehost text box and click Continue.
h. On the Designate Licensee page, enter the product ID and serial number of the controller for which you plan to revoke the license, read and accept the conditions of the end-user license agreement (EULA), complete the rest of the text boxes on this page, and click Continue.
i. On the Review and Submit page, verify that all information is correct and click Submit.
j. When a message appears indicating that the registration is complete, click Download Permission Ticket. The rehost permission ticket is e-mailed within 1 hour to the address that you specified.
k. After the e-mail arrives, copy the rehost permission ticket to your TFTP server.
Step 3
Use the rehost permission ticket to revoke the license from this controller and generate a rehost ticket as follows:
a. To revoke the license from the controller, enter this command:
license revoke permission_ticket_url
where permission_ticket_url is tftp://server_ip/path/filename.
b. To generate the rehost ticket, enter this command:
license revoke rehost rehost_ticket_url
where rehost_ticket_url is tftp://server_ip/path/filename.
c. If prompted, read and accept the terms of the end-user license agreement (EULA).
Step 4
Use the rehost ticket generated in Step 3 to obtain a license installation file, which can then be installed
on another controller as follows:
a. Go to https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet.
b. On the Product License Registration page, click Upload Rehost Ticket under Manage Licenses.
c. On the Upload Ticket page, enter the rehost ticket that you generated in Step 3 in the Enter Rehost Ticket text box and click Continue.
d. On the Validate Features page, verify that the license information for your controller is correct, enter the rehost quantity, and click Continue.
e. On the Designate Licensee page, enter the product ID and serial number of the controller on which you plan to use the license, read and accept the conditions of the end-user license agreement (EULA), complete the rest of the text boxes on this page, and click Continue.
f. On the Review and Submit page, verify that all information is correct and click Submit.
g. When a message appears indicating that the registration is complete, click Download License. The rehost license key is e-mailed within 1 hour to the address that you specified.
h. After the e-mail arrives, copy the rehost license key to your TFTP server.
i. Follow the instructions in the “Installing a License (GUI)” section on page 4-7 to install this license on another controller.
Transferring Licenses to a Replacement Controller after an RMA
This section contains the following topics:
• Information About Transferring Licenses to a Replacement Controller after an RMA, page 4-21
• Transferring a License to a Replacement Controller after an RMA, page 4-21
Information About Transferring Licenses to a Replacement Controller after an RMA
If you return a Cisco 5500 Series Controller to Cisco as part of the Return Material Authorization (RMA)
process, you must transfer that controller’s licenses within 60 days to a replacement controller that you
receive from Cisco.
Replacement controllers come preinstalled with the following licenses: permanent base and evaluation
base, base-ap-count. No other permanent licenses are installed. The SKU for replacement controllers is
AIR-CT5508-CA-K9.
Because licenses are registered to the serial number of a controller, you can use the licensing portal on
Cisco.com to request that the license from your returned controller be revoked and authorized for use on
the replacement controller. After your request is approved, you can install the old license on the
replacement controller. Before you begin, you need the product ID and serial number of both the returned
controller and the replacement controller. This information is included in your purchase records.
Note
The evaluation licenses on the replacement controller are designed for temporary use and expire after 60
days. To prevent disruptions in operation, the controller does not switch licenses when an evaluation
license expires. You must reboot the controller in order to return to a permanent license. If the evaluation
licenses expire before you transfer the permanent licenses from your defective controller to your
replacement controller, the replacement controller remains up and running using the permanent base
license, but access points are no longer able to join the controller.
Transferring a License to a Replacement Controller after an RMA
Step 1
Go to https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet.
Step 2
On the main Product License Registration page, click Register for an RMA License under RMA
License Transfer.
Step 3
In the Select a Product drop-down list, choose Cisco 5500 Series Wireless Controllers.
Step 4
Enter the security code in the blank box and click Go to RMA Portal.
Step 5
On the RMA License Transfer page, enter the product ID and serial number of the controller that you
returned and your RMA service contract number, and click Continue.
Step 6
On the Validate Features page, verify that the license information for your controller is correct, and click
Continue.
Step 7
On the Designate Licensee page, enter the product ID and serial number of the replacement controller.
Step 8
Read and accept the conditions of the end-user license agreement (EULA), complete the rest of the text
boxes on this page, and click Submit.
Step 9
On the Review and Submit page, verify that all information is correct and click Submit. A message
appears indicating that your registration request has been submitted, and you will receive an e-mail that
contains your RMA request ID.
Step 10
Select the status of your RMA registration request by following the instructions in the e-mail.
Step 11
After you receive another e-mail notifying you that your RMA registration request is approved (usually
within 1 hour), follow the instructions in the “Installing a License (GUI)” section on page 4-7 to install
the license on the replacement controller.
Configuring the License Agent
This section contains the following topics:
• Information About Configuring the License Agent, page 4-22
• Configuring the License Agent, page 4-22
Information About Configuring the License Agent
If your network contains various Cisco-licensed devices, you might want to consider using the Cisco
License Manager (CLM) to manage all of the licenses using a single application. CLM is a secure
client/server application that manages Cisco software licenses network wide.
The license agent is an interface module that runs on the controller and mediates between CLM and the
controller’s licensing infrastructure. CLM can communicate with the controller using various channels,
such as HTTP, Telnet, and so on. If you want to use HTTP as the communication method, you must
enable the license agent on the controller.
The license agent receives requests from CLM and translates them into license commands. It also sends
notifications to CLM. It uses XML messages over HTTP or HTTPS to receive the requests and send the
notifications. For example, CLM sends a license install command, and the agent notifies CLM after the
license expires.
Note
You can download the CLM software and access user documentation at http://www.cisco.com/go/clm.
Configuring the License Agent
This section contains the following topics:
• Configuring the License Agent (GUI), page 4-22
• Configuring the License Agent (CLI), page 4-24
Configuring the License Agent (GUI)
Step 1
Choose Management > Software Activation > License Agent to open the License Agent Configuration
page.
Figure 4-6 License Agent Configuration Page
Step 2
Select the Enable Default Authentication check box to enable the license agent, or leave it unselected
to disable this feature. The default value is unselected.
Step 3
In the Maximum Number of Sessions text box, enter the maximum number of sessions for the license
agent. The valid range is 1 to 25 sessions (inclusive).
Step 4
Configure the license agent to listen for requests from the CLM as follows:
a. Select the Enable Listener check box to enable the license agent to receive license requests from the CLM, or unselect this check box to disable this feature. The default value is unselected.
b. In the Listener Message Processing URL text box, enter the URL where the license agent receives license requests (for example, http://209.165.201.30/licenseAgent/custom). The Protocol parameter indicates whether the URL requires HTTP or HTTPS.
Note
You can specify the protocol to use on the HTTP Configuration page. For more information, see the “Enabling Web and Secure Web Modes” section on page 3-18.
c. Select the Enable Authentication for Listener check box to enable authentication for the license agent when it is receiving license requests, or unselect this check box to disable this feature. The default value is unselected.
d. In the Max HTTP Message Size text box, enter the maximum size for license requests. The valid range is 0 to 9999 bytes, and the default value is 0.
Step 5
Configure the license agent to send license notifications to the CLM as follows:
a. Select the Enable Notification check box to enable the license agent to send license notifications to the CLM, or unselect this check box to disable this feature. The default value is unselected.
b. In the URL to Send the Notifications text box, enter the URL where the license agent sends the notifications (for example, http://www.cisco.com/license/notify).
c. In the User Name text box, enter the username required in order to view the notification messages at this URL.
d. In the Password and Confirm Password text boxes, enter the password required in order to view the notification messages at this URL.
Step 6
Click Apply to commit your changes.
Step 7
Click Save Configuration to save your changes.
Configuring the License Agent (CLI)
Step 1
Enable the license agent by entering one of these commands:
• config license agent default authenticate—Enables the license agent default listener with authentication.
• config license agent default authenticate none—Enables the license agent default listener without authentication.
Note
To disable the license agent default listener, enter the config license agent default disable command. The default value is disabled.
Step 2
Specify the maximum number of sessions for the license agent by entering this command:
config license agent max-sessions sessions
The valid range for the sessions parameter is 1 to 25 (inclusive), and the default value is 9.
Step 3
Enable the license agent to receive license requests from the CLM and to specify the URL where the
license agent receives the requests by entering this command:
config license agent listener http {plaintext | encrypt} url authenticate [none] [max-message size]
[acl acl]
The valid range for the size parameter is 0 to 65535 bytes, and the default value is 0.
Note
To prevent the license agent from receiving license requests from the CLM, enter the config license agent listener http disable command. The default value is disabled.
Step 4
Configure the license agent to send license notifications to the CLM and to specify the URL where the license agent sends the notifications by entering this command:
config license agent notify url username password
Note
To prevent the license agent from sending license notifications to the CLM, enter the config license agent notify disable username password command. The default value is disabled.
Step 5
Save your changes by entering this command:
save config
Step 6
See statistics for the license agent’s counters or sessions by entering this command:
show license agent {counters | sessions}
Information similar to the following appears for the show license agent counters command:
License Agent Counters
Request Messages Received:10: Messages with Errors:1
Request Operations Received:9: Operations with Errors:0
Notification Messages Sent:12: Transmission Errors:0: Soap Errors:0
Information similar to the following appears for the show license agent sessions command:
License Agent Sessions: 1 open, maximum is 9
Note
To clear the license agent’s counter or session statistics, enter the clear license agent {counters
| sessions} command.
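The following is an added example, not Cisco code, that reviews a planned config license agent listener http command (Step 3 of the CLI procedure) against the syntax given there and reports the settings that leave the listener exposed: plaintext transport, authenticate none (the state the GUI leaves when Enable Authentication for Listener stays unselected), a missing acl, and a max-message value outside the 0 to 65535 range. The URL is the one from the GUI procedure above; the ACL name CLM-HOSTS and the 4096-byte size are constructed placeholders.

```python
"""Review a 'config license agent listener http ...' line before it is entered.
Added example, not Cisco code. Parses the command syntax given in Step 3 and
flags the settings that leave the listener exposed; the ACL name and message
size in the samples below are constructed."""
from typing import Dict, List

PREFIX = ["config", "license", "agent", "listener", "http"]

def parse_listener_command(cmd: str) -> Dict:
    """Split the command into transport, url, authenticate, max_message and acl."""
    tok = cmd.split()
    if tok[:5] != PREFIX:
        raise ValueError(f"not a license agent listener command: {cmd!r}")
    if tok[5:] == ["disable"]:
        return {"enabled": False}
    if len(tok) < 8 or tok[5] not in ("plaintext", "encrypt") or tok[7] != "authenticate":
        raise ValueError(f"malformed listener command: {cmd!r}")
    parsed = {"enabled": True, "transport": tok[5], "url": tok[6],
              "authenticate": True, "max_message": None, "acl": None}
    rest, i = tok[8:], 0
    while i < len(rest):
        if rest[i] == "none":                       # 'authenticate none'
            parsed["authenticate"] = False
            i += 1
        elif rest[i] == "max-message" and i + 1 < len(rest):
            parsed["max_message"] = int(rest[i + 1])
            i += 2
        elif rest[i] == "acl" and i + 1 < len(rest):
            parsed["acl"] = rest[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected token {rest[i]!r} in {cmd!r}")
    return parsed

def audit_listener(cmd: str) -> List[str]:
    """Findings for one listener command; an empty list means nothing to change."""
    p = parse_listener_command(cmd)
    if not p["enabled"]:
        return []                                   # disabled listener: no exposure
    findings: List[str] = []
    if p["transport"] == "plaintext":
        findings.append("plaintext transport: CLM requests to the listener are not encrypted")
    if not p["authenticate"]:
        findings.append("authenticate none: the listener accepts license requests "
                        "without authentication")
    if p["acl"] is None:
        findings.append("no acl: the listener URL is reachable from any source address")
    if p["max_message"] is not None and not 0 <= p["max_message"] <= 65535:
        findings.append(f"max-message {p['max_message']} is outside the valid range 0 to 65535")
    return findings

# Constructed samples using the URL from the GUI procedure above. The weak form
# matches the GUI defaults (authentication unselected); the hardened form adds
# encryption, authentication, a size limit and an ACL (the ACL name is a placeholder).
WEAK = ("config license agent listener http plaintext "
        "http://209.165.201.30/licenseAgent/custom authenticate none")
HARDENED = ("config license agent listener http encrypt "
            "http://209.165.201.30/licenseAgent/custom authenticate "
            "max-message 4096 acl CLM-HOSTS")
```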
Configuring 802.11 Bands
This section contains the following topics:
• Information About Configuring 802.11 Bands, page 4-25
• Configuring 802.11 Bands, page 4-25
Information About Configuring 802.11 Bands
You can configure the 802.11b/g/n (2.4-GHz) and 802.11a/n (5-GHz) bands for the controller to comply
with the regulatory requirements in your country. By default, both 802.11b/g/n and 802.11a/n are
enabled.
Configuring 802.11 Bands
This section contains the following topics:
• Configuring 802.11 Bands (GUI), page 4-25
• Configuring 802.11 Bands (CLI), page 4-27
Configuring 802.11 Bands (GUI)
Step 1
Choose Wireless > 802.11a/n or 802.11b/g/n > Network to open the 802.11a (or 802.11b/g) Global
Parameters page.
Figure 4-7 802.11a Global Parameters Page
Step 2
Select the 802.11a (or 802.11b/g) Network Status check box to enable the 802.11a or 802.11b/g band.
To disable the band, unselect the check box. The default value is enabled. You can enable both the
802.11a and 802.11b/g bands.
Step 3
If you enabled the 802.11b/g band in Step 2, select the 802.11g Support check box if you want to enable
802.11g network support. The default value is enabled. If you disable this feature, the 802.11b band is
enabled without 802.11g support.
Step 4
Specify the rate at which the SSID is broadcast by the access point by entering a value between 100 and
600 milliseconds (inclusive) in the Beacon Period text box. The default value is 100 milliseconds.
Note
The beacon period in controllers is listed in terms of milliseconds. The beacon period can also be
measured in time units, where one time unit equals 1024 microseconds, so 100 time units equals 102.4
milliseconds. If a beacon interval is listed as 100 milliseconds in a controller, it is only a rounded-off
value for 102.4 milliseconds.
Due to hardware limitation in certain radios, even though the beacon interval is, say 100 time units, it is
adjusted to 102 time units, which roughly equals 104.448 milliseconds. When the beacon period is to be
represented in terms of time units, the value is adjusted to the nearest multiple of 17.
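The arithmetic in this note, carried through for any listed value rather than only 100, as an added worked calculation that is not from the guide: the controller's listed "milliseconds" are taken as a TU count, converted at 1024 microseconds per TU, and then rounded to the nearest multiple of 17 TU as the note describes for certain radios.

```python
"""Beacon period arithmetic from the note above (added example, not Cisco code).
The controller lists the period in 'milliseconds' that are really time units (TUs);
certain radios then round the TU count to a multiple of 17."""
TU_MICROSECONDS = 1024   # one 802.11 time unit
RADIO_TU_STEP = 17       # rounding step of the radios the note describes

def nearest_multiple(value: int, step: int = RADIO_TU_STEP) -> int:
    """Round value to the nearest multiple of step using integer arithmetic."""
    return step * ((value + step // 2) // step)

def beacon_timing(listed_ms: int) -> dict:
    """Nominal and radio-adjusted beacon period for a value listed by the controller."""
    nominal_tu = listed_ms                        # 100 'ms' in the GUI is 100 TU
    nominal_ms = nominal_tu * TU_MICROSECONDS / 1000
    radio_tu = nearest_multiple(nominal_tu)       # e.g. 100 TU -> 102 TU
    radio_ms = radio_tu * TU_MICROSECONDS / 1000  # e.g. 102 TU -> 104.448 ms
    return {
        "nominal_tu": nominal_tu,
        "nominal_ms": nominal_ms,
        "radio_tu": radio_tu,
        "radio_ms": radio_ms,
        "beacons_per_second": 1000 / radio_ms,
        "drift_vs_listed_pct": (radio_ms - listed_ms) / listed_ms * 100,
    }
```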
Step 5
Specify the size at which packets are fragmented by entering a value between 256 and 2346 bytes
(inclusive) in the Fragmentation Threshold text box. Enter a low number for areas where communication
is poor or where there is a great deal of radio interference.
Step 6
To make access points advertise their channel and transmit power level in beacons and probe responses,
select the DTPC Support check box. Otherwise, unselect this check box. The default value is enabled.
Client devices using dynamic transmit power control (DTPC) receive the channel and power level
information from the access points and adjust their settings automatically. For example, a client device
used primarily in Japan could rely on DTPC to adjust its channel and power settings automatically when
it travels to Italy and joins a network there.
Note
On access points that run Cisco IOS software, this feature is called world mode.
Note
DTPC and 802.11h power constraint cannot be enabled simultaneously.
Step 7
Specify the maximum allowed clients by entering a value between 1 and 200 in the Maximum Allowed
Client text box. The default value is 200.
Step 8
Use the Data Rates options to specify the rates at which data can be transmitted between the access point
and the client. These data rates are available:
• 802.11a—6, 9, 12, 18, 24, 36, 48, and 54 Mbps
• 802.11b/g—1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps
For each data rate, choose one of these options:
• Mandatory—Clients must support this data rate in order to associate to an access point on the controller.
• Supported—Any associated clients that support this data rate may communicate with the access point using that rate. However, the clients are not required to be able to use this rate in order to associate.
• Disabled—The clients specify the data rates used for communication.
Step 9
Click Apply to commit your changes.
Step 10
Click Save Configuration to save your changes.
Configuring 802.11 Bands (CLI)
Step 1
Disable the 802.11a band by entering this command:
config 802.11a disable network
Note
The 802.11a band must be disabled before you can configure the 802.11a network parameters in this section.
Step 2
Disable the 802.11b/g band by entering this command:
config 802.11b disable network
Note
The 802.11b band must be disabled before you can configure the 802.11b network parameters in this section.
Step 3
Specify the rate at which the SSID is broadcast by the access point by entering this command:
config {802.11a | 802.11b} beaconperiod time_unit
where time_unit is the beacon interval in time units (TUs). One TU is 1024 microseconds. You can
configure the access point to send a beacon every 20 to 1000 milliseconds.
Step 4
Specify the size at which packets are fragmented by entering this command:
config {802.11a | 802.11b} fragmentation threshold
where threshold is a value between 256 and 2346 bytes (inclusive). Specify a low number for areas where
communication is poor or where there is a great deal of radio interference.
Step 5
Make access points advertise their channel and transmit power level in beacons and probe responses by
entering this command:
config {802.11a | 802.11b} dtpc {enable | disable}
The default value is enabled. Client devices using dynamic transmit power control (DTPC) receive the
channel and power level information from the access points and adjust their settings automatically. For
example, a client device used primarily in Japan could rely on DTPC to adjust its channel and power
settings automatically when it travels to Italy and joins a network there.
Note
On access points that run Cisco IOS software, this feature is called world mode.
Step 6
Specify the maximum number of allowed clients by entering this command:
config {802.11a | 802.11b} max-clients max_allow_clients
Step 7
Specify the rates at which data can be transmitted between the controller and the client by entering this
command:
config {802.11a | 802.11b} rate {disabled | mandatory | supported} rate
where
• disabled—Clients specify the data rates used for communication.
• mandatory—Clients must support this data rate in order to associate to an access point on the controller.
• supported—Any associated clients that support this data rate may communicate with the access point using that rate. However, the clients are not required to be able to use this rate in order to associate.
• rate—The rate at which data is transmitted:
– 6, 9, 12, 18, 24, 36, 48, and 54 Mbps (802.11a)
– 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps (802.11b/g)
Step 8
Enable the 802.11a band by entering this command:
config 802.11a enable network
The default value is enabled.
Step 9
Enable the 802.11b band by entering this command:
config 802.11b enable network
The default value is enabled.
Step 10
Enable or disable 802.11g network support by entering this command:
config 802.11b 11gSupport {enable | disable}
The default value is enabled. You can use this command only if the 802.11b band is enabled. If you
disable this feature, the 802.11b band is enabled without 802.11g support.
Step 11
Save your changes by entering this command:
save config
Step 12
View the configuration settings for the 802.11a or 802.11b/g band by entering this command:
show {802.11a | 802.11b}
Information similar to the following appears:
802.11a Network............................... Enabled
11nSupport.................................... Enabled
802.11a Low Band........................... Enabled
802.11a Mid Band........................... Enabled
802.11a High Band.......................... Enabled
802.11a Operational Rates
802.11a 6M Rate.............................. Mandatory
802.11a 9M Rate.............................. Supported
802.11a 12M Rate............................. Mandatory
802.11a 18M Rate............................. Supported
802.11a 24M Rate............................. Mandatory
802.11a 36M Rate............................. Supported
802.11a 48M Rate............................. Supported
802.11a 54M Rate............................. Supported
...
Beacon Interval.................................. 100
...
Default Channel............................... 36
Default Tx Power Level........................ 1
DTPC Status................................... Enabled
Fragmentation Threshold....................... 2346
Maximum Number of Clients per AP................. 200
...
Configuring 802.11n Parameters
This section contains the following topics:
• Information About Configuring 802.11n Parameters, page 4-29
• Configuring 802.11n Parameters, page 4-29
• Additional References, page 4-34
Information About Configuring 802.11n Parameters
This section provides instructions for managing 802.11n devices such as the Cisco Aironet 1140 and
1250 Series Access Points on your network. The 802.11n devices support the 2.4- and 5-GHz bands and
offer high-throughput data rates.
The 802.11n high-throughput rates are available on 1040, 1140, 1250, 1260, 3500, and 3600 series
access points for WLANs using WMM with no Layer 2 encryption or with WPA2/AES encryption
enabled.
Configuring 802.11n Parameters
This section contains the following topics:
• Configuring 802.11n Parameters (GUI), page 4-30
• Configuring 802.11n Parameters (CLI), page 4-31
Configuring 802.11n Parameters (GUI)
Step 1
Choose Wireless > 802.11a/n or 802.11b/g/n > High Throughput (802.11n) to open the 802.11n (5
GHz or 2.4 GHz) High Throughput page.
Figure 4-8 802.11n (2.4 GHz) High Throughput Page
Step 2
Select the 11n Mode check box to enable 802.11n support on the network. The default value is enabled.
Step 3
Select the check boxes of the desired rates to specify the modulation and coding scheme (MCS) rates at
which data can be transmitted between the access point and the client. These data rates, which are
calculated for a 20-MHz channel width using a short guard interval, are available:
• 0 (7 Mbps)
• 1 (14 Mbps)
• 2 (21 Mbps)
• 3 (29 Mbps)
• 4 (43 Mbps)
• 5 (58 Mbps)
• 6 (65 Mbps)
• 7 (72 Mbps)
• 8 (14 Mbps)
• 9 (29 Mbps)
• 10 (43 Mbps)
• 11 (58 Mbps)
• 12 (87 Mbps)
• 13 (116 Mbps)
• 14 (130 Mbps)
• 15 (144 Mbps)
Any associated clients that support the selected rates may communicate with the access point using those
rates. However, the clients are not required to be able to use these rates in order to associate. The MCS
settings determine the number of spatial streams, the modulation, the coding rate, and the data rate values
that are used.
Step 4
Click Apply to commit your changes.
Step 5
Use the 802.11n data rates that you configured by enabling WMM on the WLAN as follows:
a. Choose WLANs to open the WLANs page.
b. Click the ID number of the WLAN for which you want to configure WMM mode.
c. When the WLANs > Edit page appears, choose the QoS tab to open the WLANs > Edit (QoS) page.
d. From the WMM Policy drop-down list, choose Required or Allowed to require or allow client devices to use WMM. Devices that do not support WMM cannot join the WLAN.
e. Click Apply to commit your changes.
Step 6
Click Save Configuration to save your changes.
Note
To determine if an access point supports 802.11n, look at the 11n Supported text box on either
the 802.11a/n (or 802.11b/g/n) Cisco APs > Configure page or the 802.11a/n (or 802.11b/g/n)
AP Interfaces > Details page.
Configuring 802.11n Parameters (CLI)
Step 1
Enable 802.11n support on the network by entering this command:
config {802.11a | 802.11b} 11nsupport {enable | disable}
Step 2
Specify the modulation and coding scheme (MCS) rates at which data can be transmitted between the
access point and the client by entering this command:
config {802.11a | 802.11b} 11nsupport mcs tx {0-15} {enable | disable}
See the descriptions of the 0 through 15 MCS data rates in the “Configuring 802.11n Parameters (GUI)”
section on page 4-30.
Step 3
Use the 802.11n data rates that you configured by enabling WMM on the WLAN as follows:
config wlan wmm required wlan_id
The required parameter requires client devices to use WMM. Devices that do not support WMM cannot
join the WLAN.
Step 4
Specify the aggregation method used for 802.11n packets as follows:
a.
Disable the network by entering this command:
config {802.11a | 802.11b} disable network
b.
Specify the aggregation method by entering this command:
config {802.11a | 802.11b} 11nsupport a-mpdu tx priority {0-7 | all} {enable | disable}
Aggregation is the process of grouping packet data frames together rather than transmitting them
separately. Two aggregation methods are available: Aggregated MAC Protocol Data Unit
(A-MPDU) and Aggregated MAC Service Data Unit (A-MSDU). Both A-MPDU and A-MSDU are
performed in the software.
You can specify the aggregation method for various types of traffic from the access point to the
clients. Table 4-2 defines the priority levels (0-7) assigned per traffic type.
Table 4-2 Traffic Type Priority Levels
User Priority   Traffic Type
0               Best effort
1               Background
2               Spare
3               Excellent effort
4               Controlled load
5               Video, less than 100-ms latency and jitter
6               Voice, less than 10-ms latency and jitter
7               Network control
You can configure each priority level independently, or you can use the all parameter to configure
all of the priority levels at once. When you use the enable keyword, the traffic associated with that
priority level uses A-MPDU transmission. When you use the disable keyword, the traffic
associated with that priority level uses A-MSDU transmission. Configure the priority levels to match
the aggregation method used by the clients. By default, A-MPDU is enabled for priority levels 0, 4,
and 5 and the rest are disabled. By default, A-MPDU is enabled for all priorities except 6 and 7.
c.
Reenable the network by entering this command:
config {802.11a | 802.11b} enable network
Step 5
Configure the 802.11n-5 GHz A-MPDU transmit aggregation scheduler by entering this command:
config 802.11{a | b} 11nsupport a-mpdu tx scheduler {enable | disable | timeout rt timeout-value}
The timeout value is in milliseconds. The valid range is 1 to 1000 milliseconds.
Step 6
Configure the guard interval for the network by entering this command:
config 802.11{a | b} 11nsupport guard-interval {any | long}
Step 7
Configure the Reduced Interframe Space (RIFS) for the network by entering this command:
config 802.11{a | b} 11nsupport rifs rx {enable | disable}
Step 8
Enter the save config command to save your configuration.
Step 9
View the configuration settings for the 802.11a/n or 802.11b/g/n band by entering this command:
show {802.11a | 802.11b}
Information similar to the following appears:
802.11a Network............................... Enabled
11nSupport.................................... Enabled
802.11a Low Band........................... Enabled
802.11a Mid Band........................... Enabled
802.11a High Band.......................... Enabled
802.11a Operational Rates
802.11a 6M Rate.............................. Mandatory
802.11a 9M Rate.............................. Supported
802.11a 12M Rate............................. Mandatory
802.11a 18M Rate............................. Supported
802.11a 24M Rate............................. Mandatory
802.11a 36M Rate............................. Supported
802.11a 48M Rate............................. Supported
802.11a 54M Rate............................. Supported
802.11n MCS Settings:
MCS 0........................................ Supported
MCS 1...................................... Supported
MCS 2...................................... Supported
MCS 3...................................... Supported
MCS 4...................................... Supported
MCS 5...................................... Supported
MCS 6...................................... Supported
MCS 7...................................... Supported
MCS 8...................................... Supported
MCS 9...................................... Supported
MCS 10..................................... Supported
MCS 11..................................... Supported
MCS 12..................................... Supported
MCS 13..................................... Supported
MCS 14..................................... Supported
MCS 15........................................ Supported
802.11n Status:
A-MPDU Tx .................................. Enabled
Priority 0............................... Enabled
Priority 1............................... Enabled
Priority 2............................... Enabled
Priority 3............................... Enabled
Priority 4............................... Enabled
Priority 5............................... Disabled
Priority 6............................... Disabled
Priority 7............................... Enabled
A-MSDU Tx .................................. Enabled
Rifs Tx ..................................... Enabled
Guard Interval ............................. Short
Beacon Interval................................ 100
CF Pollable mandatory.......................... Disabled
CF Poll Request mandatory...................... Disabled
CFP Period......................................... 4
CFP Maximum Duration............................. 60
Default Channel.................................. 36
Default Tx Power Level........................... 1
DTPC Status...................................Enabled
Fragmentation Threshold....................... 2346
Long Retry Limit.................................. 4
Maximum Rx Life Time........................... 512
Max Tx MSDU Life Time............................ 512
Medium Occupancy Limit........................... 100
RTS Threshold.................................... 2347
Short Retry Limit................................ 7
TI Threshold..................................... -50
Traffic Stream Metrics Status.................... Enabled
Expedited BW Request Status...................... Disabled
EDCA profile type................................ default-wmm
Voice MAC optimization status.................... Disabled
Call Admission Control (CAC) configuration
Voice AC - Admission control (ACM)............ Enabled
Voice max RF bandwidth........................ 75
Voice reserved roaming bandwidth.............. 6
Voice load-based CAC mode..................... Disabled
Voice tspec inactivity timeout................ Disabled
Video AC - Admission control (ACM)............ Enabled
Voice Stream-Size............................. 84000
Voice Max-Streams............................. 2
Video max RF bandwidth........................ Infinite
Video reserved roaming bandwidth........... 0
Additional References
For information about configuring radio resource management (RRM) parameters or statically assigning
radio parameters for 802.11n access points, see Chapter 13, “Configuring Radio Resource
Management.”
Configuring 802.11h Parameters
This section contains the following topics:
• Information About Configuring 802.11h Parameters, page 4-34
• Configuring 802.11h Parameters, page 4-34
Information About Configuring 802.11h Parameters
802.11h informs client devices about channel changes and can limit the transmit power of those client
devices.
Configuring 802.11h Parameters
This section contains the following topics:
• Configuring 802.11h Parameters (GUI), page 4-34
• Configuring 802.11h Parameters (CLI), page 4-35
Configuring 802.11h Parameters (GUI)
Step 1
Disable the 802.11a band as follows:
a. Choose Wireless > 802.11a/n > Network to open the 802.11a Global Parameters page.
b. Unselect the 802.11a Network Status check box.
c. Click Apply to commit your change.
Step 2
Choose Wireless > 802.11a/n > DFS (802.11h) to open the 802.11h Global Parameters page.
Figure 4-9 802.11h Global Parameters Page
Step 3
Select the Channel Announcement check box if you want the access point to announce when it is
switching to a new channel and the new channel number, or unselect this check box to disable the
channel announcement. The default value is disabled.
Step 4
If you enabled the channel announcement in Step 3, the Channel Quiet Mode check box appears. Select
this check box if you want the access point to stop transmitting on the current channel, or unselect this
check box to disable quiet mode. The default value is disabled.
Step 5
Click Apply to commit your changes.
Step 6
Reenable the 802.11a band as follows:
a. Choose Wireless > 802.11a/n > Network to open the 802.11a Global Parameters page.
b. Select the 802.11a Network Status check box.
c. Click Apply to commit your change.
Step 7
Click Save Configuration to save your changes.
Configuring 802.11h Parameters (CLI)
Step 1
Disable the 802.11a network by entering this command:
config 802.11a disable network
Step 2
Enable or disable the access point to announce when it is switching to a new channel and the new channel
number by entering this command:
config 802.11h channelswitch {enable | disable} switch_mode
You can enter a 0 or 1 for the switch_mode parameter to specify whether transmissions are restricted
until the actual channel switch (0) or are not restricted (1). The default value is disabled.
Step 3
Configure a new channel using the 802.11h channel announcement by entering this command:
config 802.11h setchannel channel channel
Step 4
Configure the 802.11h power constraint value by entering this command:
config 802.11h powerconstraint value
The default value for the value parameter is 3 dB.
Step 5
Reenable the 802.11a network by entering this command:
config 802.11a enable network
Step 6
See the status of 802.11h parameters by entering this command:
show 802.11h
Information similar to the following appears:
Power Constraint................................. 0
Channel Switch................................... Disabled
Channel Switch Mode.............................. 0
Configuring DHCP Proxy
This section contains the following topics:
• Information About Configuring DHCP Proxy, page 4-36
• Guidelines and Limitations, page 4-36
• Configuring DHCP Proxy, page 4-37
Information About Configuring DHCP Proxy
When DHCP proxy is enabled on the controller, the controller unicasts DHCP requests from the client
to the configured servers. Consequently, at least one DHCP server must be configured on either the
interface associated with the WLAN or the WLAN itself.
When DHCP proxy is disabled on the controller, those DHCP packets transmitted to and from the clients
are bridged by the controller without any modification to the IP portion of the packet. Packets received
from the client are removed from the CAPWAP tunnel and transmitted on the upstream VLAN. DHCP
packets directed to the client are received on the upstream VLAN, converted to 802.11, and transmitted
through a CAPWAP tunnel toward the client. As a result, the internal DHCP server cannot be used when
DHCP proxy is disabled. The ability to disable DHCP proxy allows organizations to use DHCP servers
that do not support Cisco’s native proxy mode of operation. It should be disabled only when required by
the existing infrastructure.
Guidelines and Limitations
• DHCP proxy is enabled by default.
• DHCP proxy must be enabled in order for DHCP option 82 to operate correctly.
• All controllers that will communicate must have the same DHCP proxy setting.
Note
For information about configuring DHCP servers, see Chapter 8, “Working with WLANs.”
Configuring DHCP Proxy
This section contains the following topics:
• Configuring DHCP Proxy (GUI), page 4-37
• Configuring DHCP Proxy (CLI), page 4-37
• Configuring DHCP Timeout (GUI), page 4-37
• Configuring DHCP Timeout (CLI), page 4-38
Configuring DHCP Proxy (GUI)
Step 1
Choose Controller > Advanced > DHCP to open the DHCP Parameters page.
Figure 4-10 DHCP Parameters Page
Step 2
Select the Enable DHCP Proxy check box to enable DHCP proxy on a global basis. Otherwise, unselect
the check box. The default value is selected.
Step 3
Click Apply to commit your changes.
Step 4
Click Save Configuration to save your changes.
Configuring DHCP Proxy (CLI)
Step 1
Enable or disable DHCP proxy by entering this command:
config dhcp proxy {enable | disable}
Step 2
View the DHCP proxy configuration by entering this command:
show dhcp proxy
Information similar to the following appears:
DHCP Proxy Behavior: enabled
Configuring DHCP Timeout (GUI)
Step 1
Choose Controller > Advanced > DHCP to open the DHCP Parameters page.
Step 2
Select the DHCP Timeout (5 - 120 seconds) check box to enable a DHCP timeout on a global basis.
Otherwise, unselect the check box. The valid range is 5 through 120 seconds.
Step 3
Click Apply to commit your changes.
Step 4
Click Save Configuration to save your changes.
Configuring DHCP Timeout (CLI)
To configure a DHCP timeout using the controller CLI, use the following command:
config dhcp timeout seconds
Configuring Administrator Usernames and Passwords
This section contains the following topics:
• Information About Configuring Administrator Usernames and Passwords, page 4-38
• Configuring Usernames and Passwords, page 4-38
Information About Configuring Administrator Usernames and Passwords
You can configure administrator usernames and passwords to prevent unauthorized users from
reconfiguring the controller and viewing configuration information. This section provides instructions
for initial configuration and for password recovery.
Configuring Usernames and Passwords
This section contains the following topics:
• Configuring Usernames and Passwords (CLI), page 4-38
• Restoring Passwords (CLI), page 4-39
Configuring Usernames and Passwords (CLI)
Step 1
Configure a username and password by entering one of these commands:
• config mgmtuser add username password read-write—Creates a username-password pair with read-write privileges.
• config mgmtuser add username password read-only—Creates a username-password pair with read-only privileges.
Usernames and passwords are case-sensitive and can contain up to 24 ASCII characters. Usernames and
passwords cannot contain spaces.
Note
If you ever need to change the password for an existing username, enter the config mgmtuser password username new_password command.
Step 2
List the configured users by entering this command:
show mgmtuser
Restoring Passwords (CLI)
Step 1
After the controller boots up, enter Restore-Password at the User prompt.
Note
For security reasons, the text that you enter does not appear on the controller console.
Step 2
At the Enter User Name prompt, enter a new username.
Step 3
At the Enter Password prompt, enter a new password.
Step 4
At the Re-enter Password prompt, reenter the new password. The controller validates and stores your
entries in the database.
Step 5
When the User prompt reappears, enter your new username.
Step 6
When the Password prompt appears, enter your new password. The controller logs you in with your new
username and password.
Configuring SNMP
This section contains the following topic:
• Configuring SNMP (CLI), page 4-39
Configuring SNMP (CLI)
Step 1
Enter the config snmp community create name command to create an SNMP community name.
Step 2
Enter the config snmp community delete name command to delete an SNMP community name.
Step 3
Enter the config snmp community accessmode ro name command to configure an SNMP community
name with read-only privileges. Enter config snmp community accessmode rw name to configure an
SNMP community name with read-write privileges.
Step 4
Enter the config snmp community ipaddr ip-address ip-mask name command to configure an IP
address and subnet mask for an SNMP community.
Note
This command behaves like an SNMP access list. It specifies the IP address from which the
device accepts SNMP packets with the associated community. An AND operation is performed
between the requesting entity’s IP address and the subnet mask before being compared to the IP
address. If the subnet mask is set to 0.0.0.0, an IP address of 0.0.0.0 matches to all IP addresses.
The default value is 0.0.0.0.
Note
The controller can use only one IP address range to manage an SNMP community.
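The masking rule described in the note on the ipaddr command, modelled in Python as an added example (not controller code): community_accepts applies the AND-and-compare check, and audit_community_acls classifies constructed config snmp community ipaddr lines by how many sources each admits, so that a community left at the 0.0.0.0 default stands out. Masking the configured address as well as the requester's address is an assumption made so that network-style entries behave sensibly.

```python
"""Model of the source-address check applied to SNMP v1/v2c communities
configured with:  config snmp community ipaddr ip-address ip-mask name
Added example for this guide; it is not controller code.  The sample
configuration at the bottom is constructed, not taken from a device."""
import ipaddress
from typing import Dict, List


def _to_int(addr: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def community_accepts(cfg_ip: str, cfg_mask: str, src_ip: str) -> bool:
    """Return True if a request from src_ip passes the community's source check.

    The guide states that the requester's address is ANDed with the mask
    and then compared with the configured address.  The configured address
    is masked the same way here (an assumption) so that a network-style
    entry such as 10.1.0.0 / 255.255.0.0 matches its whole range.  With a
    mask of 0.0.0.0 both sides reduce to 0, so the entry matches every
    source, which is why the 0.0.0.0 default restricts nothing.
    """
    mask = _to_int(cfg_mask)
    return (_to_int(src_ip) & mask) == (_to_int(cfg_ip) & mask)


def audit_community_acls(config_lines: List[str]) -> Dict[str, str]:
    """Classify each 'config snmp community ipaddr' line by its reach.

    Returns {community_name: verdict}; verdict is 'any-source' when the mask
    is 0.0.0.0, 'single-host' for a /32 mask, and 'network' otherwise.
    Lines that are not ipaddr commands are ignored.
    """
    verdicts: Dict[str, str] = {}
    for line in config_lines:
        parts = line.split()
        if parts[:4] != ["config", "snmp", "community", "ipaddr"] or len(parts) != 7:
            continue
        ip, mask, name = parts[4], parts[5], parts[6]
        mask_bits = bin(_to_int(mask)).count("1")
        if mask_bits == 0:
            verdicts[name] = "any-source"
        elif mask_bits == 32:
            verdicts[name] = "single-host"
        else:
            verdicts[name] = "network"
    return verdicts


# Constructed sample configuration (community names and addresses invented).
SAMPLE_CONFIG = [
    "config snmp community create netmon",
    "config snmp community accessmode ro netmon",
    "config snmp community ipaddr 0.0.0.0 0.0.0.0 netmon",           # left at default
    "config snmp community create nmsrw",
    "config snmp community accessmode rw nmsrw",
    "config snmp community ipaddr 10.1.1.5 255.255.255.255 nmsrw",   # one NMS host
    "config snmp community create ops",
    "config snmp community ipaddr 10.1.0.0 255.255.0.0 ops",         # management range
]

if __name__ == "__main__":
    for name, verdict in audit_community_acls(SAMPLE_CONFIG).items():
        print(f"{name:8} {verdict}")
    print(community_accepts("0.0.0.0", "0.0.0.0", "198.51.100.7"))      # True
    print(community_accepts("10.1.1.5", "255.255.255.255", "10.1.1.6"))  # False
```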
Step 5
Enter the config snmp community mode enable command to enable a community name. Enter the
config snmp community mode disable command to disable a community name.
Step 6
Enter the config snmp trapreceiver create name ip-address command to configure a destination for a
trap.
Step 7
Enter the config snmp trapreceiver delete name command to delete a trap.
Step 8
Enter the config snmp trapreceiver ipaddr old-ip-address name new-ip-address command to change
the destination for a trap.
Step 9
Enter the config snmp trapreceiver mode enable command to enable traps. Enter the config snmp
trapreceiver mode disable command to disable traps.
Step 10
Enter config snmp syscontact syscontact-name to configure the name of the SNMP contact. Enter up to
31 alphanumeric characters for the contact name.
Step 11
Enter the config snmp syslocation syslocation-name command to configure the SNMP system location.
Enter up to 31 alphanumeric characters for the location.
Step 12
Use the show snmpcommunity and the show snmptrap commands to verify that the SNMP traps and
communities are correctly configured.
Step 13
Use the show trapflags command to see the enabled and disabled trap flags. If necessary, use the
config trapflags command to enable or disable trapflags.
Step 14
Starting in release 7.0.116.0, you can also configure the SNMP engine ID. Use the config snmp
engineID engine-id-string command to configure the SNMP engine ID.
Note
The engine ID string can be a maximum of 24 characters.
Step 15
Use the show engineID command to view the engine ID.
SNMP Community Strings
This section contains the following topics:
• Information About SNMP Community Strings, page 4-40
• Changing the SNMP Community String Default Values, page 4-41
Information About SNMP Community Strings
The controller has commonly known default values of “public” and “private” for the read-only and
read-write SNMP community strings. Using these standard values presents a security risk: because the
default community names are widely known, anyone who can reach the controller over SNMP could use
them to communicate with it. Therefore, we strongly advise that you change these values.
Changing the SNMP Community String Default Values
This section contains the following topics:
• Changing the SNMP Community String Default Values (GUI), page 4-41
• Changing the SNMP Community String Default Values (CLI), page 4-41
Changing the SNMP Community String Default Values (GUI)
Step 1
Choose Management and then Communities under SNMP. The SNMP v1 / v2c Community page
appears.
Figure 4-11 SNMP v1 / v2c Community Page
Step 2
If “public” or “private” appears in the Community Name column, hover your cursor over the blue
drop-down arrow for the desired community and choose Remove to delete this community.
Step 3
Click New to create a new community. The SNMP v1 / v2c Community > New page appears.
Step 4
In the Community Name text box, enter a unique name containing up to 16 alphanumeric characters. Do
not enter “public” or “private.”
Step 5
In the next two text boxes, enter the IP address from which this device accepts SNMP packets with the
associated community and the IP mask.
Step 6
Choose Read Only or Read/Write from the Access Mode drop-down list to specify the access level for
this community.
Step 7
Choose Enable or Disable from the Status drop-down list to specify the status of this community.
Step 8
Click Apply to commit your changes.
Step 9
Click Save Configuration to save your settings.
Step 10
Repeat this procedure if a “public” or “private” community still appears on the SNMP v1 / v2c
Community page.
Changing the SNMP Community String Default Values (CLI)
Step 1
See the current list of SNMP communities for this controller by entering this command:
show snmp community
Step 2
If “public” or “private” appears in the SNMP Community Name column, enter this command to delete
this community:
config snmp community delete name
The name parameter is the community name (in this case, “public” or “private”).
Step 3
Create a new community by entering this command:
config snmp community create name
Enter up to 16 alphanumeric characters for the name parameter. Do not enter “public” or “private.”
Step 4
Enter the IP address from which this device accepts SNMP packets with the associated community by
entering this command:
config snmp community ipaddr ip_address ip_mask name
Step 5
Specify the access level for this community by entering this command, where ro is read-only mode and
rw is read/write mode:
config snmp community accessmode {ro | rw} name
Step 6
Enable or disable this SNMP community by entering this command:
config snmp community mode {enable | disable} name
Step 7
Save your changes by entering save config.
Step 8
Repeat this procedure if you still need to change the default values for a “public” or “private” community
string.
Changing the Default Values for SNMP v3 Users
This section contains the following topics:
• Information About Changing the Default Values for SNMP v3 Users, page 4-42
• Changing the SNMP v3 User Default Values, page 4-42
Information About Changing the Default Values for SNMP v3 Users
The controller uses a default value of “default” for the username, authentication password, and privacy
password for SNMP v3 users. Using these standard values presents a security risk. Therefore, Cisco
strongly advises that you change these values.
Note
SNMP v3 is time sensitive. Ensure that you configure the correct time and time zone on your controller.
Changing the SNMP v3 User Default Values
This section contains the following topics:
• Changing the SNMP v3 User Default Values (GUI), page 4-43
• Changing the SNMP v3 User Default Values (CLI), page 4-43
Changing the SNMP v3 User Default Values (GUI)
Step 1
Choose Management > SNMP > SNMP V3 Users to open the SNMP V3 Users page.
Figure 4-12 SNMP V3 Users Page
Step 2
If “default” appears in the User Name column, hover your cursor over the blue drop-down arrow for the
desired user and choose Remove to delete this SNMP v3 user.
Step 3
Click New to add a new SNMP v3 user. The SNMP V3 Users > New page appears.
Step 4
In the User Profile Name text box, enter a unique name. Do not enter “default.”
Step 5
Choose Read Only or Read Write from the Access Mode drop-down list to specify the access level for
this user. The default value is Read Only.
Step 6
From the Authentication Protocol drop-down list, choose the desired authentication method: None,
HMAC-MD5 (Hashed Message Authentication Coding-Message Digest 5), or HMAC-SHA (Hashed
Message Authentication Coding-Secure Hashing Algorithm). The default value is HMAC-SHA.
Step 7
In the Auth Password and Confirm Auth Password text boxes, enter the shared secret key to be used for
authentication. You must enter at least 12 characters.
Step 8
From the Privacy Protocol drop-down list, choose the desired encryption method: None, CBC-DES
(Cipher Block Chaining-Digital Encryption Standard), or CFB-AES-128 (Cipher Feedback
Mode-Advanced Encryption Standard-128). The default value is CFB-AES-128.
Note
In order to configure CBC-DES or CFB-AES-128 encryption, you must have selected either
HMAC-MD5 or HMAC-SHA as the authentication protocol in Step 6.
Step 9
In the Priv Password and Confirm Priv Password text boxes, enter the shared secret key to be used for
encryption. You must enter at least 12 characters.
Step 10
Click Apply to commit your changes.
Step 11
Click Save Configuration to save your settings.
Step 12
Reboot the controller so that the SNMP v3 user that you added takes effect.
Changing the SNMP v3 User Default Values (CLI)
Step 1
See the current list of SNMP v3 users for this controller by entering this command:
show snmpv3user
Step 2
If “default” appears in the SNMP v3 User Name column, enter this command to delete this user:
config snmp v3user delete username
The username parameter is the SNMP v3 username (in this case, “default”).
Step 3
Create a new SNMP v3 user by entering this command:
config snmp v3user create username {ro | rw} {none | hmacmd5 | hmacsha} {none | des | aescfb128}
auth_key encrypt_key
where
• username is the SNMP v3 username.
• ro is read-only mode and rw is read-write mode.
• none, hmacmd5, and hmacsha are the authentication protocol options.
• none, des, and aescfb128 are the privacy protocol options.
• auth_key is the authentication shared secret key.
• encrypt_key is the encryption shared secret key.
Do not enter “default” for the username, auth_key, and encrypt_key parameters.
Step 4
Save your changes by entering the save config command.
Step 5
Reboot the controller so that the SNMP v3 user that you added takes effect by entering the reset system
command.
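A checker for config snmp v3user create commands against the rules in this section, added here as an example and not part of the controller: it rejects “default” in the username and both keys, requires an authentication protocol whenever a privacy protocol is set (the note under Step 8 of the GUI procedure), and assumes the GUI's 12-character minimum for both keys also applies to the CLI. The sample commands and key values are constructed.

```python
"""Validate 'config snmp v3user create' commands against this section's rules.
Added example for this guide; not controller code.

Rule sources: 'default' is forbidden for username, auth_key and encrypt_key
(CLI Step 3); des/aescfb128 privacy requires hmacmd5 or hmacsha
authentication (GUI Step 8 note); the 12-character key minimum is stated
for the GUI and is assumed here to apply to the CLI as well."""
from dataclasses import dataclass, field
from typing import List

AUTH_PROTOCOLS = {"none", "hmacmd5", "hmacsha"}
PRIV_PROTOCOLS = {"none", "des", "aescfb128"}
MIN_KEY_LEN = 12           # GUI rule, assumed to hold for the CLI command too


@dataclass
class V3UserCheck:
    username: str
    findings: List[str] = field(default_factory=list)    # violations of the section's rules
    advisories: List[str] = field(default_factory=list)  # recommendations, not rules

    @property
    def ok(self) -> bool:
        """True when no rule is violated (advisories do not fail the check)."""
        return not self.findings


def check_v3user_command(command: str) -> V3UserCheck:
    """Parse one command line and report the problems found.

    Expected shape:
      config snmp v3user create username {ro|rw} {none|hmacmd5|hmacsha}
                                {none|des|aescfb128} auth_key encrypt_key
    """
    parts = command.split()
    if parts[:4] != ["config", "snmp", "v3user", "create"] or len(parts) != 10:
        return V3UserCheck(username="?",
                           findings=["not a complete 'config snmp v3user create' command"])
    username, mode, auth, priv, auth_key, encrypt_key = parts[4:]
    result = V3UserCheck(username=username)
    f = result.findings

    if mode not in {"ro", "rw"}:
        f.append(f"access mode must be ro or rw, got {mode!r}")
    if auth not in AUTH_PROTOCOLS:
        f.append(f"unknown authentication protocol {auth!r}")
    if priv not in PRIV_PROTOCOLS:
        f.append(f"unknown privacy protocol {priv!r}")

    # The guide forbids the well-known value 'default' for all three secrets/names.
    for label, value in (("username", username), ("auth_key", auth_key),
                         ("encrypt_key", encrypt_key)):
        if value.lower() == "default":
            f.append(f"{label} uses the well-known value 'default'")

    # Privacy without authentication is not a valid combination.
    if priv != "none" and auth == "none":
        f.append("privacy protocol requires hmacmd5 or hmacsha authentication")

    if auth != "none" and len(auth_key) < MIN_KEY_LEN:
        f.append(f"auth_key shorter than {MIN_KEY_LEN} characters")
    if priv != "none" and len(encrypt_key) < MIN_KEY_LEN:
        f.append(f"encrypt_key shorter than {MIN_KEY_LEN} characters")

    # Not a rule in the guide: its defaults are HMAC-SHA and CFB-AES-128.
    if auth == "hmacmd5" or priv == "des":
        result.advisories.append(
            "prefer the guide's defaults hmacsha and aescfb128 over hmacmd5/des")
    return result


if __name__ == "__main__":
    # Constructed commands; the keys are invented sample values.
    for cmd in (
        "config snmp v3user create nmsadmin ro hmacsha aescfb128 Kq7vP2xR9tLm4w Zb3nH8sD1fGj6y",
        "config snmp v3user create default rw hmacmd5 des default default",
        "config snmp v3user create ops ro none aescfb128 x Zb3nH8sD1fGj6y",
    ):
        r = check_v3user_command(cmd)
        print(r.username, "OK" if r.ok else r.findings, r.advisories)
```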
Configuring Aggressive Load Balancing
This section contains the following topics:
• Information About Configuring Aggressive Load Balancing, page 4-44
• Guidelines and Limitations, page 4-45
• Configuring Aggressive Load Balancing, page 4-46
Information About Configuring Aggressive Load Balancing
Enabling aggressive load balancing on the controller allows lightweight access points to load balance
wireless clients across access points. You can enable aggressive load balancing using the controller.
Note
Clients are load balanced between access points on the same controller. Load balancing does not occur
between access points on different controllers.
When a wireless client attempts to associate to a lightweight access point, the access point sends the
client an 802.11 association response that carries status code 17. This code indicates whether the
access point can accept any more associations. If the access point is too busy, the client attempts to
associate to a different access point in the area. The system determines whether an access point is
busier than the neighboring access points that the client can also reach.
For example, if the number of clients on AP1 is more than the number of clients on AP2 plus the
load-balancing window, then AP1 is considered to be busier than AP2. When a client attempts to
associate to AP1, it receives an 802.11 response packet with status code 17, indicating that the access
point is busy, and the client attempts to associate to a different access point.
You can configure the controller to deny client associations up to 10 times (if a client attempted to
associate 11 times, it would be allowed to associate on the 11th try). You can also enable or disable load
balancing on a particular WLAN, which is useful if you want to disable load balancing for a select group
of clients (such as time-sensitive voice clients).
Note
Cisco Aironet 600 OfficeExtend Access Points and FlexConnect access points do not support client load
balancing.
Guidelines and Limitations
• Client Association Limits—The maximum number of client associations that the access points can
support is dependent upon the following factors:
– The maximum number of client associations differs for lightweight and autonomous Cisco IOS
access points.
– There may be a limit per radio and an overall limit per AP.
– AP hardware (the 16-MB APs have a lower limit than the 32-MB and higher APs)
• Client Association Limits for Lightweight Access Points—The Per-AP limits are as follows:
– For 16-MB APs, the limit is 128 clients per AP. This limit is applicable to 1100 and 1200 series
APs.
– For 32-MB and higher APs, there is no per-AP limit.
The per-radio limits are as follows:
– For all Cisco IOS APs, the limit is 200 associations per radio.
– For all 1000 and 1500 series APs, which are not supported beyond release 4.2, the limit is 250
associations per radio.
Note
With 32-MB and higher lightweight Cisco IOS APs, with two radios, up to 200 + 200 = 400
associations are supported.
• Client Association Limits for Autonomous Cisco IOS Access Points—The limit is around 80 to 127
clients per AP. This number varies depending on the following factors:
– AP model (whether it is 16 MB or 32 MB or higher)
– Cisco IOS version
– Hardware configuration (two radios use more memory than one)
– Enabled features (WDS functionality in particular)
The per-radio limit is about 200 associations. One association will likely hit the per-AP limit first.
Note
Unlike Cisco Unified Wireless Network, autonomous Cisco IOS supports per-SSID/per-AP
association limits. This limit is configured using the max-associations CLI, under dot11
SSID. The maximum number is 255 associations (which is also the default number).
Configuring Aggressive Load Balancing
This section contains the following topics:
• Configuring Aggressive Load Balancing (GUI), page 4-46
• Configuring Aggressive Load Balancing (CLI), page 4-47
Configuring Aggressive Load Balancing (GUI)
Step 1
Choose Wireless > Advanced > Load Balancing to open the Load Balancing page.
Figure 4-13 Wireless > Advanced > Load Balancing Page
Step 2
In the Client Window Size text box, enter a value between 1 and 20. The window size becomes part of
the algorithm that determines whether an access point is too heavily loaded to accept more client
associations:
load-balancing window + client associations on AP with highest load = load-balancing threshold
In the group of access points accessible to a client device, each access point has a different number of
client associations. The access point with the lowest number of clients has the lightest load. The client
window size plus the number of clients on the access point with the lightest load forms the threshold.
Access points with more client associations than this threshold are considered busy, and clients can
associate only to access points with client counts lower than the threshold.
Step 3
In the Maximum Denial Count text box, enter a value between 0 and 10. The denial count sets the
maximum number of association denials during load balancing.
Step 4
Click Apply to commit your changes.
Step 5
Click Save Configuration to save your changes.
Step 6
To enable or disable aggressive load balancing on specific WLANs, choose WLANs > WLAN ID. The
WLANs > Edit page appears.
Step 7
Click the Advanced tab.
Step 8
Click Apply to commit your changes.
Step 9
Click Save Configuration to save your settings.
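The threshold rule from the Client Window Size step and the denial behaviour from the Maximum Denial Count step, worked through as an added Python example; this is not code from the guide or from the controller software. AP names, client counts and the client MAC are constructed input, and the per-client denial counter is an assumption about bookkeeping: the guide only describes the observable result (status code 17 until the maximum denial count is reached, then acceptance on the next attempt). The example goes slightly beyond the text by evaluating a whole set of candidate access points at once.

```python
"""Model of the aggressive load-balancing decision described in the guide."""
from dataclasses import dataclass, field

STATUS_SUCCESS = 0
STATUS_AP_BUSY = 17   # 802.11 association status code the guide says a busy AP returns


def load_balancing_threshold(ap_clients: dict, window: int) -> int:
    """Threshold = client window size + client count on the least-loaded AP
    among those the client can reach (ap_clients maps AP name -> client count)."""
    return window + min(ap_clients.values())


def busy_access_points(ap_clients: dict, window: int) -> list:
    """APs with more associations than the threshold are considered busy."""
    threshold = load_balancing_threshold(ap_clients, window)
    return sorted(ap for ap, count in ap_clients.items() if count > threshold)


@dataclass
class LoadBalancer:
    window: int        # Client Window Size: 1-20 in the GUI, 0-20 in the CLI
    max_denials: int   # Maximum Denial Count: 0-10 in the GUI, 1-10 in the CLI
    # Per-client count of consecutive denials (assumed bookkeeping; the guide
    # states only the resulting behaviour).
    denials: dict = field(default_factory=dict)

    def __post_init__(self):
        if not 0 <= self.window <= 20:
            raise ValueError("client window size must be 0-20")
        if not 0 <= self.max_denials <= 10:
            raise ValueError("maximum denial count must be 0-10")

    def association_response(self, client_mac: str, target_ap: str,
                             ap_clients: dict) -> int:
        """Status code sent to a client that tries to associate to target_ap."""
        if target_ap not in busy_access_points(ap_clients, self.window):
            self.denials.pop(client_mac, None)
            return STATUS_SUCCESS
        denied_so_far = self.denials.get(client_mac, 0)
        if denied_so_far >= self.max_denials:
            # Already denied max_denials times: the next attempt is accepted even
            # though the AP is busy (with 10, the client gets in on the 11th try).
            self.denials.pop(client_mac, None)
            return STATUS_SUCCESS
        self.denials[client_mac] = denied_so_far + 1
        return STATUS_AP_BUSY


def demo() -> list:
    """Constructed scenario: three reachable APs, window 5, at most 3 denials.
    A client that keeps retrying the busy AP1 is refused three times, then admitted."""
    ap_clients = {"AP1": 12, "AP2": 5, "AP3": 7}   # threshold = 5 + 5 = 10, so AP1 is busy
    lb = LoadBalancer(window=5, max_denials=3)
    client = "00:11:22:33:44:55"                   # constructed client MAC
    return [lb.association_response(client, "AP1", ap_clients) for _ in range(4)]


if __name__ == "__main__":
    print(busy_access_points({"AP1": 12, "AP2": 5, "AP3": 7}, 5))  # ['AP1']
    print(demo())                                                # [17, 17, 17, 0]
```

A client that follows the hint and tries AP2 or AP3 instead is accepted immediately, which is the behaviour the text describes; the denial counter only matters for clients that insist on the busy access point.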
Configuring Aggressive Load Balancing (CLI)
Step 1
Set the client window for aggressive load balancing by entering this command:
config load-balancing window client_count
You can enter a value between 0 and 20 for the client_count parameter.
Step 2
Set the denial count for load balancing by entering this command:
config load-balancing denial denial_count
You can enter a value between 1 and 10 for the denial_count parameter.
Step 3
Save your changes by entering this command:
save config
Step 4
Enable or disable aggressive load balancing on specific WLANs by entering this command:
config wlan load-balance allow {enable | disable} wlan_ID
You can enter a value between 1 and 512 for the wlan_ID parameter.
Step 5
Verify your settings by entering this command:
show load-balancing
Information similar to the following appears:
Aggressive Load Balancing........................ Enabled
Aggressive Load Balancing Window................. 1 clients
Aggressive Load Balancing Denial Count........... 3
Statistics
Total Denied Count............................... 5 clients
Total Denial Sent................................ 10 messages
Exceeded Denial Max Limit Count.................. 0 times
None 5G Candidate Count.......................... 0 times
None 2.4G Candidate Count........................ 0 times
Step 6
Save your changes by entering this command:
save config
Configuring Band Selection
This section contains the following topics:
• Information About Configuring Band Selection, page 4-48
• Guidelines and Limitations, page 4-48
• Configuring Band Selection, page 4-48
Information About Configuring Band Selection
Band selection enables client radios that are capable of dual-band (2.4- and 5-GHz) operation to move
to a less congested 5-GHz access point. The 2.4-GHz band is often congested. Clients on this band
typically experience interference from Bluetooth devices, microwave ovens, and cordless phones as well
as co-channel interference from other access points because of the 802.11b/g limit of three
nonoverlapping channels. To combat these sources of interference and improve overall network
performance, you can configure band selection on the controller.
Band selection works by regulating probe responses to clients. It makes 5-GHz channels more attractive
to clients by delaying probe responses to clients on 2.4-GHz channels.
Guidelines and Limitations
• Band selection is enabled globally by default.
• Band-selection enabled WLANs do not support time-sensitive applications like voice and video
because of roaming delays.
• Band selection can be used only with Cisco Aironet 1040, 1140, 1250, 1260, 3500, and the 3600
series access points.
• Band selection operates only on access points that are connected to a controller. A FlexConnect
access point without a controller connection does not perform band selection after a reboot.
Note
OEAP 600 Series access points do not support band select.
• The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz
radio of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz
radios are up and running.
• You can enable both band selection and aggressive load balancing on the controller. They run
independently and do not impact one another.
Configuring Band Selection
This section contains the following topics:
• Configuring Band Selection (GUI), page 4-49
• Configuring Band Selection (CLI), page 4-50
Configuring Band Selection (GUI)
Step 1
Choose Wireless > Advanced > Band Select to open the Band Select page.
Figure 4-14
Wireless > Advanced > Band Select Page
Step 2
In the Probe Cycle Count text box, enter a value between 1 and 10. The cycle count sets the number of
suppression cycles for a new client. The default cycle count is 2.
Step 3
In the Scan Cycle Period Threshold (milliseconds) text box, enter a value between 1 and 1000
milliseconds for the scan cycle period threshold. This setting determines the time threshold during which
new probe requests from a client come from a new scanning cycle. The default cycle threshold is 200
milliseconds.
Step 4
In the Age Out Suppression (seconds) text box, enter a value between 10 and 200 seconds. Age-out
suppression sets the expiration time for pruning previously known 802.11b/g clients. The default value
is 20 seconds. After this time elapses, clients become new and are subject to probe response suppression.
Step 5
In the Age Out Dual Band (seconds) text box, enter a value between 10 and 300 seconds. The age-out
period sets the expiration time for pruning previously known dual-band clients. The default value is 60
seconds. After this time elapses, clients become new and are subject to probe response suppression.
Step 6
In the Acceptable Client RSSI (dBm) text box, enter a value between –20 and –90 dBm. This parameter
sets the minimum RSSI for a client to respond to a probe. The default value is –80 dBm.
Step 7
Click Apply to commit your changes.
Step 8
Click Save Configuration to save your changes.
Step 9
To enable or disable aggressive load balancing on specific WLANs, choose WLANs > WLAN ID. The
WLANs > Edit page appears.
Step 10
Click the Advanced tab.
Step 11
Click Save Configuration to save your changes.
Configuring Band Selection (CLI)
Step 1
Set the probe cycle count for band select by entering this command:
config band-select cycle-count cycle_count
You can enter a value between 1 and 10 for the cycle_count parameter.
Step 2
Set the time threshold for a new scanning cycle period by entering this command:
config band-select cycle-threshold milliseconds
You can enter a value between 1 and 1000 for the milliseconds parameter.
Step 3
Set the suppression expiration time for band select by entering this command:
config band-select expire suppression seconds
You can enter a value between 10 and 200 for the seconds parameter.
Step 4
Set the dual-band expiration time by entering this command:
config band-select expire dual-band seconds
You can enter a value between 10 and 300 for the seconds parameter.
Step 5
Set the client RSSI threshold by entering this command:
config band-select client-rssi client_rssi
You can enter a value between 20 and 90 for the client_rssi parameter; this is the minimum client RSSI
(in dBm) required for the access point to respond to a probe.
Step 6
Enter the save config command to save your changes.
Step 7
Enable or disable band selection on specific WLANs by entering this command:
config wlan band-select allow {enable | disable} wlan_ID
You can enter a value between 1 and 512 for the wlan_ID parameter.
Step 8
Verify your settings by entering this command:
show band-select
Information similar to the following appears:
Band Select Probe Response....................... Enabled
  Cycle Count................................... 3 cycles
  Cycle Threshold............................... 300 milliseconds
  Age Out Suppression........................... 20 seconds
  Age Out Dual Band............................. 20 seconds
  Client RSSI................................... -30 dBm
Step 9
Save your changes by entering this command:
save config
Configuring Fast SSID Changing
This section contains the following topics:
• Information About Configuring Fast SSID Changing, page 4-51
• Configuring Fast SSID, page 4-51
Information About Configuring Fast SSID Changing
When fast SSID changing is enabled, the controller allows clients to move between SSIDs. When the
client sends a new association for a different SSID, the client entry in the controller connection table is
cleared before the client is added to the new SSID. When fast SSID changing is disabled, the controller
enforces a delay before clients are allowed to move to a new SSID.
Configuring Fast SSID
This section contains the following topics:
• Configuring Fast SSID Changing (GUI), page 4-51
• Configuring Fast SSID Changing (CLI), page 4-51
Configuring Fast SSID Changing (GUI)
Step 1
Choose Controller to open the General page.
Step 2
From the Fast SSID Change drop-down list, choose Enabled to enable this feature or Disabled to disable
it. The default value is disabled.
Step 3
Click Apply to commit your changes.
Step 4
Click Save Configuration to save your changes.
Configuring Fast SSID Changing (CLI)
Step 1
Enable or disable fast SSID changing by entering this command:
config network fast-ssid-change {enable | disable}
Step 2
Enter the save config command to save your settings.
Enabling 802.3X Flow Control
802.3X Flow Control is disabled by default. To enable it, enter the config switchconfig flowcontrol
enable command.
Configuring 802.3 Bridging
This section contains the following topics:
• Information About Configuring 802.3 Bridging, page 4-52
• Guidelines and Limitations, page 4-52
• Configuring 802.3 Bridging, page 4-52
Information About Configuring 802.3 Bridging
The controller supports 802.3 frames and the applications that use them, such as those typically used for
cash registers and cash register servers. However, to make these applications work with the controller,
the 802.3 frames must be bridged on the controller.
Guidelines and Limitations
• Support for raw 802.3 frames allows the controller to bridge non-IP frames for applications not
running over IP. Only this raw 802.3 frame format is currently supported:
+-------------------+---------------------+-----------------+------------------------+
| Destination       | Source              | Total packet    | Payload .....          |
| MAC address       | MAC address         | length          |                        |
+-------------------+---------------------+-----------------+------------------------+
• You can configure 802.3 bridging through the controller GUI in software release 4.1 or later releases
and through the controller CLI in software release 4.0 or later releases.
• In controller software release 5.2 or later releases, the software-based forwarding architecture for
2100-series-based controllers is being replaced with a new forwarding plane architecture. As a
result, Cisco 2100 Series Controller and the Cisco Wireless LAN Controller Network Module for
Cisco Integrated Services Routers (as well as Cisco 5500 Series Controllers) bridge 802.3 packets
by default. Therefore, 802.3 bridging can now be disabled only on 4400 series controllers, the Cisco
WiSM, and the Catalyst 3750G Wireless LAN Controller Switch.
• By default, Cisco 2100 Series Controllers that run software release 5.2 or later releases and Cisco
5500 Series Controllers bridge all non-IPv4 packets (such as AppleTalk, and so on). If desired, you
can use ACLs to block the bridging of these protocols.
• You can also configure 802.3 bridging using the Cisco Wireless Control System (WCS). See the
Cisco Wireless Control System Configuration Guide for instructions.
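To make the frame format above concrete, here is an added Python example, not code from the guide or the controller, that decodes that header (destination MAC, source MAC, total packet length, payload) and tells a raw 802.3 frame, which the controller has to bridge, apart from an Ethernet II frame that carries an EtherType. The 1500/1536 boundary used to interpret the length/type field is the IEEE 802.3 rule and is not stated on this page; the MAC addresses and payloads are constructed.

```python
"""Classify Ethernet frames into raw 802.3 (needs bridging) and Ethernet II."""
import struct

MAX_LENGTH_FIELD = 1500    # IEEE 802.3: values <= 1500 are payload lengths (raw 802.3)
MIN_ETHERTYPE = 0x0600     # values >= 1536 are EtherTypes (Ethernet II)
ETHERTYPE_IPV4 = 0x0800


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Decode the 14-byte header and say whether the controller must bridge the frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, length_or_type = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    info = {"dst": _mac(dst), "src": _mac(src), "payload_len": len(payload)}
    if length_or_type <= MAX_LENGTH_FIELD:
        # Raw 802.3: the field is the "total packet length" of the payload. A frame
        # may be padded to the minimum size, so the payload can be longer than the field.
        info.update(kind="raw_802_3", length=length_or_type,
                    length_ok=length_or_type <= len(payload),
                    needs_802_3_bridging=True)
    elif length_or_type >= MIN_ETHERTYPE:
        # Ethernet II: IPv4 is forwarded normally; other EtherTypes (AppleTalk, ARP, ...)
        # are the non-IPv4 traffic the guidelines mention, but not raw 802.3.
        kind = "ipv4" if length_or_type == ETHERTYPE_IPV4 else "ethernet_ii_non_ipv4"
        info.update(kind=kind, ethertype=length_or_type, needs_802_3_bridging=False)
    else:
        # 1501-1535 is undefined by the standard; treat as malformed.
        info.update(kind="invalid", length_or_type=length_or_type,
                    needs_802_3_bridging=False)
    return info


def build_frame(dst: str, src: str, length_or_type: int, payload: bytes) -> bytes:
    """Construct a sample frame for the demonstration."""
    def to_raw(mac: str) -> bytes:
        return bytes(int(octet, 16) for octet in mac.split(":"))
    return struct.pack("!6s6sH", to_raw(dst), to_raw(src), length_or_type) + payload


# Constructed sample frames (addresses and payloads are made up)
RAW_8023 = build_frame("01:00:5e:00:00:01", "00:11:22:33:44:55", 4, b"\xaa\xbb\xcc\xdd")
IPV4 = build_frame("00:11:22:33:44:66", "00:11:22:33:44:55", ETHERTYPE_IPV4,
                   b"\x45" + b"\x00" * 19)
ARP = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00" * 28)


def frames_needing_bridging(frames) -> list:
    """(dst, src) pairs of the frames the controller must bridge as raw 802.3."""
    return [(f["dst"], f["src"]) for f in map(parse_frame, frames)
            if f["needs_802_3_bridging"]]


if __name__ == "__main__":
    for name, frame in (("raw 802.3", RAW_8023), ("IPv4", IPV4), ("ARP", ARP)):
        print(name, parse_frame(frame))
```

Running the same classifier over a capture taken on the controller's wired side shows whether an application that "does not work through the controller" is actually sending raw 802.3 frames (bridging required) or just non-IPv4 Ethernet II traffic (bridged by default on 2100 and 5500 series, or blocked by an ACL).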
Configuring 802.3 Bridging
This section contains the following topics:
• Configuring 802.3 Bridging (GUI), page 4-52
• Configuring 802.3 Bridging (CLI), page 4-53
Configuring 802.3 Bridging (GUI)
Step 1
Choose Controller > General to open the General page.
Figure 4-15 General Page
Step 2
From the 802.3 Bridging drop-down list, choose Enabled to enable 802.3 bridging on your controller or
Disabled to disable this feature. The default value is Disabled.
Note
In controller software release 5.2 or later releases, you can disable 802.3 bridging only for 4400
series controllers, the Cisco WiSM, and the Catalyst 3750G Wireless LAN Controller Switch.
Step 3
Click Apply to commit your changes.
Step 4
Click Save Configuration to save your changes.
Configuring 802.3 Bridging (CLI)
Step 1
See the current status of 802.3 bridging for all WLANs by entering this command:
show network
Step 2
Enable or disable 802.3 bridging globally on all WLANs by entering this command:
config network 802.3-bridging {enable | disable}
The default value is disabled.
Note
In controller software release 5.2 or later releases, you can disable 802.3 bridging only for 4400
series controllers, the Cisco WiSM, and the Catalyst 3750G Wireless LAN Controller Switch.
Step 3
Enter the save config command to save your settings.
Configuring Multicast Mode
This section contains the following topics:
• Information About Configuring Multicast Mode, page 4-54
• Guidelines and Limitations, page 4-55
• Configuring Multicast Mode, page 4-56
Information About Configuring Multicast Mode
If your network supports packet multicasting, you can configure the multicast method that the controller
uses. The controller performs multicasting in two modes:
• Unicast mode—In this mode, the controller unicasts every multicast packet to every access point
associated to the controller. This mode is inefficient but might be required on networks that do not
support multicasting.
• Multicast mode—In this mode, the controller sends multicast packets to a CAPWAP multicast
group. This method reduces overhead on the controller processor and shifts the work of packet
replication to your network, which is much more efficient than the unicast method.
When you enable multicast mode and the controller receives a multicast packet from the wired LAN, the
controller encapsulates the packet using CAPWAP and forwards the packet to the CAPWAP multicast
group address. The controller always uses the management interface for sending multicast packets.
Access points in the multicast group receive the packet and forward it to all the BSSIDs mapped to the
interface on which clients receive multicast traffic. From the access point perspective, the multicast
appears to be a broadcast to all SSIDs.
The controller supports Multicast Listener Discovery (MLD) v1 snooping for IPv6 multicast. This
feature keeps track of and delivers IPv6 multicast flows to the clients that request them. To support IPv6
multicast, you must enable Global Multicast Mode.
In controller software release 4.2 or later releases, Internet Group Management Protocol (IGMP)
snooping is introduced to better direct multicast packets. When this feature is enabled, the controller
gathers IGMP reports from the clients, processes them, creates unique multicast group IDs (MGIDs)
from the IGMP reports after selecting the Layer 3 multicast address and the VLAN number, and sends
the IGMP reports to the infrastructure switch. The controller sends these reports with the source address
as the interface address on which it received the reports from the clients. The controller then updates the
access point MGID table on the access point with the client MAC address. When the controller receives
multicast traffic for a particular multicast group, it forwards it to all the access points, but only those
access points that have active clients listening or subscribed to that multicast group send multicast traffic
on that particular WLAN. IP packets are forwarded with an MGID that is unique for an ingress VLAN
and the destination multicast group. Layer 2 multicast packets are forwarded with an MGID that is
unique for the ingress interface.
When IGMP snooping is disabled, the following is true:
• The controller always uses Layer 2 MGID when it sends multicast data to the access point. Every
interface created is assigned one Layer 2 MGID. For example, the management interface has an
MGID of 0, and the first dynamic interface created is assigned an MGID of 8, which increments as
each dynamic interface is created.
• The IGMP packets from clients are forwarded to the router. As a result, the router IGMP table is
updated with the IP address of the clients as the last reporter.
When IGMP snooping is enabled, the following is true:
• The controller always uses Layer 3 MGID for all Layer 3 multicast traffic sent to the access point.
For all Layer 2 multicast traffic, it continues to use Layer 2 MGID.
• IGMP report packets from wireless clients are consumed or absorbed by the controller, which
generates a query for the clients. After the router sends the IGMP query, the controller sends the
IGMP reports with its interface IP address as the listener IP address for the multicast group. As a
result, the router IGMP table is updated with the controller IP address as the multicast listener.
• When the client that is listening to the multicast groups roams from one controller to another, the
first controller transmits all the multicast group information for the listening client to the second
controller. As a result, the second controller can immediately create the multicast group information
for the client. The second controller sends the IGMP reports to the network for all multicast groups
to which the client was listening. This process aids in the seamless transfer of multicast data to the
client.
• If the listening client roams to a controller in a different subnet, the multicast packets are tunneled
to the anchor controller of the client to avoid the reverse path filtering (RPF) check. The anchor then
forwards the multicast packets to the infrastructure switch.
Note
The MGIDs are controller specific. The same multicast group packets coming from the same VLAN in
two different controllers may be mapped to two different MGIDs.
Note
If Layer 2 multicast is enabled, a single MGID is assigned to all the multicast addresses coming from an
interface.
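The MGID numbering and IGMP snooping behaviour described above, modelled as an added Python example that is not controller code. It reproduces the numbering the text gives (Layer 2 MGID 0 for the management interface, dynamic interfaces from 8 upward, Layer 3 MGIDs unique per ingress VLAN and group in the 550-4095 range shown in the CLI section) and the IGMP timeout rule from the configuration steps (three queries per timeout, clients that do not report are pruned, an empty group is deleted one timeout later). Interface names, client MACs, timestamps and the internal data layout are constructed or assumed; the guide describes only the observable behaviour.

```python
"""Simplified model of the controller MGID table and IGMP snooping timeouts."""
from dataclasses import dataclass, field

MANAGEMENT_L2_MGID = 0
FIRST_DYNAMIC_L2_MGID = 8
L3_MGID_FIRST, L3_MGID_LAST = 550, 4095


@dataclass
class Group:
    mgid: int
    vlan: int
    address: str
    clients: dict = field(default_factory=dict)   # client MAC -> expiry time (seconds)
    empty_since: float = None                     # when the last client was pruned


class MgidTable:
    def __init__(self, igmp_timeout_s: int = 60):
        if not 30 <= igmp_timeout_s <= 7200:      # range given in the IGMP Timeout step
            raise ValueError("IGMP timeout must be 30-7200 seconds")
        self.timeout = igmp_timeout_s
        self.l2 = {"management": MANAGEMENT_L2_MGID}
        self._next_l2 = FIRST_DYNAMIC_L2_MGID
        self.l3 = {}                              # (vlan, group address) -> Group
        self._next_l3 = L3_MGID_FIRST

    def query_interval(self) -> float:
        """Three general queries per timeout, i.e. one every timeout/3 seconds."""
        return self.timeout / 3

    def add_interface(self, name: str) -> int:
        """Each dynamic interface gets the next Layer 2 MGID (8, 9, ...)."""
        if name not in self.l2:
            self.l2[name] = self._next_l2
            self._next_l2 += 1
        return self.l2[name]

    def igmp_report(self, client_mac: str, vlan: int, group: str, now: float) -> int:
        """Record a client report; a Layer 3 MGID is unique per (VLAN, group)."""
        key = (vlan, group)
        if key not in self.l3:
            if self._next_l3 > L3_MGID_LAST:
                raise RuntimeError("Layer 3 MGID space exhausted")
            self.l3[key] = Group(self._next_l3, vlan, group)
            self._next_l3 += 1
        g = self.l3[key]
        g.clients[client_mac] = now + self.timeout
        g.empty_since = None
        return g.mgid

    def expire(self, now: float) -> list:
        """Prune clients that missed the timeout; delete groups empty for a timeout."""
        deleted = []
        for key, g in list(self.l3.items()):
            for mac, expiry in list(g.clients.items()):
                if expiry <= now:
                    del g.clients[mac]
            if not g.clients and g.empty_since is None:
                g.empty_since = now
            if not g.clients and now - g.empty_since >= self.timeout:
                deleted.append(g.mgid)
                del self.l3[key]
        return deleted

    def receivers(self, vlan: int, group: str) -> set:
        """Client MACs currently subscribed to the group (empty set if none)."""
        g = self.l3.get((vlan, group))
        return set(g.clients) if g else set()

    def forwarding_mgid(self, interface: str, vlan: int, group: str,
                        igmp_snooping: bool) -> int:
        """Snooping disabled: always the ingress interface's Layer 2 MGID. Snooping
        enabled: the Layer 3 MGID of (VLAN, group). Falling back to the Layer 2 MGID
        when no client has reported the group is an assumption of this model."""
        g = self.l3.get((vlan, group)) if igmp_snooping else None
        return g.mgid if g else self.l2[interface]


def demo() -> dict:
    """Constructed scenario using the group and MGID values shown in the CLI section."""
    t = MgidTable(igmp_timeout_s=60)
    t.add_interface("wired")                                                # MGID 8
    t.add_interface("test")                                                 # MGID 9
    m1 = t.igmp_report("00:13:02:23:82:ad", 0, "239.255.255.250", now=0)    # 550
    m2 = t.igmp_report("00:13:02:23:82:ad", 20, "239.255.255.250", now=0)   # 551: other VLAN
    t.igmp_report("00:aa:bb:cc:dd:ee", 0, "239.255.255.250", now=30)
    t.expire(now=65)               # first client (expiry 60) pruned, second stays
    still = t.receivers(0, "239.255.255.250")
    t.expire(now=95)               # second client pruned; VLAN 20 group empty since 65
    deleted = t.expire(now=125)    # VLAN 20 group deleted one timeout after emptying
    return {"l2": dict(t.l2), "mgids": (m1, m2), "after_65": still, "deleted_at_125": deleted}
```

The two notes above follow from the model: MGIDs are allocated per controller, so another controller seeing the same group on the same VLAN may hand out a different number, and with Layer 2 multicast a whole interface shares one Layer 2 MGID regardless of group address.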
Guidelines and Limitations
• The Cisco Unified Wireless Network solution uses some IP address ranges for specific purposes,
and you should keep these ranges in mind when configuring a multicast group:
– 224.0.0.0 through 224.0.0.255—Reserved link local addresses
– 224.0.1.0 through 238.255.255.255—Globally scoped addresses
– 239.0.0.0 through 239.255.x.y /16—Limited scope addresses
• When you enable multicast mode on the controller, you also must configure a CAPWAP multicast
group address. Access points subscribe to the CAPWAP multicast group using IGMP.
• Cisco 1100, 1130, 1200, 1230, and 1240 access points use IGMP versions 1, 2, and 3.
• Access points in monitor mode, sniffer mode, or rogue detector mode do not join the CAPWAP
multicast group address.
• The CAPWAP multicast group configured on the controllers should be different for different
controllers.
• Multicast mode does not operate across intersubnet mobility events such as guest tunneling. It does,
however, operate with interface overrides using RADIUS (but only when IGMP snooping is
enabled) and with site-specific VLANs (access point group VLANs).
• For LWAPP, the controller drops multicast packets sent to UDP control port 12223. For CAPWAP,
the controller drops multicast packets sent to UDP control and data ports 5246 and 5247,
respectively. Therefore, you may want to consider not using these port numbers with the multicast
applications on your network.
• We recommend that any multicast applications on your network not use the multicast address
configured as the CAPWAP multicast group address on the controller.
• Cisco 2100 Series Controllers do not support multicast-unicast mode. They do, however, support
multicast-multicast mode, except when access points are connected directly to the local port of a
2100 series controller.
• For multicast to work on 2500 series controllers, you have to configure the multicast IP address.
• Multicast mode is not supported on Cisco Flex 7500 Series Controllers.
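A pre-deployment check for the address and port guidelines above, as an added Python example that is not part of the guide or the controller. It classifies an address into the three ranges the guidelines list and flags the situations they warn about: a CAPWAP group reused on more than one controller, an application using the CAPWAP group address, and application traffic on the LWAPP/CAPWAP UDP ports the controller drops. Controller names and application flows are constructed input; treating a link-local group address as a finding is this example's reading of the "reserved" label.

```python
"""Sanity checks for CAPWAP multicast group planning."""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")     # 224.0.0.0-224.0.0.255, reserved
GLOBAL_LAST = ipaddress.ip_address("238.255.255.255") # 224.0.1.0-238.255.255.255 is globally scoped
# everything above that (239.0.0.0/8) is limited scope
DROPPED_UDP_PORTS = {12223: "LWAPP control", 5246: "CAPWAP control", 5247: "CAPWAP data"}


def classify_multicast(address: str) -> str:
    """Return the range name the guidelines use for an IPv4 multicast address."""
    ip = ipaddress.ip_address(address)
    if ip.version != 4 or not ip.is_multicast:
        raise ValueError(f"{address} is not an IPv4 multicast address")
    if ip in LINK_LOCAL:
        return "reserved-link-local"
    if ip <= GLOBAL_LAST:
        return "globally-scoped"
    return "limited-scope"


def check_capwap_groups(capwap_groups: dict, app_flows: list) -> list:
    """capwap_groups: controller name -> configured CAPWAP multicast group address.
    app_flows: (group address, UDP port) pairs used by multicast applications.
    Returns human-readable findings; an empty list means no conflict was found."""
    findings = []
    seen = {}
    for ctrl, group in capwap_groups.items():
        if classify_multicast(group) == "reserved-link-local":
            findings.append(f"{ctrl}: CAPWAP group {group} lies in the reserved link-local range")
        if group in seen:
            findings.append(f"{ctrl} and {seen[group]} share CAPWAP group {group}; "
                            "each controller should use a different group")
        seen.setdefault(group, ctrl)
    in_use = set(capwap_groups.values())
    for group, port in app_flows:
        if group in in_use:
            findings.append(f"application group {group} is also a CAPWAP group address")
        if port in DROPPED_UDP_PORTS:
            findings.append(f"application group {group} uses UDP port {port} "
                            f"({DROPPED_UDP_PORTS[port]}); the controller drops such packets")
    return findings


if __name__ == "__main__":
    # Constructed deployment: two controllers with a copied config and two application flows
    groups = {"wlc-a": "239.1.1.1", "wlc-b": "239.1.1.1"}
    flows = [("239.1.1.1", 5000), ("239.2.2.2", 5247)]
    for line in check_capwap_groups(groups, flows):
        print(line)
```

Feeding the check the CAPWAP group of every controller in a mobility group, together with the group/port pairs of the multicast applications in use, catches the copy-and-paste duplication and port collisions before they show up as silently missing multicast traffic.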
Configuring Multicast Mode
This section contains the following topics:
• Enabling Multicast Mode (GUI), page 4-56
• Enabling Multicast Mode (CLI), page 4-57
• Viewing Multicast Groups (GUI), page 4-58
• Viewing Multicast Groups (CLI), page 4-58
• Viewing an Access Point’s Multicast Client Table (CLI), page 4-59
Enabling Multicast Mode (GUI)
Step 1
Choose Controller > Multicast to open the Multicast page.
Figure 4-16 Multicast Page
Step 2
Select the Enable Global Multicast Mode check box to configure sending multicast packets. The
default value is disabled.
Note
FlexConnect supports unicast mode only.
Step 3
If you want to enable IGMP snooping, select the Enable IGMP Snooping check box. If you want to
disable IGMP snooping, leave the check box unselected. The default value is disabled.
Step 4
To set the IGMP timeout, enter a value between 30 and 7200 seconds in the IGMP Timeout text box. The
controller sends three queries in one timeout value at an interval of timeout/3 to see if any clients exist
for a particular multicast group. If the controller does not receive a response through an IGMP report
from the client, the controller times out the client entry from the MGID table. When no clients are left
for a particular multicast group, the controller waits for the IGMP timeout value to expire and then
deletes the MGID entry from the controller. The controller always generates a general IGMP query (that
is, to destination address 224.0.0.1) and sends it on all WLANs with an MGID value of 1.
Step 5
Enter the IGMP Query Interval (seconds).
Step 6
Select the Enable MLD Snooping check box to support IPv6 forwarding decisions.
Note
To enable MLD Snooping, you must enable Global Multicast Mode of the controller.
Step 7
In the MLD Timeout text box, enter a value between 30 and 7200 seconds to set the MLD timeout.
Step 8
Enter the MLD Query Interval (seconds). The range is from 15 to 2400 seconds.
Step 9
Click Apply to commit your changes.
Step 10
Click Save Configuration to save your changes.
Enabling Multicast Mode (CLI)
Step 1
Enable or disable multicasting on the controller by entering this command:
config network multicast global {enable | disable}
The default value is disabled.
Note
The config network broadcast {enable | disable} command allows you to enable or disable
broadcasting without enabling or disabling multicasting as well. This command uses the
multicast mode currently on the controller to operate.
Step 2
Perform either of the following:
a. Configure the controller to use the unicast method to send multicast packets by entering this
command:
config network multicast mode unicast
b. Configure the controller to use the multicast method to send multicast packets to a CAPWAP
multicast group by entering this command:
config network multicast mode multicast multicast_group_ip_address
Step 3
Enable or disable IGMP snooping by entering this command:
config network multicast igmp snooping {enable | disable}
The default value is disabled.
Step 4
Set the IGMP timeout value by entering this command:
config network multicast igmp timeout timeout
You can enter a timeout value between 30 and 7200 seconds. The controller sends three queries in one
timeout value at an interval of timeout/3 to see if any clients exist for a particular multicast group. If the
controller does not receive a response through an IGMP report from the client, the controller times out
the client entry from the MGID table. When no clients are left for a particular multicast group, the
controller waits for the IGMP timeout value to expire and then deletes the MGID entry from the
controller. The controller always generates a general IGMP query (that is, to destination address
224.0.0.1) and sends it on all WLANs with an MGID value of 1.
Step 5
Enable or disable MLD Snooping by entering this command:
config network multicast mld snooping {enable | disable}
The default value is disabled.
Note
To enable MLD Snooping, you must enable Global Multicast Mode of the controller.
Step 6
Set the MLD timeout value by entering this command:
config network multicast mld timeout timeout
You can enter a timeout value between 30 and 7200 seconds.
Step 7
Configure the Layer 2 multicast on an interface or all interfaces by entering this command:
config network multicast l2mcast {enable | disable} {all | interface-name}
Step 8
Enter the save config command to save your settings.
Viewing Multicast Groups (GUI)
Step 1
Choose Monitor > Multicast. The Multicast Groups page appears.
Figure 4-17
Multicast Groups Page
This page shows all the multicast groups and their corresponding MGIDs.
Step 2
Click the link for a specific MGID (such as MGID 550) to see a list of all the clients joined to the
multicast group in that particular MGID.
Viewing Multicast Groups (CLI)
• See all the multicast groups and their corresponding MGIDs by entering this command:
show network multicast mgid summary
Information similar to the following appears:
Layer2 MGID Mapping:
-------------------
InterfaceName                    vlanId   MGID
-------------------------------- ------   ----
management                       0        0
test                             0        9
wired                            20       8

Layer3 MGID Mapping:
-------------------
Number of Layer3 MGIDs........................... 1
Group address                    Vlan   MGID
---------------                  ----   ----
239.255.255.250                  0      550
• See all the clients joined to the multicast group in a specific MGID by entering this command:
show network multicast mgid detail mgid_value
where the mgid_value parameter is a number between 550 and 4095.
Information similar to the following appears:
Mgid........................................ 550
Multicast Group Address..................... 239.255.255.250
Vlan........................................ 0
Rx Packet Count............................. 807399588
No of clients............................... 1
Client List.................................
        Client MAC              Expire Time (mm:ss)
        00:13:02:23:82:ad       0:20
Viewing an Access Point’s Multicast Client Table (CLI)
Step 1
Initiate a remote debug of the access point by entering this command:
debug ap enable Cisco_AP
Step 2
See all of the MGIDs on the access point and the number of clients per WLAN by entering this
command:
debug ap command "show capwap mcast mgid all" Cisco_AP
Step 3
See all of the clients per MGID on the access point and the number of clients per WLAN by entering this
command:
debug ap command “show capwap mcast mgid id mgid_value” Cisco_AP
Configuring Client Roaming
This section contains the following topics:
• Information About Client Roaming, page 4-60
• Guidelines and Limitations, page 4-62
• Configuring CCX Client Roaming Parameters, page 4-62
Information About Client Roaming
The Cisco UWN Solution supports seamless client roaming across lightweight access points managed
by the same controller, between controllers in the same mobility group on the same subnet, and across
controllers in the same mobility group on different subnets. Also, in controller software release 4.1 or
later releases, client roaming with multicast packets is supported.
You can adjust the default RF settings (RSSI, hysteresis, scan threshold, and transition time) to fine-tune
the operation of client roaming using the controller GUI or CLI.
This section contains the following topics:
• Intra-Controller Roaming, page 4-60
• Inter-Controller Roaming, page 4-60
• Inter-Subnet Roaming, page 4-60
• Voice-over-IP Telephone Roaming, page 4-60
• CCX Layer 2 Client Roaming, page 4-61
Intra-Controller Roaming
Each controller supports same-controller client roaming across access points managed by the same
controller. This roaming is transparent to the client as the session is sustained, and the client continues
using the same DHCP-assigned or client-assigned IP address. The controller provides DHCP
functionality with a relay function. Same-controller roaming is supported in single-controller
deployments and in multiple-controller deployments.
Inter-Controller Roaming
Multiple-controller deployments support client roaming across access points managed by controllers in
the same mobility group and on the same subnet. This roaming is also transparent to the client because
the session is sustained and a tunnel between controllers allows the client to continue using the same
DHCP- or client-assigned IP address as long as the session remains active. The tunnel is torn down, and
the client must reauthenticate when the client sends a DHCP Discover with a 0.0.0.0 client IP address or
a 169.254.*.* client auto-IP address or when the operator-set session timeout is exceeded.
Inter-Subnet Roaming
Multiple-controller deployments support client roaming across access points managed by controllers in
the same mobility group on different subnets. This roaming is transparent to the client because the
session is sustained and a tunnel between the controllers allows the client to continue using the same
DHCP-assigned or client-assigned IP address as long as the session remains active. The tunnel is torn
down, and the client must reauthenticate when the client sends a DHCP Discover with a 0.0.0.0 client IP
address or a 169.254.*.* client auto-IP address or when the operator-set user timeout is exceeded.
Voice-over-IP Telephone Roaming
802.11 voice-over-IP (VoIP) telephones actively seek out associations with the strongest RF signal to
ensure the best quality of service (QoS) and the maximum throughput. The minimum VoIP telephone
requirement of 20-millisecond or shorter latency time for the roaming handover is easily met by the
Cisco UWN Solution, which has an average handover latency of 5 or fewer milliseconds when open
authentication is used. This short latency period is controlled by controllers rather than allowing
independent access points to negotiate roaming handovers.
The Cisco UWN Solution supports 802.11 VoIP telephone roaming across lightweight access points
managed by controllers on different subnets, as long as the controllers are in the same mobility group.
This roaming is transparent to the VoIP telephone because the session is sustained and a tunnel between
controllers allows the VoIP telephone to continue using the same DHCP-assigned IP address as long as
the session remains active. The tunnel is torn down, and the VoIP client must reauthenticate when the
VoIP telephone sends a DHCP Discover with a 0.0.0.0 VoIP telephone IP address or a 169.254.*.* VoIP
telephone auto-IP address or when the operator-set user timeout is exceeded.
CCX Layer 2 Client Roaming
The controller supports five CCX Layer 2 client roaming enhancements:
• Access point assisted roaming—This feature helps clients save scanning time. When a CCXv2 client
associates to an access point, it sends an information packet to the new access point listing the
characteristics of its previous access point. Roaming time decreases when the client recognizes and
uses an access point list built by compiling all previous access points to which each client was
associated and sent (unicast) to the client immediately after association. The access point list
contains the channels, BSSIDs of neighbor access points that support the client’s current SSID(s),
and time elapsed since disassociation.
• Enhanced neighbor list—This feature focuses on improving a CCXv4 client’s roam experience and
network edge performance, especially when servicing voice applications. The access point provides
its associated client information about its neighbors using a neighbor-list update unicast message.
• Enhanced neighbor list request (E2E)—The End-2-End specification is a Cisco and Intel joint
program that defines new protocols and interfaces to improve the overall voice and roaming
experience. It applies only to Intel clients in a CCX environment. Specifically, it enables Intel clients
to request a neighbor list at will. When this occurs, the access point forwards the request to the
controller. The controller receives the request and replies with the current CCX roaming sublist of
neighbors for the access point to which the client is associated.
Note
To see whether a particular client supports E2E, choose Wireless > Clients on the controller
GUI, click the Detail link for the desired client, and look at the E2E Version text box under
Client Properties.
• Roam reason report—This feature enables CCXv4 clients to report the reason why they roamed to
a new access point. It also allows network administrators to build and monitor a roam history.
• Directed roam request—This feature enables the controller to send directed roam requests to the
client in situations when the controller can better service the client on an access point different from
the one to which it is associated. In this case, the controller sends the client a list of the best access
points that it can join. The client can either honor or ignore the directed roam request. Non-CCX
clients and clients running CCXv3 or below must not take any action. No configuration is required
for this feature.
Guidelines and Limitations
• Controller software release 4.2 or later releases support CCX versions 1 through 5. CCX support is
enabled automatically for every WLAN on the controller and cannot be disabled. The controller
stores the CCX version of the client in its client database and uses it to generate and respond to CCX
frames appropriately. Clients must support CCXv4 or v5 (or CCXv2 for access point assisted
roaming) in order to utilize these roaming enhancements. See the “Configuring Cisco Client
Extensions” section on page 7-57 for more information on CCX.
The roaming enhancements mentioned above are enabled automatically, with the appropriate CCX
support.
• FlexConnect access points in standalone mode do not support CCX Layer 2 roaming.
• Client roaming between 600 Series Access points is not supported.
Configuring CCX Client Roaming Parameters
This section contains the following topics:
• Configuring CCX Client Roaming Parameters (GUI), page 4-62
• Configuring CCX Client Roaming Parameters (CLI), page 4-63
• Obtaining CCX Client Roaming Information (CLI), page 4-64
• Debugging CCX Client Roaming Issues (CLI), page 4-64
Configuring CCX Client Roaming Parameters (GUI)
Step 1
Choose Wireless > 802.11a/n (or 802.11b/g/n) > Client Roaming. The 802.11a (or 802.11b) > Client
Roaming page appears.
Figure 4-18
802.11a > Client Roaming Page
Step 2
If you want to fine-tune the RF parameters that affect client roaming, choose Custom from the Mode
drop-down list and go to Step 3. If you want to leave the RF parameters at their default values, choose
Default and go to Step 8.
Step 3
In the Minimum RSSI text box, enter a value for the minimum received signal strength indicator (RSSI)
required for the client to associate to an access point. If the client’s average received signal power dips
below this threshold, reliable communication is usually impossible. Therefore, clients must already have
found and roamed to another access point with a stronger signal before the minimum RSSI value is
reached.
The range is –80 to –90 dBm.
The default is –85 dBm.
Step 4
In the Hysteresis text box, enter a value to indicate how much greater the signal strength of a neighboring
access point must be in order for the client to roam to it. This parameter is intended to reduce the amount
of roaming between access points if the client is physically located on or near the border between two
access points.
The range is 3 to 20 dB.
The default is 3 dB.
Step 5
In the Scan Threshold text box, enter the minimum RSSI that is allowed before the client should roam
to a better access point. When the RSSI drops below the specified value, the client must be able to roam
to a better access point within the specified transition time. This parameter also provides a power-save
method to minimize the time that the client spends in active or passive scanning. For example, the client
can scan slowly when the RSSI is above the threshold and scan more rapidly when the RSSI is below the
threshold.
The range is –70 to –77 dBm.
The default is –72 dBm.
Step 6
In the Transition Time text box, enter the maximum time allowed for the client to detect a suitable
neighboring access point to roam to and to complete the roam, whenever the RSSI from the client’s
associated access point is below the scan threshold.
The Scan Threshold and Transition Time parameters guarantee a minimum level of client roaming
performance. Together with the highest expected client speed and roaming hysteresis, these parameters
make it possible to design a wireless LAN network that supports roaming simply by ensuring a certain
minimum overlap distance between access points.
The range is 1 to 10 seconds.
The default is 5 seconds.
Step 7
Click Apply to commit your changes.
Step 8
Click Save Configuration to save your changes.
Step 9
Repeat this procedure if you want to configure client roaming for another radio band (802.11a or
802.11b/g).
Configuring CCX Client Roaming Parameters (CLI)
Configure CCX Layer 2 client roaming parameters by entering this command:
config {802.11a | 802.11b} l2roam rf-params {default | custom min_rssi roam_hyst scan_thresh trans_time}
Note
See the description, range, and default value of each RF parameter in the “Configuring CCX
Client Roaming Parameters” section on page 4-62.
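The GUI steps and the CLI command above take the same four RF parameters, and the controller only tells you about an out-of-range value after you have typed it. The following is an added example (not code from the guide or from Cisco) that range-checks a parameter set against the documented limits and defaults, builds the exact rf-params command for either band, and models the two relationships the guide describes in words: a client roams only once its serving AP is below the scan threshold and a neighbor is better by at least the hysteresis, and the transition time bounds how far a moving client travels before the roam must be complete. should_roam() and min_overlap_distance_m() are this example's own simplified reading of that description, not Cisco's algorithm.

```python
"""CCX Layer 2 client roaming RF parameters: range checks, the matching
`config {802.11a | 802.11b} l2roam rf-params ...` command, and a simplified
roam-decision model. Added example, not Cisco code; ranges and defaults are the
ones stated in the guide, should_roam() and min_overlap_distance_m() are this
example's own reading of the guide's description."""
from dataclasses import dataclass
from typing import List, Optional

# name -> (minimum, maximum, default), as documented for the GUI and CLI.
RANGES = {
    "min_rssi":    (-90, -80, -85),  # dBm
    "roam_hyst":   (3, 20, 3),       # dB
    "scan_thresh": (-77, -70, -72),  # dBm
    "trans_time":  (1, 10, 5),       # seconds
}


@dataclass
class RoamParams:
    min_rssi: int = RANGES["min_rssi"][2]
    roam_hyst: int = RANGES["roam_hyst"][2]
    scan_thresh: int = RANGES["scan_thresh"][2]
    trans_time: int = RANGES["trans_time"][2]


def validate(p: RoamParams) -> List[str]:
    """Return the problems found; an empty list means the values are usable."""
    errs = []
    for name, (lo, hi, _default) in RANGES.items():
        v = getattr(p, name)
        if not lo <= v <= hi:
            errs.append(f"{name}={v} outside {lo}..{hi}")
    # The client must start scanning (scan_thresh) before the link becomes
    # unusable (min_rssi). The documented ranges already guarantee this; the
    # check records the relationship for values that slip past the range check.
    if p.scan_thresh <= p.min_rssi:
        errs.append("scan_thresh must be above min_rssi")
    return errs


def rf_params_command(band: str, p: Optional[RoamParams] = None) -> str:
    """Default mode when p is None, otherwise custom mode with the four values."""
    if band not in ("802.11a", "802.11b"):
        raise ValueError("band must be 802.11a or 802.11b")
    if p is None:
        return f"config {band} l2roam rf-params default"
    errs = validate(p)
    if errs:
        raise ValueError("; ".join(errs))
    return (f"config {band} l2roam rf-params custom "
            f"{p.min_rssi} {p.roam_hyst} {p.scan_thresh} {p.trans_time}")


def should_roam(current_rssi: int, candidate_rssi: int, p: RoamParams) -> bool:
    """Simplified model (this example's own): roam only once the serving AP is
    below the scan threshold AND the candidate is better by at least the
    hysteresis, which is what keeps a client on a cell border from flapping."""
    return current_rssi < p.scan_thresh and candidate_rssi - current_rssi >= p.roam_hyst


def min_overlap_distance_m(p: RoamParams, client_speed_mps: float) -> float:
    """Distance a client moving at client_speed_mps covers during trans_time:
    the serving AP's usable coverage must extend at least this far beyond the
    point where its RSSI drops below the scan threshold (this example's model)."""
    return client_speed_mps * p.trans_time


if __name__ == "__main__":
    custom = RoamParams(min_rssi=-85, roam_hyst=4, scan_thresh=-74, trans_time=3)
    print(rf_params_command("802.11a", custom))
    print("overlap for 1.5 m/s walking:", min_overlap_distance_m(custom, 1.5), "m")
```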
Obtaining CCX Client Roaming Information (CLI)
Step 1
View the current RF parameters configured for client roaming for the 802.11a or 802.11b/g network by
entering this command:
show {802.11a | 802.11b} l2roam rf-param
Step 2
View the CCX Layer 2 client roaming statistics for a particular access point by entering this command:
show {802.11a | 802.11b} l2roam statistics ap_mac
This command provides the following information:
• The number of roam reason reports received
• The number of neighbor list requests received
• The number of neighbor list reports sent
• The number of broadcast neighbor updates sent
Step 3
View the roaming history for a particular client by entering this command:
show client roam-history client_mac
This command provides the following information:
• The time when the report was received
• The MAC address of the access point to which the client is currently associated
• The MAC address of the access point to which the client was previously associated
• The channel of the access point to which the client was previously associated
• The SSID of the access point to which the client was previously associated
• The time when the client disassociated from the previous access point
• The reason for the client roam
Debugging CCX Client Roaming Issues (CLI)
If you experience any problems with CCX Layer 2 client roaming, enter this command:
debug l2roam [detail | error | packet | all] {enable | disable}
Configuring IP-MAC Address Binding
This section contains the following topics:
• Information About Configuring IP-MAC Address Binding, page 4-65
• Configuring IP-MAC Address Binding (CLI), page 4-65
Information About Configuring IP-MAC Address Binding
In controller software release 5.2 or later releases, the controller enforces strict IP address-to-MAC
address binding in client packets. The controller checks the IP address and MAC address in a packet,
compares them to the addresses that are registered with the controller, and forwards the packet only if
they both match. In previous releases, the controller checks only the MAC address of the client and
ignores the IP address.
Note
If the IP address or MAC address of the packet has been spoofed, the check does not pass, and the
controller discards the packet. Spoofed packets can pass through the controller only if both the IP and
MAC addresses are spoofed together and changed to that of another valid client on the same controller.
Configuring IP-MAC Address Binding (CLI)
Step 1
Enable or disable IP-MAC address binding by entering this command:
config network ip-mac-binding {enable | disable}
The default value is enabled.
Note
You might want to disable this binding check if you have a routed network behind a workgroup
bridge (WGB).
Note
You must disable this binding check in order to use an access point in sniffer mode if the access
point is joined to a Cisco 5500 Series Controller, a Cisco 2100 Series Controller, or a controller
network module that runs software release 6.0 or later releases.
Step 2
Save your changes by entering this command:
save config
Step 3
View the status of IP-MAC address binding by entering this command:
show network summary
Information similar to the following appears:
RF-Network Name............................. ctrl4404
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Enable
...
IP/MAC Addr Binding Check ............... Enabled
...
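To make the binding rule and its documented limitation concrete, the following is an added example (not code from the guide or from Cisco) that models the check as the section describes it: a packet is forwarded only when its source MAC is a registered client and its source IP is the one registered for that MAC, and with the check disabled only the MAC is consulted. It runs a constructed set of packets through the model, including the one case the Note says the check cannot catch, and it parses the status line of show network summary so that an audit script can confirm the check was not left disabled after a WGB or sniffer-mode change. CLIENT_TABLE, PACKETS and SAMPLE_SUMMARY are constructed data.

```python
"""Model of the controller's IP-MAC address binding check (release 5.2 and later)
and a parser for the status line of `show network summary`. Added example, not
Cisco code: CLIENT_TABLE, PACKETS and SAMPLE_SUMMARY are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed table of clients registered with the controller: MAC -> IP.
CLIENT_TABLE: Dict[str, str] = {
    "00:13:02:23:82:ad": "10.1.1.20",
    "00:1a:2b:3c:4d:5e": "10.1.1.21",
}


def binding_check(table: Dict[str, str], src_mac: str, src_ip: str,
                  binding_enabled: bool = True) -> Tuple[bool, str]:
    """Return (forward, reason). With the check enabled (the default) a packet is
    forwarded only if the MAC is registered AND the packet's IP is the one
    registered for that MAC. Disabled, only the MAC is checked, which is also
    the pre-5.2 behaviour."""
    mac = src_mac.lower()
    if mac not in table:
        return False, "unknown client MAC"
    if not binding_enabled:
        return True, "MAC known; IP not checked (binding disabled)"
    if table[mac] != src_ip:
        return False, f"IP {src_ip} is not registered for {mac}"
    return True, "IP and MAC match the registered client"


# Constructed packets: (label, src_mac, src_ip).
PACKETS: List[Tuple[str, str, str]] = [
    ("legit",        "00:13:02:23:82:ad", "10.1.1.20"),
    ("spoofed-ip",   "00:13:02:23:82:ad", "10.1.1.99"),
    ("spoofed-mac",  "aa:bb:cc:dd:ee:ff", "10.1.1.20"),
    # Both fields carry another valid client's registered pair: the one case
    # the guide says the binding check cannot distinguish from that client.
    ("spoofed-both", "00:1a:2b:3c:4d:5e", "10.1.1.21"),
]


def evaluate(packets, table=CLIENT_TABLE, binding_enabled=True) -> Dict[str, bool]:
    """Map each packet label to the forwarding decision."""
    return {label: binding_check(table, mac, ip, binding_enabled)[0]
            for label, mac, ip in packets}


_STATUS = re.compile(r"^IP/MAC Addr Binding Check\s*\.*\s*(Enabled|Disabled)\s*$", re.M)

# Constructed excerpt of `show network summary`, same shape as the guide's.
SAMPLE_SUMMARY = """\
RF-Network Name............................. ctrl4404
Web Mode.................................... Disable
Secure Web Mode............................. Enable
IP/MAC Addr Binding Check ............... Enabled
"""


def binding_status(show_network_summary: str) -> bool:
    """True when the output reports the binding check as Enabled."""
    m = _STATUS.search(show_network_summary)
    if not m:
        raise ValueError("IP/MAC Addr Binding Check line not found")
    return m.group(1) == "Enabled"


if __name__ == "__main__":
    for label, decision in evaluate(PACKETS).items():
        print(f"{label:13s} forward={decision}")
    print("binding enabled:", binding_status(SAMPLE_SUMMARY))
```

The model makes the operational point of the section visible: the check stops a client from changing only its IP or only its MAC, but it cannot tell a fully cloned address pair from the legitimate client, so the WGB and sniffer-mode exceptions should be the only reason it is ever disabled, and the status line is worth including in a configuration audit.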
Configuring Quality of Service
This section contains the following topics:
• Information About Configuring Quality of Service Profiles, page 4-66
• Configuring Quality of Service Profiles, page 4-66
Information About Configuring Quality of Service Profiles
Quality of service (QoS) refers to the capability of a network to provide better service to selected
network traffic over various technologies. The primary goal of QoS is to provide priority including
dedicated bandwidth, controlled jitter and latency (required by some real-time and interactive traffic),
and improved loss characteristics.
The controller supports four QoS profiles:
• Platinum/Voice—Ensures a high quality of service for voice over wireless.
• Gold/Video—Supports high-quality video applications.
• Silver/Best Effort—Supports normal bandwidth for clients. This is the default setting.
• Bronze/Background—Provides the lowest bandwidth for guest services.
Note
VoIP clients should be set to Platinum.
You can configure the bandwidth of each QoS level using QoS profiles and then apply the profiles to
WLANs. The profile settings are pushed to the clients associated to that WLAN. In addition, you can
create QoS roles to specify different bandwidth levels for regular and guest users. Follow the instructions
in this section to configure QoS profiles and QoS roles. You can also define the maximum and default
QoS levels for unicast and multicast traffic when you assign a QoS profile to a WLAN.
Configuring Quality of Service Profiles
This section contains the following topics:
• Configuring QoS Profiles (GUI), page 4-66
• Configuring QoS Profiles (CLI), page 4-68
Configuring QoS Profiles (GUI)
Step 1
Disable the 802.11a and 802.11b/g networks so that you can configure the QoS profiles.
To disable the radio networks, choose Wireless > 802.11a/n or 802.11b/g/n > Network, unselect the
802.11a (or 802.11b/g) Network Status check box, and click Apply.
Step 2
Choose Wireless > QoS > Profiles to open the QoS Profiles page.
Step 3
Click the name of the profile that you want to configure to open the Edit QoS Profile page.
Figure 4-19
Edit QoS Profile Page
Step 4
Change the description of the profile by modifying the contents of the Description text box.
Step 5
Define the average data rate for TCP traffic per user by entering the rate in Kbps in the Average Data
Rate text box. You can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no
bandwidth restriction on the profile.
Step 6
Define the peak data rate for TCP traffic per user by entering the rate in Kbps in the Burst Data Rate text
box. You can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth
restriction on the profile.
Note
The Burst Data Rate should be greater than or equal to the Average Data Rate. Otherwise, the
QoS policy may block traffic to and from the wireless client.
Step 7
Define the average real-time rate for UDP traffic on a per-user basis by entering the rate in Kbps in the
Average Real-Time Rate text box. You can enter a value between 0 and 60,000 Kbps (inclusive). A value
of 0 imposes no bandwidth restriction on the profile.
Note
Average Data Rate is used to measure TCP traffic, while Average Real-Time Rate is used for UDP traffic.
Both are measured in Kbps. The values for Average Data Rate and Average Real-Time Rate can be
different because they are applied to different upper-layer protocols (TCP and UDP). These different
values for the rates do not impact the bandwidth.
Step 8
Define the peak real-time rate for UDP traffic on a per-user basis by entering the rate in Kbps in the Burst
Real-Time Rate text box. You can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0
imposes no bandwidth restriction on the profile.
Note
The Burst Real-Time Rate should be greater than or equal to the Average Real-Time Rate.
Otherwise, the QoS policy may block traffic to and from the wireless client.
Step 9
Define the maximum and default QoS levels for unicast and multicast traffic when you assign a QoS
profile to a WLAN as follows:
a.
From the Maximum Priority drop-down list, choose the maximum QoS priority for any data frames
transmitted by the AP to any station in the WLAN.
For example, a QoS profile named ‘gold’ targeted for video applications has the maximum priority
set to video by default.
b.
From the Unicast Default Priority drop-down list, choose the QoS priority for unicast data frames
transmitted by the AP to non-WMM stations in the WLAN.
c.
From the Multicast Default Priority drop-down list, choose the QoS priority for multicast data
frames transmitted by the AP to stations in the WLAN.
Note
You cannot use the default unicast priority for non-WMM clients in a mixed WLAN.
Step 10
Choose 802.1p from the Protocol Type drop-down list and enter the maximum priority value in the
802.1p Tag text box to define the maximum value (0–7) for the priority tag associated with packets that
fall within the profile.
The tagged packets include CAPWAP data packets (between access points and the controller) and
packets sent toward the core network.
Note
If a QoS profile has 802.1p tagging configured and if this QoS profile is assigned to a WLAN
that uses an untagged interface on the controller, the client traffic will be blocked.
Step 11
Click Apply to commit your changes.
Step 12
Click Save Configuration to save your changes.
Step 13
Reenable the 802.11a and 802.11b/g networks.
To enable the radio networks, choose Wireless > 802.11a/n or 802.11b/g/n > Network, select the
802.11a (or 802.11b/g) Network Status check box, and click Apply.
Step 14
Follow the instructions in the “Assigning a QoS Profile to a WLAN” section on page 8-38 to assign a
QoS profile to a WLAN.
Configuring QoS Profiles (CLI)
Step 1
Disable the 802.11a and 802.11b/g networks so that you can configure the QoS profiles by entering these
commands:
config 802.11a disable network
config 802.11b disable network
Step 2
Change the profile description by entering this command:
config qos description {bronze | silver | gold | platinum} description
Step 3
Define the average data rate in Kbps for TCP traffic per user by entering this command:
config qos average-data-rate {bronze | silver | gold | platinum} rate
Note
For the rate parameter, you can enter a value between 0 and 60,000 Kbps (inclusive). A value of
0 imposes no bandwidth restriction on the QoS profile.
Step 4
Define the peak data rate in Kbps for TCP traffic per user by entering this command:
config qos burst-data-rate {bronze | silver | gold | platinum} rate
Step 5
Define the average real-time rate in Kbps for UDP traffic per user by entering this command:
config qos average-realtime-rate {bronze | silver | gold | platinum} rate
Step 6
Define the peak real-time rate in Kbps for UDP traffic per user by entering this command:
config qos burst-realtime-rate {bronze | silver | gold | platinum} rate
Step 7
Define the maximum and default QoS levels for unicast and multicast traffic when you assign a QoS
profile to a WLAN by entering this command:
config qos priority {bronze | gold | platinum | silver} {maximum priority} {default unicast priority} {default multicast priority}
You choose from the following options for the maximum priority, default unicast priority, and default
multicast priority parameters:
• besteffort
• background
• video
• voice
Step 8
Define the maximum value (0–7) for the priority tag associated with packets that fall within the profile,
by entering these commands:
config qos protocol-type {bronze | silver | gold | platinum} dot1p
config qos dot1p-tag {bronze | silver | gold | platinum} tag
The tagged packets include CAPWAP data packets (between access points and the controller) and
packets sent toward the core network.
Note
The 802.1p tagging has impact only on wired packets. Wireless packets are impacted only by the
maximum priority level set for a QoS profile.
Note
If a QoS profile has 802.1p tagging configured and if this QoS profile is assigned to a WLAN
that uses an untagged interface on the controller, the client traffic will be blocked.
Step 9
Reenable the 802.11a and 802.11b/g networks by entering these commands:
config 802.11a enable network
config 802.11b enable network
Step 10
Follow the instructions in the “Assigning a QoS Profile to a WLAN” section on page 8-38 to assign a
QoS profile to a WLAN.
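The GUI and CLI procedures above spread the same constraints over a dozen steps: rates between 0 and 60,000 Kbps with 0 meaning no restriction, burst rates no lower than the corresponding average, priority levels from a fixed set, an 802.1p tag in 0 to 7, the radio networks disabled while the profile is edited, and the warning that 802.1p tagging on a WLAN bound to an untagged interface blocks client traffic. The following is an added example (not code from the guide or from Cisco) that validates a profile against all of those rules before it is pushed and then emits the complete ordered command sequence from the CLI procedure. The interface_tagged flag is this example's own assumption about how the operator records whether the WLAN's interface carries a VLAN tag; treating a burst value of 0 as unlimited, and therefore never below the average, is this example's reading of the "0 imposes no bandwidth restriction" rule.

```python
"""Validate a WLC QoS profile and emit the `config qos ...` command sequence.
Added example, not Cisco code. Constraints are those stated in the guide;
`interface_tagged` is this example's own assumption."""
from dataclasses import dataclass
from typing import List, Optional

PROFILES = ("bronze", "silver", "gold", "platinum")
PRIORITIES = ("besteffort", "background", "video", "voice")
RATE_MAX = 60000  # Kbps


@dataclass
class QosProfile:
    name: str
    description: str = ""
    average_data_rate: int = 0        # TCP, Kbps, 0 = no restriction
    burst_data_rate: int = 0
    average_realtime_rate: int = 0    # UDP, Kbps, 0 = no restriction
    burst_realtime_rate: int = 0
    maximum_priority: str = "besteffort"
    unicast_default: str = "besteffort"
    multicast_default: str = "besteffort"
    dot1p_tag: Optional[int] = None   # None = no 802.1p tagging


def check_rates(avg: int, burst: int, label: str) -> List[str]:
    """Range-check both rates; a non-zero burst must not be below the average
    (a burst of 0 means unlimited, this example's reading of the guide)."""
    errs = []
    for n, v in ((f"average {label}", avg), (f"burst {label}", burst)):
        if not 0 <= v <= RATE_MAX:
            errs.append(f"{n} rate {v} outside 0..{RATE_MAX}")
    if burst != 0 and burst < avg:
        errs.append(f"burst {label} rate {burst} < average {avg}: policy may block traffic")
    return errs


def validate_profile(p: QosProfile, interface_tagged: bool = True) -> List[str]:
    errs = []
    if p.name not in PROFILES:
        errs.append(f"unknown profile {p.name}")
    errs += check_rates(p.average_data_rate, p.burst_data_rate, "data")
    errs += check_rates(p.average_realtime_rate, p.burst_realtime_rate, "real-time")
    for v in (p.maximum_priority, p.unicast_default, p.multicast_default):
        if v not in PRIORITIES:
            errs.append(f"unknown priority {v}")
    if p.dot1p_tag is not None:
        if not 0 <= p.dot1p_tag <= 7:
            errs.append(f"802.1p tag {p.dot1p_tag} outside 0..7")
        if not interface_tagged:
            errs.append("802.1p tagging on a WLAN using an untagged interface blocks client traffic")
    return errs


def profile_commands(p: QosProfile, interface_tagged: bool = True) -> List[str]:
    """The CLI procedure in order: radios off, profile settings, radios on."""
    errs = validate_profile(p, interface_tagged)
    if errs:
        raise ValueError("; ".join(errs))
    n = p.name
    cmds = ["config 802.11a disable network", "config 802.11b disable network"]
    if p.description:
        cmds.append(f"config qos description {n} {p.description}")
    cmds += [
        f"config qos average-data-rate {n} {p.average_data_rate}",
        f"config qos burst-data-rate {n} {p.burst_data_rate}",
        f"config qos average-realtime-rate {n} {p.average_realtime_rate}",
        f"config qos burst-realtime-rate {n} {p.burst_realtime_rate}",
        f"config qos priority {n} {p.maximum_priority} {p.unicast_default} {p.multicast_default}",
    ]
    if p.dot1p_tag is not None:
        cmds += [f"config qos protocol-type {n} dot1p",
                 f"config qos dot1p-tag {n} {p.dot1p_tag}"]
    cmds += ["config 802.11a enable network", "config 802.11b enable network"]
    return cmds


if __name__ == "__main__":
    gold = QosProfile("gold", maximum_priority="video", dot1p_tag=5,
                      average_data_rate=1000, burst_data_rate=2000)
    print("\n".join(profile_commands(gold)))
```

Because every rejected condition is reported as a string rather than by raising early, a change-review tool can show the operator all problems with a proposed profile at once, and the untagged-interface warning in particular surfaces before client traffic is silently dropped.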
Configuring Quality of Service Roles
This section contains the following topics:
• Information About Configuring Quality of Service Roles, page 4-70
• Configuring QoS Roles, page 4-70
Information About Configuring Quality of Service Roles
After you configure a QoS profile and apply it to a WLAN, it limits the bandwidth level of clients
associated to that WLAN. Multiple WLANs can be mapped to the same QoS profile, which can result in
bandwidth contention between regular users (such as employees) and guest users. In order to prevent
guest users from using the same level of bandwidth as regular users, you can create QoS roles with
different (and presumably lower) bandwidth contracts and assign them to guest users.
You can configure up to ten QoS roles for guest users.
Note
If you choose to create an entry on the RADIUS server for a guest user and enable RADIUS
authentication for the WLAN on which web authentication is performed rather than adding a guest user
to the local user database from the controller, you need to assign the QoS role on the RADIUS server
itself. To do so, a “guest-role” Airespace attribute needs to be added on the RADIUS server with a
datatype of “string” and a return value of “11.” This attribute is sent to the controller when authentication
occurs. If a role with the name returned from the RADIUS server is found configured on the controller,
the bandwidth associated to that role is enforced for the guest user after authentication completes
successfully.
Configuring QoS Roles
This section contains the following topics:
• Configuring QoS Roles (GUI), page 4-70
• Configuring QoS Roles (CLI), page 4-72
Configuring QoS Roles (GUI)
Note
Guest User role is not supported on Cisco 2106 Controller.
Step 1
Choose Wireless > QoS > Roles to open the QoS Roles for Guest Users page.
Figure 4-20
QoS Roles for Guest Users Page
This page shows any existing QoS roles for guest users.
Note
If you want to delete a QoS role, hover your cursor over the blue drop-down arrow for that role
and choose Remove.
Step 2
Click New to create a new QoS role. The QoS Role Name > New page appears.
Step 3
In the Role Name text box, enter a name for the new QoS role. The name should uniquely identify the
role of the QoS user (such as Contractor, Vendor, and so on).
Step 4
Click Apply to commit your changes.
Step 5
Click the name of the QoS role to edit the bandwidth of a QoS role. The Edit QoS Role Data Rates page
appears.
Note
The values that you configure for the per-user bandwidth contracts affect only the amount of
bandwidth going downstream (from the access point to the wireless client). They do not affect
the bandwidth for upstream traffic (from the client to the access point).
Step 6
Define the average data rate for TCP traffic on a per-user basis by entering the rate in Kbps in the
Average Data Rate text box. You can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0
imposes no bandwidth restriction on the QoS role.
Step 7
Define the peak data rate for TCP traffic on a per-user basis by entering the rate in Kbps in the Burst
Data Rate text box. You can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes
no bandwidth restriction on the QoS role.
Note
The Burst Data Rate should be greater than or equal to the Average Data Rate. Otherwise, the
QoS policy may block traffic to and from the wireless client.
Step 8
Define the average real-time rate for UDP traffic on a per-user basis by entering the rate in Kbps in the
Average Real-Time Rate text box. You can enter a value between 0 and 60,000 Kbps (inclusive). A value
of 0 imposes no bandwidth restriction on the QoS role.
Step 9
Define the peak real-time rate for UDP traffic on a per-user basis by entering the rate in Kbps in the Burst
Real-Time Rate text box. You can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0
imposes no bandwidth restriction on the QoS role.
Note
The Burst Real-Time Rate should be greater than or equal to the Average Real-Time Rate.
Otherwise, the QoS policy may block traffic to and from the wireless client.
Step 10
Click Apply to commit your changes.
Step 11
Click Save Configuration to save your changes.
Step 12
Apply a QoS role to a guest user, by following the steps in the “Configuring Local Network Users on the
Controller” section on page 7-27.
Configuring QoS Roles (CLI)
Step 1
Create a QoS role for a guest user by entering this command:
config netuser guest-role create role_name
Note
If you want to delete a QoS role, enter the config netuser guest-role delete role_name
command.
Step 2
Configure the bandwidth contracts for a QoS role by entering these commands:
• config netuser guest-role qos data-rate average-data-rate role_name rate—Configures the
average data rate for TCP traffic on a per-user basis.
• config netuser guest-role qos data-rate burst-data-rate role_name rate—Configures the peak
data rate for TCP traffic on a per-user basis.
Note
The Burst Data Rate should be greater than or equal to the Average Data Rate. Otherwise,
the QoS policy may block traffic to and from the wireless client.
• config netuser guest-role qos data-rate average-realtime-rate role_name rate—Configures the
average real-time rate for UDP traffic on a per-user basis.
• config netuser guest-role qos data-rate burst-realtime-rate role_name rate—Configures the peak
real-time rate for UDP traffic on a per-user basis.
Note
The Burst Real-Time Rate should be greater than or equal to the Average Real-Time Rate.
Otherwise, the QoS policy may block traffic to and from the wireless client.
Note
For the role_name parameter in each of these commands, enter a name for the new QoS role. The
name should uniquely identify the role of the QoS user (such as Contractor, Vendor, and so on).
For the rate parameter, you can enter a value between 0 and 60,000 Kbps (inclusive). A value of
0 imposes no bandwidth restriction on the QoS role.
Step 3
Apply a QoS role to a guest user by entering this command:
config netuser guest-role apply username role_name
For example, the role of Contractor could be applied to guest user jsmith.
Note
If you do not assign a QoS role to a guest user, the Role text box in the User Details shows the
role as “default.” The bandwidth contracts for this user are defined in the QoS profile for the
WLAN.
Note
If you want to unassign a QoS role from a guest user, enter the config netuser guest-role apply
username default command. This user now uses the bandwidth contracts defined in the QoS
profile for the WLAN.
Step 4
Save your changes by entering this command:
save config
Step 5
See a list of the current QoS roles and their bandwidth parameters by entering this command:
show netuser guest-roles
Information similar to the following appears:
Role Name........................................
Average Data Rate...........................
Burst Data Rate.............................
Average Realtime Rate.......................
Burst Realtime Rate.........................
Contractor
10
10
100
100
Role Name........................................ Vendor
Average Data Rate........................... unconfigured
Burst Data Rate............................. unconfigured
Average Realtime Rate....................... unconfigured
Burst Realtime Rate...................... unconfigured
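The two notes above state the one consistency rule for a role's bandwidth contract (burst at least the average, with 0 meaning no limit). The following is an added example written for this page, not code from the guide or from the controller: it parses a listing in the format of the show netuser guest-roles output and reports every role whose contract would block client traffic or whose values fall outside the documented 0 to 60,000 Kbps range. The sample listing is constructed for the example, with the Contractor role deliberately misconfigured.

```python
import re

# Constructed sample in the format of the `show netuser guest-roles` output above; it is not a
# capture from a controller, and the Contractor role is deliberately given a Burst Data Rate
# below its Average Data Rate so that the audit has something to find.
SAMPLE_GUEST_ROLES = """\
Role Name........................................ Contractor
Average Data Rate........................... 10
Burst Data Rate............................. 5
Average Realtime Rate....................... 100
Burst Realtime Rate......................... 100
Role Name........................................ Vendor
Average Data Rate........................... unconfigured
Burst Data Rate............................. unconfigured
Average Realtime Rate....................... unconfigured
Burst Realtime Rate......................... unconfigured
"""

RATE_MAX_KBPS = 60000  # documented range is 0-60,000 Kbps; 0 means no restriction
LINE_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\.{2,}\s*(?P<value>\S.*)$")


def parse_guest_roles(text):
    """Map each role name to its four rate fields (kept as strings, 'unconfigured' included)."""
    roles, current = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "Role Name":
            current = roles.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return roles


def audit_role(name, fields):
    """Return a list of findings for one role; an empty list means the contract is consistent."""
    findings = []
    for kind in ("Data", "Realtime"):
        avg = fields.get(f"Average {kind} Rate", "unconfigured")
        burst = fields.get(f"Burst {kind} Rate", "unconfigured")
        if avg == "unconfigured" or burst == "unconfigured":
            findings.append(f"{name}: {kind} rates unconfigured")
            continue
        avg_kbps, burst_kbps = int(avg), int(burst)
        for label, value in ((f"Average {kind}", avg_kbps), (f"Burst {kind}", burst_kbps)):
            if not 0 <= value <= RATE_MAX_KBPS:
                findings.append(f"{name}: {label} rate {value} outside 0-{RATE_MAX_KBPS} Kbps")
        # 0 on either side means "no restriction", so the burst >= average rule only applies
        # when both values are real limits.
        if avg_kbps and burst_kbps and burst_kbps < avg_kbps:
            findings.append(
                f"{name}: Burst {kind} rate {burst_kbps} < Average {kind} rate {avg_kbps}; "
                "the QoS policy may block client traffic"
            )
    return findings


def audit_guest_roles(text):
    """Audit every role in a `show netuser guest-roles` listing."""
    return {name: audit_role(name, fields) for name, fields in parse_guest_roles(text).items()}


if __name__ == "__main__":
    for role, findings in audit_guest_roles(SAMPLE_GUEST_ROLES).items():
        print(role, findings or "OK")
```

Run it against a saved copy of the real listing before applying roles to users; a role that shows "unconfigured" carries no contract of its own, so the finding for it is informational rather than an error.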
Configuring Voice and Video Parameters
This section contains the following topics:
• Information About Configuring Voice and Video Parameters, page 4-73
• Configuring Voice Parameters, page 4-77
• Configuring Video Parameters, page 4-80
• Viewing Voice and Video Settings, page 4-82
• Configuring Media Parameters (GUI), page 4-87
Information About Configuring Voice and Video Parameters
Three parameters on the controller affect voice and/or video quality:
• Call admission control
• Expedited bandwidth requests
• Unscheduled automatic power save delivery
Each of these parameters is supported in Cisco Compatible Extensions (CCX) v4 and v5. See the
“Configuring AP Groups” section on page 8-58 for more information on CCX.
Note
CCX is not supported on the AP1030.
Traffic stream metrics (TSM) can be used to monitor and report issues with voice quality.
This section contains the following topics:
• Call Admission Control, page 4-74
• Expedited Bandwidth Requests, page 4-75
• U-APSD, page 4-76
• Traffic Stream Metrics, page 4-76
Call Admission Control
Call admission control (CAC) enables an access point to maintain controlled quality of service (QoS)
when the wireless LAN is experiencing congestion. The Wi-Fi Multimedia (WMM) protocol deployed
in CCXv3 ensures sufficient QoS as long as the wireless LAN is not congested. However, in order to
maintain QoS under differing network loads, CAC in CCXv4 is required. Two types of CAC are
available: bandwidth-based CAC and load-based CAC.
Bandwidth-Based CAC
Bandwidth-based, or static, CAC enables the client to specify how much bandwidth or shared medium
time is required to accept a new call and in turn enables the access point to determine whether it is
capable of accommodating this particular call. The access point rejects the call if necessary in order to
maintain the maximum allowed number of calls with acceptable quality.
The QoS setting for a WLAN determines the level of bandwidth-based CAC support. To use
bandwidth-based CAC with voice applications, the WLAN must be configured for Platinum QoS. To use
bandwidth-based CAC with video applications, the WLAN must be configured for Gold QoS. Also,
make sure that WMM is enabled for the WLAN. See the “Configuring 802.3 Bridging” section on
page 4-51 for QoS and WMM configuration instructions.
Note
You must enable admission control (ACM) for CCXv4 clients that have WMM enabled. Otherwise,
bandwidth-based CAC does not operate properly.
Load-Based CAC
Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed
by all traffic types (including that from clients), co-channel access point loads, and collocated channel
interference, for voice applications. Load-based CAC also covers the additional bandwidth consumption
resulting from PHY and channel impairment.
In load-based CAC, the access point continuously measures and updates the utilization of the RF channel
(that is, the percentage of bandwidth that has been exhausted), channel interference, and the additional
calls that the access point can admit. The access point admits a new call only if the channel has enough
unused bandwidth to support that call. By doing so, load-based CAC prevents oversubscription of the
channel and maintains QoS under all conditions of WLAN loading and interference.
Note
Load-based CAC is supported only on lightweight access points. If you disable load-based CAC, the
access points start using bandwidth-based CAC.
Expedited Bandwidth Requests
The expedited bandwidth request feature enables CCXv5 clients to indicate the urgency of a WMM
traffic specifications (TSPEC) request (for example, an e911 call) to the WLAN. When the controller
receives this request, it attempts to facilitate the urgency of the call in any way possible without
potentially altering the quality of other TSPEC calls that are in progress.
You can apply expedited bandwidth requests to both bandwidth-based and load-based CAC. Expedited
bandwidth requests are disabled by default. When this feature is disabled, the controller ignores all
expedited requests and processes TSPEC requests as normal TSPEC requests.
See Table 4-3 for examples of TSPEC request handling for normal TSPEC requests and expedited
bandwidth requests.
Table 4-3 TSPEC Request Handling Examples

CAC Mode             Reserved bandwidth      Usage (2)                                 Normal TSPEC   TSPEC with Expedited
                     for voice calls (1)                                               Request        Bandwidth Request
Bandwidth-based CAC  75% (default setting)   Less than 75%                             Admitted       Admitted
                                             Between 75% and 90% (reserved             Rejected       Admitted
                                             bandwidth for voice calls exhausted)
                                             More than 90%                             Rejected       Rejected
Load-based CAC       75% (default setting)   Less than 75%                             Admitted       Admitted
                                             Between 75% and 85% (reserved             Rejected       Admitted
                                             bandwidth for voice calls exhausted)
                                             More than 85%                             Rejected       Rejected

1. For bandwidth-based CAC, the voice call bandwidth usage is per access point and does not take into account co-channel access points. For load-based
CAC, the voice call bandwidth usage is measured for the entire channel.
2. Bandwidth-based CAC (consumed voice and video bandwidth) or load-based CAC (channel utilization [Pb]).
Note
Controller software release 6.0 or later releases support admission control for TSPEC g711-40ms codec
type.
Note
When video ACM is enabled, the controller rejects a video TSPEC if the non-MSDU size in the TSPEC
is greater than 149 or the mean data rate is greater than 1 Kbps.
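The admission rules of Table 4-3 reduce to two thresholds per CAC mode: the reserved voice bandwidth, below which every request is admitted, and a ceiling (90% for bandwidth-based CAC, 85% for load-based CAC) up to which only an expedited request is still admitted. The following is an added example written for this page, not controller code, that models that decision so the table can be reproduced for any usage value; the reserved_pct parameter corresponds to the voice max-bandwidth setting. The table does not say how the exact boundary values (75%, 85%, 90%) are treated, so the boundary handling in the code is this example's assumption.

```python
# Ceiling up to which a TSPEC carrying an expedited bandwidth request is still admitted
# once the reserved voice bandwidth is exhausted (Table 4-3).
EXPEDITED_CEILING_PCT = {"bandwidth": 90, "load": 85}


def cac_decision(mode, usage_pct, expedited=False, expedited_enabled=False, reserved_pct=75):
    """Decide one voice TSPEC request the way Table 4-3 describes.

    mode              'bandwidth' (static, per-AP voice/video bandwidth) or 'load' (channel utilization Pb)
    usage_pct         current usage in the sense of footnote 2 of the table
    expedited         the request carries the CCXv5 expedited bandwidth request
    expedited_enabled the controller feature is on; when off, expedited requests are handled as normal ones
    reserved_pct      the reserved voice bandwidth (75% in the table)

    Assumption of this example: usage equal to reserved_pct counts as "reserved bandwidth
    exhausted", and usage equal to the ceiling is still admitted for an expedited request.
    """
    if mode not in EXPEDITED_CEILING_PCT:
        raise ValueError(f"unknown CAC mode {mode!r}")
    if not 0 <= usage_pct <= 100:
        raise ValueError("usage_pct must be a percentage")
    if usage_pct < reserved_pct:
        return "admitted"  # reserved voice bandwidth still available
    if expedited and expedited_enabled and usage_pct <= EXPEDITED_CEILING_PCT[mode]:
        return "admitted"  # expedited request may use the headroom above the reservation
    return "rejected"


def decision_table(mode, samples=(50, 80, 95)):
    """Rows of (usage, normal request, expedited request with the feature on) for comparison with Table 4-3."""
    return [
        (u, cac_decision(mode, u), cac_decision(mode, u, expedited=True, expedited_enabled=True))
        for u in samples
    ]


if __name__ == "__main__":
    for mode in EXPEDITED_CEILING_PCT:
        print(mode, decision_table(mode))
```

Note that with the feature disabled an expedited request is rejected at the same point as a normal one, which is the documented default; enabling expedited bandwidth requests is what opens the 75% to 90% (or 85%) headroom to an e911-type call.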
U-APSD
Unscheduled automatic power save delivery (U-APSD) is a QoS facility defined in IEEE 802.11e that
extends the battery life of mobile clients. In addition to extending battery life, this feature reduces the
latency of traffic flow delivered over the wireless media. Because U-APSD does not require the client to
poll each individual packet buffered at the access point, it allows delivery of multiple downlink packets
by sending a single uplink trigger packet. U-APSD is enabled automatically when WMM is enabled.
Traffic Stream Metrics
In a voice-over-wireless LAN (VoWLAN) deployment, traffic stream metrics (TSM) can be used to
monitor voice-related metrics on the client-access point air interface. It reports both packet latency and
packet loss. You can isolate poor voice quality issues by studying these reports.
The metrics consist of a collection of uplink (client side) and downlink (access point side) statistics
between an access point and a client device that supports CCX v4 or later releases. If the client is not
CCX v4 or CCXv5 compliant, only downlink statistics are captured. The client and access point measure
these metrics. The access point also collects the measurements every 5 seconds, prepares 90-second
reports, and then sends the reports to the controller. The controller organizes the uplink measurements
on a client basis and the downlink measurements on an access point basis and maintains an hour’s worth
of historical data. To store this data, the controller requires 32 MB of additional memory for uplink
metrics and 4.8 MB for downlink metrics.
TSM can be configured through either the GUI or the CLI on a per radio-band basis (for example, all
802.11a radios). The controller saves the configuration in flash memory so that it persists across reboots.
After an access point receives the configuration from the controller, it enables TSM on the specified
radio band.
Note
Access points support TSM entries in both local and FlexConnect modes.
Table 4-4 shows the upper limit for TSM entries in different controller series.

Table 4-4 Upper Limit for TSM Entries

TSM Entries              5500 Series Controller   7500 Series Controller
MAX AP TSM entries       100                      100
MAX Client TSM entries   250                      250
MAX TSM entries          100*250=25000            100*250=25000

Note
Once the upper limit is reached, additional TSM entries cannot be stored and sent to WCS or NCS. If
client TSM entries are full and AP TSM entries are available, only the AP entries are stored, and vice
versa. This situation leads to partial output.
A TSM cleanup occurs every hour. Entries are removed only for those APs and clients that are not in the
system.
Configuring Voice Parameters
This section contains the following topics:
• Configuring Voice Parameters (GUI), page 4-77
• Configuring Voice Parameters (CLI), page 4-79
Configuring Voice Parameters (GUI)
Step 1
Ensure that the WLAN is configured for WMM and the Platinum QoS level.
Step 2
Disable all WLANs with WMM enabled and click Apply.
Step 3
Choose Wireless and then Network under 802.11a/n or 802.11b/g/n, unselect the 802.11a (or
802.11b/g) Network Status check box, and click Apply to disable the radio network.
Step 4
Choose Wireless > 802.11a/n or 802.11b/g/n > Media. The 802.11a (or 802.11b) > Media page appears.
The Voice tab is displayed by default.
Figure 4-21 802.11a/n > Voice Parameters Page
Step 5
Select the Admission Control (ACM) check box to enable bandwidth-based CAC for this radio band.
The default value is disabled.
Step 6
Choose the admission control (ACM) method you want to use from the following options:
• Load-based—To enable channel-based CAC. This is the default option.
• Static—To enable radio-based CAC.
Step 7
In the Max RF Bandwidth text box, enter the percentage of the maximum bandwidth allocated to clients
for voice applications on this radio band. Once the client reaches the value specified, the access point
rejects new calls on this radio band.
The range is 5 to 85%. The sum of max bandwidth% of voice and video should not exceed 85%.
The default is 75%.
Step 8
In the Reserved Roaming Bandwidth text box, enter the percentage of maximum allocated bandwidth
that is reserved for roaming voice clients. The controller reserves this bandwidth from the maximum
allocated bandwidth for roaming voice clients.
The range is 0 to 25%.
The default is 6%.
Step 9
To enable expedited bandwidth requests, select the Expedited Bandwidth check box. By default, this
check box is unselected.
Step 10
To enable SIP CAC support, select the SIP CAC Support check box. By default, this check box is
unselected.
Step 11
From the SIP Codec drop-down list, choose one of the following options to set the codec name. The
default value is G.711. The options are as follows:
• User Defined
• G.711
• G.729
Step 12
In the SIP Bandwidth (kbps) text box, enter the bandwidth in kilobits per second.
The possible range is 8 to 64.
The default value is 64.
Note
The SIP Bandwidth (kbps) text box is highlighted only when you select the SIP codec as User-Defined.
If you choose the SIP codec as G.711, the SIP Bandwidth (kbps) text box is set to 64. If you choose the
SIP codec as G.729, the SIP Bandwidth (kbps) text box is set to 8.
Step 13
In the SIP Voice Sample Interval (msecs) text box, enter the value for the sample interval.
Step 14
In the Maximum Calls text box, enter the maximum number of calls that can be made to this radio. The
maximum call limit includes both direct and roaming-in calls. If the maximum call limit is reached, new
or roaming-in calls will fail.
The possible range is 0 to 25.
The default value is 0, which indicates that there is no check for maximum call limit.
Note
If SIP CAC is supported and the CAC method is static, the Maximum Possible Voice Calls and Maximum
Possible Roaming Reserved Calls fields appear.
Step 15
Select the Metrics Collection check box to collect Traffic Stream Metrics. By default, this box is
unselected, so traffic stream metrics are not collected.
Step 16
Click Apply to commit your changes.
Step 17
Reenable all WMM WLANs and click Apply.
Step 18
Choose Network under 802.11a/n or 802.11b/g/n, select the 802.11a (or 802.11b/g) Network Status
check box, and click Apply to reenable the radio network.
Step 19
Click Save Configuration to save your changes.
Step 20
Repeat this procedure if you want to configure voice parameters for another radio band (802.11a or
802.11b/g).
Configuring Voice Parameters (CLI)
Prerequisites
Ensure that you have configured SIP-based CAC. For instructions, see the “Configuring SIP-Based CAC
(CLI)” section on page 4-88.
Step 1
See all of the WLANs configured on the controller by entering this command:
show wlan summary
Step 2
Make sure that the WLAN that you are planning to modify is configured for WMM and the QoS level is
set to Platinum by entering this command:
show wlan wlan_id
Step 3
Disable all WLANs with WMM enabled prior to changing the voice parameters by entering the
command:
config wlan disable wlan_id
Step 4
Disable the radio network by entering this command:
config {802.11a | 802.11b} disable network
Step 5
Save your settings by entering this command:
save config
Step 6
Enable or disable bandwidth-based voice CAC for the 802.11a/n or 802.11b/g/n network by entering this
command:
config {802.11a | 802.11b} cac voice acm {enable | disable}
Step 7
Set the percentage of maximum bandwidth allocated to clients for voice applications on the 802.11a/n
or 802.11b/g/n network by entering this command:
config {802.11a | 802.11b} cac voice max-bandwidth bandwidth
The bandwidth range is 5 to 85%, and the default value is 75%. Once the client reaches the value
specified, the access point rejects new calls on this network.
Step 8
Set the percentage of maximum allocated bandwidth reserved for roaming voice clients by entering this
command:
config {802.11a | 802.11b} cac voice roam-bandwidth bandwidth
The bandwidth range is 0 to 25%, and the default value is 6%. The controller reserves this much
bandwidth from the maximum allocated bandwidth for roaming voice clients.
Step 9
Configure the codec name and sample interval, from which the controller calculates the required
bandwidth per call, by entering this command:
config {802.11a | 802.11b} cac voice sip codec {g711 | g729} sample-interval number_msecs
Step 10
Configure the bandwidth that is required per call by entering this command:
config {802.11a | 802.11b} cac voice sip bandwidth bandwidth_kbps sample-interval number_msecs
Step 11
Reenable all WLANs with WMM enabled by entering this command:
config wlan enable wlan_id
Step 12
Reenable the radio network by entering this command:
config {802.11a | 802.11b} enable network
Step 13
View the TSM voice metrics by entering this command:
show {802.11a | 802.11b} cu-metrics AP_Name
The command also displays the channel utilization metrics.
Step 14
Save your changes by entering this command:
save config
Configuring Video Parameters
This section contains the following topics:
• Configuring Video Parameters (GUI), page 4-80
• Configuring Video Parameters (CLI), page 4-81
Configuring Video Parameters (GUI)
Step 1
Ensure that the WLAN is configured for WMM and the Gold QoS level.
Step 2
Disable all WLANs with WMM enabled and click Apply.
Step 3
Choose Wireless and then Network under 802.11a/n or 802.11b/g/n, unselect the 802.11a (or
802.11b/g) Network Status check box, and click Apply to disable the radio network.
Step 4
Choose Wireless > 802.11a/n or 802.11b/g/n > Media. The 802.11a (or 802.11b) > Media page appears.
Figure 4-22 802.11a > Video Parameters Page
Step 5
Choose the Video tab to configure the CAC for Video parameters.
Step 6
Select the Admission Control (ACM) check box to enable video CAC for this radio band. The default
value is disabled.
Step 7
In the Max RF Bandwidth text box, enter the percentage of the maximum bandwidth allocated to clients
for video applications on this radio band. Once the client reaches the value specified, the access point
rejects new requests on this radio band.
The range is 5 to 85%. The sum of maximum bandwidth% of voice and video should not exceed 85%.
The default is 0%.
Step 8
Click Apply to commit your changes.
Step 9
Reenable all WMM WLANs and click Apply.
Step 10
Choose Network under 802.11a/n or 802.11b/g/n, select the 802.11a (or 802.11b/g) Network Status
check box, and click Apply to reenable the radio network.
Step 11
Click Save Configuration to save your changes.
Step 12
Repeat this procedure if you want to configure video parameters for another radio band (802.11a or
802.11b/g).
Configuring Video Parameters (CLI)
Prerequisites
Ensure that you have configured SIP-based CAC. For instructions, see the “Configuring SIP-Based CAC
(CLI)” section on page 4-88.
Step 1
See all of the WLANs configured on the controller by entering this command:
show wlan summary
Step 2
Make sure that the WLAN that you are planning to modify is configured for WMM and the QoS level is
set to Gold by entering this command:
show wlan wlan_id
Step 3
Disable all WLANs with WMM enabled prior to changing the video parameters by entering this
command:
config wlan disable wlan_id
Step 4
Disable the radio network by entering this command:
config {802.11a | 802.11b} disable network
Step 5
Save your settings by entering this command:
save config
Step 6
Enable or disable video CAC for the 802.11a or 802.11b/g network by entering this command:
config {802.11a | 802.11b} cac video acm {enable | disable}
Step 7
Set the percentage of maximum bandwidth allocated to clients for video applications on the 802.11a or
802.11b/g network by entering this command:
config {802.11a | 802.11b} cac video max-bandwidth bandwidth
The bandwidth range is 5 to 85%, and the default value is 5%. However, the maximum RF bandwidth
cannot exceed 85% for voice and video. Once the client reaches the value specified, the access point
rejects new calls on this network.
Note
If this parameter is set to zero (0), the controller assumes that you do not want to do any bandwidth
allocation and, therefore, allows all bandwidth requests.
Step 8
Process or ignore the TSPEC inactivity timeout received from an access point by entering this command:
config {802.11a | 802.11b} cac video tspec-inactivity-timeout {enable | ignore}
Step 9
Reenable all WLANs with WMM enabled by entering this command:
config wlan enable wlan_id
Step 10
Reenable the radio network by entering this command:
config {802.11a | 802.11b} enable network
Step 11
Enter the save config command to save your settings.
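The voice CLI procedure (Steps 6 through 10) and the video CLI procedure (Steps 6 through 8) above share a set of constraints that the controller checks only one command at a time: voice max-bandwidth 5 to 85%, roam-bandwidth 0 to 25%, video max-bandwidth 5 to 85% or 0 for no allocation, the two maximums adding up to no more than 85%, and a user-defined SIP bandwidth of 8 to 64 kbps. The following is an added example written for this page, not controller code: it validates a full parameter set up front and emits the complete command sequence of both procedures, including the WLAN and radio shutdown and re-enable steps, so the list can be reviewed before it is pasted into a session. The 20 ms sample interval default and the enable/ignore handling of the inactivity timeout are this example's assumptions; the page gives no range for the sample interval.

```python
SIP_CODEC_KBPS = {"g711": 64, "g729": 8}  # per-call bandwidth the SIP Codec note assigns to each codec
VOICE_VIDEO_CEILING_PCT = 85              # voice max-bandwidth plus video max-bandwidth may not exceed this


def validate_cac(voice_max=75, voice_roam=6, video_max=0, sip_codec="g711", sip_kbps=None):
    """Check a set of CAC values against the ranges the procedures state; returns the violations."""
    errors = []
    if not 5 <= voice_max <= 85:
        errors.append(f"voice max-bandwidth {voice_max}% outside 5-85%")
    if not 0 <= voice_roam <= 25:
        errors.append(f"voice roam-bandwidth {voice_roam}% outside 0-25%")
    # 0 is the documented "no video bandwidth allocation" setting; any other value must be 5-85%.
    if video_max != 0 and not 5 <= video_max <= 85:
        errors.append(f"video max-bandwidth {video_max}% outside 5-85%")
    if voice_max + video_max > VOICE_VIDEO_CEILING_PCT:
        errors.append(f"voice {voice_max}% + video {video_max}% exceeds {VOICE_VIDEO_CEILING_PCT}%")
    if sip_codec == "user-defined":
        if sip_kbps is None or not 8 <= sip_kbps <= 64:
            errors.append(f"user-defined SIP bandwidth {sip_kbps} outside 8-64 kbps")
    elif sip_codec not in SIP_CODEC_KBPS:
        errors.append(f"unknown SIP codec {sip_codec!r}")
    return errors


def cac_commands(band, wlan_ids, voice_max=75, voice_roam=6, video_max=0, sip_codec="g711",
                 sip_kbps=None, sample_interval_ms=20, video_inactivity="enable"):
    """Emit the CLI sequence of the voice and video procedures above, in their documented order.

    The values are validated first, so an inconsistent set never produces a command list.
    sample_interval_ms is passed through unchecked because the page gives no range for it; the
    20 ms default here is this example's assumption, not a controller default.
    """
    if band not in ("802.11a", "802.11b"):
        raise ValueError("band must be 802.11a or 802.11b")
    if video_inactivity not in ("enable", "ignore"):
        raise ValueError("video_inactivity must be enable or ignore")
    errors = validate_cac(voice_max, voice_roam, video_max, sip_codec, sip_kbps)
    if errors:
        raise ValueError("; ".join(errors))

    cmds = [f"config wlan disable {w}" for w in wlan_ids]  # WMM WLANs go down first
    cmds += [f"config {band} disable network", "save config",
             f"config {band} cac voice acm enable",
             f"config {band} cac voice max-bandwidth {voice_max}",
             f"config {band} cac voice roam-bandwidth {voice_roam}"]
    if sip_codec in SIP_CODEC_KBPS:  # fixed codec: the controller derives the per-call bandwidth
        cmds.append(f"config {band} cac voice sip codec {sip_codec} sample-interval {sample_interval_ms}")
    else:                            # user-defined codec: the per-call bandwidth is given explicitly
        cmds.append(f"config {band} cac voice sip bandwidth {sip_kbps} sample-interval {sample_interval_ms}")
    if video_max:
        cmds += [f"config {band} cac video acm enable",
                 f"config {band} cac video max-bandwidth {video_max}",
                 f"config {band} cac video tspec-inactivity-timeout {video_inactivity}"]
    cmds += [f"config wlan enable {w}" for w in wlan_ids]  # then bring WLANs and the radio back
    cmds += [f"config {band} enable network", "save config"]
    return cmds


if __name__ == "__main__":
    print("\n".join(cac_commands("802.11a", [1, 2], video_max=5, sip_codec="g729")))
```

Because the sequence takes every listed WLAN and the whole radio band offline between the first and last commands, review the emitted list and schedule it in a maintenance window; the validator refusing a 75% voice plus 20% video combination is the kind of mistake that would otherwise only show up as rejected calls.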
Viewing Voice and Video Settings
This section contains the following topics:
• Viewing Voice and Video Settings (GUI), page 4-82
• Viewing Voice and Video Settings (CLI), page 4-83
Viewing Voice and Video Settings (GUI)
Step 1
Choose Monitor > Clients to open the Clients page.
Figure 4-23 Clients Page
Step 2
Click the MAC address of the desired client to open the Clients > Detail page.
This page shows the U-APSD status (if enabled) for this client under Quality of Service Properties.
Step 3
Click Back to return to the Clients page.
Step 4
See the TSM statistics for a particular client and the access point to which this client is associated as
follows:
a.
Hover your cursor over the blue drop-down arrow for the desired client and choose 802.11a TSM or
802.11b/g TSM. The Clients > AP page appears.
b.
Click the Detail link for the desired access point to open the Clients > AP > Traffic Stream Metrics
page.
This page shows the TSM statistics for this client and the access point to which it is associated. The
statistics are shown in 90-second intervals. The timestamp text box shows the specific interval when
the statistics were collected.
Step 5
See the TSM statistics for a particular access point and a particular client associated to this access point,
as follows:
a.
Choose Wireless > Access Points > Radios > 802.11a/n or 802.11b/g/n. The 802.11a/n Radios or
802.11b/g/n Radios page appears.
b.
Hover your cursor over the blue drop-down arrow for the desired access point and choose
802.11a TSM or 802.11b/g TSM. The AP > Clients page appears.
c.
Click the Detail link for the desired client to open the AP > Clients > Traffic Stream Metrics page.
This page shows the TSM statistics for this access point and a client associated to it. The statistics
are shown in 90-second intervals. The timestamp text box shows the specific interval when the
statistics were collected.
Viewing Voice and Video Settings (CLI)
Step 1
See the CAC configuration for the 802.11a or 802.11b/g network by entering this command:
show ap stats {802.11a | 802.11b}
Step 2
See the CAC statistics for a particular access point by entering this command:
show ap stats {802.11a | 802.11b} ap_name
Information similar to the following appears:
Call Admission Control (CAC) Stats
Voice Bandwidth in use(% of config bw)......... 0
Total channel MT free........................ 0
Total voice MT free.......................... 0
Na Direct.................................... 0
Na Roam...................................... 0
Video Bandwidth in use(% of config bw)......... 0
Total num of voice calls in progress........... 0
Num of roaming voice calls in progress......... 0
Total Num of voice calls since AP joined....... 0
Total Num of roaming calls since AP joined..... 0
Total Num of exp bw requests received.......... 5
Total Num of exp bw requests admitted.......... 2
Num of voice calls rejected since AP joined...... 0
Num of roam calls rejected since AP joined..... 0
Num of calls rejected due to insufficient bw....0
Num of calls rejected due to invalid params.... 0
Num of calls rejected due to PHY rate.......... 0
Num of calls rejected due to QoS policy..... 0
In the example above, “MT” is medium time, “Na” is the number of additional calls, and “exp bw” is
expedited bandwidth.
Note
Suppose an AP has to be rebooted when a voice client associated with the AP is on an active call. After
the AP is rebooted, the client continues to maintain the call, and during the time the AP is down, the
database is not refreshed by the controller. Therefore, we recommend that all active calls are ended
before the AP is taken down.
Step 3
See the U-APSD status for a particular client by entering this command:
show client detail client_mac
Step 4
See the TSM statistics for a particular client and the access point to which this client is associated by
entering this command:
show client tsm {802.11a | 802.11b} client_mac {ap_mac | all}
The optional all keyword shows all access points to which this client has associated. Information
similar to the following appears:
Client Interface Mac:    00:01:02:03:04:05
Measurement Duration:    90 seconds
Timestamp                1st Jan 2006, 06:35:80
UpLink Stats
================
Average Delay (5sec intervals)............................35
Delay less than 10 ms.....................................20
Delay bet 10 - 20 ms......................................20
Delay bet 20 - 40 ms......................................20
Delay greater than 40 ms..................................20
Total packet Count.........................................80
Total packet lost count (5sec).............................10
Maximum Lost Packet count(5sec)............................5
Average Lost Packet count(5secs)...........................2
DownLink Stats
================
Average Delay (5sec intervals)............................35
Delay less than 10 ms.....................................20
Delay bet 10 - 20 ms......................................20
Delay bet 20 - 40 ms......................................20
Delay greater than 40 ms..................................20
Total packet Count.........................................80
Total packet lost count (5sec).............................10
Maximum Lost Packet count(5sec)............................5
Average Lost Packet count(5secs)...........................2
Note
The statistics are shown in 90-second intervals. The timestamp text box shows the specific
interval when the statistics were collected.
Note
To clear the TSM statistics for a particular access point or all the access points to which this
client is associated, enter the clear client tsm {802.11a | 802.11b} client_mac {ap_mac | all}
command.
Step 5
See the TSM statistics for a particular access point and a particular client associated to this access point
by entering this command:
show ap stats {802.11a | 802.11b} ap_name tsm {client_mac | all}
The optional all keyword shows all clients associated to this access point. Information similar to the
following appears:
AP Interface Mac:        00:0b:85:01:02:03
Client Interface Mac:    00:01:02:03:04:05
Measurement Duration:    90 seconds
Timestamp                1st Jan 2006, 06:35:80
UpLink Stats
================
Average Delay (5sec intervals)............................35
Delay less than 10 ms.....................................20
Delay bet 10 - 20 ms......................................20
Delay bet 20 - 40 ms......................................20
Delay greater than 40 ms..................................20
Total packet Count.........................................80
Total packet lost count (5sec).............................10
Maximum Lost Packet count(5sec)............................5
Average Lost Packet count(5secs)...........................2
DownLink Stats
================
Average Delay (5sec intervals)............................35
Delay less than 10 ms.....................................20
Delay bet 10 - 20 ms......................................20
Delay bet 20 - 40 ms......................................20
Delay greater than 40 ms..................................20
Total packet Count.........................................80
Total packet lost count (5sec).............................10
Maximum Lost Packet count(5sec)............................5
Average Lost Packet count(5secs)...........................2
Note
The statistics are shown in 90-second intervals. The timestamp text box shows the specific interval when
the statistics were collected.
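The uplink and downlink blocks of the two TSM reports above carry the same nine counters, and the four delay buckets add up to the Total packet Count, which is what makes the report usable for spotting a bad air interface. The following is an added example written for this page, not controller code: it parses a report in the format of show client tsm or show ap stats ... tsm into per-direction counters and flags a direction whose share of packets delayed more than 40 ms, or whose loss share, crosses a threshold. The sample report is constructed for the example (its downlink figures are deliberately healthy so the two directions compare), and the 10% high-delay and 5% loss thresholds are this example's assumptions, not values from the guide.

```python
import re

# Constructed sample in the format of the `show client tsm` output above; the figures are made up
# for the example and the downlink direction is deliberately healthy.
SAMPLE_TSM = """\
Client Interface Mac:    00:01:02:03:04:05
Measurement Duration:    90 seconds
Timestamp                1st Jan 2006, 06:35:80

UpLink Stats
================
Average Delay (5sec intervals)............................35
Delay less than 10 ms.....................................20
Delay bet 10 - 20 ms......................................20
Delay bet 20 - 40 ms......................................20
Delay greater than 40 ms..................................20
Total packet Count.........................................80
Total packet lost count (5sec).............................10
Maximum Lost Packet count(5sec)............................5
Average Lost Packet count(5secs)...........................2

DownLink Stats
================
Average Delay (5sec intervals)............................12
Delay less than 10 ms.....................................70
Delay bet 10 - 20 ms......................................8
Delay bet 20 - 40 ms......................................2
Delay greater than 40 ms..................................0
Total packet Count.........................................80
Total packet lost count (5sec).............................0
Maximum Lost Packet count(5sec)............................0
Average Lost Packet count(5secs)...........................0
"""

STAT_RE = re.compile(r"^(?P<key>.+?)\.{2,}(?P<value>\d+)$")
SECTION_RE = re.compile(r"^(UpLink|DownLink) Stats$")
DELAY_BUCKETS = ("Delay less than 10 ms", "Delay bet 10 - 20 ms",
                 "Delay bet 20 - 40 ms", "Delay greater than 40 ms")


def parse_tsm(text):
    """Return {'UpLink': {counter: int}, 'DownLink': {counter: int}} from one TSM report."""
    stats, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = stats.setdefault(m.group(1), {})
            continue
        m = STAT_RE.match(line)
        if m and section is not None:
            section[m.group("key").strip()] = int(m.group("value"))
    return stats


def assess_tsm(stats, max_high_delay_share=0.10, max_loss_share=0.05):
    """Flag each direction whose >40 ms share or loss share exceeds the (assumed) thresholds."""
    report = {}
    for direction, s in stats.items():
        total = s.get("Total packet Count", 0)
        bucket_sum = sum(s.get(b, 0) for b in DELAY_BUCKETS)
        high = s.get("Delay greater than 40 ms", 0) / total if total else 0.0
        loss = s.get("Total packet lost count (5sec)", 0) / total if total else 0.0
        flags = []
        if bucket_sum != total:  # the four buckets should account for every counted packet
            flags.append(f"delay buckets sum to {bucket_sum}, not to the {total} counted packets")
        if high > max_high_delay_share:
            flags.append(f"{high:.0%} of packets delayed more than 40 ms")
        if loss > max_loss_share:
            flags.append(f"{loss:.1%} packet loss")
        report[direction] = {"high_delay_share": high, "loss_share": loss, "flags": flags}
    return report


if __name__ == "__main__":
    for direction, r in assess_tsm(parse_tsm(SAMPLE_TSM)).items():
        print(direction, r["flags"] or "OK")
```

Since the controller keeps only an hour of history and the entry table fills at 25,000 entries, collect the reports on a schedule rather than on demand; a client whose uplink alone is flagged points at the client-side radio or its position, whereas both directions flagged points at the channel.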
Step 6
Enable or disable debugging for call admission control (CAC) messages, events, or packets by entering
this command:
debug cac {all | event | packet} {enable | disable}
where all configures debugging for all CAC messages, event configures debugging for all CAC events,
and packet configures debugging for all CAC packets.
Step 7
Use the following command to perform voice diagnostics and to view the debug messages between a
maximum of two 802.11 clients:
debug client voice-diag {enable | disable} mac-id mac-id2 [verbose]
The verbose mode is an optional argument. When the verbose option is used, all debug messages are
displayed in the console. You can use this command to monitor a maximum of two 802.11 clients. If one
of the clients is a non-WiFi client, only the 802.11 client is monitored for debug messages.
Note
It is implicitly assumed that the clients being monitored are on call.
Note
The debug command automatically stops after 60 minutes.
Step 8
Use the following commands to view various voice-related parameters:
– show client voice-diag status
Displays information about whether voice diagnostics is enabled or disabled. If enabled, it
also displays information about the clients in the watch list and the time remaining for the
diagnostics of the voice call.
If voice diagnostics is disabled when the following commands are invoked, a message indicating that
voice diagnostics is disabled appears.
– show client voice-diag tspec
Displays the TSPEC information sent from the clients that are enabled for voice diagnostics.
– show client voice-diag qos-map
Displays information about the QoS/DSCP mapping and packet statistics in each of the four
queues: VO, VI, BE, BK. The different DSCP values are also displayed.
– show client voice-diag avrg_rssi
Displays the client’s RSSI values in the last 5 seconds when voice diagnostics is enabled.
– show client voice-diag roam-history
Displays information about the last three roaming calls. The output contains the timestamp,
access point associated with roaming, roaming reason, and if there is a roaming failure, reason
for roaming-failure.
– show client calls {active | rejected} {802.11a | 802.11bg | all}
This command lists the details of active TSPEC and SIP calls on the controller.
Step 9
Use the following commands to troubleshoot video debug messages and statistics:
– debug ap show stats {802.11b | 802.11a} ap-name multicast—Displays the access point’s
supported multicast rates.
– debug ap show stats {802.11b | 802.11a} ap-name load—Displays the access point’s QBSS
and other statistics.
– debug ap show stats {802.11b | 802.11a} ap-name tx-queue—Displays the access point’s
transmit queue traffic statistics.
– debug ap show stats {802.11b | 802.11a} ap-name client {all | video |
<client-mac>}—Displays the access point’s client metrics.
– debug ap show stats {802.11b | 802.11a} ap-name packet—Displays the access point’s packet
statistics.
– debug ap show stats {802.11b | 802.11a} ap-name video metrics—Displays the access point’s
video metrics.
– debug ap show stats video ap-name multicast mgid number —Displays an access point’s
Layer 2 MGID database number.
– debug ap show stats video ap-name admission—Displays an access point’s admission control
statistics.
– debug ap show stats video ap-name bandwidth—Displays an access point’s video bandwidth.
Configuring Media Parameters (GUI)
Step 1
Make sure that the WLAN is configured for WMM and the Gold QoS level.
Step 2
Disable all WLANs with WMM enabled and click Apply.
Step 3
Choose Wireless and then Network under 802.11a/n or 802.11b/g/n, unselect the 802.11a (or
802.11b/g) Network Status check box, and click Apply to disable the radio network.
Step 4
Choose Wireless > 802.11a/n or 802.11b/g/n > Media. The 802.11a (or 802.11b) > Media > Parameters
page appears.
Figure 4-24 802.11a > Media Parameters Page
Step 5
Choose the Media tab to open the Media page.
Step 6
Select the Unicast Video Redirect check box to enable Unicast Video Redirect. The default value is
disabled.
Step 7
In the Maximum Media Bandwidth (0-85%) text box, enter the percentage of the maximum bandwidth
to be allocated for media applications on this radio band. Once the client reaches the specified value, the
access point rejects new calls on this radio band.
The default value is 85%; valid values are from 0 to 85%.
Step 8
In the Client Phy Rate text box, enter the value for the rate in kilobits per second at which the client
operates.
Step 9
In the Maximum Retry Percent (0-100%) text box, enter the percentage of the maximum retry. The
default value is 80.
Step 10
Select the Multicast Direct Enable check box to enable multicast direct on this radio band. The
default value is enabled.
Step 11
From the Max Streams per Radio drop-down list, choose the maximum number of allowed multicast
direct streams per radio. Choose a value between 1 to 20 or No Limit. The default value is set to No
Limit.
Step 12
From the Max Streams per Client drop-down list, choose the maximum number of allowed multicast
direct streams per client. Choose a value between 1 to 20 or No Limit. The default value is set to No Limit.
Step 13
To enable best-effort QoS admission for this radio, select the Best Effort QoS Admission check
box. The default value is disabled.
Configuring SIP Based CAC
This section contains the following topics:
•
Guidelines and Limitations, page 4-88
•
Configuring SIP-Based CAC (CLI), page 4-88
Guidelines and Limitations
•
SIP CAC is available only on the Cisco 4400 Series and Cisco 5500 Series Controllers, and on the 1240,
1130, and 802.11n access points.
•
SIP CAC should only be used for phones that support status code 17 and do not support
TSPEC-based admission control.
•
SIP CAC will be supported only if SIP snooping is enabled.
Configuring SIP-Based CAC (CLI)
Step 1
Set the voice to the platinum QoS level by entering this command:
config wlan qos wlan-id Platinum
Step 2
Enable the call-snooping feature for a particular WLAN by entering this command:
config wlan call-snoop enable wlan-id
Step 3
Enable the ACM to this radio by entering this command:
config {802.11a | 802.11b} cac {voice | video} acm enable
Configuring Voice Prioritization Using Preferred Call Numbers
This section contains the following topics:
•
Information About Configuring Voice Prioritization Using Preferred Call Numbers, page 4-89
•
Guidelines and Limitations, page 4-89
•
Configuring a Preferred Call Number, page 4-89
Information About Configuring Voice Prioritization Using Preferred Call
Numbers
You can configure a controller to support calls from clients that do not support TSPEC-based calls. This
feature is known as voice prioritization. These calls are given priority over other clients using the
voice pool. Voice prioritization is available only for SIP-based calls, not for TSPEC-based calls. If
bandwidth is available, the call follows the normal CAC flow and bandwidth is allocated to it.
You can configure up to six preferred call numbers. When a call comes in to one of the configured preferred
numbers, the controller does not check the maximum call limit; it invokes CAC to allocate
bandwidth for the preferred call. The bandwidth is taken from 85 percent of the entire bandwidth pool,
not just from the maximum configured voice pool. The bandwidth allocation is the same for
roaming calls.
Because a preferred number bypasses the per-radio call limit, reserve these entries for numbers that
genuinely need guaranteed admission (emergency numbers, for example): any SIP call placed to a preferred
number is admitted ahead of the rest of the voice pool.
Guidelines and Limitations
•
You must configure the following before configuring voice prioritization:
– Set WLAN QoS to platinum.
– Enable ACM for the radio.
– Enable SIP call snooping on the WLAN.
•
Cisco 5500 Series Controllers and all nonmesh access points do not support voice prioritization.
Configuring a Preferred Call Number
This section contains the following topics:
•
Configuring a Preferred Call Number (GUI), page 4-89
•
Configuring a Preferred Call Number (CLI), page 4-90
Configuring a Preferred Call Number (GUI)
Step 1
Set the WLAN QoS profile to Platinum. See the “Assigning a QoS Profile to a WLAN” section on
page 8-38.
Step 2
Enable ACM for the WLAN radio. See the “Configuring Voice and Video Parameters” section on
page 4-73.
Step 3
Enable SIP call snooping for the WLAN. See the “Configuring Media Session Snooping and Reporting”
section on page 8-43.
Step 4
Choose Wireless > Advanced > Preferred Call to open the Preferred Call page.
All calls configured on the controller appear.
Note
To remove a preferred call, hover your cursor over the blue drop-down arrow and choose Remove.
Step 5
Click Add Number to add a new preferred call.
Step 6
In the Call Index text box, enter the index that you want to assign to the call. Valid values are from 1
through 6.
Step 7
In the Call Number text box, enter the number.
Step 8
Click Apply to add the new number.
Configuring a Preferred Call Number (CLI)
Step 1
Set the voice to the platinum QoS level by entering this command:
config wlan qos wlan-id Platinum
Step 2
Enable the ACM to this radio by entering this command:
config {802.11a | 802.11b} cac {voice | video} acm enable
Step 3
Enable the call-snooping feature for a particular WLAN by entering this command:
config wlan call-snoop enable wlan-id
Step 4
Add a new preferred call by entering this command:
config advanced sip-preferred-call-no call_index {call_number | none}
Step 5
Remove a preferred call by entering this command:
config advanced sip-preferred-call-no call_index none
Step 6
View the preferred call statistics by entering the following command:
show ap stats {802.11{a | b} | wlan} ap_name
Step 7
Enter the following command to list the preferred call numbers:
show advanced sip-preferred-call-no
Configuring EDCA Parameters
This section contains the following topics:
•
Information About EDCA Parameters, page 4-90
•
Configuring EDCA Parameters, page 4-90
Information About EDCA Parameters
Enhanced distributed channel access (EDCA) parameters are designed to provide preferential wireless
channel access for voice, video, and other quality-of-service (QoS) traffic. Follow the instructions in this
section to configure EDCA parameters using the controller GUI or CLI.
Configuring EDCA Parameters
This section contains the following topics:
•
Configuring EDCA Parameters (GUI), page 4-91
•
Configuring EDCA Parameters (CLI), page 4-92
Configuring EDCA Parameters (GUI)
Step 1
Choose Wireless and then Network under 802.11a/n or 802.11b/g/n, unselect the 802.11a (or
802.11b/g) Network Status check box, and click Apply to disable the radio network.
Step 2
Choose EDCA Parameters under 802.11a/n or 802.11b/g/n. The 802.11a (or 802.11b/g) > EDCA
Parameters page appears.
Figure 4-25
802.11a > EDCA Parameters Page
Step 3
Choose one of the following options from the EDCA Profile drop-down list:
•
WMM—Enables the Wi-Fi Multimedia (WMM) default parameters. This is the default value.
Choose this option when voice or video services are not deployed on your network.
•
Spectralink Voice Priority—Enables SpectraLink voice priority parameters. Choose this option if
SpectraLink phones are deployed on your network to improve the quality of calls.
•
Voice Optimized—Enables EDCA voice-optimized profile parameters. Choose this option when
voice services other than SpectraLink are deployed on your network.
•
Voice & Video Optimized—Enables EDCA voice- and video-optimized profile parameters. Choose
this option when both voice and video services are deployed on your network.
•
Custom Voice—Enables custom voice EDCA parameters for 802.11a. The EDCA parameters under
this option also match the 6.0 WMM EDCA parameters when this profile is applied.
Note
If you deploy video services, admission control (ACM) must be disabled.
Step 4
If you want to enable MAC optimization for voice, select the Enable Low Latency MAC check box.
Otherwise, leave this check box unselected, which is the default value. This feature enhances voice
performance by controlling packet retransmits and appropriately aging out voice packets on lightweight
access points, which improves the number of voice calls serviced per access point.
Note
We do not recommend enabling low latency MAC. Enable low latency MAC only if the WLAN
allows WMM clients. If WMM is enabled, low latency MAC can be used with any of the EDCA
profiles. See the “Assigning a QoS Profile to a WLAN” section on page 8-38 for instructions on
enabling WMM.
Step 5
Click Apply to commit your changes.
Step 6
To reenable the radio network, choose Network under 802.11a/n or 802.11b/g/n, select the 802.11a (or
802.11b/g) Network Status check box, and click Apply.
Step 7
Click Save Configuration to save your changes.
Configuring EDCA Parameters (CLI)
Step 1
Disable the radio network by entering this command:
config {802.11a | 802.11b} disable network
Step 2
Save your settings by entering this command:
save config
Step 3
Enable a specific EDCA profile by entering this command:
config advanced {802.11a | 802.11b} edca-parameters {wmm-default | svp-voice | optimized-voice |
optimized-video-voice | custom-voice}
•
wmm-default—Enables the Wi-Fi Multimedia (WMM) default parameters. This is the default value.
Choose this option when voice or video services are not deployed on your network.
•
svp-voice—Enables SpectraLink voice priority parameters. Choose this option if SpectraLink
phones are deployed on your network to improve the quality of calls.
•
optimized-voice—Enables EDCA voice-optimized profile parameters. Choose this option when
voice services other than SpectraLink are deployed on your network.
•
optimized-video-voice—Enables EDCA voice- and video-optimized profile parameters. Choose
this option when both voice and video services are deployed on your network.
•
custom-voice—Enables custom voice EDCA parameters for 802.11a. The EDCA parameters under
this option also match the 6.0 WMM EDCA parameters when this profile is applied.
Note
If you deploy video services, admission control (ACM) must be disabled.
Step 4
View the current status of MAC optimization for voice by entering this command:
show {802.11a | 802.11b}
Information similar to the following appears:
Voice-mac-optimization...................Disabled
Step 5
Enable or disable MAC optimization for voice by entering this command:
config advanced {802.11a | 802.11b} voice-mac-optimization {enable | disable}
This feature enhances voice performance by controlling packet retransmits and appropriately aging out
voice packets on lightweight access points, which improves the number of voice calls serviced per access
point. The default value is disabled.
Step 6
Reenable the radio network by entering this command:
config {802.11a | 802.11b} enable network
Step 7
Save your settings by entering this command:
save config
Configuring the Cisco Discovery Protocol
This section contains the following topics:
•
Information About Configuring the Cisco Discovery Protocol, page 4-93
•
Guidelines and Limitations, page 4-93
•
Configuring the Cisco Discovery Protocol, page 4-95
•
Viewing Cisco Discovery Protocol Information, page 4-98
Information About Configuring the Cisco Discovery Protocol
The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs on all Cisco-manufactured
equipment. A device enabled with CDP sends periodic interface updates to a well-known multicast address
in order to make itself known to neighboring devices.
The default value for the frequency of periodic transmissions is 60 seconds, and the default advertised
time-to-live value is 180 seconds. The second and latest version of the protocol, CDPv2, introduces new
type-length-values (TLVs) and provides a reporting mechanism that allows for more rapid error tracking,
which reduces downtime.
CDP is neither authenticated nor encrypted: every advertisement carries the sender’s host name, IP
address, platform, and software version (see the TLV list below), and any device on the same Layer 2
segment can read it. Enable CDP only where a neighbor needs it (for example, for Intelligent Power
Management) and leave it disabled on controller ports and access points that face untrusted segments.
Guidelines and Limitations
•
CDPv1 and CDPv2 are supported on the following devices:
– Cisco 5500, 4400, 2500, and 2100 Series Controllers
Note
CDP is not supported on the controllers that are integrated into Cisco switches and routers,
including those in the Catalyst 3750G Integrated Wireless LAN Controller Switch, the Cisco
WiSM, and the Cisco 28/37/38xx Series Integrated Services Router. However, you can use
the show ap cdp neighbors detail {Cisco_AP | all} command on these controllers in order
to see the list of CDP neighbors for the access points that are connected to the controller.
– CAPWAP-enabled access points
– An access point connected directly to a Cisco 5500, 4400, or 2100 Series Controller
Note
To use the Intelligent Power Management feature, ensure that CDPv2 is enabled on the Cisco
2100 and 2500 Series Controllers. CDP v2 is enabled by default.
•
The OEAP 600 access points do not support CDP.
•
The support of CDPv1 and CDPv2 enables network management applications to discover Cisco
devices.
•
The following TLVs are supported by both the controller and the access point:
– Device-ID TLV: 0x0001—The host name of the controller, the access point, or the CDP
neighbor.
– Address TLV: 0x0002—The IP address of the controller, the access point, or the CDP neighbor.
– Port-ID TLV: 0x0003—The name of the interface on which CDP packets are sent out.
– Capabilities TLV: 0x0004—The capabilities of the device. The controller sends out this TLV
with a value of Host: 0x10, and the access point sends out this TLV with a value of Transparent
Bridge: 0x02.
– Version TLV: 0x0005—The software version of the controller, the access point, or the CDP
neighbor.
– Platform TLV: 0x0006—The hardware platform of the controller, the access point, or the CDP
neighbor.
– Power Available TLV: 0x001a— The amount of power available to be transmitted by power
sourcing equipment to permit a device to negotiate and select an appropriate power setting.
– Full/Half Duplex TLV: 0x000b—The full- or half-duplex mode of the Ethernet link on which
CDP packets are sent out.
•
These TLVs are supported only by the access point:
– Power Consumption TLV: 0x0010—The maximum amount of power consumed by the access
point.
– Power Request TLV:0x0019—The amount of power to be transmitted by a powerable device in
order to negotiate a suitable power level with the supplier of the network power.
•
You can configure CDP and view CDP information using the GUI in controller software release 4.1
or later or the CLI in controller software release 4.0 or later releases. Figure 4-26 shows a sample
network that you can use as a reference when performing the procedures in this section.
•
Changing the CDP configuration on the controller does not change the CDP configuration on the
access points that are connected to the controller. You must enable and disable CDP separately for
each access point.
•
You can enable or disable the CDP state on all or specific interfaces and radios. This configuration
can be applied to all access points or a specific access point. For more information on how to
configure CDP on the interfaces and radios, see the “Configuring the Cisco Discovery Protocol”
section on page 4-95 and the “Configuring the Cisco Discovery Protocol (CLI)” section on
page 4-97.
•
The following is the behavior assumed for various interfaces and access points:
– CDP is disabled on radio interfaces on indoor (nonmesh) access points.
– Nonmesh access points have CDP disabled on radio interfaces when they join the controller.
The persistent CDP configuration is used for access points that had CDP support in their previous
image.
– CDP is enabled on radio interfaces on indoor-mesh and mesh access points.
– Mesh access points will have CDP enabled on their radio interfaces when they join the
controller. The persistent CDP configuration is used for the access points that had CDP support
in a previous image. The CDP configuration for radio interfaces is applicable only for mesh
APs.
Figure 4-26
Sample Network Illustrating CDP
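As an added worked example (not code from this guide or from Cisco), the following Python builds the CDP payload an access point advertises, using the TLV types listed above, and decodes it again the way a receiver would. The byte layout (version/holdtime/checksum header, type-length-value encoding, the Address TLV’s NLPID 0xCC for IPv4, the capability bit values) follows the public CDP format; the device name, address, port, version and platform strings are constructed sample values, and the checksum’s handling of odd-length frames is simplified as noted in the code. Everything the parser returns is what any host on the same segment learns from a single advertisement.

```python
"""Build and decode CDP payloads (the bytes after the SNAP header).
Header: version (1 B), holdtime (1 B), checksum (2 B); then TLVs: type (2 B),
length (2 B, counting the 4-byte TLV header), value."""
import ipaddress
import struct

# TLV type codes from the guide's list
TLV_DEVICE_ID, TLV_ADDRESS, TLV_PORT_ID = 0x0001, 0x0002, 0x0003
TLV_CAPABILITIES, TLV_VERSION, TLV_PLATFORM = 0x0004, 0x0005, 0x0006

# Capability bits: the controller advertises Host (0x10), an AP Transparent Bridge (0x02)
CAPABILITY_BITS = {0x01: "Router", 0x02: "Trans Bridge", 0x04: "Source Route Bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def cdp_checksum(data: bytes) -> int:
    """16-bit ones'-complement checksum. Assumption: an odd-length body is zero-padded;
    real Cisco senders treat the trailing odd byte differently, so only verify frames
    built by this code with it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def address_tlv(addresses) -> bytes:
    """Address TLV: 4-byte count, then per address: protocol type 1 (NLPID),
    protocol length 1, protocol 0xCC (IPv4), 2-byte address length, address."""
    body = struct.pack("!I", len(addresses))
    for addr in addresses:
        packed = ipaddress.IPv4Address(addr).packed
        body += struct.pack("!BB", 1, 1) + b"\xcc" + struct.pack("!H", len(packed)) + packed
    return tlv(TLV_ADDRESS, body)


def build_cdp(device_id, addresses, port_id, capabilities, version, platform,
              holdtime=180, cdp_version=2) -> bytes:
    body = (tlv(TLV_DEVICE_ID, device_id.encode()) + address_tlv(addresses)
            + tlv(TLV_PORT_ID, port_id.encode())
            + tlv(TLV_CAPABILITIES, struct.pack("!I", capabilities))
            + tlv(TLV_VERSION, version.encode()) + tlv(TLV_PLATFORM, platform.encode()))
    checksum = cdp_checksum(struct.pack("!BBH", cdp_version, holdtime, 0) + body)
    return struct.pack("!BBH", cdp_version, holdtime, checksum) + body


def parse_addresses(value: bytes) -> list:
    (count,) = struct.unpack("!I", value[:4])
    addrs, off = [], 4
    for _ in range(count):
        ptype, plen = struct.unpack("!BB", value[off:off + 2])
        proto = value[off + 2:off + 2 + plen]
        (alen,) = struct.unpack("!H", value[off + 2 + plen:off + 4 + plen])
        raw = value[off + 4 + plen:off + 4 + plen + alen]
        if ptype == 1 and proto == b"\xcc" and alen == 4:
            addrs.append(str(ipaddress.IPv4Address(raw)))
        off += 4 + plen + alen
    return addrs


def parse_cdp(frame: bytes) -> dict:
    """Decode one CDP payload; ValueError on a bad checksum or malformed TLV
    (the conditions the controller reports as checksum errors / invalid packets)."""
    if len(frame) < 4 or cdp_checksum(frame) != 0:
        raise ValueError("CDP checksum error or truncated frame")
    version, holdtime, _ = struct.unpack("!BBH", frame[:4])
    info = {"cdp_version": version, "holdtime": holdtime, "addresses": [], "capabilities": []}
    text = {TLV_DEVICE_ID: "device_id", TLV_PORT_ID: "port_id",
            TLV_VERSION: "version", TLV_PLATFORM: "platform"}
    off = 4
    try:
        while off < len(frame):
            tlv_type, length = struct.unpack("!HH", frame[off:off + 4])
            if length < 4 or off + length > len(frame):
                raise ValueError("bad TLV length %d at offset %d" % (length, off))
            value = frame[off + 4:off + length]
            if tlv_type in text:
                info[text[tlv_type]] = value.decode(errors="replace")
            elif tlv_type == TLV_ADDRESS:
                info["addresses"] = parse_addresses(value)
            elif tlv_type == TLV_CAPABILITIES:
                (bits,) = struct.unpack("!I", value)
                info["capabilities"] = [n for b, n in sorted(CAPABILITY_BITS.items()) if bits & b]
            # unknown TLV types are skipped, as a receiver should do
            off += length
    except struct.error as err:
        raise ValueError("malformed TLV: %s" % err)
    return info


# Constructed sample (not a capture): an AP advertisement as the guide describes it
AP_FRAME = build_cdp(device_id="AP0013.601c.0a0", addresses=["10.76.108.123"],
                     port_id="GigabitEthernet0", capabilities=0x02,
                     version="constructed version string", platform="constructed AP platform")

if __name__ == "__main__":
    print(parse_cdp(AP_FRAME))            # everything an eavesdropper on the segment learns
    tampered = bytearray(AP_FRAME)
    tampered[-1] ^= 0x01
    try:
        parse_cdp(bytes(tampered))
    except ValueError as err:
        print("rejected:", err)
```

The checksum only catches corruption, not forgery: anyone who can reach the segment can build a frame exactly as build_cdp does and claim to be any device, so a CDP neighbor table is an inventory aid, not an authentication source.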
Configuring the Cisco Discovery Protocol
This section contains the following topics:
•
Configuring the Cisco Discovery Protocol (GUI), page 4-95
•
Configuring the Cisco Discovery Protocol (CLI), page 4-97
Configuring the Cisco Discovery Protocol (GUI)
Step 1
Choose Controller > CDP > Global Configuration to open the CDP > Global Configuration page.
Figure 4-27
CDP > Global Configuration Page
Step 2
Select the CDP Protocol Status check box to enable CDP on the controller or unselect it to disable this
feature. The default value is selected.
Note
Enabling or disabling this feature is applicable to all controller ports.
Step 3
From the CDP Advertisement Version drop-down list, choose v1 or v2 to specify the highest CDP
version supported on the controller. The default value is v1.
Step 4
In the Refresh-time Interval text box, enter the interval at which CDP messages are to be generated. The
range is 5 to 254 seconds, and the default value is 60 seconds.
Step 5
In the Holdtime text box, enter the amount of time to be advertised as the time-to-live value in generated
CDP packets. The range is 10 to 255 seconds, and the default value is 180 seconds.
Step 6
Click Apply to commit your changes.
Step 7
Click Save Configuration to save your changes.
Step 8
Perform one of the following:
•
To enable or disable CDP on a specific access point, follow these steps:
a.
Choose Wireless > Access Points > All APs to open the All APs page.
b.
Click the link for the desired access point.
c.
Choose the Advanced tab to open the All APs > Details for (Advanced) page.
d.
Select the Cisco Discovery Protocol check box to enable CDP on this access point or unselect
it to disable this feature. The default value is enabled.
Note
If CDP is disabled in Step 2, a message indicating that the Controller CDP is disabled
appears.
•
Enable CDP for a specific Ethernet interface, radio, or slot as follows:
a.
Choose Wireless > Access Points > All APs to open the All APs page.
b.
Click the link for the desired access point.
c.
Choose the Interfaces tab and select the corresponding check boxes for the radios or slots from
the CDP Configuration section.
Note
Configuration for radios is only applicable for mesh access points.
d.
Click Apply to commit your changes.
•
To enable or disable CDP on all access points currently associated to the controller, follow these
steps:
a.
Choose Wireless > Access Points > Global Configuration to open the Global Configuration
page.
b.
Select the CDP State check box to enable CDP on all access points associated to the controller
or unselect it to disable CDP on all access points. The default value is selected. You can enable
CDP on a specific Ethernet interface, radio, or slot by selecting the corresponding check box.
This configuration will be applied to all access points associated with the controller.
c.
Click Apply to commit your changes.
Step 9
Click Save Configuration to save your changes.
Configuring the Cisco Discovery Protocol (CLI)
Step 1
Enable or disable CDP on the controller by entering this command:
config cdp {enable | disable}
CDP is enabled by default.
Step 2
Specify the interval at which CDP messages are to be generated by entering this command:
config cdp timer seconds
The range is 5 to 254 seconds, and the default value is 60 seconds.
Step 3
Specify the amount of time to be advertised as the time-to-live value in generated CDP packets by
entering this command:
config cdp holdtime seconds
The range is 10 to 255 seconds, and the default value is 180 seconds.
Step 4
Specify the highest CDP version supported on the controller by entering this command:
config cdp advertise {v1 | v2}
The default value is v1.
Step 5
Enable or disable CDP on all access points that are joined to the controller by entering the config ap cdp
{enable | disable} all command.
The config ap cdp disable all command disables CDP on all access points that are joined to the
controller and all access points that join in the future. CDP remains disabled on both current and future
access points even after the controller or access point reboots. To enable CDP, enter the config ap cdp
enable all command.
Note
After you enable CDP on all access points joined to the controller, you may disable and then reenable
CDP on individual access points using the command in Step 6. After you disable CDP on all access
points joined to the controller, you may not enable and then disable CDP on individual access points.
Step 6
Enable or disable CDP on a specific access point by entering this command:
config ap cdp {enable | disable} Cisco_AP
Step 7
Configure CDP on a specific or all access points for a specific interface by entering this command:
config ap cdp {ethernet | radio} interface_number slot_id {enable | disable} {all | Cisco_AP}
Note
When you use the config ap cdp command to configure CDP on radio interfaces, a warning message
appears indicating that the configuration is applicable only for mesh access points.
Step 8
Save your changes by entering this command:
save config
Viewing Cisco Discovery Protocol Information
This section contains the following topics:
•
Viewing Cisco Discovery Protocol Information (GUI), page 4-98
•
Viewing Cisco Discovery Protocol Information (CLI), page 4-100
•
Getting CDP Debug Information, page 4-101
Viewing Cisco Discovery Protocol Information (GUI)
Step 1
Choose Monitor > CDP > Interface Neighbors to open the CDP > Interface Neighbors page.
Figure 4-28
CDP > Interface Neighbors Page
This page shows the following information:
•
The controller port on which the CDP packets were received
•
The name of each CDP neighbor
•
The IP address of each CDP neighbor
•
The port used by each CDP neighbor for transmitting CDP packets
•
The time left (in seconds) before each CDP neighbor entry expires
•
The functional capability of each CDP neighbor, defined as follows: R - Router, T - Trans Bridge,
B - Source Route Bridge, S - Switch, H - Host, I - IGMP, r - Repeater, or M - Remotely Managed
Device
•
The hardware platform of each CDP neighbor device
Step 2
Click the name of the desired interface neighbor to see more detailed information about each interface’s
CDP neighbor. The CDP > Interface Neighbors > Detail page appears.
This page shows the following information:
•
The controller port on which the CDP packets were received
•
The name of the CDP neighbor
•
The IP address of the CDP neighbor
•
The port used by the CDP neighbor for transmitting CDP packets
•
The CDP version being advertised (v1 or v2)
•
The time left (in seconds) before the CDP neighbor entry expires
•
The functional capability of the CDP neighbor, defined as follows: Router, Trans Bridge,
Source Route Bridge, Switch, Host, IGMP, Repeater, or Remotely Managed Device
•
The hardware platform of the CDP neighbor device
•
The software running on the CDP neighbor
Step 3
Choose AP Neighbors to see a list of CDP neighbors for all access points connected to the controller.
The CDP AP Neighbors page appears.
Step 4
Click the CDP Neighbors link for the desired access point to see a list of CDP neighbors for a specific
access point. The CDP > AP Neighbors page appears.
This page shows the following information:
•
The name of each access point
•
The IP address of each access point
•
The name of each CDP neighbor
•
The IP address of each CDP neighbor
•
The port used by each CDP neighbor
•
The CDP version being advertised (v1 or v2)
Step 5
Click the name of the desired access point to see detailed information about an access point’s CDP
neighbors. The CDP > AP Neighbors > Detail page appears.
This page shows the following information:
•
The name of the access point
•
The MAC address of the access point’s radio
•
The IP address of the access point
•
The interface on which the CDP packets were received
•
The name of the CDP neighbor
•
The IP address of the CDP neighbor
•
The port used by the CDP neighbor
•
The CDP version being advertised (v1 or v2)
•
The time left (in seconds) before the CDP neighbor entry expires
•
The functional capability of the CDP neighbor, defined as follows: R - Router, T - Trans Bridge,
B - Source Route Bridge, S - Switch, H - Host, I - IGMP, r - Repeater, or M - Remotely Managed
Device
•
The hardware platform of the CDP neighbor device
•
The software running on the CDP neighbor
Step 6
Choose Traffic Metrics to see CDP traffic information. The CDP > Traffic Metrics page appears.
This page shows the following information:
•
The number of CDP packets received by the controller
•
The number of CDP packets sent from the controller
•
The number of packets that experienced a checksum error
•
The number of packets dropped due to insufficient memory
•
The number of invalid packets
Viewing Cisco Discovery Protocol Information (CLI)
Step 1
See the status of CDP and view CDP protocol information by entering this command:
show cdp
Step 2
See a list of all CDP neighbors on all interfaces by entering this command:
show cdp neighbors [detail]
The optional detail command provides detailed information for the controller’s CDP neighbors.
Note
This command shows only the CDP neighbors of the controller. It does not show the CDP neighbors of
the controller’s associated access points. Additional commands are provided below to show the list of
CDP neighbors per access point.
Step 3
See all CDP entries in the database by entering this command:
show cdp entry all
Step 4
See CDP traffic information on a given port (for example, packets sent and received, CRC errors, and so
on) by entering this command:
show cdp traffic
Step 5
See the CDP status for a specific access point by entering this command:
show ap cdp ap-name Cisco_AP
Step 6
See the CDP status for all access points that are connected to the controller by entering this command:
show ap cdp all
Step 7
See a list of all CDP neighbors for a specific access point by entering these commands:
•
show ap cdp neighbors ap-name Cisco_AP
•
show ap cdp neighbors detail Cisco_AP
Note
The access point sends CDP neighbor information to the controller only when the information changes.
Step 8
See a list of all CDP neighbors for all access points connected to the controller by entering these
commands:
•
show ap cdp neighbors all
•
show ap cdp neighbors detail all
Information similar to the following appears when you enter the show ap cdp neighbors all command:
AP Name            AP IP           Neighbor Name   Neighbor IP     Neighbor Port
-----------------  --------------  --------------  --------------  --------------------
AP0013.601c.0a0    10.76.108.123   6500-1          10.76.108.207   GigabitEthernet1/26
AP0013.601c.0b0    10.76.108.111   6500-1          10.76.108.207   GigabitEthernet1/27
AP0013.601c.0c0    10.76.108.125   6500-1          10.76.108.207   GigabitEthernet1/28
Information similar to the following appears when you enter the show ap cdp neighbors detail all
command:
AP Name: AP0013.601c.0a0
AP IP Address: 10.76.108.125
---------------------------------Device ID: 6500-1
Entry address(es): 10.76.108.207
Platform: cisco WS-C6506-E, Capabilities: Router Switch IGMP
Interface: Port - 1, Port ID (outgoing port): GigabitEthernet1/26
Holdtime: 157 sec
Version:
Cisco Internetwork Operating System Software IOS (tm) s72033_rp Software
(s72033_rp-PSV-M), Version 12.2(18)SXD5, RELEASE SOFTWARE (fc3) Technical Support:
http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Fri 13-Ma
Getting CDP Debug Information
•
Get debug information related to CDP packets by entering this command:
debug cdp packets
•
Get debug information related to CDP events by entering this command:
debug cdp events
Configuring Authentication for the Controller and NTP Server
This section contains the following topics:
•
Information About Configuring Authentication for the Controller and NTP Server, page 4-102
•
Configuring Authentication for the Controller and NTP Server, page 4-102
Information About Configuring Authentication for the Controller and NTP Server
Starting in release 7.0.116.0, the controller software is compliant with RFC 1305 (NTP version 3). As
part of that compliance, the controller supports authenticating its time synchronization with an NTP
server using a shared key; by default, an MD5 message digest is used. Authenticated NTP keeps a
spoofed or on-path server from shifting the controller’s clock, which would skew log timestamps and
certificate validity checks. The key must be configured identically on the NTP server and in the
controller’s key store.
Configuring Authentication for the Controller and NTP Server
This section contains the following topics:
•
Configuring the NTP Server for Authentication (GUI), page 4-102
•
Configuring the NTP Server for Authentication (CLI), page 4-102
Configuring the NTP Server for Authentication (GUI)
Step 1
Choose Controller > NTP > Servers to open the NTP Servers page.
Step 2
Click New to add a new NTP Server.
Step 3
In the Server Index (Priority) text box, enter the NTP server index.
The controller tries index 1 first, then index 2, then index 3. Set this to 1 if your
network is using only one NTP server.
Step 4
Enter the server IP address in the Server IP Address field.
Step 5
Select the Enable NTP Authentication check box to enable NTP Authentication.
Step 6
In the Key Index text box, enter the index of the authentication key configured for this server.
Step 7
Click Apply.
Configuring the NTP Server for Authentication (CLI)
•
config time ntp auth enable server-index key-index—Enables NTP authentication on a given NTP
server.
•
config time ntp key-auth add key-index md5 key-format key—Adds an authentication key. By
default MD5 is used. The key format can be "ascii" or "hex".
•
config time ntp key-auth delete key-index—Deletes authentication keys.
•
config time ntp auth disable server-index—Disables NTP authentication.
•
show ntp-keys—Displays the configured NTP authentication keys.
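As an added worked example (not code from this guide or from Cisco), the following Python shows what the MD5 authentication configured above actually computes: the 48-byte NTP header is followed by a 4-byte key ID and MD5(key || header), as RFC 1305 defines it. The keyring mirrors two config time ntp key-auth add entries, one in ascii and one in hex format; the key values, timestamps and key indexes are constructed for the example, and the verification policy (reject anything without a MAC for a known key index) is this example’s choice rather than a description of the controller’s internals.

```python
"""NTP symmetric-key authentication as used with the controller: the 48-byte NTP header
is followed by a 4-byte key ID and MD5(key || header) (RFC 1305 / RFC 5905 MD5 scheme)."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
NTP_MAC_LEN = 4 + 16             # key ID + MD5 digest


def ntp_key_bytes(key_format: str, key: str) -> bytes:
    """Raw key bytes from the 'ascii' or 'hex' format accepted by
    config time ntp key-auth add key-index md5 key-format key."""
    if key_format == "ascii":
        return key.encode("ascii")
    if key_format == "hex":
        return bytes.fromhex(key)
    raise ValueError("key format must be 'ascii' or 'hex'")


def build_ntp_header(transmit_timestamp: int, mode: int = 3, version: int = 3) -> bytes:
    """Minimal 48-byte header: LI=0, VN, mode (3 = client, 4 = server); other fields zero."""
    li_vn_mode = (version << 3) | mode
    return (struct.pack("!BBBb", li_vn_mode, 0, 6, -20)   # stratum, poll, precision
            + struct.pack("!III", 0, 0, 0)                 # root delay, dispersion, ref id
            + bytes(24)                                    # reference, origin, receive ts
            + struct.pack("!Q", transmit_timestamp))


def ntp_sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the authenticator the sender computes over the header."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("NTP header must be 48 bytes")
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def ntp_verify(packet: bytes, keyring: dict) -> bool:
    """Accept only a packet carrying a MAC for a key ID we trust whose digest matches;
    an unauthenticated 48-byte packet is rejected once authentication is enabled."""
    if len(packet) != NTP_HEADER_LEN + NTP_MAC_LEN:
        return False
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = keyring.get(key_id)
    if key is None:
        return False                       # unknown key index: treat as unauthenticated
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])   # constant-time comparison


# Constructed keyring mirroring two 'config time ntp key-auth add' entries (not real keys)
KEYRING = {
    1: ntp_key_bytes("ascii", "wlc-ntp-shared-key"),
    2: ntp_key_bytes("hex", "00112233445566778899aabbccddeeff"),
}

if __name__ == "__main__":
    reply = ntp_sign(build_ntp_header(0x0123456789ABCDEF, mode=4), 1, KEYRING[1])
    print("genuine reply accepted:", ntp_verify(reply, KEYRING))
    forged = bytearray(reply)
    forged[40] ^= 0x80                     # flip one bit of the transmit timestamp
    print("altered reply accepted:", ntp_verify(bytes(forged), KEYRING))
```

Note that this is a keyed MD5 digest, not an HMAC, and the key is a shared secret that show ntp-keys displays; it defends against an unauthenticated attacker injecting or altering time replies, not against a compromised NTP server or anyone who can read the controller’s configuration.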
Configuring RFID Tag Tracking
This section contains the following topics:
•
Information About Configuring RFID Tag Tracking, page 4-103
•
Configuring RFID Tag Tracking, page 4-104
Information About Configuring RFID Tag Tracking
The controller enables you to configure radio-frequency identification (RFID) tag tracking. RFID tags
are small wireless devices that are affixed to assets for real-time location tracking. They operate by
advertising their location using special 802.11 packets, which are processed by access points, the
controller, and the location appliance.
To learn more about the tags supported by the controller, see
http://www.cisco.com/web/partners/pr46/pr147/ccx_wifi_tags.html. See Table 4-5 for details. The
location appliance receives telemetry and chokepoint information from tags that are compliant with this
CCX specification.
Table 4-5    Cisco Compatible Extensions for RFID Tags Summary

Partner                      AeroScout   AeroScout   WhereNet      Pango (InnerWireless)
Product Name                 T2          T3          Wheretag IV   V3
Telemetry
  Temperature                X           X           —             X
  Pressure                   —           —           —             —
  Humidity                   —           —           —             —
  Status                     —           —           —             —
  Fuel                       —           —           —             —
  Quantity                   —           —           —             —
  Distance                   —           —           —             —
  Motion Detection           X           X           —             X
Number of Panic Buttons      1           2           0             1
Tampering                    (see note below the table)
Battery Information          (see note below the table)
Multiple-Frequency Tags (1)  (see note below the table)

(The extracted table carries ten X marks, meaning supported, across the Tampering, Battery Information and Multiple-Frequency Tags rows, but not which of the twelve cells they belong to.)
1. For chokepoint systems, note that the tag can work only with chokepoints coming from the same vendor.
Note
The Network Mobility Services Protocol (NMSP) runs on location appliance software release 3.0 or later
releases. In order for NMSP to function properly, the TCP port (16113) over which the controller and
location appliance communicate must be open (not blocked) on any firewall that exists between these
two devices. See the Cisco Location Appliance Configuration Guide for additional information on
NMSP and RFID tags.
The Cisco-approved tags support these capabilities:
• Information notifications—Enable you to view vendor-specific and emergency information.
• Information polling—Enables you to monitor battery status and telemetry data. Many telemetry data types provide support for sensory networks and a large range of applications for RFID tags.
• Measurement notifications—Enable you to deploy chokepoints at strategic points within your buildings or campuses. Whenever an RFID tag moves to within a defined proximity of a chokepoint, the tag begins transmitting packets that advertise its location in relation to the chokepoint.
The number of tags supported varies depending on controller platform. Table 4-6 lists the number of tags
supported per controller.
Table 4-6    RFID Tags Supported per Controller

Controller                                                                                 Number of RFID Tags Supported
5508                                                                                       2500
Catalyst 3750G Integrated Wireless LAN Controller Switch                                   1250
Controller Network Module within the Cisco 28/37/38xx Series Integrated Services Routers   500
2500                                                                                       500
You can configure and view RFID tag tracking information through the controller CLI.
Configuring RFID Tag Tracking
This section contains the following topics:
• Configuring RFID Tag Tracking (CLI), page 4-104
• Viewing RFID Tag Tracking Information (CLI), page 4-105
• Debugging RFID Tag Tracking Issues (CLI), page 4-106
• Modifying the NMSP Notification Interval for Clients, RFID Tags, and Rogues (CLI), page 4-107
• Viewing NMSP Settings (CLI), page 4-107
• Debugging NMSP Issues, page 4-110
Configuring RFID Tag Tracking (CLI)
Step 1
Enable or disable RFID tag tracking by entering this command:
config rfid status {enable | disable}
The default value is enabled.
Step 2
Specify a static timeout value (between 60 and 7200 seconds) by entering this command:
config rfid timeout seconds
The static timeout value is the amount of time that the controller maintains tags before expiring them.
For example, if a tag is configured to beacon every 30 seconds, we recommend that you set the timeout
value to 90 seconds (approximately three times the beacon value). The default value is 1200 seconds.
Step 3
Enable or disable RFID tag mobility for specific tags by entering these commands:
• config rfid mobility vendor_name enable—Enables client mobility for a specific vendor’s tags. When you enter this command, tags are unable to obtain a DHCP address for client mode when attempting to select and/or download a configuration.
• config rfid mobility vendor_name disable—Disables client mobility for a specific vendor’s tags. When you enter this command, tags can obtain a DHCP address. If a tag roams from one subnet to another, it obtains a new address rather than retaining the anchor state.
Note
These commands can be used only for Pango tags. Therefore, the only valid entry for vendor_name is “pango” in all lowercase letters.
Viewing RFID Tag Tracking Information (CLI)
Step 1
See the current configuration for RFID tag tracking by entering this command:
show rfid config
Information similar to the following appears:
RFID Tag data Collection......................... Enabled
RFID timeout..................................... 1200 seconds
RFID mobility.................................... Oui:00:14:7e : Vendor:pango State:Disabled
Step 2
See detailed information for a specific RFID tag by entering this command:
show rfid detail mac_address
where mac_address is the tag’s MAC address.
Information similar to the following appears:
RFID address..................................... 00:12:b8:00:20:52
Vendor........................................... G2
Last Heard....................................... 51 seconds ago
Packets Received................................. 2
Bytes Received................................... 324
Cisco Type.......................................
Content Header
=================
Version.......................................... 1
Tx Power......................................... 12 dBm
Channel.......................................... 1
Reg Class........................................ 12
Burst Length..................................... 1
CCX Payload
===========
Last Sequence Control............................ 0
Payload length................................... 127
Payload Data Hex Dump
01 7f 50 00 05 09 ff ba 03 04 00 ff 5b 05 42 00
ff 97 02 96 00 03 27 42 00 00 14 80 5c 00 0b 00
00 00 03 85 12 67 00 05 52 7b 00 03 05 52 10 01
05 00 52 48 03 03 00 02 53 05 42 00 07 c1 01 82
55 4b f7 42 00 03 ff 51 34 00 05 ff 4b 00 03 06
42 be 00 00 03 02 07 05 03 12 08 10 00 01 02 03
04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 03 0d 09 03
08 05 07 a8 02 00 10 00 23 b2 4e 03 02 0a 03
Nearby AP Statistics:
lap1242-2(slot 0, chan 1) 50 seconds ago... -76 dBm
lap1242(slot 0, chan 1) 50 seconds ago..... -65 dBm
Step 3
See a list of all RFID tags currently connected to the controller by entering this command:
show rfid summary
Information similar to the following appears:
Total Number of RFID                        : 24
----------------- -------- ------------------ ------ ---------------------
RFID ID           VENDOR   Closest AP         RSSI   Time Since Last Heard
----------------- -------- ------------------ ------ ---------------------
00:04:f1:00:00:03 Wherenet flexconnect        -70    151 seconds ago
00:04:f1:00:00:05 Wherenet flexconnect        -66    251 seconds ago
00:0c:cc:5b:f8:1e Aerosct  flexconnect        -40    5 seconds ago
00:0c:cc:5c:05:10 Aerosct  flexconnect        -68    25 seconds ago
00:0c:cc:5c:06:69 Aerosct  flexconnect        -54    7 seconds ago
00:0c:cc:5c:06:6b Aerosct  flexconnect        -68    245 seconds ago
00:0c:cc:5c:06:b5 Aerosct  cisco1242          -67    70 seconds ago
00:0c:cc:5c:5a:2b Aerosct  cisco1242          -68    31 seconds ago
00:0c:cc:5c:87:34 Aerosct  flexconnect        -40    5 seconds ago
00:14:7e:00:05:4d Pango    cisco1242          -66    298 seconds ago
Step 4
See a list of RFID tags that are associated to the controller as clients by entering this command:
show rfid client
When the RFID tag is in client mode, information similar to the following appears:
------------------ -------- --------- ----------------- ------ ---------------
RFID Mac           VENDOR   Heard     Associated AP     Chnl   Client State
                            Sec Ago
------------------ -------- --------- ----------------- ------ ---------------
00:14:7e:00:0b:b1  Pango    35        AP0019.e75c.fef4  1      Probing
When the RFID tag is not in client mode, the above text boxes are blank.
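As an added example, not part of this guide or of the controller software, the following Python script applies the timeout guidance from Step 2 of “Configuring RFID Tag Tracking (CLI)” (about three times the tag beacon interval, within the 60 to 7200 second range that config rfid timeout accepts) to a constructed show rfid summary listing modeled on the output above, and reports tags that have been silent for longer than that window. The function names, the sample rows and the 30-second beacon interval are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Range accepted by "config rfid timeout" (from the guide).
RFID_TIMEOUT_MIN_S, RFID_TIMEOUT_MAX_S = 60, 7200


def recommended_rfid_timeout(beacon_interval_s: int) -> int:
    """About three times the tag beacon interval, clamped to the CLI range."""
    if beacon_interval_s <= 0:
        raise ValueError("beacon interval must be positive")
    return max(RFID_TIMEOUT_MIN_S, min(RFID_TIMEOUT_MAX_S, 3 * beacon_interval_s))


@dataclass(frozen=True)
class RfidEntry:
    mac: str
    vendor: str
    closest_ap: str
    rssi_dbm: int
    last_heard_s: int


# One tag row of "show rfid summary", e.g.
# 00:0c:cc:5b:f8:1e Aerosct  flexconnect        -40    5 seconds ago
_TAG_ROW = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<vendor>\S+)\s+(?P<ap>\S+)\s+"
    r"(?P<rssi>-?\d+)\s+(?P<age>\d+) seconds ago$", re.IGNORECASE)


def parse_rfid_summary(text: str) -> List[RfidEntry]:
    """Parse the tag rows of "show rfid summary"; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _TAG_ROW.match(line.strip())
        if m:
            entries.append(RfidEntry(m["mac"].lower(), m["vendor"], m["ap"],
                                     int(m["rssi"]), int(m["age"])))
    return entries


def quiet_tags(entries: List[RfidEntry], beacon_interval_s: int) -> List[str]:
    """MACs of tags silent for longer than the recommended timeout. With the
    default 1200 s timeout the controller keeps such tags listed for up to
    20 minutes after they stop beaconing, so presence in the listing alone
    does not reveal them; comparing the age with the beacon interval does."""
    limit = recommended_rfid_timeout(beacon_interval_s)
    return [e.mac for e in entries if e.last_heard_s > limit]


# Constructed listing modeled on the guide's sample output (five of its rows).
SAMPLE_SUMMARY = """\
Total Number of RFID                        : 5
----------------- -------- ------------------ ------ ---------------------
RFID ID           VENDOR   Closest AP         RSSI   Time Since Last Heard
----------------- -------- ------------------ ------ ---------------------
00:04:f1:00:00:03 Wherenet flexconnect        -70    151 seconds ago
00:04:f1:00:00:05 Wherenet flexconnect        -66    251 seconds ago
00:0c:cc:5b:f8:1e Aerosct  flexconnect        -40    5 seconds ago
00:0c:cc:5c:06:6b Aerosct  flexconnect        -68    245 seconds ago
00:14:7e:00:05:4d Pango    cisco1242          -66    298 seconds ago
"""

if __name__ == "__main__":
    tags = parse_rfid_summary(SAMPLE_SUMMARY)
    print(recommended_rfid_timeout(30))   # 90
    print(quiet_tags(tags, 30))           # four of the five constructed tags
```

The age column, not the tag's presence in the listing, is what tells you a tag has gone quiet; the same comparison can be run on a schedule against a saved copy of the listing.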
Debugging RFID Tag Tracking Issues (CLI)
If you experience any problems with RFID tag tracking, use these debug commands.
• Configure MAC address debugging by entering this command:
debug mac addr mac_address
Note
We recommend that you perform the debugging on a per-tag basis. If you enable debugging for all of the tags, the console or Telnet screen is inundated with messages.
• Enable or disable debugging for the 802.11 RFID tag module by entering this command:
debug dot11 rfid {enable | disable}
• Enable or disable RFID debug options by entering this command:
debug rfid {all | detail | error | nmsp | receive} {enable | disable}
where
– all configures debugging of all RFID messages.
– detail configures debugging of RFID detailed messages.
– error configures debugging of RFID error messages.
– nmsp configures debugging of RFID NMSP messages.
– receive configures debugging of incoming RFID tag messages.
Modifying the NMSP Notification Interval for Clients, RFID Tags, and Rogues (CLI)
The Network Mobility Services Protocol (NMSP) manages communication between the location
appliance and the controller for incoming and outgoing traffic. If your application requires more frequent
location updates, you can modify the NMSP notification interval (to a value between 1 and 180 seconds)
for clients, active RFID tags, and rogue access points and clients.
Note
The TCP port (16113) that the controller and location appliance communicate over must be open (not blocked) on any firewall that exists between the controller and the location appliance for NMSP to function.
Step 1
Set the NMSP notification interval value for clients, RFID tags, and rogue clients and access points by entering these commands, where interval is a value between 1 and 180 seconds:
• config nmsp notification interval rssi clients interval
• config nmsp notification interval rssi rfid interval
• config nmsp notification interval rssi rogues interval
Step 2
See the NMSP notification intervals by entering this command:
show nmsp notification interval
Information similar to the following appears:
NMSP Notification Interval Summary
RSSI Interval:
Client.......................................... 2 sec
RFID............................................ 0 sec
Rogue AP........................................ 2 sec
Rogue Client.................................... 2 sec
Viewing NMSP Settings (CLI)
To view NMSP information, use these CLI commands:
• See the status of active NMSP connections by entering this command:
show nmsp status
Information similar to the following appears:
MSE IP Address    Tx Echo Resp   Rx Echo Req   Tx Data   Rx Data
--------------    ------------   -----------   -------   -------
171.71.132.107    39046          39046         103742    1
• See the NMSP capabilities by entering this command:
show nmsp capability
Information similar to the following appears:
Service        Subservice
-------        ----------
RSSI           Mobile Station, Tags, Rogue,
Info           Mobile Station, Rogue,
Statistics     Mobile Station, Tags,
IDS Services   WIPS
• See the NMSP counters by entering this command:
show nmsp statistics {summary | connection}
where
– summary shows the common NMSP counters.
– connection shows the connection-specific NMSP counters.
Information similar to the following appears for the show nmsp statistics summary command:
NMSP Global Counters
Client Measure Send Fail......................... 0
Send RSSI with no entry.......................... 0
APP msg too big.................................. 0
Failed Select on Accept Socket................... 0
Failed SSL write................................. 0
Partial SSL write................................ 0
SSL write returned zero.......................... 0
SSL write attempts to want read.................. 0
SSL write attempts to want write................. 0
SSL write got default error...................... 0
SSL write max data length sent................... 0
SSL write max attempts to write in loop.......... 0
SSL read returned zero........................... 0
SSL read attempts to want read................... 0
SSL read attempts to want write.................. 0
SSL read got default error....................... 0
Failed SSL read - Con Rx buf freed............... 0
Failed SSL read - Con/SSL freed.................. 0
Max records read before exiting SSL read......... 0
Normal Prio Tx Q full............................ 0
Highest Prio Tx Q count.......................... 0
Normal Prio Tx Q count........................... 0
Messages sent by APPs to Highest Prio TxQ........ 0
Max Measure Notify Msg........................... 0
Max Info Notify Msg.............................. 0
Max Highest Prio Tx Q Size....................... 0
Max Normal Prio Tx Q Size........................ 0
Max Rx Size...................................... 1
Max Info Notify Q Size........................... 0
Max Client Info Notify Delay..................... 0
Max Rogue AP Info Notify Delay................... 0
Max Rogue Client Info Notify Delay............... 0
Max Client Measure Notify Delay.................. 0
Max Tag Measure Notify Delay..................... 0
Max Rogue AP Measure Notify Delay................ 0
Max Rogue Client Measure Notify Delay............ 0
Max Client Stats Notify Delay.................... 0
Max Client Stats Notify Delay.................... 0
RFID Measurement Periodic........................ 0
RFID Measurement Immediate....................... 0
SSL Handshake failed............................. 0
NMSP Rx detected con failure..................... 0
NMSP Tx detected con failure..................... 0
NMSP Tx buf size exceeded........................ 0
Reconnect Before Conn Timeout.................... 0
Information similar to the following appears for each active connection when you enter the show
nmsp statistics connection command:
NMSP Connection Counters
MSE IP: 171.71.132.107
Connection status: UP
Tx message count
----------------
WLC Capability: 1
Service Subscr Rsp: 1
Measure Rsp: 0
Measure Notify: 0
Info Rsp: 0
Info Notify: 0
Stats Rsp: 0
Stats Notify: 0
Loc Req: 0
Loc Subscr Req: 0
Loc Unsubscr Req: 0
AP Monitor Rsp: 0
AP Monitor Notify: 64677
IDS Get Rsp: 0
IDS Notif: 0
IDS Set Rsp: 0
Rx message count
----------------
MSE Capability: 0
Service Subscr Req: 1
Measure Req: 0
Info Req: 0
Stats Req: 0
Loc Rsp: 0
Loc Subscr Rsp: 0
Loc Notify: 0
Loc Unsubscr Rsp: 0
AP Monitor Req: 0
IDS Get Req: 0
IDS Set Req: 0
• See the mobility services that are active on the controller by entering this command:
show nmsp subscription {summary | detail | detail ip_addr}
where
– summary shows all of the mobility services to which the controller is subscribed.
– detail shows details for all of the mobility services to which the controller is subscribed.
– detail ip_addr shows details only for the mobility services subscribed to by a specific IP
address.
Information similar to the following appears for the show nmsp subscription summary command:
Mobility Services Subscribed:
Server IP    Services
---------    --------
1.4.93.31    RSSI, Info, Statistics
Information similar to the following appears for the show nmsp subscription detail ip_addr command:
Mobility Services Subscribed by 1.4.93.31
Services      Sub-services
--------      ------------
RSSI          Mobile Station, Tags,
Info          Mobile Station,
Statistics    Mobile Station, Tags,
• Clear all NMSP statistics by entering this command:
clear nmsp statistics
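The following Python script is an added example and not part of this guide or of the controller software. It parses the counter lines of show nmsp statistics summary into a dictionary and reports the counters that indicate a transport or TLS problem between the controller and the location appliance (SSL handshake failures, detected connection failures and the like), both as a one-off check and as a delta between two snapshots, which separates a live problem from history that predates the last clear nmsp statistics. The sample snapshots are constructed and modeled on the output above; the non-zero values in them and the grouping of counters as failure counters are this example's choices.

```python
import re
from typing import Dict

# "show nmsp statistics summary" counters whose growth points at a transport
# or TLS problem between the controller and the MSE (names as printed by the
# controller; the grouping is this example's choice).
FAILURE_COUNTERS = (
    "Failed Select on Accept Socket",
    "Failed SSL write",
    "Failed SSL read - Con Rx buf freed",
    "Failed SSL read - Con/SSL freed",
    "SSL Handshake failed",
    "NMSP Rx detected con failure",
    "NMSP Tx detected con failure",
    "NMSP Tx buf size exceeded",
)

# One counter line: a name, a run of dots used as filler, then the value.
_COUNTER_LINE = re.compile(r"^(?P<name>[^.]+?)\s*\.{2,}\s*(?P<value>\d+)\s*$")


def parse_nmsp_counters(text: str) -> Dict[str, int]:
    """Turn the counter lines of "show nmsp statistics summary" into a dict."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _COUNTER_LINE.match(line.strip())
        if m:
            counters[m["name"].strip()] = int(m["value"])
    return counters


def failing_counters(counters: Dict[str, int]) -> Dict[str, int]:
    """Return the failure counters that are non-zero."""
    return {n: counters[n] for n in FAILURE_COUNTERS if counters.get(n, 0) > 0}


def grown_counters(previous: Dict[str, int], current: Dict[str, int]) -> Dict[str, int]:
    """Failure counters that increased between two snapshots. A counter that
    keeps growing is a live problem; a non-zero but static one may be history
    from before the last "clear nmsp statistics"."""
    return {n: current[n] - previous.get(n, 0)
            for n in FAILURE_COUNTERS if current.get(n, 0) > previous.get(n, 0)}


# Constructed snapshots modeled on the guide's sample output; the non-zero
# failure values are made up for the example.
SNAPSHOT_1 = """\
NMSP Global Counters
Client Measure Send Fail......................... 0
Failed SSL write................................. 0
Max Rx Size...................................... 1
SSL Handshake failed............................. 3
NMSP Rx detected con failure..................... 1
NMSP Tx detected con failure..................... 0
Reconnect Before Conn Timeout.................... 0
"""

SNAPSHOT_2 = SNAPSHOT_1.replace("SSL Handshake failed............................. 3",
                                "SSL Handshake failed............................. 5")

if __name__ == "__main__":
    before, after = parse_nmsp_counters(SNAPSHOT_1), parse_nmsp_counters(SNAPSHOT_2)
    print(failing_counters(after))        # {'SSL Handshake failed': 5, 'NMSP Rx detected con failure': 1}
    print(grown_counters(before, after))  # {'SSL Handshake failed': 2}
```

A growing SSL Handshake failed counter together with a Connection status other than UP in show nmsp status is the pattern to check first against the firewall rule for TCP port 16113 and against the appliance certificate installed with config auth-list.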
Debugging NMSP Issues
Use these CLI commands if you experience any problems with NMSP:
• Configure NMSP debug options by entering this command:
debug nmsp ?
where ? is one of the following:
– all {enable | disable}—Enables or disables debugging for all NMSP messages.
– connection {enable | disable}—Enables or disables debugging for NMSP connection events.
– detail {enable | disable}—Enables or disables debugging for NMSP detailed events.
– error {enable | disable}—Enables or disables debugging for NMSP error messages.
– event {enable | disable}—Enables or disables debugging for NMSP events.
– message {tx | rx} {enable | disable}—Enables or disables debugging for NMSP transmit or receive messages.
– packet {enable | disable}—Enables or disables debugging for NMSP packet events.
• Enable or disable debugging for NMSP interface events by entering this command:
debug dot11 nmsp {enable | disable}
• Enable or disable debugging for IAPP NMSP events by entering this command:
debug iapp nmsp {enable | disable}
• Enable or disable debugging for RFID NMSP messages by entering this command:
debug rfid nmsp {enable | disable}
• Enable or disable debugging for access point monitor NMSP events by entering this command:
debug service ap-monitor nmsp {enable | disable}
• Enable or disable debugging for wIPS NMSP events by entering this command:
debug wips nmsp {enable | disable}
Configuring and Viewing Location Settings
This section contains the following topics:
• Information About Configuring and Viewing Location Settings, page 4-111
• Installing the Location Appliance Certificate, page 4-111
• Synchronizing the Controller and Location Appliance, page 4-112
• Configuring Location Settings, page 4-112
Information About Configuring and Viewing Location Settings
This section provides instructions to configure and view location settings from the controller CLI.
Note
Access points in monitor mode should not be used for location purposes.
Installing the Location Appliance Certificate
A self-signed certificate (SSC) is required on the location appliance. This certificate, which consists
of the location appliance MAC address and a 20-byte key hash, must be present on the controller.
Otherwise, the controller cannot authenticate the location appliance, and the two can never establish a
connection. WCS usually pushes the certificate to the controller automatically, but you can install the
certificate on the controller using the controller CLI if necessary (for example, if the controller is not
connected to WCS or if an error or certificate mismatch occurs on WCS).
Note
If an error occurs on WCS and prevents the location appliance certificate from being pushed to the
controller, make sure that the time zone has been synchronized on the controller and the location
appliance before following this procedure. Follow the instructions in the “Viewing Location Settings
(CLI)” section on page 4-114 to do so.
To install the location appliance certificate on the controller using the controller CLI, follow these steps:
Step 1
Obtain the key hash value of the location appliance certificate by entering this command:
debug pm pki enable
Information similar to the following appears:
Thu Oct 11 08:52:26 2007: sshpmGetIssuerHandles: Calculate SHA1 hash on Public Key Data
Thu Oct 11 08:52:26 2007: sshpmGetIssuerHandles: Key Data 30820122 300d0609 2a864886 f70d0101
Thu Oct 11 08:52:26 2007: sshpmGetIssuerHandles: Key Data 01050003 82010f00 3082010a 02820101
Thu Oct 11 08:52:26 2007: sshpmGetIssuerHandles: Key Data 009a98b5 d2b7c77b 036cdb87 5bd20e5a
Thu Oct 11 08:52:26 2007: sshpmGetIssuerHandles: Key Data 894c66f4 df1cbcfb fe2fcf01 09b723aa
Thu Oct 11 08:52:26 2007: sshpmGetIssuerHandles: Key Data 5c0917f1 ec1d5061 2d386351 573f2c5e
Thu Oct 11 08:52:30 2007: sshpmGetIssuerHandles: Key Data b9020301 0001
Thu Oct 11 08:52:30 2007: sshpmGetIssuerHandles: SSC Key Hash is 4869b32638c00ffca88abe9b1a8e0525b9344b8b
Step 2
Install the location appliance certificate on the controller by entering this command:
config auth-list add lbs-ssc lbs_mac lbs_key
where
• lbs_mac is the MAC address of the location appliance.
• lbs_key is the 20-byte key hash value of the certificate.
Step 3
Save your changes by entering this command:
save config
Step 4
Verify that the location appliance certificate is installed on the controller by entering this command:
show auth-list
Information similar to the following appears:
Authorize APs against AAA ....................... disabled
Allow APs with Self-Signed Certificate (SSC) .... disabled
Mac Addr                 Cert Type   Key Hash
-----------------------  ----------  ----------------------------------------
00:16:36:91:9a:27        LBS-SSC     593f34e7cb151997a28cc7da2a6cac040b329636
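The following Python script is an added example and not part of this guide or of the controller software. It recomputes the SSC key hash the way the debug output above describes (SHA-1 over the bytes printed on the Key Data lines), compares it with the hash the controller reports, and then checks that the LBS-SSC row of show auth-list carries exactly that hash for the location appliance MAC, so that a mistyped lbs_key or a stale entry from an earlier appliance certificate is caught instead of silently leaving the controller unable to authenticate the appliance. The sample debug lines, the appliance MAC and the three-byte “key” are constructed for the example; that the hash is taken over exactly the concatenated Key Data bytes is an assumption drawn from the debug text.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# "Key Data" lines of "debug pm pki enable" carry the public key as hex words.
_KEY_DATA_LINE = re.compile(r"sshpmGetIssuerHandles:\s+Key Data\s+(?P<words>[0-9a-f ]+)$",
                            re.IGNORECASE)
_REPORTED_HASH = re.compile(r"SSC Key Hash is\s+(?P<hash>[0-9a-f]{40})", re.IGNORECASE)
# A row of "show auth-list": MAC address, certificate type, 40-hex-character key hash.
_AUTH_LIST_ROW = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<type>\S+)\s+(?P<hash>[0-9a-f]{40})\s*$",
    re.IGNORECASE)


def ssc_key_hash(key_data_words: List[str]) -> str:
    """SHA-1 over the concatenated Key Data bytes (assumed from the debug line
    "Calculate SHA1 hash on Public Key Data"). Returns the 20-byte hash as
    40 lowercase hex characters, the form lbs_key takes."""
    return hashlib.sha1(bytes.fromhex("".join(key_data_words))).hexdigest()


def key_hash_from_debug(debug_text: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (hash recomputed from the Key Data lines, hash the controller
    reported). The two should agree; a truncated capture will not."""
    words: List[str] = []
    reported = None
    for line in debug_text.splitlines():
        m = _KEY_DATA_LINE.search(line.rstrip())
        if m:
            words.extend(m["words"].split())
        h = _REPORTED_HASH.search(line)
        if h:
            reported = h["hash"].lower()
    return (ssc_key_hash(words) if words else None), reported


def installed_lbs_ssc(show_auth_list: str) -> Dict[str, str]:
    """Map of MAC -> key hash for the LBS-SSC rows of "show auth-list"."""
    found: Dict[str, str] = {}
    for line in show_auth_list.splitlines():
        m = _AUTH_LIST_ROW.match(line.strip())
        if m and m["type"].upper() == "LBS-SSC":
            found[m["mac"].lower()] = m["hash"].lower()
    return found


def verify_lbs_ssc(show_auth_list: str, lbs_mac: str, expected_hash: str) -> bool:
    """True only when the controller holds exactly the expected hash for lbs_mac."""
    return installed_lbs_ssc(show_auth_list).get(lbs_mac.lower()) == expected_hash.lower()


# Constructed sample: the "key" is just the three bytes "abc", so the expected
# SHA-1 is the well-known a9993e36...; a real appliance key is far longer.
SAMPLE_DEBUG = """\
Thu Oct 11 08:52:26 2007: sshpmGetIssuerHandles: Calculate SHA1 hash on Public Key Data
Thu Oct 11 08:52:26 2007: sshpmGetIssuerHandles: Key Data 6162
Thu Oct 11 08:52:26 2007: sshpmGetIssuerHandles: Key Data 63
Thu Oct 11 08:52:30 2007: sshpmGetIssuerHandles: SSC Key Hash is a9993e364706816aba3e25717850c26c9cd0d89d
"""

# Constructed "show auth-list" output with a made-up appliance MAC address.
SAMPLE_AUTH_LIST = """\
Authorize APs against AAA ....................... disabled
Allow APs with Self-Signed Certificate (SSC) .... disabled
Mac Addr                Cert Type   Key Hash
----------------------  ----------  ----------------------------------------
00:11:22:33:44:55       LBS-SSC     a9993e364706816aba3e25717850c26c9cd0d89d
"""

if __name__ == "__main__":
    computed, reported = key_hash_from_debug(SAMPLE_DEBUG)
    print(computed == reported)                                       # True
    print(verify_lbs_ssc(SAMPLE_AUTH_LIST, "00:11:22:33:44:55", computed))  # True
```

Because the hash is derived from the appliance's public key, regenerating the appliance certificate changes it; after such a change the old LBS-SSC entry is still present in show auth-list but no longer authenticates the appliance, which this check reports as a mismatch.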
Synchronizing the Controller and Location Appliance
For controller software release 4.2 or later releases, if a location appliance (release 3.1 or later releases)
is installed on your network, the time zone must be set on the controller to ensure proper synchronization
between the two systems. Also, the times must be synchronized on the two devices. We recommend that
you set the time even for networks that do not have location appliances. See the “Configuring 802.11
Bands” section on page 4-25 for instructions on setting the time and date on the controller.
Note
The time zone can be different for the controller and the location appliance, but the time zone delta must
be configured accordingly, based on GMT.
Configuring Location Settings
This section contains the following topics:
• Configuring Location Settings (CLI), page 4-112
• Viewing Location Settings (CLI), page 4-114
Configuring Location Settings (CLI)
The controller determines the location of client devices by gathering received signal strength indication
(RSSI) measurements from access points all around the client of interest. The controller can obtain
location reports from up to 16 access points for clients, RFID tags, and rogue access points.
Improve location accuracy by configuring the path loss measurement (S60) request for normal clients or
calibrating clients by entering this command:
config location plm ?
where ? is one of the following:
• client {enable | disable} burst_interval—Enables or disables the path loss measurement request for normal, noncalibrating clients. The valid range for the burst_interval parameter is 1 to 3600 seconds, and the default value is 60 seconds.
• calibrating {enable | disable} {uniband | multiband}—Enables or disables the path loss measurement request for calibrating clients on the associated 802.11a or 802.11b/g radio or on the associated 802.11a/b/g radio.
If a client does not send probes often or sends them only on a few channels, its location cannot be
updated or cannot be updated accurately. The config location plm command forces clients to send more
packets on all channels. When a CCXv4 (or higher) client associates, the controller sends it a path loss
measurement request, which instructs the client to transmit on the bands and channels that the access
points are on (typically, channels 1, 6, and 11 for 2.4-GHz-only access points) at a configurable interval
(such as 60 seconds) indefinitely.
These four additional location CLI commands are available; however, they are set to optimal default
values, so we do not recommend that you use or modify them:
• Configure the RSSI timeout value for various devices by entering this command:
config location expiry ?
where ? is one of the following:
– client timeout—Configures the RSSI timeout value for clients. The valid range for the timeout parameter is 5 to 3600 seconds, and the default value is 5 seconds.
– calibrating-client timeout—Configures the RSSI timeout value for calibrating clients. The valid range for the timeout parameter is 0 to 3600 seconds, and the default value is 5 seconds.
– tags timeout—Configures the RSSI timeout value for RFID tags. The valid range for the timeout parameter is 5 to 300 seconds, and the default value is 5 seconds.
– rogue-aps timeout—Configures the RSSI timeout value for rogue access points. The valid range for the timeout parameter is 5 to 3600 seconds, and the default value is 5 seconds.
Ensuring that recent, strong RSSIs are retained by the CPU is critical to location accuracy. The config location expiry command enables you to specify the length of time after which old RSSI averages expire.
Note
We recommend that you do not use or modify the config location expiry command.
• Configure the RSSI half life for various devices by entering this command:
config location rssi-half-life ?
where ? is one of the following:
– client half_life—Configures the RSSI half life for clients. The valid range for the half_life parameter is 0, 1, 2, 5, 10, 20, 30, 60, 90, 120, 180, or 300 seconds, and the default value is 0 seconds.
– calibrating-client half_life—Configures the RSSI half life for calibrating clients. The valid range for the half_life parameter is 0, 1, 2, 5, 10, 20, 30, 60, 90, 120, 180, or 300 seconds, and the default value is 0 seconds.
– tags half_life—Configures the RSSI half life for RFID tags. The valid range for the half_life parameter is 0, 1, 2, 5, 10, 20, 30, 60, 90, 120, 180, or 300 seconds, and the default value is 0 seconds.
– rogue-aps half_life—Configures the RSSI half life for rogue access points. The valid range for the half_life parameter is 0, 1, 2, 5, 10, 20, 30, 60, 90, 120, 180, or 300 seconds, and the default value is 0 seconds.
Some client devices transmit at reduced power immediately after changing channels, and RF is variable, so RSSI values might vary considerably from packet to packet. The config location rssi-half-life command increases accuracy by averaging nonuniformly arriving data using a configurable forget period (or half life).
Note
We recommend that you do not use or modify the config location rssi-half-life command.
• Configure the NMSP notification threshold for RSSI measurements by entering this command:
config location notify-threshold ?
where ? is one of the following:
– client threshold—Configures the NMSP notification threshold (in dB) for clients and rogue clients. The valid range for the threshold parameter is 0 to 10 dB, and the default value is 0 dB.
– tags threshold—Configures the NMSP notification threshold (in dB) for RFID tags. The valid range for the threshold parameter is 0 to 10 dB, and the default value is 0 dB.
– rogue-aps threshold—Configures the NMSP notification threshold (in dB) for rogue access points. The valid range for the threshold parameter is 0 to 10 dB, and the default value is 0 dB.
Note
We recommend that you do not use or modify the config location notify-threshold command.
• Configure the algorithm used to average RSSI and signal-to-noise ratio (SNR) values by entering this command:
config location algorithm ?
where ? is one of the following:
– simple—Specifies a faster algorithm that requires low CPU overhead but provides less accuracy.
– rssi-average—Specifies a more accurate algorithm but requires more CPU overhead.
Note
We recommend that you do not use or modify the config location algorithm command.
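The following Python script is an added example and not part of this guide or of the controller software; the guide does not state the controller's averaging formula, so the weighting used here (each sample weighted by 0.5 raised to its age divided by the half life) is the example's own assumption, chosen to show the behaviour the text describes. It shows how the RSSI expiry timeout (config location expiry) and the half life (config location rssi-half-life) act together on a set of RSSI samples: samples older than the timeout are dropped, the survivors are averaged with a forget period, and a half life of 0 (the default) disables averaging so the newest sample is used as-is. The sample values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Values accepted by "config location rssi-half-life" (from the guide).
VALID_HALF_LIVES = (0, 1, 2, 5, 10, 20, 30, 60, 90, 120, 180, 300)


@dataclass(frozen=True)
class RssiSample:
    """One RSSI report for a device: when the AP heard it and how strong it was."""
    timestamp_s: float
    rssi_dbm: float


def retained_samples(samples: List[RssiSample], now_s: float,
                     expiry_s: float) -> List[RssiSample]:
    """Keep only samples no older than the RSSI expiry timeout (the role of
    "config location expiry")."""
    return [s for s in samples if now_s - s.timestamp_s <= expiry_s]


def half_life_average(samples: List[RssiSample], now_s: float,
                      half_life_s: int) -> Optional[float]:
    """Exponentially weighted RSSI average (assumed formulation): a sample
    aged t seconds gets weight 0.5 ** (t / half_life), so it counts half as
    much after one half life. A half life of 0 means no averaging: the newest
    sample is returned as-is."""
    if half_life_s not in VALID_HALF_LIVES:
        raise ValueError(f"half life must be one of {VALID_HALF_LIVES}")
    if not samples:
        return None
    if half_life_s == 0:
        return max(samples, key=lambda s: s.timestamp_s).rssi_dbm
    weights = [0.5 ** ((now_s - s.timestamp_s) / half_life_s) for s in samples]
    return sum(w * s.rssi_dbm for w, s in zip(weights, samples)) / sum(weights)


def location_rssi(samples: List[RssiSample], now_s: float,
                  expiry_s: float = 5, half_life_s: int = 0) -> Optional[float]:
    """Expire old samples first, then average what is left. The defaults are
    the guide's defaults for clients (5 s expiry, 0 s half life)."""
    return half_life_average(retained_samples(samples, now_s, expiry_s),
                             now_s, half_life_s)


# Constructed sample: a client whose last two frames were heard 10 s apart,
# the older one 10 dB weaker (the packet-to-packet variation the guide mentions).
SAMPLE = [RssiSample(0.0, -70.0), RssiSample(10.0, -60.0)]

if __name__ == "__main__":
    print(location_rssi(SAMPLE, now_s=10.0, expiry_s=60, half_life_s=10))  # about -63.33
    print(location_rssi(SAMPLE, now_s=10.0, expiry_s=60, half_life_s=0))   # -60.0
    print(location_rssi(SAMPLE, now_s=10.0, expiry_s=5))                    # -60.0, older sample expired
```

With the guide's default of a 5-second expiry and a 0-second half life, the second and third calls give the same answer: only the newest frame survives and it is used unaveraged, which is why the text says the defaults are already optimal for most deployments and only a longer half life pulls older, weaker frames into the estimate.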
Viewing Location Settings (CLI)
To view location information, use these CLI commands:
• View the current location configuration values by entering this command:
show location summary
Information similar to the following appears:
Location Summary
Algorithm used:                 Average
Client
  RSSI expiry timeout:          5 sec
  Half life:                    0 sec
  Notify Threshold:             0 db
Calibrating Client
  RSSI expiry timeout:          5 sec
  Half life:                    0 sec
Rogue AP
  RSSI expiry timeout:          5 sec
  Half life:                    0 sec
  Notify Threshold:             0 db
RFID Tag
  RSSI expiry timeout:          5 sec
  Half life:                    0 sec
  Notify Threshold:             0 db
• See the RSSI table for a particular client by entering this command:
show location detail client_mac_addr
Information similar to the following appears:
...
[11] AP 00:00:00:00:00:00 : Slot 0 inUse 0, expired 0, Timestamp (antenna-A 0) (antenna-B 0), band 0 rssi (antenna-A 0) (antenna-B 0), snr 0, acceptable 0
[12] AP 00:00:00:00:00:00 : Slot 0 inUse 0, expired 0, Timestamp (antenna-A 0) (antenna-B 0), band 0 rssi (antenna-A 0) (antenna-B 0), snr 0, acceptable 0
[13] AP 00:00:00:00:00:00 : Slot 0 inUse 0, expired 0, Timestamp (antenna-A 0) (antenna-B 0), band 0 rssi (antenna-A -1) (antenna-B 0), snr 0, acceptable 0
[14] AP 00:00:00:00:00:00 : Slot 0 inUse 0, expired 0, Timestamp (antenna-A 0) (antenna-B 0), band 0 rssi (antenna-A 0) (antenna-B 0), snr 0, acceptable 0
[15] AP 00:00:00:00:00:00 : Slot 0 inUse 0, expired 0, Timestamp (antenna-A 0) (antenna-B 0), band 0 rssi (antenna-A 0) (antenna-B 0), snr 0, acceptable 0
• See the location-based RFID statistics by entering this command:
show location statistics rfid
Information similar to the following appears:
RFID Statistics
Database Full       : 0        Failed Delete       : 0
Null Bufhandle      : 0        Bad Packet          : 0
Bad LWAPP Data      : 0        Bad LWAPP Encap     : 0
Off Channel         : 0        Bad CCX Version     : 0
Bad AP Info         : 0        Below Max RSSI      : 0
Above Max RSSI      : 0        Add RSSI Failed     : 0
Invalid RSSI        : 0        Smallest Overwrite  : 0
Oldest Expired RSSI : 0
• Clear the location-based RFID statistics by entering this command:
clear location statistics rfid
• Clear a specific RFID tag or all of the RFID tags in the entire database by entering this command:
clear location rfid {mac_address | all}
• See whether location presence (S69) is supported on a client by entering this command:
show client detail client_mac
When location presence is supported by a client and enabled on a location appliance, the location
appliance can provide the client with its location upon request. Location presence is enabled
automatically on CCXv5 clients.
Information similar to the following appears:
Client MAC Address............................... 00:40:96:b2:a3:44
Client Username ................................. N/A
AP MAC Address................................... 00:18:74:c7:c0:90
Client State..................................... Associated
Wireless LAN Id.................................. 1
BSSID............................................ 00:18:74:c7:c0:9f
Channel.......................................... 56
IP Address....................................... 192.168.10.28
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Diagnostics Capability........................... Supported
S69 Capability................................... Supported
Mirroring........................................ Disabled
QoS Level........................................ Silver
...
Note
See the Cisco Wireless Control System Configuration Guide for instructions to enable location presence on a location appliance.
Using the Wireless LAN Controller Network Module
Follow these guidelines when using a wireless LAN controller network module (CNM) installed in a
Cisco Integrated Services Router:
• The CNM does not support IPsec. To use IPsec with the CNM, configure IPsec on the router in which the CNM is installed. IPsec configuration instructions for routers are available at http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_guides_list.html
• The CNM does not have a battery and cannot save a time setting. It must receive a time setting from an external NTP server when it powers up. When you install the module, the configuration wizard prompts you for NTP server information.
• To access the CNM bootloader, we recommend that you reset the CNM from the router. If you reset the CNM from a CNM user interface, the router might reset the CNM while you are using the bootloader.
When you reset the CNM from a CNM interface, you have 17 minutes to use the bootloader before the router automatically resets the CNM. The CNM bootloader does not run the Router Blade Configuration Protocol (RBCP), so the RBCP heartbeat running on the router times out after 17 minutes, triggering a reset of the CNM.
If you reset the CNM from the router, the router stops the RBCP heartbeat exchange and does not restart it until the CNM boots up. To reset the CNM from the router, enter one of these commands on the router CLI:
service-module wlan-controller 1/0 reset (for Fast Ethernet CNM versions)
service-module integrated-service-engine 1/0 reset (for Gigabit Ethernet CNM versions)
• Gigabit Ethernet versions of the Controller Network Module are supported on Cisco 28/37/38xx Series Integrated Services Routers running Cisco IOS Release 12.4(11)T2 or later.
Resetting the Controller to Default Settings
This section contains the following topics:
• Information About Resetting the Controller to Default Settings, page 4-117
• Resetting the Controller to Default Settings, page 4-117
Information About Resetting the Controller to Default Settings
You can return the controller to its original configuration by resetting the controller to factory-default
settings. The reset discards the saved configuration, including the administrator credentials, RADIUS
shared secrets, and WLAN security settings, so the default admin username and password are in effect
again until you set new ones in the configuration wizard.
Resetting the Controller to Default Settings
This section contains the following topics:
• Resetting the Controller to Default Settings (GUI), page 4-117
• Resetting the Controller to Default Settings (CLI), page 4-117
Resetting the Controller to Default Settings (GUI)
Step 1 Start your Internet browser.
Step 2 Enter the controller IP address in the browser address line and press Enter. An Enter Network Password
dialog box appears.
Step 3 Enter your username in the User Name text box. The default username is admin.
Step 4 Enter the controller password in the Password text box and press Enter. The default password is
admin.
Step 5 Choose Commands > Reset to Factory Default.
Step 6 Click Reset.
Step 7 When prompted, confirm the reset.
Step 8 Reboot the controller without saving the configuration.
Step 9 Use the configuration wizard to enter configuration settings. See the “Configuring the Controller Using
the GUI Configuration Wizard” section on page 3-1 for instructions.
Resetting the Controller to Default Settings (CLI)
Step 1 Enter the reset system command. At the prompt that asks whether you need to save changes to the
configuration, enter N. The unit reboots.
Step 2 When you are prompted for a username, enter the recover-config command to restore the factory-default
configuration. The controller reboots and displays this message:
Welcome to the Cisco WLAN Solution Wizard Configuration Tool
Step 3 Use the configuration wizard to enter configuration settings. See the “Configuring the Controller Using
the GUI Configuration Wizard” section on page 3-1 for instructions.
Chapter 6
Configuring VideoStream
This chapter contains these sections:
• Information About VideoStream, page 6-1
• Guidelines and Limitations, page 6-1
• Configuring VideoStream, page 6-2
Information About VideoStream
The IEEE 802.11 wireless multicast delivery mechanism does not provide a reliable way to acknowledge
lost or corrupted packets: multicast frames are not acknowledged by receivers, so if a multicast packet is
lost in the air it is not sent again, which can make an IP multicast stream unviewable.
The VideoStream feature makes IP multicast stream delivery reliable over the air by converting the
multicast frame into a unicast frame for each subscribed client. Each VideoStream client acknowledges
receipt of the video IP multicast stream, so lost frames can be retransmitted.
Guidelines and Limitations
Follow these guidelines when you configure VideoStream on the controller:
• The AP1100 and AP1200 do not support the reliable multicast feature.
• Make sure that the multicast feature is enabled. We recommend configuring IP multicast on the
controller with multicast-multicast mode.
• Check the IP address on the client machine. The machine should have an IP address from the
respective VLAN.
• Make sure that the controller is running code release 7.0.98.0 or later; upgrade the controller if it is
running an earlier release.
• Verify that the access points have joined the controllers.
• Make sure that the clients are able to associate to the configured WLAN at 802.11n speed.
• VideoStream is supported on the following access points: Cisco Aironet 3600, 3500, 1260, 1250,
1240, 1140, 1130, and 1040.
Configuring VideoStream
This section contains the following topics:
• Configuring the VideoStream on the Controller (GUI), page 6-2
• Configuring the VideoStream on the Controller (CLI), page 6-6
• Viewing and Debugging Media Streams, page 6-7
Configuring the VideoStream on the Controller (GUI)
Step 1 Enable the multicast feature:
a. Select the Multicast Direct Feature check box to enable the multicast direct feature. The default
value is disabled.
Note Enabling the Multicast Direct feature does not automatically reset the existing client state. The
wireless clients must rejoin the multicast stream after enabling the Multicast Direct feature on
the controller.
b. Under the Session Message Config, select Session announcement State to enable the session
announcement mechanism. If this feature is enabled, clients are informed each time a controller is
not able to serve the multicast direct data to the client.
c. In the Session announcement URL text box, enter the URL where the client can find more
information when an error occurs during the multicast media stream transmission.
d. In the Session announcement e-mail text box, enter the e-mail address of the person who can be
contacted.
e. In the Session announcement Phone text box, enter the phone number of the person who can be
contacted.
f. In the Session announcement Note text box, enter a reason as to why a particular client cannot be
served with a multicast media.
g. Click Apply to commit your changes.
Step 2 Add a media stream:
a. Choose Wireless > Media Stream > Streams to open the Media Stream page.
b. Click Add New to configure a new media stream. The Media Stream > New page appears.
Note The Stream Name, Multicast Destination Start IP Address (IPv4 or IPv6), and Multicast
Destination End IP Address (IPv4 or IPv6) text boxes are mandatory. You must enter information
in these text boxes.
c. In the Stream Name text box, enter the media stream name. The stream name can be up to 64
characters.
d. In the Multicast Destination Start IP Address (IPv4 or IPv6) text box, enter the start IPv4 or IPv6
address of the multicast media stream.
e. In the Multicast Destination End IP Address (IPv4 or IPv6) text box, enter the end IPv4 or IPv6
address of the multicast media stream.
f. In the Maximum Expected Bandwidth text box, enter the maximum expected bandwidth that you
want to assign to the media stream. The values can range between 1 to 35000 kbps.
Note We recommend that you use a template to add a media stream to the controller.
g. From the Select from Predefined Templates drop-down list under Resource Reservation Control
(RRC) Parameters, choose one of the following options to specify the details about the resource
reservation control:
– Very Coarse (below 300 kbps)
– Coarse (below 500 kbps)
– Ordinary (below 750 kbps)
– Low (below 1 Mbps)
– Medium (below 3 Mbps)
– High (below 5 Mbps)
Note When you select a predefined template from the drop-down list, the following text boxes
under the Resource Reservation Control (RRC) Parameters list their default values that are
assigned with the template.
– Average Packet Size (100-1500 bytes)—Specifies the average packet size. The value can be in
the range of 100 to 1500 bytes. The default value is 1200.
– RRC Periodic update—Enables the RRC (Resource Reservation Control Check) periodic
update. By default, this option is enabled. RRC periodically updates the admission decision on
the admitted stream according to the current channel load. As a result, it may deny certain
low-priority admitted stream requests.
– RRC Priority (1-8)—Specifies the priority bit set in the media stream. The priority can be any
number between 1 and 8; the larger the value, the higher the priority. For example, a
priority of 1 is the lowest value and a value of 8 is the highest value. The default priority is 4.
A low-priority stream may be denied in the RRC periodic update.
– Traffic Profile Violation—Specifies the action to perform in case of a violation after a re-RRC.
Choose an action from the drop-down list. The possible values are as follows:
• Drop—Specifies that a stream is dropped on periodic reevaluation.
• Fallback—Specifies that a stream is demoted to Best Effort class on periodic reevaluation.
The default value is drop.
h. Click Apply to save the configuration changes.
Step 3 Enable the media stream for multicast-direct:
a. Choose WLANs > WLAN ID to open the WLANs > Edit page.
b. Choose the QoS tab and select Gold (Video) from the Quality of Service (QoS) drop-down list.
c. Enable Multicast Direct.
d. Click Apply to save the configuration changes.
Step 4 Set the EDCA parameters to voice and video optimized (optional):
a. Choose Wireless > 802.11a/n or 802.11b/g/n > EDCA Parameters.
b. From the EDCA Profile drop-down list, choose the Voice and Video Optimized option.
c. Click Apply to save the changes made.
Step 5 Enable the admission control on a band for video (optional):
Note Keep the voice bandwidth allocation to a minimum for better performance.
a. Choose Wireless > 802.11a/n or 802.11b/g/n > Media to open the 802.11a/n (5 GHz) or
802.11b/g/n > Media page.
b. Choose the Video tab.
c. Select the Admission Control (ACM) check box to enable bandwidth-based CAC for this radio
band. The default value is disabled.
d. Click Apply to save the configuration changes.
Step 6 Configure the video bandwidth:
Note The template bandwidth that is configured for a media stream should be more than the bandwidth
of the source media stream.
Note The voice configuration is optional. Keep the voice bandwidth allocation to a minimum for
better performance.
a. Choose Wireless > 802.11a/n or 802.11b/g/n > Media to open the 802.11a/n (5 GHz) or
802.11b/g/n > Media page.
b. Choose the Video tab.
c. Select the Admission Control (ACM) check box to enable the video CAC for this radio band. The
default value is disabled.
d. In the Max RF Bandwidth field, enter the percentage of the maximum bandwidth allocated to clients
for video applications on this radio band. Once the clients reach the value specified, the access
point rejects new requests on this radio band. The range is 5 to 85%. The default value is 9%.
e. Click Apply to commit your changes.
f. Reenable all WMM WLANs and click Apply.
Step 7 Configure the media bandwidth:
a. Choose Wireless > 802.11a/n or 802.11b/g/n > Media to open the 802.11a (or 802.11b) > Media >
Parameters page.
b. Choose the Media tab to open the Media page.
c. Select the Unicast Video Redirect check box to enable Unicast Video Redirect. The default value
is disabled.
d. In the Maximum Media Bandwidth (0-85%) text box, enter the percentage of the maximum
bandwidth to be allocated for media applications on this radio band. Once the clients reach the
specified value, the access point rejects new calls on this radio band. The default value is 85%;
valid values are from 0 to 85%.
e. In the Client Phy Rate field, enter the minimum transmission data rate to the client. If the
transmission data rate is below the phy rate, either the video will not start or the client may be
classified as a bad client. The bad client video can be demoted to best-effort QoS or subject to
denial.
f. In the Maximum Retry Percent (0-100%) field, enter the percentage of maximum retries that are
allowed. The default value is 80. If it exceeds 80, either the video will not start or the client might
be classified as a bad client. The bad client video can be demoted to best-effort QoS or subject to
denial.
g. Select the Multicast Direct Enable check box to enable the Multicast Direct Enable field. The
default value is enabled.
h. From the Max Streams per Radio drop-down list, choose the maximum number of streams allowed
per radio from the range 0 to 20. The default value is set to auto. If you choose auto, there is no limit
set for the number of client subscriptions.
i. From the Max Streams per Client drop-down list, choose the maximum number of streams allowed
per client from the range 0 to 20. The default value is set to auto. If you choose auto, there is no limit
set for the number of client subscriptions.
j. Select the Best Effort QoS Admission check box to enable best-effort QoS admission.
k. Click Apply to save the configuration changes.
Step 8 Enable WLANs:
a. Choose WLANs > WLAN ID. The WLANs > Edit page appears.
b. Enable the VideoStream feature for the WLAN.
c. Select the Status check box to enable the WLAN.
d. Click Apply to commit your changes.
Step 9 Enable the 802.11a/n or 802.11b/g/n network:
a. Choose Wireless > 802.11a/n or 802.11b/g/n > Network.
b. Select the 802.11a or 802.11b/g Network Status check box to enable the network status.
c. Click Apply to commit your changes.
Step 10 Verify that the clients are associated with the multicast groups and multicast group IDs (MGIDs):
a. Choose Monitor > Clients. The Clients page appears.
b. Check that the 802.11a or 802.11b/g network clients are associated with access points.
c. Choose Monitor > Multicast. The Multicast Groups page appears.
d. Select the MGID check box for the VideoStream to the clients.
e. Click MGID. The Multicast Group Detail page appears. Check the Multicast Status details.
Configuring the VideoStream on the Controller (CLI)
Step 1 Configure the multicast-direct feature on WLANs media stream by entering this command:
config wlan media-stream multicast-direct {wlan_id | all} {enable | disable}
Step 2 Enable or disable the multicast feature by entering this command:
config media-stream multicast-direct {enable | disable}
Step 3 Configure various message configuration parameters by entering this command:
config media-stream message {state [enable | disable] | url url | email email | phone phone_number | note note}
Step 4 Save your changes by entering this command:
save config
Step 5 Configure various global media-stream configurations by entering this command:
config media-stream add multicast-direct stream-name media_stream_name start_IP end_IP [template {very-coarse | coarse | ordinary | low-resolution | med-resolution | high-resolution} | detail {Max_bandwidth bandwidth | packet size packet_size | Re-evaluation re-evaluation {periodic | initial}} video video priority {drop | fallback}]
Note
• The Resource Reservation Control (RRC) parameters are assigned with the predefined values based
on the values assigned to the template.
• The following templates are used to assign RRC parameters to the media stream:
– Very Coarse (below 300 kbps)
– Coarse (below 500 kbps)
– Ordinary (below 750 kbps)
– Low Resolution (below 1 Mbps)
– Medium Resolution (below 3 Mbps)
– High Resolution (below 5 Mbps)
Step 6 Delete a media stream by entering this command:
config media-stream delete media_stream_name
Step 7 Enable a specific enhanced distributed channel access (EDCA) profile by entering this command:
config advanced {802.11a | 802.11b} edca-parameters optimized-video-voice
Step 8 Enable admission control on the desired band by entering the following commands:
• Enable bandwidth-based voice CAC for the 802.11a or 802.11b/g network by entering this command:
config {802.11a | 802.11b} cac voice acm enable
• Set the percentage of the maximum bandwidth allocated to clients for voice applications on the
802.11a or 802.11b/g network by entering this command:
config {802.11a | 802.11b} cac voice max-bandwidth bandwidth
• Configure the percentage of the maximum allocated bandwidth reserved for roaming voice clients
on the 802.11a or 802.11b/g network by entering this command:
config {802.11a | 802.11b} cac voice roam-bandwidth bandwidth
Step 9 Set the maximum number of streams per radio and/or per client by entering these commands:
• Set the maximum number of multicast streams per radio by entering this command:
config {802.11a | 802.11b} media-stream multicast-direct radio-maximum {value | no-limit}
• Set the maximum number of multicast streams per client by entering this command:
config {802.11a | 802.11b} media-stream multicast-direct client-maximum {value | no-limit}
Step 10 Save your changes by entering this command:
save config
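The admission behaviour that the GUI and CLI procedures above configure (a template bandwidth ceiling per stream, an RRC priority from 1 to 8, a periodic RRC re-evaluation under channel load, Drop versus Fallback on a traffic profile violation, and the per-radio and per-client stream limits) is easier to reason about as a small model. The following Python block is an added illustration written for this page; it is not controller code and not Cisco's RRC algorithm. The template ceilings come from the list above; the radio capacity figure, the stream and client names, the choice to budget each stream at its template ceiling, and the rule that equal-priority streams are evicted newest-first are assumptions made for the model.

```python
from dataclasses import dataclass, field

# RRC template ceilings from the guide, in kbps. Assumption for this model: a
# stream admitted under a template is budgeted at the template's ceiling.
TEMPLATES = {"very-coarse": 300, "coarse": 500, "ordinary": 750,
             "low-resolution": 1000, "med-resolution": 3000, "high-resolution": 5000}


@dataclass
class Stream:
    name: str
    client: str              # subscribing client (constructed identifier)
    template: str
    priority: int = 4        # RRC Priority 1 (lowest) .. 8 (highest); default 4
    violation: str = "drop"  # Traffic Profile Violation action: "drop" or "fallback"
    state: str = "pending"   # pending | admitted | denied | dropped | best-effort

    @property
    def kbps(self):
        return TEMPLATES[self.template]


@dataclass
class Radio:
    capacity_kbps: int               # assumed usable airtime of the radio, in kbps
    max_media_percent: int = 85      # Maximum Media Bandwidth (0-85%)
    max_streams_per_radio: int = 20
    max_streams_per_client: int = 20
    load_kbps: int = 0               # non-media channel load seen at the last RRC
    admitted: list = field(default_factory=list)

    @property
    def media_budget(self):
        """Share of the radio reserved for media, less the other channel load."""
        return self.capacity_kbps * self.max_media_percent // 100 - self.load_kbps

    def media_in_use(self):
        return sum(s.kbps for s in self.admitted)

    def admit(self, stream):
        """Initial RRC decision: admit only if the stream fits the media budget
        and neither the per-radio nor the per-client stream limit is reached."""
        if not 1 <= stream.priority <= 8:
            raise ValueError("RRC priority must be 1-8")
        if stream.violation not in ("drop", "fallback"):
            raise ValueError("violation action must be drop or fallback")
        on_client = sum(1 for s in self.admitted if s.client == stream.client)
        if (len(self.admitted) >= self.max_streams_per_radio
                or on_client >= self.max_streams_per_client
                or self.media_in_use() + stream.kbps > self.media_budget):
            stream.state = "denied"
            return False
        stream.state = "admitted"
        self.admitted.append(stream)
        return True

    def periodic_update(self, load_kbps):
        """Periodic RRC re-evaluation: with the new channel load, evict the
        lowest-priority streams first (newest first among equals, an assumption)
        until the admitted set fits again; each evicted stream is dropped or
        demoted to best effort according to its violation action."""
        self.load_kbps = load_kbps
        order = sorted(self.admitted,
                       key=lambda s: (s.priority, -self.admitted.index(s)))
        evicted = []
        for s in order:
            if self.media_in_use() <= self.media_budget:
                break
            self.admitted.remove(s)
            s.state = "best-effort" if s.violation == "fallback" else "dropped"
            evicted.append(s.name)
        return evicted


def scenario():
    """Constructed walk-through: four admissions, one denial on the per-client
    limit, then a re-evaluation after 9 Mbps of other channel load appears."""
    radio = Radio(capacity_kbps=20000, max_streams_per_client=2)
    streams = [
        Stream("cam-lobby", "guard-pc", "high-resolution", priority=8),
        Stream("training", "room-101", "med-resolution", priority=4, violation="fallback"),
        Stream("signage-1", "kiosk", "ordinary", priority=2),
        Stream("signage-2", "kiosk", "ordinary", priority=2),
        Stream("signage-3", "kiosk", "ordinary", priority=2),  # third stream for one client
    ]
    for s in streams:
        radio.admit(s)
    evicted = radio.periodic_update(load_kbps=9000)
    return {s.name: s.state for s in streams}, evicted


if __name__ == "__main__":
    states, evicted = scenario()
    for name, state in states.items():
        print(f"{name:10s} {state}")
    print("evicted by periodic RRC:", evicted)
```

In the walk-through the third kiosk stream is denied at admission by the per-client limit, and when the periodic update finds the budget shrunk by other load, the two priority-2 signage streams are evicted before the priority-4 training stream is touched; a stream configured with Fallback would instead be demoted rather than dropped, which is the trade-off the Traffic Profile Violation setting controls.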
Viewing and Debugging Media Streams
• See the configured media streams by entering this command:
show wlan wlan_id
• See the details of the media stream name by entering this command:
show 802.11{a | b | h} media-stream media-stream_name
• See the clients for a media stream by entering this command:
show 802.11a media-stream client media-stream-name
• See a summary of the media stream and client information by entering this command:
show media-stream group summary
• See details about a particular media stream group by entering this command:
show media-stream group detail media_stream_name
• See details of the 802.11a or 802.11b media resource reservation configuration by entering this
command:
show {802.11a | 802.11b} media-stream rrc
• Enable debugging of the media stream history by entering this command:
debug media-stream history {enable | disable}
Chapter 7
Configuring Security Solutions
This chapter contains the following sections:
• Information about Cisco Unified Wireless Network Solution Security, page 7-2
• Configuring RADIUS, page 7-3
• Configuring TACACS+, page 7-17
• Configuring Maximum Local Database Entries, page 7-26
• Configuring Local Network Users on the Controller, page 7-27
• Configuring Password Policies, page 7-30
• Configuring LDAP, page 7-31
• Configuring Local EAP, page 7-36
• Configuring the System for SpectraLink NetLink Telephones, page 7-47
• Using Management Over Wireless, page 7-51
• Using Dynamic Interfaces for Management, page 7-52
• Configuring DHCP Option 82, page 7-53
• Configuring and Applying Access Control Lists, page 7-56
• Configuring Management Frame Protection, page 7-66
• Configuring Client Exclusion Policies, page 7-72
• Configuring Identity Networking, page 7-75
• Managing Rogue Devices, page 7-81
• Configuring Cisco TrustSec SXP, page 7-102
• Configuring Cisco Intrusion Detection System, page 7-106
• Configuring wIPS, page 7-121
• Configuring Wi-Fi Direct Client Policy, page 7-129
• Configuring Web Auth Proxy, page 7-130
• Detecting Active Exploits, page 7-132
Information about Cisco Unified Wireless Network Solution Security
This section contains the following topics:
• Security Overview, page 7-2
• Layer 1 Solutions, page 7-2
• Layer 2 Solutions, page 7-2
• Layer 3 Solutions, page 7-3
• Integrated Security Solutions, page 7-3
Security Overview
The Cisco Unified Wireless Network (UWN) security solution bundles potentially complicated Layer 1,
Layer 2, and Layer 3 802.11 access point security components into a simple policy manager that
customizes system-wide security policies on a per-WLAN basis. The Cisco UWN security solution
provides simple, unified, and systematic security management tools.
One of the biggest hurdles to WLAN deployment in the enterprise is WEP encryption, which is a
cryptographically broken standalone encryption method and should not be relied on. A newer problem
is the availability of low-cost access points, which can be connected to the enterprise network and used
to mount man-in-the-middle and denial-of-service attacks.
Layer 1 Solutions
The Cisco UWN security solution requires that clients gain access within a user-set number of
attempts. If a client fails to gain access within that limit, it is automatically excluded (blocked from
access) until the user-set timer expires. The operating system can also disable SSID broadcasts on a
per-WLAN basis; this only removes the network name from beacons, because the SSID is still sent in
clear text in probe and association frames, so it is not a substitute for authentication and encryption.
Layer 2 Solutions
If a higher level of security and encryption is required, you can also implement industry-standard
security solutions such as Extensible Authentication Protocol (EAP), Wi-Fi Protected Access (WPA),
and WPA2. The Cisco UWN solution WPA implementation includes AES (Advanced Encryption
Standard), TKIP and Michael (temporal key integrity protocol and message integrity code checksum)
dynamic keys, or WEP (Wired Equivalent Privacy) static keys. Client exclusion is also used to
automatically block Layer 2 access after a user-set number of failed authentication attempts.
Regardless of the wireless security solution selected, all Layer 2 wired communications between
controllers and lightweight access points pass through CAPWAP tunnels. The CAPWAP control channel
is protected by DTLS; the CAPWAP data channel only encapsulates client frames and is not encrypted
unless data DTLS is enabled for the access point, so the client's own Layer 2 encryption (WPA2 with
AES) is what protects user data on that path.
Cisco Aironet client adapter version 4.2 does not authenticate if WPA/WPA2 is used with CCKM as auth
key management and a 2 second latency between the controller and AP.
Layer 3 Solutions
The WEP problem can be further solved using industry-standard Layer 3 security solutions such as
passthrough VPNs (virtual private networks).
The Cisco UWN solution supports local and RADIUS MAC (media access control) filtering. This
filtering is best suited to smaller client groups with a known list of 802.11 access card MAC addresses.
Because a MAC address is sent in clear text and is easily spoofed, MAC filtering only limits casual
access and is not an authentication control on its own.
The Cisco UWN solution supports local and RADIUS user/password authentication. This authentication
is best suited to small to medium client groups.
Integrated Security Solutions
The integrated security solutions are as follows:
• Cisco Unified Wireless Network (UWN) solution operating system security is built around a 802.1X
AAA (authorization, authentication and accounting) engine, which allows users to rapidly configure
and enforce a variety of security policies across the Cisco UWN solution.
• The controllers and lightweight access points are equipped with system-wide authentication and
authorization protocols across all ports and interfaces, maximizing system security.
• Operating system security policies are assigned to individual WLANs, and lightweight access points
simultaneously broadcast all (up to 16) configured WLANs, which can eliminate the need for
additional access points, which can increase interference and degrade system throughput.
• Operating system security uses the RRM function to continually monitor the air space for
interference and security breaches and to notify the user when they are detected.
• Operating system security works with industry-standard authorization, authentication, and
accounting (AAA) servers.
Configuring RADIUS
This section contains the following topics:
• Information About RADIUS, page 7-3
• Guidelines and Limitations, page 7-4
• Configuring RADIUS on the ACS, page 7-5
• Configuring RADIUS, page 7-6
• RADIUS Authentication Attributes Sent by the Access Point, page 7-14
• RADIUS Accounting Attributes, page 7-16
Information About RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides
centralized authentication and accounting for users attempting to gain management access to a network.
It serves as a backend database similar to local and TACACS+ and provides authentication and
accounting services:
• Authentication—The process of verifying users when they attempt to log into the controller.
Users must enter a valid username and password in order for the controller to authenticate users to
the RADIUS server. If multiple databases are configured, you can specify the sequence in which the
backend databases must be tried.
• Accounting—The process of recording user actions and changes.
Whenever a user successfully executes an action, the RADIUS accounting server logs the changed
attributes, the user ID of the person who made the change, the remote host where the user is logged
in, the date and time when the command was executed, the authorization level of the user, and a
description of the action performed and the values provided. If the RADIUS accounting server
becomes unreachable, users are able to continue their sessions uninterrupted.
RADIUS uses User Datagram Protocol (UDP) for its transport. It maintains a database and listens on
UDP port 1812 for incoming authentication requests and UDP port 1813 for incoming accounting
requests. The controller, which requires access control, acts as the client and requests AAA services from
the server. The traffic between the controller and the server is not encrypted as a whole: the shared secret
configured on both devices is used only to obfuscate the User-Password attribute (with the MD5-based
algorithm defined in RFC 2865) and to authenticate server responses, while the other attributes, including
the username, travel in clear text. Treat the shared secret as a credential (long, random, and unique per
controller) and keep RADIUS traffic on a protected management network; the AES key wrap option
described later in this section additionally protects key material carried in RADIUS attributes.
You can configure multiple RADIUS accounting and authentication servers. For example, you may want
to have one central RADIUS authentication server but several RADIUS accounting servers in different
regions. If you configure multiple servers of the same type and the first one fails or becomes unreachable,
the controller automatically tries the second one, then the third one if necessary, and so on.
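The exchange just described, as an added example written for this page rather than controller or ACS code: the controller side builds an Access-Request with the User-Password hidden as RFC 2865 section 5.2 specifies, a stub server reveals the password and answers with an Access-Accept carrying the Service-Type this guide maps to read-only access, and the controller side verifies the Response Authenticator (RFC 2865 section 3) before trusting the reply. The shared secret, the fixed Request Authenticator, the user table, the NAS IP address, and the server stub are all constructed for the demonstration; a real client draws a fresh random Request Authenticator for every request.

```python
import hashlib
import hmac
import struct

# Packet codes and attribute types from RFC 2865 (only the subset used here).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_ADMINISTRATIVE, SERVICE_TYPE_NAS_PROMPT = 6, 7  # read-write / read-only per this guide
# Constructed sample values; a real client uses os.urandom(16) for each Request Authenticator.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 s5.2): pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator. Reversible by anyone
    holding the secret; every other attribute in the packet is clear text."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1-128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return bytes(out)


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password(); strips the zero padding."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type, value):
    """One Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(blob):
    attrs, i = [], 0
    while i + 2 <= len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(identifier, secret, username, password, nas_ip, request_auth):
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def build_response(code, identifier, attrs, request_auth, secret):
    """Response Authenticator (RFC 2865 s3) = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, request_auth, secret):
    """Client-side check that a reply came from a holder of the shared secret for this
    outstanding request. Returns the packet code, or None if the check fails."""
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    # Rebuilding the reply with our secret must reproduce it byte for byte.
    expected = build_response(code, identifier, packet[20:], request_auth, secret)
    return code if hmac.compare_digest(expected, packet) else None


def server_handle(packet, secret, users):
    """Minimal server stub: reveal the password, check it against a constructed user table,
    then answer Access-Accept carrying the role's Service-Type, or Access-Reject."""
    _, identifier, _ = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(parse_attributes(packet[20:]))
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    entry = users.get(attrs.get(ATTR_USER_NAME))
    if entry is None or not hmac.compare_digest(entry[0], password):
        return build_response(ACCESS_REJECT, identifier, b"", request_auth, secret)
    reply_attrs = attribute(ATTR_SERVICE_TYPE, struct.pack("!I", entry[1]))
    return build_response(ACCESS_ACCEPT, identifier, reply_attrs, request_auth, secret)


def exchange(server_secret=SHARED_SECRET):
    """One controller <-> server round trip; returns (code, Service-Type) as the controller sees it."""
    users = {b"helpdesk": (b"r3ad-0nly!", SERVICE_TYPE_NAS_PROMPT)}  # constructed
    request = build_access_request(7, SHARED_SECRET, b"helpdesk", b"r3ad-0nly!",
                                   "192.168.10.5", REQUEST_AUTHENTICATOR)
    reply = server_handle(request, server_secret, users)
    code = verify_response(reply, REQUEST_AUTHENTICATOR, SHARED_SECRET)
    if code != ACCESS_ACCEPT:
        return code, None
    return code, struct.unpack("!I", dict(parse_attributes(reply[20:]))[ATTR_SERVICE_TYPE])[0]


if __name__ == "__main__":
    print(exchange())                             # (2, 7): accepted, read-only
    print(exchange(b"secret-mismatch-on-server"))  # (None, None): reply fails verification
```

The second call shows what a shared-secret mismatch looks like from the controller: the server cannot recover the password, answers Access-Reject, and even that reject fails the Response Authenticator check, which is the same symptom as a reply forged by a third party who does not hold the secret.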
Guidelines and Limitations
This section contains the following topics:
• RADIUS Server Support, page 7-4
• Radius ACS Support, page 7-4
• Primary and Fallback RADIUS Servers, page 7-5
RADIUS Server Support
• You can configure up to 17 RADIUS authentication and accounting servers each.
• If multiple RADIUS servers are configured for redundancy, the user database must be identical in
all the servers for the backup to work properly.
• To create a read-only controller user on the RADIUS server, you must set the service type to NAS
Prompt instead of Callback NAS Prompt. If you set the service type to Callback NAS Prompt, the
user authentication fails, while setting it to NAS Prompt gives the user read-only access to the
controller.
Also, the Callback Administrative service type gives the user the lobby ambassador privileges to the
controller.
Radius ACS Support
• You must configure RADIUS on both your CiscoSecure Access Control Server (ACS) and your
controller.
• RADIUS is supported on CiscoSecure ACS version 3.2 and later releases. See the CiscoSecure ACS
documentation for the version that you are running.
Primary and Fallback RADIUS Servers
The primary RADIUS server (the server with the lowest server index) is assumed to be the most
preferable server for the controller. If the primary server becomes unresponsive, the controller switches
to the next active backup server (the server with the next lowest server index). The controller continues
to use this backup server, unless you configure the controller to fall back to the primary RADIUS server
when it recovers and becomes responsive or to a more preferable server from the available backup
servers.
Configuring RADIUS on the ACS
Step 1 Choose Network Configuration on the ACS main page.
Step 2 Choose Add Entry under AAA Clients to add your controller to the server. The Add AAA Client page
appears.
Figure 7-1 Add AAA Client Page on CiscoSecure ACS
Step 3 In the AAA Client Hostname text box, enter the name of your controller.
Step 4 In the AAA Client IP Address text box, enter the IP address of your controller.
Step 5 In the Shared Secret text box, enter the shared secret key to be used for authentication between the server
and the controller.
Note The shared secret key must be the same on both the server and the controller.
Step 6 From the Authenticate Using drop-down list, choose RADIUS (Cisco Aironet).
Step 7 Click Submit + Apply to save your changes.
Step 8 Choose Interface Configuration on the ACS main page.
Step 9 Choose RADIUS (Cisco Aironet). The RADIUS (Cisco Aironet) page appears.
Step 10 Under User Group, select the Cisco-Aironet-Session-Timeout check box.
Step 11 Click Submit to save your changes.
Step 12 On the ACS main page, from the left navigation pane, choose System Configuration.
Step 13 Choose Logging.
Step 14 When the Logging Configuration page appears, enable all of the events that you want to be logged and
save your changes.
Step 15 On the ACS main page, from the left navigation pane, choose Group Setup.
Step 16 Choose a previously created group from the Group drop-down list.
Note This step assumes that you have already assigned users to groups on the ACS according to the
roles to which they will be assigned.
Step 17 Click Edit Settings. The Group Setup page appears.
Step 18 Under Cisco Aironet Attributes, select the Cisco-Aironet-Session-Timeout check box and enter a
session timeout value in the edit box.
Step 19 Specify read-only or read-write access to controllers through RADIUS authentication by setting the
Service-Type attribute (006) to NAS Prompt for read-only access or to Administrative for
read-write privileges. As noted under “RADIUS Server Support”, Callback NAS Prompt causes the
user authentication to fail, and Callback Administrative grants lobby ambassador privileges. If you do
not set this attribute, the authentication process completes successfully (without an authorization error
on the controller), but you might be prompted to authenticate again.
Note If you set the Service-Type attribute on the ACS, make sure to select the Management check
box on the RADIUS Authentication Servers page of the controller GUI. See Step 16 in the next
section for more information.
Note The “RADIUS Authentication Attributes Sent by the Access Point” section on page 7-14 lists
the RADIUS attributes carried in Access-Request and Access-Accept packets between the controller,
which acts as the RADIUS client on behalf of the lightweight access point, and the server.
Step 20 Click Submit to save your changes.
Configuring RADIUS
This section contains the following topics:
• Configuring RADIUS (GUI), page 7-7
• Configuring RADIUS (CLI), page 7-10
Configuring RADIUS (GUI)
Step 1
Choose Security > AAA > RADIUS.
Step 2
Perform one of the following:
•
If you want to configure a RADIUS server for authentication, choose Authentication.
•
If you want to configure a RADIUS server for accounting, choose Accounting.
Note
The pages used to configure authentication and accounting contain mostly the same text boxes.
Therefore, these instructions walk through the configuration only once, using the Authentication
pages as examples. You would follow the same steps to configure multiple services and/or
multiple servers.
The RADIUS Authentication (or Accounting) Servers page appears.
Figure 7-2
RADIUS Authentication Servers Page
This page lists any RADIUS servers that have already been configured.
• If you want to delete an existing server, hover your cursor over the blue drop-down arrow for that
server and choose Remove.
• If you want to make sure that the controller can reach a particular server, hover your cursor over the
blue drop-down arrow for that server and choose Ping.
Step 3
From the Call Station ID Type drop-down list, choose IP Address, System MAC Address, or AP MAC
Address to specify whether the IP address, system MAC address, or AP MAC address of the originator
will be sent to the RADIUS server in the Access-Request message.
Step 4
Enable RADIUS-to-controller key transport using AES key wrap protection by selecting the Use AES
Key Wrap check box. The default value is unselected. This feature is required for FIPS customers.
Step 5
Click Apply to commit your changes.
Step 6
Perform one of the following:
• To edit an existing RADIUS server, click the server index number for that server. The RADIUS
Authentication (or Accounting) Servers > Edit page appears.
• To add a RADIUS server, click New. The RADIUS Authentication (or Accounting) Servers > New
page appears.
If you are adding a new server, choose a number from the Server Index (Priority) drop-down list to
specify the priority order of this server in relation to any other configured RADIUS servers providing
the same service.
Step 7
If you are adding a new server, enter the IP address of the RADIUS server in the Server IP Address text
box.
Step 8
From the Shared Secret Format drop-down list, choose ASCII or Hex to specify the format of the shared
secret key to be used between the controller and the RADIUS server. The default value is ASCII.
Step 9
In the Shared Secret and Confirm Shared Secret text boxes, enter the shared secret key to be used for
authentication between the controller and the server.
Note
The shared secret key must be the same on both the server and the controller.
Step 10
If you are configuring a new RADIUS authentication server and want to enable AES key wrap, which
makes the shared secret between the controller and the RADIUS server more secure, follow these steps:
Note
AES key wrap is designed for Federal Information Processing Standards (FIPS) customers and requires
a key-wrap compliant RADIUS authentication server.
a. Select the Key Wrap check box.
b. From the Key Wrap Format drop-down list, choose ASCII or HEX to specify the format of the AES
key wrap keys: Key Encryption Key (KEK) and Message Authentication Code Key (MACK).
c. In the Key Encryption Key (KEK) text box, enter the 16-byte KEK.
d. In the Message Authentication Code Key (MACK) text box, enter the 20-byte MACK.
Step 11
If you are adding a new server, enter the RADIUS server’s UDP port number for the interface protocols
in the Port Number text box. The valid range is 1 to 65535, and the default value is 1812 for
authentication and 1813 for accounting.
Step 12
From the Server Status text box, choose Enabled to enable this RADIUS server or choose Disabled to
disable it. The default value is enabled.
Step 13
If you are configuring a new RADIUS authentication server, choose Enabled from the Support for RFC
3576 drop-down list to enable RFC 3576, which is an extension to the RADIUS protocol that allows
dynamic changes to a user session, or choose Disabled to disable this feature. The default value is
Enabled. RFC 3576 includes support for disconnecting users and changing authorizations applicable to
a user session and supports disconnect and change-of-authorization (CoA) messages. Disconnect
messages cause a user session to be terminated immediately where CoA messages modify session
authorization attributes such as data filters.
Step 14
In the Server Timeout text box, enter the number of seconds between retransmissions. The valid range
is 2 to 30 seconds, and the default value is 2 seconds.
Note
We recommend that you increase the timeout value if you experience repeated reauthentication
attempts or the controller falls back to the backup server when the primary server is active and
reachable.
Step 15
Select the Network User check box to enable network user authentication (or accounting), or unselect
it to disable this feature. The default value is selected. If you enable this feature, this entry is considered
the RADIUS authentication (or accounting) server for network users. If you did not configure a RADIUS
server entry on the WLAN, you must enable this option for network users.
Step 16
If you are configuring a RADIUS authentication server, select the Management check box to enable
management authentication, or unselect it to disable this feature. The default value is selected. If you
enable this feature, this entry is considered the RADIUS authentication server for management users,
and authentication requests go to the RADIUS server.
Step 17
Select the IPSec check box to enable the IP security mechanism, or unselect it to disable this feature.
The default value is unselected.
Note
The IPsec option appears only if a crypto card is installed in the controller.
Step 18
If you enabled IPsec in Step 17, follow these steps to configure additional IPsec parameters:
a. From the IPSec drop-down list, choose one of the following options as the authentication protocol
to be used for IP security: HMAC MD5 or HMAC SHA1. The default value is HMAC SHA1.
A message authentication code (MAC) is used between two parties that share a secret key to validate
information transmitted between them. HMAC (Hash MAC) is based on cryptographic hash
functions. It can be used in combination with any iterated cryptographic hash function. HMAC MD5
and HMAC SHA1 are two constructs of the HMAC using the MD5 hash function and the SHA1 hash
function. HMAC also uses a secret key for calculation and verification of the message authentication
values.
b. From the IPSec Encryption drop-down list, choose one of the following options to specify the IP
security encryption mechanism:
• DES—Data Encryption Standard that is a method of data encryption using a private (secret) key.
DES applies a 56-bit key to each 64-bit block of data.
• 3DES—Data Encryption Standard that applies three keys in succession. This is the default
value.
• AES CBS—Advanced Encryption Standard that uses keys with a length of 128, 192, or 256 bits
to encrypt data blocks with a length of 128, 192, or 256 bits. AES 128 CBC uses a 128-bit data
path in Cipher Block Chaining (CBC) mode.
c. From the IKE Phase 1 drop-down list, choose one of the following options to specify the Internet
Key Exchange (IKE) protocol: Aggressive or Main. The default value is Aggressive.
IKE Phase 1 is used to negotiate how IKE should be protected. Aggressive mode passes more
information in fewer packets with the benefit of slightly faster connection establishment at the cost
of transmitting the identities of the security gateways in the clear.
d. In the Lifetime text box, enter a value (in seconds) to specify the timeout interval for the session.
The valid range is 1800 to 57600 seconds, and the default value is 1800 seconds.
e. From the IKE Diffie Hellman Group drop-down list, choose one of the following options to specify
the IKE Diffie Hellman group: Group 1 (768 bits), Group 2 (1024 bits), or Group 5 (1536 bits).
The default value is Group 1 (768 bits).
Diffie-Hellman lets two devices exchange values over a public channel and each derive the same
symmetric key. Although all three groups provide security from conventional attacks, Group 5 is
considered more secure because of its larger key size. However, computations involving Group 1
and Group 2 based keys might occur slightly faster because of their smaller prime number size.
Step 19
Click Apply to commit your changes.
Step 20
Click Save Configuration to save your changes.
Step 21
Repeat the previous steps if you want to configure any additional services on the same server or any
additional RADIUS servers.
Step 22
Specify the RADIUS server fallback behavior, as follows:
a. Choose Security > AAA > RADIUS > Fallback to open the RADIUS > Fallback Parameters page.
b. From the Fallback Mode drop-down list, choose one of the following options:
• Off—Disables RADIUS server fallback. This is the default value.
• Passive—Causes the controller to revert to a server with a lower priority from the available
backup servers without using extraneous probe messages. The controller ignores all inactive
servers for a time period and retries later when a RADIUS message needs to be sent.
• Active—Causes the controller to revert to a server with a lower priority from the available
backup servers by using RADIUS probe messages to proactively determine whether a server
that has been marked inactive is back online. The controller ignores all inactive servers for all
active RADIUS requests. Once a recovered server responds to a probe, the controller stops
sending probe messages to that server.
c. If you enabled Active fallback mode in Step b, enter the name to be sent in the inactive server probes
in the Username text box. You can enter up to 16 alphanumeric characters. The default value is
“cisco-probe.”
d. If you enabled Active fallback mode in Step b, enter the probe interval value (in seconds) in the
Interval in Sec text box. The interval serves as inactive time in passive mode and probe interval in
active mode. The valid range is 180 to 3600 seconds, and the default value is 300 seconds.
Step 23
Specify the order of authentication when multiple databases are configured by choosing Security >
Priority Order > Management User. The Priority Order > Management User page appears.
Step 24
In the Order Used for Authentication text box, specify which servers have priority when the controller
attempts to authenticate management users. Use the > and < buttons to move servers between the Not
Used and Order Used for Authentication text boxes. After the desired servers appear in the Order Used
for Authentication text box, use the Up and Down buttons to move the priority server to the top of the
list.
By default, the local database is always queried first. If the username is not found, the controller switches
to the RADIUS server if configured for RADIUS or to the TACACS+ server if configured for TACACS+.
The default setting is local and then RADIUS.
Step 25
Click Apply to commit your changes.
Step 26
Click Save Configuration to save your changes.
Configuring RADIUS (CLI)
Step 1
Specify whether the IP address, system MAC address, or AP MAC address of the originator will be sent
to the RADIUS server in the Access-Request message by entering this command:
config radius callStationIdType {ip_address | mac_address | ap_mac_address | ap_macaddr_ssid}
Note
The default is MAC address.
Note
Do not use callStationIdType for IPv6-only clients.
Step 2
Specify the delimiter to be used in the MAC addresses that are sent to the RADIUS authentication or
accounting server in Access-Request messages by entering this command:
config radius {auth | acct} mac-delimiter {colon | hyphen | single-hyphen | none}
where
• colon sets the delimiter to a colon (the format is xx:xx:xx:xx:xx:xx).
• hyphen sets the delimiter to a hyphen (the format is xx-xx-xx-xx-xx-xx). This is the default value.
• single-hyphen sets the delimiter to a single hyphen (the format is xxxxxx-xxxxxx).
• none disables delimiters (the format is xxxxxxxxxxxx).
Step 3
Configure a RADIUS authentication server by entering these commands:
• config radius auth add index server_ip_address port# {ascii | hex} shared_secret—Adds a
RADIUS authentication server.
• config radius auth keywrap {enable | disable}—Enables AES key wrap, which makes the shared
secret between the controller and the RADIUS server more secure. AES key wrap is designed for
Federal Information Processing Standards (FIPS) customers and requires a key-wrap compliant
RADIUS authentication server.
• config radius auth keywrap add {ascii | hex} kek mack index—Configures the AES key wrap
attributes, where
– kek specifies the 16-byte Key Encryption Key (KEK).
– mack specifies the 20-byte Message Authentication Code Key (MACK).
– index specifies the index of the RADIUS authentication server on which to configure the AES
key wrap.
• config radius auth rfc3576 {enable | disable} index—Enables or disables RFC 3576, which is an
extension to the RADIUS protocol that allows dynamic changes to a user session. RFC 3576
includes support for disconnecting users and changing authorizations applicable to a user session
and supports disconnect and change-of-authorization (CoA) messages. Disconnect messages cause
a user session to be terminated immediately where CoA messages modify session authorization
attributes such as data filters.
• config radius auth retransmit-timeout index timeout—Configures the network login
retransmission timeout value for a RADIUS authentication server.
• config radius auth mgmt-retransmit-timeout index timeout—Configures the management login
retransmission timeout value for a RADIUS authentication server.
• config radius auth network index {enable | disable}—Enables or disables network user
authentication. If you enable this feature, this entry is considered the RADIUS authentication server
for network users. If you did not configure a RADIUS server entry on the WLAN, you must enable
this option for network users.
• config radius auth management index {enable | disable}—Enables or disables management
authentication. If you enable this feature, this entry is considered the RADIUS authentication server
for management users, and authentication requests go to the RADIUS server.
• config radius auth ipsec {enable | disable} index—Enables or disables the IP security mechanism.
• config radius auth ipsec authentication {hmac-md5 | hmac-sha1} index—Configures the
authentication protocol to be used for IP security.
• config radius auth ipsec encryption {3des | aes | des | none} index—Configures the IP security
encryption mechanism.
• config radius auth ipsec ike dh-group {group-1 | group-2 | group-5} index—Configures the IKE
Diffie Hellman group.
• config radius auth ipsec ike lifetime interval index—Configures the timeout interval for the
session.
• config radius auth ipsec ike phase1 {aggressive | main} index—Configures the Internet Key
Exchange (IKE) protocol.
• config radius auth {enable | disable} index—Enables or disables a RADIUS authentication server.
• config radius auth delete index—Deletes a previously added RADIUS authentication server.
Step 4
Configure a RADIUS accounting server by entering these commands:
• config radius acct add index server_ip_address port# {ascii | hex} shared_secret—Adds a
RADIUS accounting server.
• config radius acct server-timeout index timeout—Configures the retransmission timeout value for
a RADIUS accounting server.
• config radius acct network index {enable | disable}—Enables or disables network user
accounting. If you enable this feature, this entry is considered the RADIUS accounting server for
network users. If you did not configure a RADIUS server entry on the WLAN, you must enable this
option for network users.
• config radius acct ipsec {enable | disable} index—Enables or disables the IP security mechanism.
• config radius acct ipsec authentication {hmac-md5 | hmac-sha1} index—Configures the
authentication protocol to be used for IP security.
• config radius acct ipsec encryption {3des | aes | des | none} index—Configures the IP security
encryption mechanism.
• config radius acct ipsec ike dh-group {group-1 | group-2 | group-5} index—Configures the IKE
Diffie Hellman group.
• config radius acct ipsec ike lifetime interval index—Configures the timeout interval for the
session.
• config radius acct ipsec ike phase1 {aggressive | main} index—Configures the Internet Key
Exchange (IKE) protocol.
• config radius acct {enable | disable} index—Enables or disables a RADIUS accounting server.
• config radius acct delete index—Deletes a previously added RADIUS accounting server.
Step 5
Configure the RADIUS server fallback behavior by entering this command:
config radius fallback-test mode {off | passive | active}
where
• off disables RADIUS server fallback.
• passive causes the controller to revert to a server with a lower priority from the available backup
servers without using extraneous probe messages. The controller simply ignores all inactive servers
for a time period and retries later when a RADIUS message needs to be sent.
• active causes the controller to revert to a server with a lower priority from the available backup
servers by using RADIUS probe messages to proactively determine whether a server that has been
marked inactive is back online. The controller simply ignores all inactive servers for all active
RADIUS requests. Once a recovered server responds to a probe, the controller stops sending probe
messages to that server.
Step 6
If you enabled Active mode in Step 5, enter these commands to configure additional fallback parameters:
• config radius fallback-test username username—Specifies the name to be sent in the inactive
server probes. You can enter up to 16 alphanumeric characters for the username parameter.
• config radius fallback-test interval interval—Specifies the probe interval value (in seconds).
Step 7
Save your changes by entering this command:
save config
Step 8
Configure the order of authentication when multiple databases are configured by entering this command:
config aaa auth mgmt AAA_server_type AAA_server_type
where AAA_server_type is local, radius, or tacacs.
To see the current management authentication server order, enter the show aaa auth command.
Step 9
See RADIUS statistics by entering these commands:
• show radius summary—Shows a summary of RADIUS servers and statistics.
• show radius auth statistics—Shows the RADIUS authentication server statistics.
• show radius acct statistics—Shows the RADIUS accounting server statistics.
• show radius rfc3576 statistics—Shows a summary of the RADIUS RFC-3576 server.
Step 10
See active security associations by entering these commands:
• show ike {brief | detailed} ip_or_mac_addr—Shows a brief or detailed summary of active IKE
security associations.
• show ipsec {brief | detailed} ip_or_mac_addr—Shows a brief or detailed summary of active IPSec
security associations.
Step 11
Clear the statistics for one or more RADIUS servers by entering this command:
clear stats radius {auth | acct} {index | all}
Step 12
Make sure that the controller can reach the RADIUS server by entering this command:
ping server_ip_address
RADIUS Authentication Attributes Sent by the Access Point
Table 7-1 through Table 7-5 identify the RADIUS authentication attributes sent by a lightweight access
point to a client in access-request and access-accept packets.
Table 7-1    Authentication Attributes Sent in Access-Request Packets
Attribute ID   Description
1              User-Name
2              Password
3              CHAP-Password
4              NAS-IP-Address
5              NAS-Port
6              Service-Type (see note 1)
12             Framed-MTU
30             Called-Station-ID (MAC address)
31             Calling-Station-ID (MAC address)
32             NAS-Identifier
33             Proxy-State
60             CHAP-Challenge
61             NAS-Port-Type
79             EAP-Message
243            TPLUS-Role
1. To specify read-only or read-write access to controllers through RADIUS authentication, you must set the
Service-Type attribute (6) on the RADIUS server to Callback NAS Prompt for read-only access or to
Administrative for read-write privileges. See Step 19 in the “Configuring RADIUS on the ACS” section for
more information.
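The following Python is an added example, not code from this guide or from the controller; it shows the exchange these attributes take part in for a management login. The controller (as NAS) builds an Access-Request carrying User-Name (1), NAS-IP-Address (4) and Calling-Station-ID (31) in one of the four mac-delimiter formats from Step 2 of the CLI procedure; the server answers with an Access-Accept whose Response Authenticator is computed over the Request Authenticator and the shared secret (RFC 2865 section 3); the controller accepts the reply only if that authenticator verifies and then maps Service-Type (6) to read-write (Administrative) or read-only (Callback NAS Prompt) as note 1 describes. The shared secret, MAC address and username are constructed sample values, and the function names (`management_access`, `format_mac` and the rest) are this example's own.

```python
# Added example, not code from the Cisco guide: the RADIUS exchange for a management
# login, using the attribute numbers and Service-Type values of RFC 2865.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, CALLING_STATION_ID = 1, 4, 6, 31
SERVICE_TYPE_ADMINISTRATIVE = 6        # read-write on the controller
SERVICE_TYPE_CALLBACK_NAS_PROMPT = 9   # read-only on the controller


def format_mac(mac, delimiter):
    """Render a MAC in one of the four 'mac-delimiter' formats from the CLI procedure."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("MAC must contain exactly 12 hex digits")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    return {"colon": ":".join(pairs),                        # xx:xx:xx:xx:xx:xx
            "hyphen": "-".join(pairs),                       # xx-xx-xx-xx-xx-xx (default)
            "single-hyphen": digits[:6] + "-" + digits[6:],  # xxxxxx-xxxxxx
            "none": digits}[delimiter]                       # xxxxxxxxxxxx


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; ints become 4-byte big-endian values."""
    out = b""
    for attr_type, value in attrs:
        if isinstance(value, int):
            value = struct.pack(">I", value)
        elif isinstance(value, str):
            value = value.encode()
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def decode_attrs(data):
    """Decode RADIUS TLVs, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def packet(code, ident, authenticator, body):
    return struct.pack(">BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(ident, attrs, request_auth=None):
    """NAS side: the Request Authenticator is 16 random bytes."""
    return packet(ACCESS_REQUEST, ident, request_auth or os.urandom(16), encode_attrs(attrs))


def response_authenticator(code, ident, request_auth, body, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 section 3."""
    return hashlib.md5(struct.pack(">BBH", code, ident, 20 + len(body))
                       + request_auth + body + secret).digest()


def build_access_accept(request, attrs, secret):
    """Server side: the reply is bound to the request's authenticator and the shared secret."""
    ident, request_auth, body = request[1], request[4:20], encode_attrs(attrs)
    return packet(ACCESS_ACCEPT, ident,
                  response_authenticator(ACCESS_ACCEPT, ident, request_auth, body, secret), body)


def management_access(request, response, secret):
    """Controller side. None = reply rejected (wrong secret, ID, length or TLVs);
    otherwise the access level implied by Service-Type, or 'unspecified' if absent."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack(">BBH", response[:4])
    if code != ACCESS_ACCEPT or ident != request[1] or length != len(response):
        return None
    body = response[20:]
    expected = response_authenticator(code, ident, request[4:20], body, secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None  # shared secret mismatch or tampered reply
    try:
        attrs = decode_attrs(body)
    except ValueError:
        return None
    for attr_type, value in attrs:
        if attr_type == SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack(">I", value)[0]
            if service_type == SERVICE_TYPE_ADMINISTRATIVE:
                return "read-write"
            if service_type == SERVICE_TYPE_CALLBACK_NAS_PROMPT:
                return "read-only"
    return "unspecified"  # accepted, but the guide warns you may be prompted again


# Constructed sample exchange (not captured traffic); secret and MAC are placeholders.
SECRET = b"example-shared-secret"
REQUEST = build_access_request(7, [(USER_NAME, "wlc-admin"),
                                   (NAS_IP_ADDRESS, 0x0A000001),  # 10.0.0.1
                                   (CALLING_STATION_ID, format_mac("00:11:22:aa:bb:cc", "hyphen"))],
                               request_auth=bytes(range(16)))
ACCEPT_RW = build_access_accept(REQUEST, [(SERVICE_TYPE, SERVICE_TYPE_ADMINISTRATIVE)], SECRET)
ACCEPT_RO = build_access_accept(REQUEST, [(SERVICE_TYPE, SERVICE_TYPE_CALLBACK_NAS_PROMPT)], SECRET)
```

A reply signed with a different secret, or altered in transit, fails the authenticator check and is treated as no valid answer, which is why a secret mismatch between controller and server looks like a server timeout rather than a rejection. The check covers only the reply direction: nothing in this exchange protects the Access-Request itself, which is one reason the IPsec option on the server entry exists.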
Table 7-2    Authentication Attributes Honored in Access-Accept Packets (Cisco)
Attribute ID   Description
1              Cisco-LEAP-Session-Key
2              Cisco-Keywrap-Msg-Auth-Code
3              Cisco-Keywrap-Nonce
4              Cisco-Keywrap-Key
5              Cisco-URL-Redirect
6              Cisco-URL-Redirect-ACL
Note
These Cisco-specific attributes are not supported: Auth-Algo-Type and SSID.
Table 7-3    Authentication Attributes Honored in Access-Accept Packets (Standard)
Attribute ID   Description
6              Service-Type. To specify read-only or read-write access to controllers through
               RADIUS authentication, you must set the Service-Type attribute (6) on the RADIUS
               server to Callback NAS Prompt for read-only access or to Administrative for
               read-write privileges.
8              Framed-IP-Address
25             Class
26             Vendor-Specific
27             Timeout
29             Termination-Action
40             Acct-Status-Type
64             Tunnel-Type
79             EAP-Message
81             Tunnel-Group-ID
Note
Message authentication is not supported.
Table 7-4    Authentication Attributes Honored in Access-Accept Packets (Microsoft)
Attribute ID   Description
11             MS-CHAP-Challenge
16             MS-MPPE-Send-Key
17             MS-MPPE-Receive-Key
25             MS-MSCHAP2-Response
26             MS-MSCHAP2-Success
Table 7-5    Authentication Attributes Honored in Access-Accept Packets (Airespace)
Attribute ID   Description
1              VAP-ID
2              QoS-Level
3              DSCP
4              8021P-Type
5              VLAN-Interface-Name
6              ACL-Name
7              Data-Bandwidth-Average-Contract
8              Real-Time-Bandwidth-Average-Contract
9              Data-Bandwidth-Burst-Contract
10             Real-Time-Bandwidth-Burst-Contract
11             Guest-Role-Name
RADIUS Accounting Attributes
Table 7-6 identifies the RADIUS accounting attributes for accounting requests sent from a controller to
the RADIUS server. Table 7-7 lists the different values for the Accounting-Status-Type attribute (40).
Table 7-6    Accounting Attributes for Accounting Requests
Attribute ID   Description
1              User-Name
4              NAS-IP-Address
5              NAS-Port
8              Framed-IP-Address
25             Class
30             Called-Station-ID (MAC address)
31             Calling-Station-ID (MAC address)
32             NAS-Identifier
40             Accounting-Status-Type
41             Accounting-Delay-Time (Stop and interim messages only)
42             Accounting-Input-Octets (Stop and interim messages only)
43             Accounting-Output-Octets (Stop and interim messages only)
44             Accounting-Session-ID
45             Accounting-Authentic
46             Accounting-Session-Time (Stop and interim messages only)
47             Accounting-Input-Packets (Stop and interim messages only)
48             Accounting-Output-Packets (Stop and interim messages only)
49             Accounting-Terminate-Cause (Stop messages only)
64             Tunnel-Type
65             Tunnel-Medium-Type
81             Tunnel-Group-ID
Table 7-7    Accounting-Status-Type Attribute Values
Value          Description
1              Start
2              Stop
3              Interim-Update
7              Accounting-On
8              Accounting-Off
9-14           Reserved for Tunneling Accounting
15             Reserved for Failed
Configuring TACACS+
This section contains the following topics:
• Information About TACACS+, page 7-17
• Guidelines and Limitations, page 7-19
• Configuring TACACS+ on the ACS, page 7-19
• Configuring TACACS+, page 7-21
• Viewing the TACACS+ Administration Server Logs, page 7-24
Information About TACACS+
Terminal Access Controller Access Control System Plus (TACACS+) is a client/server protocol that
provides centralized security for users attempting to gain management access to a controller. It serves as
a backend database similar to local and RADIUS. However, local and RADIUS provide only
authentication support and limited authorization support while TACACS+ provides three services:
• Authentication—The process of verifying users when they attempt to log into the controller.
Users must enter a valid username and password in order for the controller to authenticate users to
the TACACS+ server. The authentication and authorization services are tied to one another. For
example, if authentication is performed using the local or RADIUS database, then authorization
would use the permissions associated with the user in the local or RADIUS database (which are
read-only, read-write, and lobby-admin) and not use TACACS+. Similarly, when authentication is
performed using TACACS+, authorization is tied to TACACS+.
Note
When multiple databases are configured, you can use the controller GUI or CLI to specify
the sequence in which the backend databases should be tried.
• Authorization—The process of determining the actions that users are allowed to take on the
controller based on their level of access.
For TACACS+, authorization is based on privilege (or role) rather than specific actions. The
available roles correspond to the seven menu options on the controller GUI: MONITOR, WLAN,
CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, and COMMANDS. An additional
role, LOBBY, is available for users who require only lobby ambassador privileges. The roles to
which users are assigned are configured on the TACACS+ server. Users can be authorized for one
or more roles. The minimum authorization is MONITOR only, and the maximum is ALL, which
authorizes the user to execute the functionality associated with all seven menu options. For example,
a user who is assigned the role of SECURITY can make changes to any items appearing on the
Security menu (or designated as security commands in the case of the CLI). If users are not
authorized for a particular role (such as WLAN), they can still access that menu option in read-only
mode (or the associated CLI show commands). If the TACACS+ authorization server becomes
unreachable or unable to authorize, users are unable to log into the controller.
Note
If users attempt to make changes on a controller GUI page that are not permitted for their
assigned role, a message appears indicating that they do not have sufficient privilege. If users
enter a controller CLI command that is not permitted for their assigned role, a message may
appear indicating that the command was successfully executed although it was not. In this
case, the following additional message appears to inform users that they lack sufficient
privileges to successfully execute the command: “Insufficient Privilege! Cannot execute
command!”
• Accounting—The process of recording user actions and changes.
Whenever a user successfully executes an action, the TACACS+ accounting server logs the changed
attributes, the user ID of the person who made the change, the remote host where the user is logged
in, the date and time when the command was executed, the authorization level of the user, and a
description of the action performed and the values provided. If the TACACS+ accounting server
becomes unreachable, users are able to continue their sessions uninterrupted.
TACACS+ uses Transmission Control Protocol (TCP) for its transport, unlike RADIUS which uses User
Datagram Protocol (UDP). It maintains a database and listens on TCP port 49 for incoming requests. The
controller, which requires access control, acts as the client and requests AAA services from the server.
The traffic between the controller and the server is encrypted by an algorithm defined in the protocol and
a shared secret key configured on both devices.
You can configure up to three TACACS+ authentication, authorization, and accounting servers each. For
example, you may want to have one central TACACS+ authentication server but several TACACS+
authorization servers in different regions. If you configure multiple servers of the same type and the first
one fails or becomes unreachable, the controller automatically tries the second one and then the third
one if necessary.
Note
If multiple TACACS+ servers are configured for redundancy, the user database must be identical in all
the servers for the backup to work properly.
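As an added illustration of how the traffic between controller and server is protected (this is not Cisco code and not the controller's implementation), the following Python builds the 12-byte TACACS+ header and applies the body obfuscation the protocol defines (RFC 8907 section 4.5): a pad of chained MD5 digests derived from the session ID, the shared secret key, the version and the sequence number is XORed over the packet body. The secret key, session ID and body bytes are constructed sample values; the TCP port 49 transport is outside this example.

```python
# Added example (not Cisco code): TACACS+ header plus the body obfuscation defined in
# RFC 8907 section 4.5, keyed with the shared secret configured on both devices.
import hashlib
import struct

TAC_PLUS_MAJOR_VER, TAC_PLUS_MINOR_VER = 0xC, 0x0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
# version, type, seq_no, flags, session_id, length
HEADER = struct.Struct(">BBBBII")


def keystream(session_id, key, version, seq_no, length):
    """pad = MD5_1 || MD5_2 || ...  where MD5_n = MD5(session_id | key | version | seq_no | MD5_n-1)."""
    seed = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad; the same call both obfuscates and recovers a body."""
    pad = keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(pkt_type, seq_no, session_id, body, key):
    """Header length field counts the body only (RFC 8907 section 4.1)."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    return HEADER.pack(version, pkt_type, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet, key):
    """Return (type, seq_no, session_id, body); raise ValueError on a malformed packet."""
    if len(packet) < HEADER.size:
        raise ValueError("short header")
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("unsupported major version")
    body = packet[HEADER.size:]
    if len(body) != length:
        raise ValueError("length mismatch")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if key:
            raise ValueError("cleartext body on a keyed connection")
        return pkt_type, seq_no, session_id, body
    return pkt_type, seq_no, session_id, obfuscate(body, session_id, key, version, seq_no)


# Constructed sample values (placeholders, not a real key or a captured session).
KEY = b"example-tacacs-secret"
SESSION_ID = 0x1234ABCD
BODY = b"constructed authorization body: user=wlc-admin service=ciscowlc"
PACKET = build_packet(TAC_PLUS_AUTHOR, 1, SESSION_ID, BODY, KEY)
```

Two properties of this construction matter operationally. The pad is a pure function of the shared secret and the header fields, so a secret mismatch produces no error on either side; the peer simply decodes garbage, which is what a mistyped TACACS+ secret looks like in practice. And XOR with an MD5 pad gives confidentiality but no integrity check, which is why the parser above refuses a packet with the unencrypted flag set on a connection that has a key.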
TACACS+ VSA
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating
vendor-specific attributes (VSAs) between the network access server and the TACACS+ server. The
IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable
for general use.
The Cisco TACACS+ implementation supports one vendor-specific option using the format
recommended in the IETF specification. The Cisco vendor ID is 9, and the supported option is vendor
type 1, which is named cisco-av-pair. The value is a string with the following format:
protocol : attribute separator value *
The protocol is a Cisco attribute for a particular type of authorization, the separator is = (equal sign) for
mandatory attributes, and * (asterisk) indicates optional attributes.
Guidelines and Limitations
• You must configure TACACS+ on both your CiscoSecure Access Control Server (ACS) and your
controller. You can configure the controller through either the GUI or the CLI.
• TACACS+ is supported on CiscoSecure ACS version 3.2 and later releases. See the CiscoSecure
ACS documentation for the version that you are running.
Configuring TACACS+ on the ACS
Step 1
Choose Network Configuration on the ACS main page.
Step 2
Choose Add Entry under AAA Clients to add your controller to the server. The Add AAA Client page
appears.
Figure 7-3
Add AAA Client Page on CiscoSecure ACS
Step 3
In the AAA Client Hostname text box, enter the name of your controller.
Step 4
In the AAA Client IP Address text box, enter the IP address of your controller.
Step 5
In the Shared Secret text box, enter the shared secret key to be used for authentication between the server
and the controller.
Note
The shared secret key must be the same on both the server and the controller.
Step 6
From the Authenticate Using drop-down list, choose TACACS+ (Cisco IOS).
Step 7
Click Submit + Apply to save your changes.
Step 8
On the ACS main page, in the left navigation pane, choose Interface Configuration.
Step 9
Choose TACACS+ (Cisco IOS). The TACACS+ (Cisco) page appears.
Step 10
Under TACACS+ Services, select the Shell (exec) check box.
Step 11
Under New Services, select the first check box and enter ciscowlc in the Service text box and common
in the Protocol text box.
Step 12
Under Advanced Configuration Options, select the Advanced TACACS+ Features check box.
Step 13
Click Submit to save your changes.
Step 14
On the ACS main page, in the left navigation pane, choose System Configuration.
Step 15
Choose Logging.
Step 16
When the Logging Configuration page appears, enable all of the events that you want to be logged and
save your changes.
Step 17
On the ACS main page, in the left navigation pane, choose Group Setup.
Step 18
From the Group drop-down list, choose a previously created group.
Note
This step assumes that you have already assigned users to groups on the ACS according to the
roles to which they will be assigned.
Step 19
Click Edit Settings. The Group Setup page appears.
Step 20
Under TACACS+ Settings, select the ciscowlc common check box.
Step 21
Select the Custom Attributes check box.
Step 22
In the text box below Custom Attributes, specify the roles that you want to assign to this group. The
available roles are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT,
COMMANDS, ALL, and LOBBY. The first seven correspond to the menu options on the controller GUI
and allow access to those particular controller features. You can enter one or multiple roles, depending
on the group’s needs. Use ALL to specify all seven roles or LOBBY to specify the lobby ambassador
role. Enter the roles using this format:
rolex=ROLE
For example, to specify the WLAN, CONTROLLER, and SECURITY roles for a particular user group,
you would enter the following text:
role1=WLAN
role2=CONTROLLER
role3=SECURITY
To give a user group access to all seven roles, you would enter the following text:
role1=ALL
Note
Make sure to enter the roles using the format shown above. The roles must be in all uppercase
letters, and there can be no spaces within the text.
Note
You should not combine the MONITOR role or the LOBBY role with any other roles. If you
specify one of these two roles in the Custom Attributes text box, users will have MONITOR or
LOBBY privileges only, even if additional roles are specified.
Step 23
Click Submit to save your changes.
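To check a block of role lines before pasting it into the Custom Attributes text box, the following Python script (an added example, not Cisco or CiscoSecure ACS code) applies the rules given above: the roleN=ROLE format, uppercase role names, no spaces, ALL expanding to the seven menu roles, and MONITOR or LOBBY overriding any other role listed. Which of MONITOR and LOBBY takes effect when both are listed is not stated in this guide and is treated as an assumption in the code.

```python
import re

# Roles the guide lists for the ciscowlc/common TACACS+ service.
MENU_ROLES = frozenset({"MONITOR", "WLAN", "CONTROLLER", "WIRELESS",
                        "SECURITY", "MANAGEMENT", "COMMANDS"})
VALID_ROLES = MENU_ROLES | {"ALL", "LOBBY"}
# The guide says MONITOR and LOBBY must not be combined with other roles.
EXCLUSIVE_ROLES = frozenset({"MONITOR", "LOBBY"})
# Strict form of one roleN=ROLE line: no spaces, uppercase role name.
LINE_RE = re.compile(r"^role(\d+)=([A-Z]+)$")


def validate_role_lines(text):
    """Check the Custom Attributes text for an ACS group.

    Returns a dict with:
      errors    - lines the controller will not parse as written
      warnings  - combinations that are accepted but do not do what was intended
      effective - the set of controller roles the group would actually receive
                  (empty when there are errors, so the text gets fixed first)
    """
    errors, warnings, roles = [], [], []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue  # blank lines carry no role
        if raw != raw.strip() or " " in raw:
            errors.append(f"line {n}: spaces are not allowed: {raw!r}")
            continue
        m = LINE_RE.match(raw)
        if not m:
            errors.append(f"line {n}: expected roleN=ROLE in uppercase: {raw!r}")
            continue
        role = m.group(2)
        if role not in VALID_ROLES:
            errors.append(f"line {n}: unknown role {role!r}")
            continue
        roles.append(role)

    if errors:
        return {"errors": errors, "warnings": warnings, "effective": set()}

    exclusive = [r for r in roles if r in EXCLUSIVE_ROLES]
    if exclusive and len(roles) > 1:
        warnings.append(f"{exclusive[0]} overrides the other roles; the group "
                        f"gets {exclusive[0]} privileges only")
        # Which of MONITOR/LOBBY wins when both are listed is not stated in the
        # guide; the first one listed is kept here (assumption).
        return {"errors": errors, "warnings": warnings, "effective": {exclusive[0]}}
    if "ALL" in roles:
        return {"errors": errors, "warnings": warnings, "effective": set(MENU_ROLES)}
    return {"errors": errors, "warnings": warnings, "effective": set(roles)}


if __name__ == "__main__":
    sample = "role1=MONITOR\nrole2=WLAN\n"   # constructed input
    print(validate_role_lines(sample))
```

A group that fails validation gets an empty effective set on purpose: a malformed line is easier to catch on the ACS side than to diagnose later as a missing menu on the controller GUI.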
Configuring TACACS+
This section contains the following topics:
• Configuring TACACS+ (GUI), page 7-21
• Configuring TACACS+ (CLI), page 7-23
Configuring TACACS+ (GUI)
Step 1
Choose Security > AAA > TACACS+.
Step 2
Perform one of the following:
• If you want to configure a TACACS+ server for authentication, choose Authentication.
• If you want to configure a TACACS+ server for authorization, choose Authorization.
• If you want to configure a TACACS+ server for accounting, choose Accounting.
Note
The pages used to configure authentication, authorization, and accounting all contain the same
text boxes. Therefore, these instructions walk through the configuration only once, using the
Authentication pages as examples. You would follow the same steps to configure multiple
services and/or multiple servers.
Note
For basic management authentication via TACACS+ to succeed, it is required to configure
authentication and authorization servers on the WLC. Accounting configuration is optional.
The TACACS+ (Authentication, Authorization, or Accounting) Servers page appears. This page lists any
TACACS+ servers that have already been configured.
Note
• If you want to delete an existing server, hover your cursor over the blue drop-down arrow for that
server and choose Remove.
• If you want to make sure that the controller can reach a particular server, hover your cursor over the
blue drop-down arrow for that server and choose Ping.
Step 3
Perform one of the following:
• To edit an existing TACACS+ server, click the server index number for that server. The TACACS+
(Authentication, Authorization, or Accounting) Servers > Edit page appears.
• To add a TACACS+ server, click New. The TACACS+ (Authentication, Authorization, or
Accounting) Servers > New page appears.
Step 4
If you are adding a new server, choose a number from the Server Index (Priority) drop-down list to
specify the priority order of this server in relation to any other configured TACACS+ servers providing
the same service. You can configure up to three servers. If the controller cannot reach the first server, it
tries the second one in the list and then the third if necessary.
Step 5
If you are adding a new server, enter the IP address of the TACACS+ server in the Server IP Address text
box.
Step 6
From the Shared Secret Format drop-down list, choose ASCII or Hex to specify the format of the shared
secret key to be used between the controller and the TACACS+ server. The default value is ASCII.
Step 7
In the Shared Secret and Confirm Shared Secret text boxes, enter the shared secret key to be used for
authentication between the controller and the server.
Note
The shared secret key must be the same on both the server and the controller.
Step 8
If you are adding a new server, enter the TACACS+ server’s TCP port number for the interface protocols
in the Port Number text box. The valid range is 1 to 65535, and the default value is 49.
Step 9
In the Server Status text box, choose Enabled to enable this TACACS+ server or choose Disabled to
disable it. The default value is Enabled.
Step 10
In the Server Timeout text box, enter the number of seconds between retransmissions. The valid range
is 5 to 30 seconds, and the default value is 5 seconds.
Note
We recommend that you increase the timeout value if you experience repeated reauthentication
attempts or the controller falls back to the backup server when the primary server is active and
reachable.
Step 11
Click Apply to commit your changes.
Step 12
Click Save Configuration to save your changes.
Step 13
Repeat the previous steps if you want to configure any additional services on the same server or any
additional TACACS+ servers.
Step 14
Specify the order of authentication when multiple databases are configured by choosing Security >
Priority Order > Management User. The Priority Order > Management User page appears.
Step 15
In the Order Used for Authentication text box, specify which servers have priority when the controller
attempts to authenticate management users. Use the > and < buttons to move servers between the Not
Used and Order Used for Authentication text boxes. After the desired servers appear in the Order Used
for Authentication text box, use the Up and Down buttons to move the priority server to the top of the
list.
By default, the local database is always queried first. If the username is not found, the controller switches
to the RADIUS server if configured for RADIUS or to the TACACS+ server if configured for TACACS+.
The default setting is local and then RADIUS.
Step 16
Click Apply to commit your changes.
Step 17
Click Save Configuration to save your changes.
Configuring TACACS+ (CLI)
• Configure a TACACS+ authentication server by entering these commands:
– config tacacs auth add index server_ip_address port# {ascii | hex} shared_secret—Adds a
TACACS+ authentication server.
– config tacacs auth delete index—Deletes a previously added TACACS+ authentication server.
– config tacacs auth {enable | disable} index—Enables or disables a TACACS+ authentication
server.
– config tacacs auth server-timeout index timeout—Configures the network login
retransmission timeout value for a TACACS+ authentication server.
– config tacacs auth mgmt-server-timeout index timeout—Configures the management login
retransmission timeout value for a TACACS+ authentication server.
• Configure a TACACS+ authorization server by entering these commands:
– config tacacs athr add index server_ip_address port# {ascii | hex} shared_secret—Adds a
TACACS+ authorization server.
– config tacacs athr delete index—Deletes a previously added TACACS+ authorization server.
– config tacacs athr {enable | disable} index—Enables or disables a TACACS+ authorization
server.
– config tacacs athr server-timeout index timeout—Configures the network login
retransmission timeout value for a TACACS+ authorization server.
– config tacacs mgmt-athr server-timeout index timeout—Configures the management login
retransmission timeout value for a TACACS+ authorization server.
• Configure a TACACS+ accounting server by entering these commands:
– config tacacs acct add index server_ip_address port# {ascii | hex} shared_secret—Adds a
TACACS+ accounting server.
– config tacacs acct delete index—Deletes a previously added TACACS+ accounting server.
– config tacacs acct {enable | disable} index—Enables or disables a TACACS+ accounting
server.
– config tacacs acct server-timeout index timeout—Configures the retransmission timeout value
for a TACACS+ accounting server.
• See TACACS+ statistics by entering these commands:
– show tacacs summary—Shows a summary of TACACS+ servers and statistics.
– show tacacs auth stats—Shows the TACACS+ authentication server statistics.
– show tacacs athr stats—Shows the TACACS+ authorization server statistics.
– show tacacs acct stats—Shows the TACACS+ accounting server statistics.
• Clear the statistics for one or more TACACS+ servers by entering this command:
clear stats tacacs [auth | athr | acct] {index | all}
• Configure the order of authentication when multiple databases are configured by entering this
command. The default setting is local and then radius.
config aaa auth mgmt [radius | tacacs]
See the current management authentication server order by entering the show aaa auth command.
• Make sure the controller can reach the TACACS+ server by entering this command:
ping server_ip_address
• Enable or disable TACACS+ debugging by entering this command:
debug aaa tacacs {enable | disable}
• Save your changes by entering this command:
save config
Viewing the TACACS+ Administration Server Logs
Prerequisites
You must have configured a TACACS+ accounting server on the controller.
Step 1
On the ACS main page, in the left navigation pane, choose Reports and Activity.
Step 2
Under Reports, choose TACACS+ Administration.
Step 3
Click the .csv file corresponding to the date of the logs you want to view. The TACACS+ Administration
.csv page appears.
Figure 7-4
TACACS+ Administration .csv Page on CiscoSecure ACS
This page displays the following information:
• Date and time the action was taken
• Name and assigned role of the user who took the action
• Group to which the user belongs
• Specific action that the user took
• Privilege level of the user who executed the action
• IP address of the controller
• IP address of the laptop or workstation from which the action was executed
Sometimes a single action (or command) is logged multiple times, once for each parameter in the
command. For example, if you enter the snmp community ipaddr ip_address subnet_mask
community_name command, the IP address may be logged on one line while the subnet mask and
community name are logged as “E.” On another line, the subnet mask may be logged while the IP address
and community name are logged as “E.” See the first and third lines in the example in Figure 7-5.
Figure 7-5
TACACS+ Administration .csv Page on CiscoSecure ACS
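The per-parameter logging makes the .csv awkward to review or to feed into a log collector. The following Python script, an added example that is not part of this guide or of CiscoSecure ACS, reconstructs each command from its fragments by merging rows that share the same date, time, user and controller address and filling each “E” from a sibling row. The sample rows and the column names are constructed for the example and are not the ACS report schema.

```python
import csv
import io

# Constructed sample in the shape of the ACS TACACS+ Administration .csv report.
# Column names are assumptions for this example; the "E" placeholders follow the
# per-parameter logging behaviour described in the guide.
SAMPLE_CSV = """\
Date,Time,User-Name,Group-Name,cmd,priv-lvl,NAS-IP-Address,Caller-Id
02/14/2012,10:03:11,netadmin,wlc-admins,snmp community ipaddr 10.1.1.5 E E,15,10.10.1.2,192.0.2.25
02/14/2012,10:03:11,netadmin,wlc-admins,snmp community ipaddr E 255.255.255.0 E,15,10.10.1.2,192.0.2.25
02/14/2012,10:03:11,netadmin,wlc-admins,snmp community ipaddr E E public,15,10.10.1.2,192.0.2.25
02/14/2012,10:07:45,netadmin,wlc-admins,save config,15,10.10.1.2,192.0.2.25
"""

PLACEHOLDER = "E"


def _compatible(a, b):
    """Two token lists describe the same command when every position agrees
    or one side holds the placeholder."""
    return len(a) == len(b) and all(
        x == y or x == PLACEHOLDER or y == PLACEHOLDER for x, y in zip(a, b))


def merge_split_commands(csv_text):
    """Collapse the per-parameter rows of one command into a single event.

    Rows are merged only when they share date, time, user and controller, have
    the same token count, and at least one side still carries a placeholder, so
    two genuinely separate identical commands are not collapsed together.
    """
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        meta = (row["Date"], row["Time"], row["User-Name"], row["NAS-IP-Address"])
        tokens = row["cmd"].split()
        for ev in events:
            if (ev["meta"] == meta and _compatible(ev["tokens"], tokens)
                    and (PLACEHOLDER in tokens or PLACEHOLDER in ev["tokens"])):
                # Fill every placeholder position from the new fragment.
                ev["tokens"] = [y if x == PLACEHOLDER else x
                                for x, y in zip(ev["tokens"], tokens)]
                ev["fragments"] += 1
                break
        else:
            events.append({"meta": meta, "tokens": tokens, "fragments": 1,
                           "group": row["Group-Name"], "from": row["Caller-Id"]})

    merged = []
    for ev in events:
        merged.append({
            "date": ev["meta"][0], "time": ev["meta"][1],
            "user": ev["meta"][2], "group": ev["group"],
            "controller": ev["meta"][3], "from": ev["from"],
            "command": " ".join(ev["tokens"]),
            "fragments": ev["fragments"],
            # A placeholder that survives merging means a parameter was never
            # logged; flag it instead of guessing its value.
            "complete": PLACEHOLDER not in ev["tokens"],
        })
    return merged


if __name__ == "__main__":
    for e in merge_split_commands(SAMPLE_CSV):
        print(e["date"], e["time"], e["user"], e["controller"], e["command"],
              f"(from {e['fragments']} row(s), complete={e['complete']})")
```

The merge key deliberately includes the controller address and the token count, so a second administrator issuing a similar command against another controller in the same second is kept as a separate event.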
Configuring Maximum Local Database Entries
This section contains the following topics:
• Information About Configuring Maximum Local Database Entries, page 7-26
• Configuring Maximum Local Database Entries (GUI), page 7-26
• Configuring Maximum Local Database Entries (CLI), page 7-27
Information About Configuring Maximum Local Database Entries
You can configure the controller to specify the maximum number of local database entries used for
storing user authentication information. The database entries include local management users (including
lobby ambassadors), local network users (including guest users), MAC filter entries, exclusion list
entries, and access point authorization list entries. Together, they cannot exceed the configured
maximum value.
Configuring Maximum Local Database Entries (GUI)
Step 1
Choose Security > AAA > General to open the General page.
Figure 7-6
General Page
Step 2
In the Maximum Local Database Entries text box, enter a value for the maximum number of entries that
can be added to the local database the next time the controller reboots. The currently configured value
appears in parentheses to the right of the text box. The valid range is 512 to 2048, and the default setting
is 2048.
The Number of Entries, Already Used text box shows the number of entries currently in the database.
Step 3
Click Apply to commit your changes.
Step 4
Click Save Configuration to save your settings.
Configuring Maximum Local Database Entries (CLI)
Step 1
Specify the maximum number of entries that can be added to the local database the next time the
controller reboots by entering this command:
config database size max_entries
Step 2
Save your changes by entering this command:
save config
Step 3
View the maximum number of database entries and the current database contents by entering this
command:
show database summary
Configuring Local Network Users on the Controller
This section contains the following topics:
• Information About Local Network Users on Controller, page 7-28
• Configuring Local Network Users for the Controller, page 7-28
• Additional References, page 7-30
Information About Local Network Users on Controller
You can add local network users to the local user database on the controller. The local user database
stores the credentials (username and password) of all the local network users. These credentials are then
used to authenticate the users. For example, local EAP may use the local user database as its backend
database to retrieve user credentials.
Note
The controller passes client information to the RADIUS authentication server first. If the client
information does not match a RADIUS database entry, the local user database is polled. Clients located
in this database are granted access to network services if the RADIUS authentication fails or does not
exist.
Configuring Local Network Users for the Controller
This section contains the following topics:
• Configuring Local Network Users for the Controller (GUI), page 7-28
• Configuring Local Network Users for the Controller (CLI), page 7-29
Configuring Local Network Users for the Controller (GUI)
Step 1
Choose Security > AAA > Local Net Users to open the Local Net Users page.
Figure 7-7
Local Net Users Page
This page lists any local network users that have already been configured. It also specifies any guest
users and the QoS role to which they are assigned (if applicable).
Note
If you want to delete an existing user, hover your cursor over the blue drop-down arrow for that
user and choose Remove.
Step 2
Perform one of the following:
• To edit an existing local network user, click the username for that user. The Local Net Users > Edit
page appears.
• To add a local network user, click New. The Local Net Users > New page appears.
Step 3
If you are adding a new user, enter a username for the local user in the User Name text box. You can
enter up to 24 alphanumeric characters.
Note
Local network usernames must be unique because they are all stored in the same database.
Step 4
In the Password and Confirm Password text boxes, enter a password for the local user. You can enter up
to 24 alphanumeric characters.
Step 5
If you are adding a new user, select the Guest User check box if you want to limit the amount of time
that the user has access to the local network. The default setting is unselected.
Step 6
If you are adding a new user and you selected the Guest User check box, enter the amount of time (in
seconds) that the guest user account is to remain active in the Lifetime text box. The valid range is 60 to
2,592,000 seconds (30 days) inclusive, and the default setting is 86,400 seconds.
Step 7
If you are adding a new user, you selected the Guest User check box, and you want to assign a QoS role
to this guest user, select the Guest User Role check box. The default setting is unselected.
Note
If you do not assign a QoS role to a guest user, the bandwidth contracts for this user are defined
in the QoS profile for the WLAN.
Step 8
If you are adding a new user and you selected the Guest User Role check box, choose the QoS role that
you want to assign to this guest user from the Role drop-down list.
Step 9
From the WLAN Profile drop-down list, choose the name of the WLAN that is to be accessed by the
local user. If you choose Any WLAN, which is the default setting, the user can access any of the
configured WLANs.
Step 10
In the Description text box, enter a descriptive title for the local user (such as “User 1”).
Step 11
Click Apply to commit your changes.
Step 12
Click Save Configuration to save your changes.
Configuring Local Network Users for the Controller (CLI)
• Configure a local network user by entering these commands:
– config netuser add username password wlan wlan_id userType permanent description
description—Adds a permanent user to the local user database on the controller.
– config netuser add username password {wlan | guestlan} {wlan_id | guest_lan_id} userType
guestlifetime seconds description description—Adds a guest user on a WLAN or wired guest
LAN to the local user database on the controller.
Note
Instead of adding a permanent user or a guest user to the local user database from the
controller, you can choose to create an entry on the RADIUS server for the user and enable
RADIUS authentication for the WLAN on which web authentication is performed.
– config netuser delete username—Deletes a user from the local user database on the controller.
Note
Local network usernames must be unique because they are all stored in the same database.
• See information related to the local network users configured on the controller by entering these
commands:
– show netuser detail username—Shows the configuration of a particular user in the local user
database.
– show netuser summary—Lists all the users in the local user database.
• Save your changes by entering this command:
save config
Additional References
For more information about configuring local network users, see the “Configuring Local EAP” section
on page 7-36.
If you want to create a new QoS role, see the “Configuring Quality of Service” section on page 4-66 for
instructions.
Configuring Password Policies
This section contains the following topics:
• Information About Password Policies, page 7-30
• Configuring Password Policies (GUI), page 7-30
• Configuring Password Policies (CLI), page 7-31
Information About Password Policies
The password policies allow you to enforce strong password checks on newly created passwords for
additional management users of the controller and access points. The following requirements apply to
new passwords:
• When the controller is upgraded from an older version, all the old passwords are kept as they are,
even if they are weak. After the upgrade, if strong password checks are enabled, they are enforced
from that time on; the strength of previously added passwords is not checked or altered.
• Depending on the settings made on the Password Policy page, the local management and access
point user configuration is affected.
Configuring Password Policies (GUI)
Step 1
Choose Security > AAA > Password Policies to open the Password Policies page.
Step 2
Select the Password must contain characters from at least 3 different classes check box if you want
your password to contain characters from at least three of the following classes: lower case letters, upper
case letters, digits, and special characters.
Step 3
Select the No character can be repeated more than 3 times consecutively check box if you do not want
any character in the new password to repeat more than three times consecutively.
Step 4
Select the Password cannot be the default words like cisco, admin check box if you do not want the
password to contain words such as Cisco, ocsic, admin, nimda, or any variant obtained by changing the
capitalization of letters or by substituting 1, |, or ! for i, 0 for o, or $ for s.
Step 5
Select the Password cannot contain username or reverse of username check box if you do not want
the password to contain a username or the reverse letters of a username.
Step 6
Click Apply to commit your changes.
Step 7
Click Save Configuration to save your changes.
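The four check boxes above describe tests that can be reproduced offline, for instance to pre-screen a password before it is entered on the controller or to audit a password list generated by a provisioning tool. The following Python module is an added example, not controller code; it implements the checks as the steps describe them (at least three character classes, no run of more than three identical characters, the listed default words after undoing the 1/|/!, 0 and $ substitutions and case changes, and the username or its reverse).

```python
import re

# The default words the guide names; ocsic and nimda are cisco and admin reversed.
DEFAULT_WORDS = ("cisco", "ocsic", "admin", "nimda")
# Substitutions the guide lists: 1, | or ! for i; 0 for o; $ for s.
_UNSUBST = str.maketrans({"1": "i", "|": "i", "!": "i", "0": "o", "$": "s"})


def check_character_classes(password, minimum=3):
    """Password must use at least `minimum` of: lower, upper, digit, special."""
    classes = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
    }
    return sum(classes.values()) >= minimum


def check_consecutive(password, limit=3):
    """No character may be repeated more than `limit` times consecutively."""
    return re.search(r"(.)\1{%d,}" % limit, password) is None


def check_default_words(password):
    """Reject cisco/ocsic/admin/nimda and their case or substitution variants
    by undoing the substitutions first and then looking for the bare words."""
    normalised = password.lower().translate(_UNSUBST)
    return not any(word in normalised for word in DEFAULT_WORDS)


def check_username(password, username):
    """Password must not contain the username or the username reversed."""
    if not username:
        return True
    p, u = password.lower(), username.lower()
    return u not in p and u[::-1] not in p


def evaluate_password(password, username, policy=None):
    """Run the enabled checks; returns {"ok": bool, "failures": [check names]}.

    `policy` mirrors the four GUI check boxes; all four are enabled by default.
    """
    policy = policy or {"classes": True, "consecutive": True,
                        "default_words": True, "username": True}
    checks = {
        "classes": lambda: check_character_classes(password),
        "consecutive": lambda: check_consecutive(password),
        "default_words": lambda: check_default_words(password),
        "username": lambda: check_username(password, username),
    }
    failures = [name for name, enabled in policy.items()
                if enabled and not checks[name]()]
    return {"ok": not failures, "failures": failures}


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration.
    for pw in ("Adm1n!!!!", "Gr33n-Tea#42"):
        print(pw, evaluate_password(pw, "netadmin"))
```

The default-word check normalises before matching rather than enumerating variants, so C1$co, c!sco and CISCO all collapse to the same word; the cost is a few false positives on passwords that merely contain such a substring, which is the conservative side to err on.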
Configuring Password Policies (CLI)
Step 1
Enable or disable strong password check for AP and WLC by entering this command:
config switchconfig strong-pwd {case-check | consecutive-check | default-check | username-check |
all-check} {enable | disable}
where
• case-check—Checks whether the same character occurs three times consecutively.
• consecutive-check—Checks whether the default values or their variants are being used.
• default-check—Checks whether the username or its reverse is being used.
• all-checks—Enables or disables all the strong password checks.
Step 2
See the configured options for strong password check by entering this command:
show switchconfig
Example: Show Command for Password Policies
Information similar to the following appears:
802.3x Flow Control Mode......................... Disabled
FIPS prerequisite features....................... Disabled
secret obfuscation............................... Enabled
Strong Password Check Features:
case-check ...........Enabled
consecutive-check ....Enabled
default-check .......Enabled
username-check ......Enabled
Configuring LDAP
This section explains how to configure a Lightweight Directory Access Protocol (LDAP) server as a
backend database, similar to a RADIUS or local user database.
This section contains the following topics:
• Information About LDAP, page 7-32
• Configuring LDAP (GUI), page 7-32
• Configuring LDAP (CLI), page 7-34
• Additional References, page 7-36
Information About LDAP
An LDAP backend database allows the controller to query an LDAP server for the credentials (username
and password) of a particular user. These credentials are then used to authenticate the user. For example,
local EAP may use an LDAP server as its backend database to retrieve user credentials.
Note
The LDAP backend database supports these local EAP methods: EAP-TLS, EAP-FAST/GTC, and
PEAPv1/GTC. LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are also supported but only
if the LDAP server is set up to return a clear-text password.
Note
Cisco wireless LAN controllers support Local EAP authentication against external LDAP databases such
as Microsoft Active Directory and Novell’s eDirectory. For more information about configuring the
controller for Local EAP authentication against Novell’s eDirectory, see the Configure Unified Wireless
Network for Authentication Against Novell's eDirectory Database whitepaper at
http://www.cisco.com/en/US/products/ps6366/products_white_paper09186a0080b4cd24.shtml.
Configuring LDAP (GUI)
Step 1
Choose Security > AAA > LDAP to open the LDAP Servers page.
Figure 7-8
LDAP Servers Page
This page lists any LDAP servers that have already been configured.
Note
• If you want to delete an existing LDAP server, hover your cursor over the blue drop-down arrow for
that server and choose Remove.
• If you want to make sure that the controller can reach a particular server, hover your cursor over the
blue drop-down arrow for that server and choose Ping.
Step 2
Perform one of the following:
• To edit an existing LDAP server, click the index number for that server. The LDAP Servers > Edit
page appears.
• To add an LDAP server, click New. The LDAP Servers > New page appears. If you are adding a new
server, choose a number from the Server Index (Priority) drop-down list to specify the priority order
of this server in relation to any other configured LDAP servers. You can configure up to 17 servers.
If the controller cannot reach the first server, it tries the second one in the list and so on.
Step 3
If you are adding a new server, enter the IP address of the LDAP server in the Server IP Address text box.
Step 4
If you are adding a new server, enter the LDAP server’s TCP port number in the Port Number text box.
The valid range is 1 to 65535, and the default value is 389.
Step 5
Select the Enable Server Status check box to enable this LDAP server or unselect it to disable it. The
default value is disabled.
Step 6
From the Simple Bind drop-down list, choose Anonymous or Authenticated to specify the local
authentication bind method for the LDAP server. The Anonymous method allows anonymous access to
the LDAP server. The Authenticated method requires that a username and password be entered to secure
access. The default value is Anonymous.
Step 7
If you chose Authenticated in Step 6, follow these steps:
a. In the Bind Username text box, enter a username to be used for local authentication to the LDAP
server. The username can contain up to 80 characters.
Note
If the username starts with “cn=” (in lowercase letters), the controller assumes that the
username includes the entire LDAP database path and does not append the user base DN.
This designation allows the authenticated bind user to be outside the user base DN.
b. In the Bind Password and Confirm Bind Password text boxes, enter a password to be used for local
authentication to the LDAP server. The password can contain up to 32 characters.
Step 8
In the User Base DN text box, enter the distinguished name (DN) of the subtree in the LDAP server that
contains a list of all the users. For example, ou=organizational unit, ou=next organizational unit, and
o=corporation.com. If the tree containing users is the base DN, type o=corporation.com or
dc=corporation,dc=com.
Step 9
In the User Attribute text box, enter the name of the attribute in the user record that contains the
username. You can obtain this attribute from your directory server.
Step 10
In the User Object Type text box, enter the value of the LDAP objectType attribute that identifies the
record as a user. Often, user records have several values for the objectType attribute, some of which are
unique to the user and some of which are shared with other object types.
Step 11
In the Server Timeout text box, enter the number of seconds between retransmissions. The valid range
is 2 to 30 seconds, and the default value is 2 seconds.
Step 12
Click Apply to commit your changes.
Step 13
Click Save Configuration to save your changes.
Step 14
Specify LDAP as the priority backend database server for local EAP authentication as follows:
a. Choose Security > Local EAP > Authentication Priority to open the Priority Order > Local-Auth
page.
b. Highlight LOCAL and click < to move it to the left User Credentials box.
c. Highlight LDAP and click > to move it to the right User Credentials box. The database that appears
at the top of the right User Credentials box is used when retrieving user credentials.
Note
If both LDAP and LOCAL appear in the right User Credentials box with LDAP on the top
and LOCAL on the bottom, local EAP attempts to authenticate clients using the LDAP
backend database and fails over to the local user database if the LDAP servers are not
reachable. If the user is not found, the authentication attempt is rejected. If LOCAL is on the
top, local EAP attempts to authenticate using only the local user database. It does not fail
over to the LDAP backend database.
d. Click Apply to commit your changes.
e. Click Save Configuration to save your changes.
Step 15
(Optional) Assign specific LDAP servers to a WLAN as follows:
a. Choose WLANs to open the WLANs page.
b. Click the ID number of the desired WLAN.
c. When the WLANs > Edit page appears, choose the Security > AAA Servers tabs to open the
WLANs > Edit (Security > AAA Servers) page.
d. From the LDAP Servers drop-down lists, choose the LDAP server(s) that you want to use with this
WLAN. You can choose up to three LDAP servers, which are tried in priority order.
Note
These LDAP servers apply only to WLANs with web authentication enabled. They are not
used by local EAP.
e. Click Apply to commit your changes.
f. Click Save Configuration to save your changes.
Configuring LDAP (CLI)
• Configure an LDAP server by entering these commands:
– config ldap add index server_ip_address port# user_base user_attr user_type—Adds an
LDAP server.
– config ldap delete index—Deletes a previously added LDAP server.
– config ldap {enable | disable} index—Enables or disables an LDAP server.
– config ldap simple-bind {anonymous index | authenticated index username username
password password}—Specifies the local authentication bind method for the LDAP server. The
anonymous method allows anonymous access to the LDAP server whereas the authenticated
method requires that a username and password be entered to secure access. The default value is
anonymous.
Note
The username can contain up to 80 characters.
Note
If the username starts with “cn=” (in lowercase letters), the controller assumes that the
username includes the entire LDAP database path and does not append the user base
DN. This designation allows the authenticated bind user to be outside the user base DN.
– config ldap retransmit-timeout index timeout—Configures the number of seconds between
retransmissions for an LDAP server.
• Specify LDAP as the priority backend database server by entering this command:
config local-auth user-credentials ldap
Note
If you enter the config local-auth user-credentials ldap local command, local EAP
attempts to authenticate clients using the LDAP backend database and fails over to the local
user database if the LDAP servers are not reachable. If the user is not found, the
authentication attempt is rejected. If you enter the config local-auth user-credentials local
ldap command, local EAP attempts to authenticate using only the local user database. It
does not fail over to the LDAP backend database.
• (Optional) Assign specific LDAP servers to a WLAN by entering these commands:
– config wlan ldap add wlan_id server_index—Links a configured LDAP server to a WLAN.
Note
The LDAP servers specified in this command apply only to WLANs with web
authentication enabled. They are not used by local EAP.
– config wlan ldap delete wlan_id {all | index}—Deletes a specific or all configured LDAP
server(s) from a WLAN.
• View information pertaining to configured LDAP servers by entering these commands:
– show ldap summary—Shows a summary of the configured LDAP servers.
Idx  Server Address   Port  Enabled
---  ---------------  ----  -------
1    2.3.1.4          389   No
2    10.10.20.22      389   Yes
– show ldap index—Shows detailed LDAP server information. Information similar to the following
appears:
Server Index..................................... 2
Address.......................................... 10.10.20.22
Port............................................. 389
Enabled.......................................... Yes
User DN..........................................
ou=active,ou=employees,ou=people,
o=cisco.com
User Attribute................................... uid
User Type........................................ Person
Retransmit Timeout............................... 2 seconds
Bind Method ..................................... Authenticated
Bind Username................................. user1
– show ldap statistics—Shows LDAP server statistics.
Server Index..................................... 1
Cisco Wireless LAN Controller Configuration Guide
OL-21524-03
7-35
Chapter 7
Configuring Security Solutions
Configuring Local EAP
Server statistics:
  Initialized OK................................. 0
  Initialization failed.......................... 0
  Initialization retries......................... 0
  Closed OK...................................... 0
Request statistics:
  Received....................................... 0
  Sent........................................... 0
  OK............................................. 0
  Success........................................ 0
  Authentication failed.......................... 0
  Server not found............................... 0
  No received attributes......................... 0
  No passed username............................. 0
  Not connected to server........................ 0
  Internal error................................. 0
  Retries........................................ 0
Server Index..................................... 2
..
– show wlan wlan_id—Shows the LDAP servers that are applied to a WLAN.
•
Make sure the controller can reach the LDAP server by entering this command:
ping server_ip_address
•
Save your changes by entering this command:
save config
•
Enable or disable debugging for LDAP by entering this command:
debug aaa ldap {enable | disable}
Additional References
For more information about configuring local EAP, see the “Configuring Local EAP” section on page 7-36.
Configuring Local EAP
This section contains the following topics:
•
Information About Local EAP, page 7-36
•
Configuring Local EAP (GUI), page 7-38
•
Configuring Local EAP (CLI), page 7-42
•
Additional References, page 7-47
Information About Local EAP
Local EAP is an authentication method that allows users and wireless clients to be authenticated locally.
It is designed for use in remote offices that want to maintain connectivity to wireless clients when the
backend system becomes disrupted or the external authentication server goes down. When you enable
local EAP, the controller serves as the authentication server and the local user database, which removes
dependence on an external authentication server. Local EAP retrieves user credentials from the local user
database or the LDAP backend database to authenticate users. Local EAP supports LEAP, EAP-FAST,
EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC authentication between the controller and wireless
clients.
Note
The LDAP backend database supports these local EAP methods: EAP-TLS, EAP-FAST/GTC, and
PEAPv1/GTC. LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are also supported but only
if the LDAP server is set up to return a clear-text password.
Note
Cisco wireless LAN controllers support Local EAP authentication against external LDAP databases such
as Microsoft Active Directory and Novell’s eDirectory. For more information about configuring the
controller for Local EAP authentication against Novell’s eDirectory, see the Configure Unified Wireless
Network for Authentication Against Novell's eDirectory Database whitepaper at
http://www.cisco.com/en/US/products/ps6366/products_white_paper09186a0080b4cd24.shtml.
If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless
clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found,
either because the RADIUS servers timed out or no RADIUS servers were configured. If four RADIUS
servers are configured, the controller attempts to authenticate the client with the first RADIUS server,
then the second RADIUS server, and then local EAP. If the client attempts to then reauthenticate
manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local
EAP. If you never want the controller to try to authenticate clients using an external RADIUS server,
enter these CLI commands in this order:
•
config wlan disable wlan_id
•
config wlan radius_server auth disable wlan_id
•
config wlan enable wlan_id
Figure 7-9
Local EAP Example
(Figure not reproduced: a regional office containing a Cisco Aironet lightweight access point, a
wireless LAN controller, and an optional LDAP server, connected across a WAN to a RADIUS server.)
Guidelines and Limitations
Local EAP Profiles are not supported on AP602 OEAP.
Configuring Local EAP (GUI)
Note
EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC use certificates for authentication, and EAP-FAST
uses either certificates or PACs. The controller is shipped with Cisco-installed device and Certificate
Authority (CA) certificates. However, if you want to use your own vendor-specific certificates, they must
be imported on the controller.
Step 1
If you are configuring local EAP to use one of the EAP types listed in the note above, make sure that the
appropriate certificates and PACs (if you will use manual PAC provisioning) have been imported on the
controller.
Step 2
If you want the controller to retrieve user credentials from the local user database, make sure that you
have properly configured the local network users on the controller.
Step 3
If you want the controller to retrieve user credentials from an LDAP backend database, make sure that
you have properly configured an LDAP server on the controller.
Step 4
Specify the order in which user credentials are retrieved from the backend database servers as follows:
a.
Choose Security > Local EAP > Authentication Priority to open the Priority Order > Local-Auth
page.
b.
Determine the priority order in which user credentials are to be retrieved from the local and/or LDAP
databases. For example, you may want the LDAP database to be given priority over the local user
database, or you may not want the LDAP database to be considered at all.
c.
When you have decided on a priority order, highlight the desired database. Then use the left and
right arrows and the Up and Down buttons to move the desired database to the top of the right User
Credentials box.
Note
If both LDAP and LOCAL appear in the right User Credentials box with LDAP on the top
and LOCAL on the bottom, local EAP attempts to authenticate clients using the LDAP
backend database and fails over to the local user database if the LDAP servers are not
reachable. If the user is not found, the authentication attempt is rejected. If LOCAL is on the
top, local EAP attempts to authenticate using only the local user database. It does not fail
over to the LDAP backend database.
d.
Click Apply to commit your changes.
Step 5
Specify values for the local EAP timers as follows:
a.
Choose Security > Local EAP > General to open the General page.
b.
In the Local Auth Active Timeout text box, enter the amount of time (in seconds) in which the
controller attempts to authenticate wireless clients using local EAP after any pair of configured
RADIUS servers fails. The valid range is 1 to 3600 seconds, and the default setting is 100 seconds.
c.
In the Identity Request Timeout text box, enter the amount of time (in seconds) in which the
controller attempts to send an EAP identity request to wireless clients using local EAP. The valid
range is 1 to 120 seconds, and the default setting is 30 seconds.
d.
In the Identity Request Max Retries text box, enter the maximum number of times that the controller
attempts to retransmit the EAP identity request to wireless clients using local EAP. The valid range
is 1 to 20 retries, and the default setting is 20 retries.
e.
In the Dynamic WEP Key Index text box, enter the key index used for dynamic wired equivalent
privacy (WEP). The default value is 0, which corresponds to a key index of 1; the valid values are 0
to 3 (key index of 1 to 4).
f.
In the Request Timeout text box, enter the amount of time (in seconds) in which the controller
attempts to send an EAP request to wireless clients using local EAP. The valid range is 1 to 120
seconds, and the default setting is 30 seconds.
g.
In the Request Max Retries text box, enter the maximum number of times that the controller attempts
to retransmit the EAP request to wireless clients using local EAP. The valid range is 1 to 120 retries,
and the default setting is 20 retries.
h.
From the Max-Login Ignore Identity Response drop-down list, choose Enable to limit the number
of devices that can be connected to the controller with the same username. You can log in up to eight
times from different devices (PDA, laptop, IP phone, and so on) on the same controller. The default
value is enabled.
i.
In the EAPOL-Key Timeout text box, enter the amount of time (in seconds) in which the controller
attempts to send an EAP key over the LAN to wireless clients using local EAP. The valid range is 1
to 5 seconds, and the default setting is 1 second.
Note
If the controller and access point are separated by a WAN link, the default timeout of 1 second
may not be sufficient.
j.
In the EAPOL-Key Max Retries text box, enter the maximum number of times that the controller
attempts to send an EAP key over the LAN to wireless clients using local EAP. The valid range is 0
to 4 retries, and the default setting is 2 retries.
k.
Click Apply to commit your changes.
Step 6
Create a local EAP profile, which specifies the EAP authentication types that are supported on the
wireless clients as follows:
a.
Choose Security > Local EAP > Profiles to open the Local EAP Profiles page.
This page lists any local EAP profiles that have already been configured and specifies their EAP
types. You can create up to 16 local EAP profiles.
Note
If you want to delete an existing profile, hover your cursor over the blue drop-down arrow
for that profile and choose Remove.
b.
Click New to open the Local EAP Profiles > New page.
c.
In the Profile Name text box, enter a name for your new profile and then click Apply.
Note
You can enter up to 63 alphanumeric characters for the profile name. Make sure not to
include spaces.
d.
When the Local EAP Profiles page reappears, click the name of your new profile. The Local EAP
Profiles > Edit page appears.
e.
Select the LEAP, EAP-FAST, EAP-TLS, and/or PEAP check boxes to specify the EAP type that
can be used for local authentication.
Note
You can specify more than one EAP type per profile. However, if you choose multiple EAP
types that use certificates (such as EAP-FAST with certificates, EAP-TLS,
PEAPv0/MSCHAPv2, and PEAPv1/GTC), all of the EAP types must use the same
certificate (from either Cisco or another vendor).
Note
If you select the PEAP check box, both PEAPv0/MSCHAPv2 and PEAPv1/GTC are enabled
on the controller.
f.
If you chose EAP-FAST and want the device certificate on the controller to be used for
authentication, select the Local Certificate Required check box. If you want to use EAP-FAST
with PACs instead of certificates, leave this check box unselected, which is the default setting.
Note
This option applies only to EAP-FAST because device certificates are not used with LEAP
and are mandatory for EAP-TLS and PEAP.
g.
If you chose EAP-FAST and want the wireless clients to send their device certificates to the
controller in order to authenticate, select the Client Certificate Required check box. If you want
to use EAP-FAST with PACs instead of certificates, leave this check box unselected, which is the
default setting.
Note
This option applies only to EAP-FAST because client certificates are not used with LEAP
or PEAP and are mandatory for EAP-TLS.
h.
If you chose EAP-FAST with certificates, EAP-TLS, or PEAP, choose which certificates will be sent
to the client, the ones from Cisco or the ones from another Vendor, from the Certificate Issuer
drop-down list. The default setting is Cisco.
i.
If you chose EAP-FAST with certificates or EAP-TLS and want the incoming certificate from the
client to be validated against the CA certificates on the controller, select the Check against CA
certificates check box. The default setting is enabled.
j.
If you chose EAP-FAST with certificates or EAP-TLS and want the common name (CN) in the
incoming certificate to be validated against the CA certificates’ CN on the controller, select the
Verify Certificate CN Identity check box. The default setting is disabled.
k.
If you chose EAP-FAST with certificates or EAP-TLS and want the controller to verify that the
incoming device certificate is still valid and has not expired, select the Check Certificate Date
Validity check box. The default setting is enabled.
Note
Certificate date validity is checked against the current UTC (GMT) time that is configured
on the controller. Timezone offset will be ignored.
l.
Click Apply to commit your changes.
Step 7
If you created an EAP-FAST profile, follow these steps to configure the EAP-FAST parameters:
a.
Choose Security > Local EAP > EAP-FAST Parameters to open the EAP-FAST Method
Parameters page.
b.
In the Server Key and Confirm Server Key text boxes, enter the key (in hexadecimal characters) used
to encrypt and decrypt PACs.
c.
In the Time to Live for the PAC text box, enter the number of days for the PAC to remain viable. The
valid range is 1 to 1000 days, and the default setting is 10 days.
d.
In the Authority ID text box, enter the authority identifier of the local EAP-FAST server in
hexadecimal characters. You can enter up to 32 hexadecimal characters, but you must enter an even
number of characters.
e.
In the Authority ID Information text box, enter the authority identifier of the local EAP-FAST server
in text format.
f.
If you want to enable anonymous provisioning, select the Anonymous Provision check box. This
feature allows PACs to be sent automatically to clients that do not have one during PAC
provisioning. If you disable this feature, PACS must be manually provisioned. The default setting is
enabled.
Note
If the local and/or client certificates are required and you want to force all EAP-FAST clients
to use certificates, unselect the Anonymous Provision check box.
g.
Click Apply to commit your changes.
Step 8
Enable local EAP on a WLAN as follows:
a.
Choose WLANs to open the WLANs page.
b.
Click the ID number of the desired WLAN.
c.
When the WLANs > Edit page appears, choose the Security > AAA Servers tabs to open the
WLANs > Edit (Security > AAA Servers) page.
d.
Select the Local EAP Authentication check box to enable local EAP for this WLAN.
e.
From the EAP Profile Name drop-down list, choose the EAP profile that you want to use for this
WLAN.
f.
If desired, choose the LDAP server that you want to use with local EAP on this WLAN from the
LDAP Servers drop-down lists.
g.
Click Apply to commit your changes.
Step 9
Click Save Configuration to save your changes.
Configuring Local EAP (CLI)
Note
EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC use certificates for authentication, and EAP-FAST
uses either certificates or PACs. The controller is shipped with Cisco-installed device and Certificate
Authority (CA) certificates. However, if you want to use your own vendor-specific certificates, they must
be imported on the controller.
Step 1
If you are configuring local EAP to use one of the EAP types listed in the note above, make sure that the
appropriate certificates and PACs (if you will use manual PAC provisioning) have been imported on the
controller.
Step 2
If you want the controller to retrieve user credentials from the local user database, make sure that you
have properly configured the local network users on the controller.
Step 3
If you want the controller to retrieve user credentials from an LDAP backend database, make sure that
you have properly configured an LDAP server on the controller.
Step 4
Specify the order in which user credentials are retrieved from the local and/or LDAP databases by
entering this command:
config local-auth user-credentials {local | ldap}
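The search order that this command sets (the same order described under Configuring LDAP earlier in this chapter) modeled as an added Python example. This is the editor's illustration, not code from the guide or from the controller; the two backends, the user names and the passwords are constructed stand-ins, and the only condition that triggers failover is an unreachable LDAP server, exactly as the note below states.

```python
"""Added example: the local EAP credential search order set by
`config local-auth user-credentials`, as this guide documents it.

  ldap local  -> LDAP first; the local user database is consulted only when
                 no LDAP server is reachable. A user LDAP cannot find is
                 rejected; the controller does not retry locally.
  local ldap  -> local user database only; LDAP is never consulted.

The backends are constructed stand-ins for the controller's databases.
"""
from dataclasses import dataclass


class LdapUnreachable(Exception):
    """No configured LDAP server answered (the only condition that triggers failover)."""


@dataclass
class LdapBackend:
    users: dict             # constructed sample directory: username -> password
    reachable: bool = True

    def authenticate(self, username: str, password: str) -> bool:
        if not self.reachable:
            raise LdapUnreachable("no LDAP server reachable")
        return self.users.get(username) == password


@dataclass
class LocalBackend:
    users: dict             # constructed sample local net users: username -> password

    def authenticate(self, username: str, password: str) -> bool:
        return self.users.get(username) == password


def local_eap_authenticate(order, ldap, local, username, password):
    """Return (accepted, source) for one local EAP credential lookup.

    `order` is the argument list given to `config local-auth user-credentials`,
    for example ("ldap", "local") or ("local", "ldap").
    """
    if order[0] == "local":
        # LOCAL on top: only the local database is searched; no LDAP fallback.
        return local.authenticate(username, password), "local"
    try:
        return ldap.authenticate(username, password), "ldap"
    except LdapUnreachable:
        if "local" in order[1:]:
            # Failover happens only on reachability failure, never on "user not found".
            return local.authenticate(username, password), "local-failover"
        return False, "ldap-unreachable"


def run_scenarios():
    """Constructed scenarios covering the cases the guide describes."""
    ldap_up = LdapBackend({"alice": "ldap-pw"})
    ldap_down = LdapBackend({"alice": "ldap-pw"}, reachable=False)
    local = LocalBackend({"bob": "local-pw"})
    return {
        # LDAP reachable but the user exists only locally: rejected, no failover.
        "ldap_local_user_only_local": local_eap_authenticate(
            ("ldap", "local"), ldap_up, local, "bob", "local-pw"),
        # LDAP unreachable: the local database answers.
        "ldap_local_ldap_down": local_eap_authenticate(
            ("ldap", "local"), ldap_down, local, "bob", "local-pw"),
        # LOCAL on top: LDAP is never consulted, so an LDAP-only user fails.
        "local_ldap_user_only_ldap": local_eap_authenticate(
            ("local", "ldap"), ldap_up, local, "alice", "ldap-pw"),
        # LDAP only, and down: nothing to fail over to.
        "ldap_only_down": local_eap_authenticate(
            ("ldap",), ldap_down, local, "bob", "local-pw"),
        # The normal path: LDAP reachable and the user is there.
        "ldap_local_ldap_user": local_eap_authenticate(
            ("ldap", "local"), ldap_up, local, "alice", "ldap-pw"),
    }


if __name__ == "__main__":
    for name, (accepted, source) in run_scenarios().items():
        print(f"{name:28s} accepted={str(accepted):5s} via {source}")
```

The first scenario is the one that surprises operators: a user who exists only in the local database is rejected while LDAP is healthy, because failover is keyed on reachability, not on lookup failure.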
Note
If you enter the config local-auth user-credentials ldap local command, local EAP attempts to
authenticate clients using the LDAP backend database and fails over to the local user database
if the LDAP servers are not reachable. If the user is not found, the authentication attempt is
rejected. If you enter the config local-auth user-credentials local ldap command, local EAP
attempts to authenticate using only the local user database. It does not fail over to the LDAP
backend database.
Step 5
Specify values for the local EAP timers by entering these commands:
•
config local-auth active-timeout timeout—Specifies the amount of time (in seconds) in which the
controller attempts to authenticate wireless clients using local EAP after any pair of configured
RADIUS servers fails. The valid range is 1 to 3600 seconds, and the default setting is 100 seconds.
•
config advanced eap identity-request-timeout timeout—Specifies the amount of time (in seconds)
in which the controller attempts to send an EAP identity request to wireless clients using local EAP.
The valid range is 1 to 120 seconds, and the default setting is 30 seconds.
•
config advanced eap identity-request-retries retries—Specifies the maximum number of times
that the controller attempts to retransmit the EAP identity request to wireless clients using local
EAP. The valid range is 1 to 20 retries, and the default setting is 20 retries.
•
config advanced eap key-index index—Specifies the key index used for dynamic wired equivalent
privacy (WEP). The default value is 0, which corresponds to a key index of 1; the valid values are 0
to 3 (key index of 1 to 4).
•
config advanced eap request-timeout timeout—Specifies the amount of time (in seconds) in which
the controller attempts to send an EAP request to wireless clients using local EAP. The valid range
is 1 to 120 seconds, and the default setting is 30 seconds.
•
config advanced eap request-retries retries—Specifies the maximum number of times that the
controller attempts to retransmit the EAP request to wireless clients using local EAP. The valid
range is 1 to 120 retries, and the default setting is 20 retries.
•
config advanced eap eapol-key-timeout timeout—Specifies the amount of time (in seconds) in
which the controller attempts to send an EAP key over the LAN to wireless clients using local EAP.
The valid range is 1 to 5 seconds, and the default setting is 1 second.
Note
If the controller and access point are separated by a WAN link, the default timeout of 1 second
may not be sufficient.
•
config advanced eap eapol-key-retries retries—Specifies the maximum number of times that the
controller attempts to send an EAP key over the LAN to wireless clients using local EAP. The valid
range is 0 to 4 retries, and the default setting is 2 retries.
•
config advanced eap max-login-ignore-identity-response {enable | disable}—When enabled,
this command limits the number of devices that can be connected to the controller with the same
username. You can log in up to eight times from different devices (PDA, laptop, IP phone, and so
on) on the same controller. The default value is enabled.
Step 6
Create a local EAP profile by entering this command:
config local-auth eap-profile add profile_name
Note
Do not include spaces within the profile name.
Note
To delete a local EAP profile, enter the config local-auth eap-profile delete profile_name
command.
Step 7
Add an EAP method to a local EAP profile by entering this command:
config local-auth eap-profile method add method profile_name
The supported methods are leap, fast, tls, and peap.
Note
If you choose peap, both PEAPv0/MSCHAPv2 and PEAPv1/GTC are enabled on the controller.
Note
You can specify more than one EAP type per profile. However, if you create a profile with
multiple EAP types that use certificates (such as EAP-FAST with certificates, EAP-TLS,
PEAPv0/MSCHAPv2, and PEAPv1/GTC), all of the EAP types must use the same certificate
(from either Cisco or another vendor).
Note
To delete an EAP method from a local EAP profile, enter the config local-auth eap-profile
method delete method profile_name command.
Step 8
Configure EAP-FAST parameters if you created an EAP-FAST profile by entering this command:
config local-auth method fast ?
where ? is one of the following:
•
anon-prov {enable | disable}—Configures the controller to allow anonymous provisioning, which
allows PACs to be sent automatically to clients that do not have one during PAC provisioning.
•
authority-id auth_id—Specifies the authority identifier of the local EAP-FAST server.
•
pac-ttl days—Specifies the number of days for the PAC to remain viable.
•
server-key key—Specifies the server key used to encrypt and decrypt PACs.
Step 9
Configure certificate parameters per profile by entering these commands:
•
config local-auth eap-profile method fast local-cert {enable | disable} profile_name—
Specifies whether the device certificate on the controller is required for authentication.
Note
This command applies only to EAP-FAST because device certificates are not used with
LEAP and are mandatory for EAP-TLS and PEAP.
•
config local-auth eap-profile method fast client-cert {enable | disable} profile_name—
Specifies whether wireless clients are required to send their device certificates to the controller in
order to authenticate.
Note
This command applies only to EAP-FAST because client certificates are not used with
LEAP or PEAP and are mandatory for EAP-TLS.
•
config local-auth eap-profile cert-issuer {cisco | vendor} profile_name—If you specified
EAP-FAST with certificates, EAP-TLS, or PEAP, specifies whether the certificates that will be sent
to the client are from Cisco or another vendor.
•
config local-auth eap-profile cert-verify ca-issuer {enable | disable} profile_name—If you chose
EAP-FAST with certificates or EAP-TLS, specifies whether the incoming certificate from the client
is to be validated against the CA certificates on the controller.
•
config local-auth eap-profile cert-verify cn-verify {enable | disable} profile_name—If you chose
EAP-FAST with certificates or EAP-TLS, specifies whether the common name (CN) in the
incoming certificate is to be validated against the CA certificates’ CN on the controller.
•
config local-auth eap-profile cert-verify date-valid {enable | disable} profile_name—If you
chose EAP-FAST with certificates or EAP-TLS, specifies whether the controller is to verify that the
incoming device certificate is still valid and has not expired.
Step 10
Enable local EAP and attach an EAP profile to a WLAN by entering this command:
config wlan local-auth enable profile_name wlan_id
Note
To disable local EAP for a WLAN, enter the config wlan local-auth disable wlan_id command.
Step 11
Save your changes by entering this command:
save config
Step 12
View information pertaining to local EAP by entering these commands:
•
show local-auth config—Shows the local EAP configuration on the controller. Information similar
to the following appears:
User credentials database search order:
    Primary ..................................... Local DB
Timer:
    Active timeout .............................. 300
Configured EAP profiles:
    Name ........................................ fast-cert
      Certificate issuer ........................ vendor
      Peer verification options:
        Check against CA certificates ........... Enabled
        Verify certificate CN identity .......... Disabled
        Check certificate date validity ......... Enabled
      EAP-FAST configuration:
        Local certificate required .............. Yes
        Client certificate required ............. Yes
      Enabled methods ........................... fast
      Configured on WLANs ....................... 1
    Name ........................................ tls
      Certificate issuer ........................ vendor
      Peer verification options:
        Check against CA certificates ........... Enabled
        Verify certificate CN identity .......... Disabled
        Check certificate date validity ......... Enabled
      EAP-FAST configuration:
        Local certificate required .............. No
        Client certificate required ............. No
      Enabled methods ........................... tls
      Configured on WLANs ....................... 2
EAP Method configuration:
  EAP-FAST:
    Server key ................................. <hidden>
    TTL for the PAC ............................ 10
    Anonymous provision allowed ................ Yes
    Accept client on auth prov ................. No
    Authority ID ............................... 436973636f0000000000000000000000
    Authority Information ...................... Cisco A-ID
•
show local-auth statistics—Shows the local EAP statistics.
•
show local-auth certificates—Shows the certificates available for local EAP.
•
show local-auth user-credentials—Shows the priority order that the controller uses when
retrieving user credentials from the local and/or LDAP databases.
•
show advanced eap—Shows the timer values for local EAP. Information similar to the following
appears:
EAP-Identity-Request Timeout (seconds)........... 1
EAP-Identity-Request Max Retries................. 20
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 20
EAP-Request Max Retries.......................... 20
EAPOL-Key Timeout (seconds)...................... 1
EAPOL-Key Max Retries............................ 2
•
show ap stats wlan Cisco_AP—Shows the EAP timeout and failure counters for a specific access
point for each WLAN. Information similar to the following appears:
WLAN 1
  EAP Id Request Msg Timeouts................... 0
  EAP Id Request Msg Timeouts Failures.......... 0
  EAP Request Msg Timeouts...................... 2
  EAP Request Msg Timeouts Failures............. 1
  EAP Key Msg Timeouts.......................... 0
  EAP Key Msg Timeouts Failures................. 0
WLAN 2
  EAP Id Request Msg Timeouts................... 1
  EAP Id Request Msg Timeouts Failures.......... 0
  EAP Request Msg Timeouts...................... 0
  EAP Request Msg Timeouts Failures............. 0
  EAP Key Msg Timeouts.......................... 3
  EAP Key Msg Timeouts Failures................. 1
•
show client detail client_mac—Shows the EAP timeout and failure counters for a specific
associated client. These statistics are useful in troubleshooting client association issues.
...
Client Statistics:
  Number of Bytes Received................... 10
  Number of Bytes Sent....................... 10
  Number of Packets Received................. 2
  Number of Packets Sent..................... 2
  Number of EAP Id Request Msg Timeouts...... 0
  Number of EAP Id Request Msg Failures...... 0
  Number of EAP Request Msg Timeouts......... 2
  Number of EAP Request Msg Failures......... 1
  Number of EAP Key Msg Timeouts............. 0
  Number of EAP Key Msg Failures............. 0
  Number of Policy Errors.................... 0
  Radio Signal Strength Indicator............ Unavailable
  Signal to Noise Ratio...................... Unavailable
•
show wlan wlan_id—Shows the status of local EAP on a particular WLAN.
Step 13
(Optional) Troubleshoot local EAP sessions by entering these commands:
•
debug aaa local-auth eap method {all | errors | events | packets | sm} {enable | disable}—
Enables or disables debugging of local EAP methods.
•
debug aaa local-auth eap framework {all | errors | events | packets | sm} {enable | disable}—
Enables or disables debugging of the local EAP framework.
Note
In these two debug commands, sm is the state machine.
•
clear stats local-auth—Clears the local EAP counters.
•
clear stats ap wlan Cisco_AP—Clears the EAP timeout and failure counters for a specific access
point for each WLAN.
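An added example, not from the guide or the controller: a Python audit that parses show local-auth config output like the one in Step 12 and flags profile settings that deserve a second look. The sample text is the guide's fast-cert profile plus a constructed "legacy" profile added here to exercise more rules. The audit rules are the editor's reading of the notes in Steps 6 through 9 (peer verification options apply where client certificates are actually received; Anonymous Provision should be off when EAP-FAST is meant to require certificates), plus one rule of the editor's own that flags LEAP.

```python
"""Added example (editor's code, not the guide's or the controller's): parse
show local-auth config output and flag local EAP profile settings worth a
second look. The sample is the guide's fast-cert profile plus a constructed
"legacy" profile added here to exercise more rules."""
import re

SAMPLE_SHOW_LOCAL_AUTH_CONFIG = """\
User credentials database search order:
    Primary ..................................... Local DB
Configured EAP profiles:
    Name ........................................ fast-cert
      Certificate issuer ........................ vendor
      Peer verification options:
        Check against CA certificates ........... Enabled
        Verify certificate CN identity .......... Disabled
        Check certificate date validity ......... Enabled
      EAP-FAST configuration:
        Local certificate required .............. Yes
        Client certificate required ............. Yes
      Enabled methods ........................... fast
      Configured on WLANs ....................... 1
    Name ........................................ legacy
      Certificate issuer ........................ cisco
      Peer verification options:
        Check against CA certificates ........... Disabled
        Verify certificate CN identity .......... Disabled
        Check certificate date validity ......... Disabled
      EAP-FAST configuration:
        Local certificate required .............. No
        Client certificate required ............. No
      Enabled methods ........................... leap peap
      Configured on WLANs .......................
EAP Method configuration:
  EAP-FAST:
    Server key ................................. <hidden>
    TTL for the PAC ............................ 10
    Anonymous provision allowed ................ Yes
"""

# "Key ...... value" lines; section headings without dot leaders are skipped.
LINE_RE = re.compile(r"^\s*(?P<key>[^.]+?)\s*\.{3,}\s*(?P<value>.*)$")
# Keys that belong to the profile whose "Name" line was seen last.
PROFILE_KEYS = {"Certificate issuer", "Check against CA certificates",
                "Verify certificate CN identity", "Check certificate date validity",
                "Local certificate required", "Client certificate required",
                "Enabled methods", "Configured on WLANs"}
CA_NOT_CHECKED = "client certificate is not checked against the CA certificates"
CN_NOT_VERIFIED = "certificate CN identity is not verified"
DATE_NOT_CHECKED = "certificate date validity is not checked"
ANON_WITH_CERTS = "EAP-FAST requires certificates but anonymous PAC provisioning is still allowed"
LEAP_ENABLED = "LEAP is enabled"
NO_WLAN = "profile is not attached to any WLAN"


def parse_local_auth_config(text):
    """Return (global settings dict, list of per-profile dicts)."""
    settings, profiles, current = {}, [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value").strip()
        if key == "Name":
            current = {"Name": value}
            profiles.append(current)
        elif current is not None and key in PROFILE_KEYS:
            current[key] = value
        else:
            settings[key] = value
    return settings, profiles


def audit_profiles(settings, profiles):
    """Return [(profile name, finding)]. Rules are the editor's reading of the
    guide: peer verification options matter only where client certificates are
    actually received (EAP-TLS, or EAP-FAST with Client Certificate Required),
    and Anonymous Provision should be off when EAP-FAST is meant to require
    certificates. Flagging LEAP is the editor's own rule, not the guide's."""
    anon_prov = settings.get("Anonymous provision allowed") == "Yes"
    findings = []
    for p in profiles:
        name = p["Name"]
        methods = set(p.get("Enabled methods", "").split())
        fast_client_cert = "fast" in methods and p.get("Client certificate required") == "Yes"
        if "tls" in methods or fast_client_cert:
            if p.get("Check against CA certificates") != "Enabled":
                findings.append((name, CA_NOT_CHECKED))
            if p.get("Verify certificate CN identity") != "Enabled":
                findings.append((name, CN_NOT_VERIFIED))
            if p.get("Check certificate date validity") != "Enabled":
                findings.append((name, DATE_NOT_CHECKED))
        needs_certs = p.get("Local certificate required") == "Yes" or fast_client_cert
        if "fast" in methods and needs_certs and anon_prov:
            findings.append((name, ANON_WITH_CERTS))
        if "leap" in methods:
            findings.append((name, LEAP_ENABLED))
        if not p.get("Configured on WLANs"):
            findings.append((name, NO_WLAN))
    return findings
```

Run against the guide's own fast-cert profile, the audit reports exactly the combination the Step 7 note warns about: both certificate requirements are set, yet Anonymous provision allowed is still Yes, so clients without a certificate can still obtain a PAC.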
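An added Python example, not code from the guide or the controller, that reads the per-WLAN counters from show ap stats wlan output (the guide's sample values, embedded here) and reports which local EAP timer from Step 5 governs the dominant timeout type. The mapping from counter to timer is the editor's reading of Step 5 and of the note that the 1 second EAPOL-Key default may be too short across a WAN link.

```python
"""Added example (editor's code, not the guide's): parse the per-WLAN EAP
counters from show ap stats wlan and point at the local EAP timer whose
timeouts dominate. The sample reproduces the counters shown in this guide;
the counter-to-timer mapping is the editor's reading of Step 5."""
import re

SAMPLE_SHOW_AP_STATS_WLAN = """\
WLAN 1
  EAP Id Request Msg Timeouts................... 0
  EAP Id Request Msg Timeouts Failures.......... 0
  EAP Request Msg Timeouts...................... 2
  EAP Request Msg Timeouts Failures............. 1
  EAP Key Msg Timeouts.......................... 0
  EAP Key Msg Timeouts Failures................. 0
WLAN 2
  EAP Id Request Msg Timeouts................... 1
  EAP Id Request Msg Timeouts Failures.......... 0
  EAP Request Msg Timeouts...................... 0
  EAP Request Msg Timeouts Failures............. 0
  EAP Key Msg Timeouts.......................... 3
  EAP Key Msg Timeouts Failures................. 1
"""

WLAN_RE = re.compile(r"^\s*WLAN\s+(\d+)\s*$")
COUNTER_RE = re.compile(r"^\s*EAP\s+(?P<name>.+?)\s*\.{3,}\s*(?P<value>\d+)\s*$")

# Which `config advanced eap ...` timer governs each timeout counter.
TIMER_FOR = {
    "Id Request Msg Timeouts": "identity-request-timeout / identity-request-retries",
    "Request Msg Timeouts": "request-timeout / request-retries",
    "Key Msg Timeouts": "eapol-key-timeout / eapol-key-retries",
}


def parse_ap_wlan_eap_stats(text):
    """Return {wlan_id: {counter name: int}} from show ap stats wlan output."""
    stats, wlan = {}, None
    for line in text.splitlines():
        m = WLAN_RE.match(line)
        if m:
            wlan = int(m.group(1))
            stats[wlan] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and wlan is not None:
            stats[wlan][m.group("name")] = int(m.group("value"))
    return stats


def dominant_timeout(counters):
    """Name of the timeout counter with the highest count, or None if all are zero."""
    name, count = max(((n, counters.get(n, 0)) for n in TIMER_FOR), key=lambda kv: kv[1])
    return name if count > 0 else None


def triage(stats):
    """Map each WLAN that saw timeouts to (dominant counter, its failures, timer to review)."""
    result = {}
    for wlan, counters in stats.items():
        name = dominant_timeout(counters)
        if name is None:
            continue
        failures = counters.get(name + " Failures", 0)
        result[wlan] = (name, failures, TIMER_FOR[name])
    return result


if __name__ == "__main__":
    for wlan, (name, failures, timer) in sorted(
            triage(parse_ap_wlan_eap_stats(SAMPLE_SHOW_AP_STATS_WLAN)).items()):
        wan_hint = " (AP behind a WAN link? see the EAPOL-Key timeout note)" if name == "Key Msg Timeouts" else ""
        print(f"WLAN {wlan}: {name} dominate, {failures} failed; review {timer}{wan_hint}")
```

On the guide's sample, WLAN 1 is losing EAP requests (review request-timeout and request-retries) while WLAN 2 is losing EAPOL-Key messages, the pattern the note under Step 5 associates with a controller and access point separated by a WAN link. Clear the counters with clear stats ap wlan after changing a timer so the next reading reflects only the new setting.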
Additional References
See Chapter 11, “Managing Controller Software and Configurations,” for instructions on importing
certificates and PACs.
See the “Configuring Local Network Users on the Controller” section on page 7-27 for instructions.
See the “Configuring LDAP” section on page 7-31 for instructions.
Configuring the System for SpectraLink NetLink Telephones
This section contains the following topics:
•
Information About SpectraLink NetLink Telephones, page 7-47
•
Configuring SpectraLink NetLink Phones, page 7-47
Information About SpectraLink NetLink Telephones
For the best integration with the Cisco UWN solution, SpectraLink NetLink Telephones require an extra
operating system configuration step: enable long preambles. The radio preamble (sometimes called a
header) is a section of data at the head of a packet that contains information that wireless devices need
when sending and receiving packets. Short preambles improve throughput performance, so they are
enabled by default. However, some wireless devices, such as SpectraLink NetLink phones, require long
preambles.
Configuring SpectraLink NetLink Phones
This section contains the following topics:
•
Enabling Long Preambles (GUI), page 7-47
•
Enabling Long Preambles (CLI), page 7-48
•
Configuring Enhanced Distributed Channel Access (CLI), page 7-49
Enabling Long Preambles (GUI)
Step 1
Choose Wireless > 802.11b/g/n > Network to open the 802.11b/g Global Parameters page.
Step 2
If the Short Preamble check box is selected, continue with this procedure. However, if the Short
Preamble check box is unselected (which means that long preambles are enabled), the controller is
already optimized for SpectraLink NetLink phones and you do not need to continue this procedure.
Step 3
Unselect the Short Preamble check box to enable long preambles.
Step 4
Click Apply to update the controller configuration.
Note
If you do not already have an active CLI session to the controller, we recommend that you start
a CLI session to reboot the controller and watch the reboot process. A CLI session is also useful
because the GUI loses its connection when the controller reboots.
Step 5
Choose Commands > Reboot > Reboot > Save and Reboot to reboot the controller. Click OK in
response to this prompt:
Configuration will be saved and the controller will be rebooted. Click ok to confirm.
The controller reboots.
Step 6
Log back into the controller GUI to verify that the controller is properly configured.
Step 7
Choose Wireless > 802.11b/g/n > Network to open the 802.11b/g Global Parameters page. If the Short
Preamble check box is unselected, the controller is optimized for SpectraLink NetLink phones.
Enabling Long Preambles (CLI)
Step 1
Log on to the controller CLI.
Step 2
Enter the show 802.11b command and check the Short Preamble mandatory parameter. If the
parameter indicates that short preambles are enabled, continue with this procedure. This example shows
that short preambles are enabled:
Short Preamble mandatory....................... Enabled
However, if the parameter shows that short preambles are disabled (which means that long preambles
are enabled), the controller is already optimized for SpectraLink NetLink phones and you do not need
to continue this procedure.
Step 3
Disable the 802.11b/g network by entering this command:
config 802.11b disable network
You cannot enable long preambles on the 802.11a network.
Step 4
Enable long preambles by entering this command:
config 802.11b preamble long
Step 5
Reenable the 802.11b/g network by entering this command:
config 802.11b enable network
Step 6
Enter the reset system command to reboot the controller. Enter y at the prompt to save the system
changes. The controller reboots.
Step 7
Verify that the controller is properly configured by logging back into the CLI and entering the show
802.11b command to view these parameters:
802.11b Network................................ Enabled
Short Preamble mandatory....................... Disabled
These parameters show that the 802.11b/g network is enabled and that short preambles are disabled.
Configuring Enhanced Distributed Channel Access (CLI)
To configure 802.11 enhanced distributed channel access (EDCA) parameters to support SpectraLink
phones, enter this command:
config advanced edca-parameters {svp-voice | wmm-default}
where svp-voice enables SpectraLink voice priority (SVP) parameters and wmm-default enables wireless
multimedia (WMM) default parameters.
Note
To propagate this command to all access points connected to the controller, make sure to disable and then
reenable the 802.11b/g network after entering this command.
Configuring RADIUS NAC Support
This section contains the following topics:
• Information About RADIUS NAC Support, page 7-49
• Guidelines and Limitations, page 7-50
• Configuring RADIUS NAC Support (GUI), page 7-51
• Configuring RADIUS NAC Support (CLI), page 7-51
Information About RADIUS NAC Support
The Cisco Identity Services Engine (ISE) is a next-generation, context-based access control solution that
provides the functions of Cisco Secure Access Control System (ACS) and Cisco Network Admission
Control (NAC) in one integrated platform.
ISE has been introduced in the 7.0.116.0 release of the Cisco Unified Wireless Network. ISE can be used
to provide advanced security for your deployed network. It is an authentication server that you can
configure on your controller. When a client associates to the controller on a RADIUS NAC–enabled
WLAN, the controller forwards the request to the ISE server.
The ISE server validates the user against its database and, on successful authentication, returns the
redirect URL and pre-authentication ACL to the controller, which applies them to the client. The client
then moves to the Posture Required state and is redirected to the URL returned by the ISE server. The
NAC agent on the client triggers the posture validation process. On successful posture validation by
the ISE server, the client is moved to the RUN state.
Device Registration
To get devices such as tablets or smart phones to be connected to the corporate wireless network, the
device must first be registered. The device is registered with the ISE server before being allowed
complete access. Device registration occurs in an open WLAN with MAC filtering enabled before it is
connected to the corporate network WLAN.
Central Web Authentication
In the case of Central Web Authentication (CWA), the web authentication occurs on the ISE server. The
web portal on the ISE server provides a login page to the client. Once the credentials are verified on the
ISE server, the client is provisioned. The client remains in the POSTURE_REQD state until a change of
authorization (CoA) is received. The redirect URL and ACLs are received from the ISE server.
Local Web Authentication
In the case of Local Web Authentication (LWA), the controller provides a web-auth login page against
which the username and password are verified. Once the client credentials are verified, the ISE server
returns the restricted ACL and the redirect URL, which are applied to the client.
The client remains in the POSTURE_REQD state until a change of authorization (CoA) is received.
Table 7-8 describes the possible combinations in a typical ISE deployment with device registration,
CWA, and LWA enabled.
Guidelines and Limitations
• A RADIUS NAC-enabled WLAN supports Open Authentication and MAC filtering. If you are using
local web authentication with RADIUS NAC, the Layer 3 web authentication must also be enabled.
• In local web authentication, the Web Auth priority order must be configured as RADIUS.
• RADIUS NAC functionality does not work if the configured accounting server is different from the
authentication (ISE) server. You should configure the same server as the authentication and
accounting server if ISE functions are used. If ISE is used only for ACS functionality, the accounting
server can be flexible. Dot1x authentication must be enabled.
• When clients move from one WLAN to another, the controller retains the client’s audit session ID
if it returns to the WLAN before the idle timeout occurs. As a result, when the clients join the
controller before the idle timeout session expires, they are immediately moved to the RUN state. The
clients are validated again if they reassociate with the controller after the session timeout.
• Suppose you have two WLANs, where WLAN 1 is configured on a controller (WLC1) and WLAN2
is configured on another controller (WLC2) and both are RADIUS NAC enabled. The client first
connects to WLC1 and moves to the RUN state after posture validation. Assume that the client now
moves to WLC2. If the client connects back to WLC1 before the PMK expires for this client in
WLC1, the posture validation is skipped for the client. The client directly moves to the RUN state
and bypasses the posture validation because the controller retains the old audit session ID for the
client that is already known to ISE.
• When deploying RADIUS NAC in your wireless network, do not configure a primary and secondary
ISE server. Instead, we recommend that you configure HA between the two ISE servers. Having a
primary and secondary ISE setup will require a posture validation to happen before the clients move
to the RUN state. If HA is configured, the client is automatically moved to the RUN state in the
fallback ISE server.
• The controller software configured with RADIUS NAC does not support a change of authorization
(CoA) on the service port.
• Do not swap AAA server indexes in a live network because clients might get disconnected and have
to reconnect to the RADIUS server, which can generate additional log messages on the ISE server.
• You must enable AAA override on the WLAN to use RADIUS NAC.
• WPA and WPA2 or dot1X must be enabled on the WLAN.
• During slow roaming, the client goes through posture validation.
• Guest tunneling mobility is not supported for ISE NAC–enabled WLANs.
• VLAN select is not supported.
• Workgroup bridges are not supported.
• The AP Group over NAC is not supported over RADIUS NAC.
• FlexConnect local switching is not supported.
• With RADIUS NAC enabled, the RADIUS server overwrite interface is not supported.
Configuring RADIUS NAC Support (GUI)
Step 1
Choose the WLANs tab.
Step 2
Click the WLAN ID of the WLAN for which you want to enable ISE.
The WLANs > Edit page appears.
Step 3
Click the Advanced tab.
Step 4
From the NAC State drop-down list, choose Radius NAC:
• SNMP NAC—Uses SNMP NAC for the WLAN.
• Radius NAC—Uses Radius NAC for the WLAN.
Note
AAA override is automatically enabled when you use RADIUS NAC on a WLAN.
Step 5
Click Apply.
Configuring RADIUS NAC Support (CLI)
config wlan nac radius {enable | disable} wlan wlan_id
Using Management Over Wireless
This section contains the following topics:
• Information About Management Over Wireless, page 7-52
• Enabling Management over Wireless (GUI), page 7-52
• Enabling Management over Wireless (CLI), page 7-52
Information About Management Over Wireless
The management over wireless feature allows you to monitor and configure local controllers using a
wireless client. This feature is supported for all management tasks except uploads to and downloads from
(transfers to and from) the controller.
Enabling Management over Wireless (GUI)
Step 1
Choose Management > Mgmt Via Wireless to open the Management Via Wireless page.
Step 2
Select the Enable Controller Management to be accessible from Wireless Clients check box to enable
management over wireless for the WLAN or unselect it to disable this feature. The default value is
unselected.
Step 3
Click Apply to commit your changes.
Step 4
Click Save Configuration to save your changes.
Enabling Management over Wireless (CLI)
Step 1
Verify whether the management over wireless feature is enabled or disabled by entering this command:
show network summary
If disabled, continue with Step 2. Otherwise, continue with Step 3.
Step 2
Enable management over wireless by entering this command:
config network mgmt-via-wireless enable
Step 3
Use a wireless client to associate with an access point connected to the controller that you want to
manage.
Step 4
Log into the CLI to verify that you can manage the WLAN using a wireless client by entering this
command:
telnet controller-ip-address
If Telnet is disabled on the controller (the recommended state, because Telnet sends credentials in
clear text), open an SSH session to the controller IP address instead.
Using Dynamic Interfaces for Management
This section contains the following topics:
• Information About Using Dynamic Interfaces for Management, page 7-53
• Enabling Management using Dynamic Interfaces (CLI), page 7-53
Information About Using Dynamic Interfaces for Management
You can access the controller with one of its dynamic interface IP addresses. While wired computers can
have only CLI access with the dynamic interface of the WLC, wireless clients have both CLI and GUI
access with the dynamic interface.
When management using dynamic interfaces is disabled, a device can still open an SSH connection to a
dynamic interface address if the protocol is enabled, but users are not prompted to log on. Additionally,
the management address remains reachable from a dynamic interface VLAN unless a CPU ACL is in
place.
Enabling Management using Dynamic Interfaces (CLI)
config network mgmt-via-dynamic-interface {enable | disable}
Note
When the management using dynamic interfaces feature is disabled, ensure that ports 22 and 443 on the
dynamic interface are closed. Use the config network ssh disable command to close port 22; and use
the config network secureweb disable command to close port 443.
Configuring DHCP Option 82
This section contains the following topics:
• Information About DHCP Option 82, page 7-53
• Guidelines and Limitations, page 7-54
• Configuring DHCP Option 82 (GUI), page 7-54
• Configuring DHCP Option 82 (CLI), page 7-55
• Additional References, page 7-56
Information About DHCP Option 82
DHCP option 82 provides additional security when DHCP is used to allocate network addresses.
Specifically, it enables the controller to act as a DHCP relay agent to prevent DHCP client requests from
untrusted sources. The controller can be configured to add option 82 information to DHCP requests from
clients before forwarding the requests to the DHCP server.
Figure 7-10
DHCP Option 82
[Figure: a PC or PDA with an 802.11 client and IP soft-phone, and an IP phone, on the 802.11 WLAN send
DHCP requests through the access point to the controller (DHCP relay agent); the controller adds the
option 82 payload to the request and forwards it to the DHCP server.]
The access point forwards all DHCP requests from a client to the controller. The controller adds the
DHCP option 82 payload and forwards the request to the DHCP server. The payload can contain the
MAC address or the MAC address and SSID of the access point, depending on how you configure this
option.
Note
Any DHCP packets that already include a relay agent option are dropped at the controller.
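The relay-agent behaviour described above, as an added example in Python that is not part of the Cisco guide: it builds the option 82 Relay Agent Information option (RFC 3046) with a remote-id sub-option in the ap_mac or ap_mac:ssid style, parses a client's DHCP options field, and applies the rule that a request already carrying option 82 is dropped rather than re-tagged. The byte layout of the remote-id is an assumption for illustration (the page names the formats but not their encoding), and the client DHCPDISCOVER options are constructed.

```python
"""
Added example (not from the Cisco guide): build and inspect the DHCP
Relay Agent Information option (option 82, RFC 3046) the way a relay
agent such as the controller would, and apply the rule on this page
that a request already carrying option 82 is dropped.
The remote-id encodings are assumptions for illustration; the
controller's actual byte layout is not documented on this page.
"""
from __future__ import annotations

OPT_PAD, OPT_END = 0, 255
OPT_RELAY_AGENT = 82            # RFC 3046 "Relay Agent Information"
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_options(blob: bytes) -> list[tuple[int, bytes]]:
    """Decode the DHCP options field (code, length, value TLVs) into a list.
    Pad bytes are skipped and decoding stops at the End option."""
    out, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out.append((code, value))
        i += 2 + length
    return out


def encode_options(options: list[tuple[int, bytes]]) -> bytes:
    """Encode (code, value) pairs as TLVs and terminate with End."""
    buf = bytearray()
    for code, value in options:
        if len(value) > 255:
            raise ValueError("option value too long")
        buf += bytes([code, len(value)]) + value
    buf.append(OPT_END)
    return bytes(buf)


def remote_id(ap_mac: str, ssid: str | None = None, fmt: str = "ap_mac") -> bytes:
    """Build the remote-id payload for the formats named on the page.
    Assumed encoding: ap_mac (and ap-ethmac, with the AP's Ethernet MAC
    supplied by the caller) -> the 6 raw MAC bytes; ap_mac:ssid -> the raw
    MAC followed by the SSID bytes."""
    mac = bytes.fromhex(ap_mac.replace(":", ""))
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    if fmt in ("ap_mac", "ap-ethmac"):
        return mac
    if fmt == "ap_mac:ssid":
        if ssid is None:
            raise ValueError("ssid required for ap_mac:ssid")
        return mac + ssid.encode()
    raise ValueError(f"unknown remote-id format {fmt!r}")


def build_option82(rid: bytes, circuit_id: bytes | None = None) -> bytes:
    """Assemble the option 82 value from its sub-options."""
    subs = bytearray()
    if circuit_id is not None:
        subs += bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    subs += bytes([SUB_REMOTE_ID, len(rid)]) + rid
    return bytes(subs)


def parse_option82(value: bytes) -> dict[int, bytes]:
    """Split an option 82 value into {sub-option code: payload}."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option")
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        if len(subs[code]) != length:
            raise ValueError("truncated sub-option value")
        i += 2 + length
    return subs


def relay(options_blob: bytes, rid: bytes) -> bytes | None:
    """Relay-agent decision for one client request: return None (drop) if
    the request already carries option 82, otherwise append option 82 and
    return the re-encoded options field to forward to the DHCP server."""
    opts = parse_options(options_blob)
    if any(code == OPT_RELAY_AGENT for code, _ in opts):
        return None
    opts.append((OPT_RELAY_AGENT, build_option82(rid)))
    return encode_options(opts)


# Constructed sample: DHCPDISCOVER options from a wireless client
# (message type 53 = DISCOVER, client-id 61, parameter request list 55).
CLIENT_DISCOVER = encode_options([
    (53, b"\x01"),
    (61, b"\x01" + bytes.fromhex("001122334455")),
    (55, bytes([1, 3, 6, 15])),
])

if __name__ == "__main__":
    rid = remote_id("00:0a:88:25:10:c4", "corp-voice", "ap_mac:ssid")
    forwarded = relay(CLIENT_DISCOVER, rid)
    print(parse_option82(dict(parse_options(forwarded))[OPT_RELAY_AGENT]))
    # A request that already carries option 82 is dropped (None).
    print(relay(forwarded, rid))
```

The drop rule matters for security: a client that forges option 82 in its own request could otherwise impersonate an access point or SSID towards a DHCP server that makes allocation decisions on the remote-id, so the relay refuses to forward such requests instead of overwriting the option.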
Guidelines and Limitations
DHCP option 82 is not supported for use with auto-anchor mobility, which is described in Chapter 15,
“Configuring Mobility Groups.”
In controller software release 4.0 or later releases, you can configure DHCP option 82 using the
controller CLI. In controller software release 6.0 or later releases, you can configure this feature using
either the GUI or CLI.
Configuring DHCP Option 82 (GUI)
Step 1
Choose Controller > Advanced > DHCP to open the DHCP Parameters page.
Figure 7-11
DHCP Parameters Page
Step 2
Select the Enable DHCP Proxy check box to enable DHCP proxy.
Step 3
Choose one of the following options from the DHCP Option 82 Remote ID text box Format drop-down
list to specify the format of the DHCP option 82 payload:
• AP-MAC—Adds the MAC address of the access point to the DHCP option 82 payload. This is the
default value.
• AP-MAC-SSID—Adds the MAC address and SSID of the access point to the DHCP option 82
payload.
• AP-ETHMAC—Adds the Ethernet MAC address of the access point to the DHCP option 82
payload.
Note
If the SSID is associated with a dynamic interface, then the DHCP Option 82 that you configure
must be enabled on the dynamic interface.
Step 4
Click Apply to commit your changes.
Step 5
Click Save Configuration to save your changes.
Configuring DHCP Option 82 (CLI)
• Configure the format of the DHCP option 82 payload by entering one of these commands:
– config dhcp opt-82 remote-id ap_mac
This command adds the MAC address of the access point to the DHCP option 82 payload.
– config dhcp opt-82 remote-id ap_mac:ssid
This command adds the MAC address and SSID of the access point to the DHCP option 82
payload.
– config dhcp opt-82 remote-id ap-ethmac
This command adds the Ethernet MAC address of the access point to the DHCP option 82 payload.
• Override the global DHCP option 82 setting and disable (or enable) this feature for the AP-manager
or management interface on the controller by entering this command:
config interface dhcp {ap-manager | management} option-82 {disable | enable}
• See the status of DHCP option 82 on the controller by entering the show interface detailed
ap-manager command. Information similar to the following appears:
Interface Name................................. ap-manager
MAC Address.................................... 00:0a:88:25:10:c4
IP Address..................................... 10.30.16.13
IP Netmask..................................... 255.255.248.0
IP Gateway..................................... 10.30.16.1
External NAT IP State.......................... Disabled
External NAT IP Address........................ 0.0.0.0
External NAT IP Netmask........................ 0.0.0.0
VLAN........................................... untagged
Active Physical Port........................... LAG (29)
Primary Physical Port.......................... LAG (29)
Backup Physical Port........................... Unconfigured
Primary DHCP Server............................ 10.1.0.10
Secondary DHCP Server.......................... Unconfigured
DHCP Option 82................................. Enabled
ACL............................................ Unconfigured
AP Manager..................................... Yes
Guest Interface................................ No
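A small helper, added here as an example and not part of the Cisco guide, that turns the controller's dotted-leader show output into a dictionary and checks it against the expected state, so the verification steps on this page (Short Preamble mandatory Disabled after the reboot in the Enabling Long Preambles (CLI) procedure, DHCP Option 82 Enabled on the ap-manager interface above) can be scripted across many controllers rather than read by eye. The sample outputs are constructed from the lines printed in this section; how the output is collected (an SSH session to the controller, for instance) is left to the caller.

```python
"""
Added example (not from the Cisco guide): parse the controller's
dotted-leader "show" output into a dictionary and check it against the
expected state described on this page. Sample outputs are constructed
from the lines shown in this section.
"""
from __future__ import annotations
import re

# "Key............................................ Value"
_LEADER = re.compile(r"^(?P<key>.*?)\.{2,}\s*(?P<value>.*)$")


def parse_show(text: str) -> dict[str, str]:
    """Return {key: value} for every dotted-leader line; other lines
    (headings, blank lines, prompts) are ignored."""
    result = {}
    for line in text.splitlines():
        m = _LEADER.match(line.strip())
        if m:
            result[m.group("key").strip()] = m.group("value").strip()
    return result


def check_expected(parsed: dict[str, str], expected: dict[str, str]) -> list[str]:
    """Compare parsed output with expected key/value pairs (values compared
    case-insensitively). Returns human-readable findings; an empty list
    means the controller matches the expected state."""
    findings = []
    for key, want in expected.items():
        got = parsed.get(key)
        if got is None:
            findings.append(f"{key}: not present in output")
        elif got.lower() != want.lower():
            findings.append(f"{key}: expected {want!r}, got {got!r}")
    return findings


# Constructed samples based on the outputs shown on this page.
SHOW_80211B_BEFORE = """\
802.11b Network................................ Enabled
Short Preamble mandatory....................... Enabled
"""
SHOW_80211B_AFTER = """\
802.11b Network................................ Enabled
Short Preamble mandatory....................... Disabled
"""
SHOW_INTERFACE_AP_MANAGER = """\
Interface Name................................. ap-manager
MAC Address.................................... 00:0a:88:25:10:c4
IP Address..................................... 10.30.16.13
Primary DHCP Server............................ 10.1.0.10
DHCP Option 82................................. Enabled
ACL............................................ Unconfigured
"""

# Expected state for a controller serving SpectraLink NetLink phones
# (long preambles) with DHCP option 82 insertion turned on.
EXPECTED_80211B = {"802.11b Network": "Enabled", "Short Preamble mandatory": "Disabled"}
EXPECTED_AP_MANAGER = {"DHCP Option 82": "Enabled"}


def netlink_ready(show_80211b_output: str) -> bool:
    """True when the 802.11b/g network is up with long preambles, i.e. the
    state the page calls already optimized for NetLink phones."""
    return not check_expected(parse_show(show_80211b_output), EXPECTED_80211B)


if __name__ == "__main__":
    print(check_expected(parse_show(SHOW_80211B_BEFORE), EXPECTED_80211B))
    print(netlink_ready(SHOW_80211B_AFTER))
    print(check_expected(parse_show(SHOW_INTERFACE_AP_MANAGER), EXPECTED_AP_MANAGER))
```

The key regex stops at the first run of two or more dots, so keys that contain a single dot (802.11b Network) and values that contain dots (IP addresses, netmasks) are both handled; feed the function the raw text of any show command that uses this layout.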
Additional References
Note
In order for DHCP option 82 to operate correctly, DHCP proxy must be enabled. See the “Configuring
DHCP Proxy” section on page 4-37 for instructions on configuring DHCP proxy.
Configuring and Applying Access Control Lists
This section contains the following topics:
• Information About Access Control Lists, page 7-56
• Guidelines and Limitations, page 7-56
• Configuring and Applying Access Control Lists (GUI), page 7-57
• Configuring and Applying Access Control Lists (CLI), page 7-63
Information About Access Control Lists
An access control list (ACL) is a set of rules used to limit access to a particular interface (for example,
if you want to restrict a wireless client from pinging the management interface of the controller). After
ACLs are configured on the controller, they can be applied to the management interface, the AP-manager
interface, any of the dynamic interfaces, or a WLAN to control data traffic to and from wireless clients
or to the controller central processing unit (CPU) to control all traffic destined for the CPU.
You may also want to create a preauthentication ACL for web authentication. Such an ACL could be used
to allow certain types of traffic before authentication is complete.
Both IPv4 and IPv6 ACLs are supported. IPv6 ACLs support the same options as IPv4 ACLs, including
source and destination addresses and source and destination ports.
Note
You can enable only IPv4 traffic in your network by blocking IPv6 traffic. That is, you can configure an
IPv6 ACL to deny all IPv6 traffic and apply it on specific or all WLANs.
Guidelines and Limitations
• You can define up to 64 ACLs, each with up to 64 rules (or filters) for both IPv4 and IPv6. Each rule
has parameters that affect its action. When a packet matches all of the parameters for a rule, the
action set for that rule is applied to the packet.
• When you apply CPU ACLs on a Cisco 5500 Series Controller or a Cisco WiSM2, you must permit
traffic towards the virtual interface IP address for web authentication.
• ACLs in your network might need to be modified if CAPWAP uses different ports than LWAPP.
• Adding an ACL on the controller results in the degradation of throughput and could even result in
packet loss.
• All ACLs have an implicit “deny all” rule as the last rule. If a packet does not match any of the rules,
it is dropped by the controller.
• If you are using an external web server with a Cisco 5500 Series Controller or a controller network
module, you must configure a preauthentication ACL on the WLAN for the external web server.
• ACL counters are available only on the following controllers: 5500 series, 2500 series, Cisco
WiSM2 and 7500 series Wireless LAN Controller Switch.
• If you apply an ACL to an interface or a WLAN, wireless throughput is degraded when downloading
from a 1-Gbps file server. To improve throughput, remove the ACL from the interface or WLAN,
move the ACL to a neighboring wired device with a policy rate-limiting restriction, or connect the
file server using 100 Mbps rather than 1 Gbps.
• Multicast traffic received from wired networks that is destined to wireless clients is not processed
by WLC ACLs. Multicast traffic initiated from wireless clients, destined to wired networks or other
wireless clients on the same controller, is processed by WLC ACLs.
• ACLs are configured on the controller directly or configured through NCS templates. The ACL
name must be unique.
Configuring and Applying Access Control Lists (GUI)
This section contains the following topics:
• Configuring Access Control Lists, page 7-57
• Applying an Access Control List to an Interface, page 7-60
• Applying an Access Control List to the Controller CPU, page 7-61
• Applying an Access Control List to a WLAN, page 7-61
Configuring Access Control Lists
Step 1
Choose Security > Access Control Lists > Access Control Lists to open the Access Control Lists page.
Figure 7-12
Access Control Lists Page
This page lists all of the ACLs and their types (IPv4 or IPv6) that have been configured for this
controller.
Note
If you want to delete an existing ACL, hover your cursor over the blue drop-down arrow for that
ACL and choose Remove.
Step 2
If you want to see if packets are hitting any of the ACLs configured on your controller, select the Enable
Counters check box and click Apply. Otherwise, leave the check box unselected, which is the default
value. This feature is useful when troubleshooting your system.
Note
If you want to clear the counters for an ACL, hover your cursor over the blue drop-down arrow
for that ACL and choose Clear Counters.
Step 3
Add a new ACL by clicking New. The Access Control Lists > New page appears.
Step 4
In the Access Control List Name text box, enter a name for the new ACL. You can enter up to 32
alphanumeric characters.
Step 5
Choose the ACL type. There are two ACL types: IPv4 and IPv6.
Step 6
Click Apply. When the Access Control Lists page reappears, click the name of the new ACL.
Step 7
When the Access Control Lists > Edit page appears, click Add New Rule. The Access Control Lists >
Rules > New page appears.
Step 8
Configure a rule for this ACL as follows:
a.
The controller supports up to 64 rules for each ACL. These rules are listed in order from 1 to 64. In
the Sequence text box, enter a value (between 1 and 64) to determine the order of this rule in relation
to any other rules defined for this ACL.
Note
If rules 1 through 4 are already defined and you add rule 29, it is added as rule 5. If you add
or change a sequence number for a rule, the sequence numbers for other rules adjust to
maintain a continuous sequence. For instance, if you change a rule’s sequence number from
7 to 5, the rules with sequence numbers 5 and 6 are automatically reassigned as 6 and 7,
respectively.
b.
From the Source drop-down list, choose one of these options to specify the source of the packets to
which this ACL applies:
• Any—Any source (this is the default value).
• IP Address—A specific source. If you choose this option, enter the IP address and netmask of
the source in the text boxes. If you are configuring an IPv6 ACL, enter the IPv6 address and
prefix length of the source in the text boxes.
c.
From the Destination drop-down list, choose one of these options to specify the destination of the
packets to which this ACL applies:
• Any—Any destination (this is the default value).
• IP Address—A specific destination. If you choose this option, enter the IP address and netmask
of the destination in the text boxes. If you are configuring an IPv6 ACL, enter the IPv6 address
and prefix length of the destination in the text boxes.
d.
From the Protocol drop-down list, choose the protocol ID of the IP packets to be used for this ACL.
These are the protocol options:
• Any—Any protocol (this is the default value)
• TCP—Transmission Control Protocol
• UDP—User Datagram Protocol
• ICMP/ICMPv6—Internet Control Message Protocol
Note
ICMPv6 is only available for IPv6 ACLs.
• ESP—IP Encapsulating Security Payload
• AH—Authentication Header
• GRE—Generic Routing Encapsulation
• IP in IP—Internet Protocol (IP) in IP (permits or denies IP-in-IP packets)
• Eth Over IP—Ethernet-over-Internet Protocol
• OSPF—Open Shortest Path First
• Other—Any other Internet Assigned Numbers Authority (IANA) protocol
Note
If you choose Other, enter the number of the desired protocol in the Protocol text box.
You can find the list of assigned protocol numbers on the IANA website.
Note
The controller can permit or deny only IP packets in an ACL. Other types of packets (such as ARP
packets) cannot be specified.
e.
If you chose TCP or UDP in the previous step, two additional parameters appear: Source Port and
Destination Port. These parameters enable you to choose a specific source port and destination port
or port ranges. The port options are used by applications that send and receive data to and from the
networking stack. Some ports are designated for certain applications such as Telnet, SSH, HTTP,
and so on.
Note
The Source and Destination port parameters that appear depend on the ACL type (IPv4 or IPv6).
f.
From the DSCP drop-down list, choose one of these options to specify the differentiated services
code point (DSCP) value of this ACL. DSCP is an IP header field that can be used to define the
quality of service across the Internet.
• Any—Any DSCP (this is the default value)
• Specific—A specific DSCP from 0 to 63, which you enter in the DSCP edit box
g.
From the Direction drop-down list, choose one of these options to specify the direction of the traffic
to which this ACL applies:
• Any—Any direction (this is the default value)
• Inbound—From the client
• Outbound—To the client
Note
If you are planning to apply this ACL to the controller CPU, the packet direction does not
have any significance; it is always ‘Any’.
h.
From the Action drop-down list, choose Deny to cause this ACL to block packets or Permit to cause
this ACL to allow packets. The default value is Deny.
i.
Click Apply to commit your changes. The Access Control Lists > Edit page reappears, showing the
rules for this ACL.
The Deny Counters field shows the number of times that packets have matched the explicit deny
ACL rule. The Number of Hits field shows the number of times that packets have matched an ACL
rule. You must enable ACL counters on the Access Control Lists page to enable these fields.
Note
If you want to edit a rule, click the sequence number of the desired rule to open the Access
Control Lists > Rules > Edit page. If you want to delete a rule, hover your cursor over the
blue drop-down arrow for the desired rule and choose Remove.
j.
Repeat this procedure to add any additional rules for this ACL.
Step 9
Click Save Configuration to save your changes.
Step 10
Repeat this procedure to add any additional ACLs.
Applying an Access Control List to an Interface
Step 1
Choose Controller > Interfaces.
Step 2
Click the name of the desired interface. The Interfaces > Edit page for that interface appears.
Figure 7-13
Interfaces > Edit Page
Step 3
From the ACL Name drop-down list, choose the desired ACL and click Apply. The default is None.
Note
Only IPv4 ACLs are supported as interface ACLs. See Chapter 4, “Configuring Ports and
Interfaces,” for more information on configuring controller interfaces.
Step 4
Click Save Configuration to save your changes.
Applying an Access Control List to the Controller CPU
Step 1
Choose Security > Access Control Lists > CPU Access Control Lists to open the CPU Access Control
Lists page.
Step 2
Select the Enable CPU ACL check box to enable a designated ACL to control the traffic to the controller
CPU or unselect the check box to disable the CPU ACL feature and remove any ACL that had been
applied to the CPU. The default value is unselected.
Step 3
From the ACL Name drop-down list, choose the ACL that will control the traffic to the controller CPU.
None is the default value when the CPU ACL feature is disabled. If you choose None while the CPU
ACL Enable check box is selected, an error message appears indicating that you must choose an ACL.
Note
This parameter is available only if you have selected the CPU ACL Enable check box.
Note
When CPU ACL is enabled, it is applicable to both wireless and wired traffic. Only IPv4 ACL
are supported as CPU ACL.
Step 4
Click Apply to commit your changes.
Step 5
Click Save Configuration to save your changes.
Applying an Access Control List to a WLAN
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the desired WLAN to open the WLANs > Edit page.
Step 3
Choose the Advanced tab to open the WLANs > Edit (Advanced) page.
Figure 7-14
WLANs > Edit (Advanced) Page
Step 4
From the Override Interface ACL drop-down list, choose the IPv4 or IPv6 ACL that you want to apply
to this WLAN. The ACL that you choose overrides any ACL that is configured for the interface. None
is the default value.
Note
To support centralized access control through an AAA server such as ISE or ACS, you must configure
the IPv4 and IPv6 ACLs on the controller, and the WLAN must have the AAA override feature enabled.
Note
See Chapter 8, “Working with WLANs,” for more information on configuring WLANs.
Step 5
Click Apply to commit your changes.
Step 6
Click Save Configuration to save your changes.
Applying a Preauthentication Access Control List to a WLAN
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the desired WLAN to open the WLANs > Edit page.
Step 3
Choose the Security and Layer 3 tabs to open the WLANs > Edit (Security > Layer 3) page.
Figure 7-15
WLANs > Edit (Security > Layer 3) Page
Step 4
Select the Web Policy check box.
Step 5
From the Preauthentication ACL drop-down list, choose the desired ACL and click Apply. None is the
default value.
Note
See Chapter 8, “Working with WLANs,” for more information on configuring WLANs.
Step 6
Click Save Configuration to save your changes.
Configuring and Applying Access Control Lists (CLI)
Configuring Access Control Lists
Step 1
See all of the ACLs that are configured on the controller by entering this command:
show acl summary
Information similar to the following appears:
ACL Counter Status              Enabled
---------------------------------------
ACL Name                  Applied
------------------------- ----------
acl1                      Yes
acl2                      Yes
acl3                      Yes
Step 2
See all of the IPv6 ACLs that are configured on the controller by entering this command:
show ipv6 acl summary
Step 3
See detailed information for a particular ACL by entering this command:
show [ipv6] acl detailed acl_name
Information similar to the following appears:
I  Dir  Source IP Address/Netmask  Destination IP Address/Netmask  Prot  Source Port Range  Dest Port Range  DSCP  Action  Counter
-  ---  -------------------------  ------------------------------  ----  -----------------  ---------------  ----  ------  -------
1  Any  0.0.0.0/0.0.0.0            0.0.0.0/0.0.0.0                 Any   0-65535            0-65535          0     Deny    0
2  In   0.0.0.0/0.0.0.0            200.200.200.0/255.255.255.0     6     80-80              0-65535          Any   Permit  0
DenyCounter : 0
The Counter field increments each time a packet matches an ACL rule, and the DenyCounter field
increments each time a packet does not match any of the rules.
Note
If traffic is allowed from the controller by a permit rule, the response to that traffic in the opposite
direction is also allowed and cannot be blocked by a deny rule in the ACL.
Step 4
Enable or disable ACL counters for your controller by entering this command:
config acl counter {start | stop}
Note
If you want to clear the current counters for an ACL, enter the clear acl counters acl_name
command.
Note
ACL counters are available only on the Cisco 5500 Series Controller, Cisco 4400 Series
Controller, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch.
Step 5
Add a new ACL by entering this command:
config [ipv6] acl create acl_name
You can enter up to 32 alphanumeric characters for the acl_name parameter.
Note
Step 6
When you try to create an interface name with space, the controller CLI does not create an interface. For
example, if you want to create an interface name int 3, the CLI will not create this since there is a space
between int and 3. If you want to use int 3 as the interface name, you need to enclose within single quotes
like ‘int 3’.
Add a rule for an ACL by entering this command:
config [ipv6] acl rule add acl_name rule_index
Step 7
Configure an ACL rule by entering this command:
config [ipv6] acl rule {action acl_name rule_index {permit | deny} |
change index acl_name old_index new_index |
destination address acl_name rule_index ip_address netmask |
destination port range acl_name rule_index start_port end_port |
direction acl_name rule_index {in | out | any} |
dscp acl_name rule_index dscp |
protocol acl_name rule_index protocol |
source address acl_name rule_index ip_address netmask |
source address [ipv6] acl_name rule_index prefix |
swap index acl_name index_1 index_2}
See Step 8 of the “Configuring and Applying Access Control Lists (GUI)” section on page 7-57 for
explanations of the rule parameters.
Step 8
Save your settings by entering this command:
save config
Note
To delete an ACL, enter the config [ipv6] acl delete acl_name command. To delete an ACL rule,
enter the config [ipv6] acl rule delete acl_name rule_index command.
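The following Python model, an added example and not Cisco controller code, shows how an ACL of the kind displayed by show acl detailed is evaluated: rules are tried in ascending index order, the first match decides the packet's fate and increments that rule's Counter, and a packet that matches no rule is dropped and counted in DenyCounter. Two details are this model's own assumptions: the return-traffic allowance from the Note above is modelled as a set of permitted flows, and shadowed_rules() flags a rule that an earlier, broader rule prevents from ever matching (the situation the change index and swap index commands let you repair). The ACL, the addresses and the packets are constructed sample data.

```python
"""Model of controller ACL evaluation: first match in index order decides,
matched rules bump Counter, unmatched packets bump DenyCounter.
Added example, not controller code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set, Tuple

ANY_NET = "0.0.0.0/0.0.0.0"      # address/netmask meaning "any host"
ANY_PORTS = (0, 65535)


@dataclass
class Rule:
    """One rule, with the columns shown by 'show acl detailed'."""
    index: int
    direction: str                # in | out | any
    src: str                      # ip_address/netmask
    dst: str
    protocol: Optional[int]       # None = Any; 6 = TCP, 17 = UDP
    src_ports: Tuple[int, int]
    dst_ports: Tuple[int, int]
    dscp: Optional[int]           # None = Any
    action: str                   # permit | deny
    counter: int = 0


@dataclass
class Packet:
    direction: str
    src: str
    dst: str
    protocol: int
    src_port: int
    dst_port: int
    dscp: int = 0


def _net(spec: str) -> IPv4Network:
    addr, mask = spec.split("/")
    return IPv4Network((addr, mask), strict=False)


def _within(inner: Tuple[int, int], outer: Tuple[int, int]) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", pkt.direction)
            and IPv4Address(pkt.src) in _net(rule.src)
            and IPv4Address(pkt.dst) in _net(rule.dst)
            and rule.protocol in (None, pkt.protocol)
            and _within((pkt.src_port, pkt.src_port), rule.src_ports)
            and _within((pkt.dst_port, pkt.dst_port), rule.dst_ports)
            and rule.dscp in (None, pkt.dscp))


def rule_covers(earlier: Rule, later: Rule) -> bool:
    """True when everything 'later' could match is already matched by 'earlier',
    so 'later' can never be reached (it is shadowed). Model assumption."""
    return (earlier.direction in ("any", later.direction)
            and _net(earlier.src).supernet_of(_net(later.src))
            and _net(earlier.dst).supernet_of(_net(later.dst))
            and earlier.protocol in (None, later.protocol)
            and _within(later.src_ports, earlier.src_ports)
            and _within(later.dst_ports, earlier.dst_ports)
            and earlier.dscp in (None, later.dscp))


class Acl:
    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = sorted(rules, key=lambda r: r.index)   # lowest index is tried first
        self.deny_counter = 0
        self._permitted: Set[tuple] = set()                 # flows a permit rule let through

    def evaluate(self, pkt: Packet) -> str:
        # Replies to permitted traffic pass regardless of deny rules (model of the guide's note)
        reverse = (pkt.protocol, pkt.dst, pkt.dst_port, pkt.src, pkt.src_port)
        if reverse in self._permitted:
            return "permit"
        for rule in self.rules:
            if rule_matches(rule, pkt):
                rule.counter += 1
                if rule.action == "permit":
                    self._permitted.add((pkt.protocol, pkt.src, pkt.src_port, pkt.dst, pkt.dst_port))
                return rule.action
        self.deny_counter += 1        # implicit deny: no rule matched
        return "deny"

    def shadowed_rules(self) -> List[int]:
        return [later.index for i, later in enumerate(self.rules)
                if any(rule_covers(e, later) for e in self.rules[:i])]

    def counters(self) -> Dict[int, int]:
        return {r.index: r.counter for r in self.rules}


def demo() -> dict:
    # Constructed ACL: permit client HTTP to 200.200.200.0/24, deny all other
    # inbound UDP, then (unreachably) permit DNS to the same subnet.
    acl = Acl("web-only", [
        Rule(1, "in", ANY_NET, "200.200.200.0/255.255.255.0", 6, ANY_PORTS, (80, 80), None, "permit"),
        Rule(2, "in", ANY_NET, ANY_NET, 17, ANY_PORTS, ANY_PORTS, None, "deny"),
        Rule(3, "in", ANY_NET, "200.200.200.0/255.255.255.0", 17, ANY_PORTS, (53, 53), None, "permit"),
    ])
    packets = [
        Packet("in", "10.0.0.5", "200.200.200.10", 6, 51000, 80),    # HTTP request
        Packet("out", "200.200.200.10", "10.0.0.5", 6, 80, 51000),   # its reply
        Packet("in", "10.0.0.5", "200.200.200.10", 6, 51001, 22),    # SSH: matches no rule
        Packet("in", "10.0.0.5", "200.200.200.53", 17, 40000, 53),   # DNS: stopped by rule 2
    ]
    return {"results": [acl.evaluate(p) for p in packets],
            "counters": acl.counters(),
            "deny_counter": acl.deny_counter,
            "shadowed": acl.shadowed_rules()}
```

In the sample, rule 3 is unreachable because rule 2 already denies all inbound UDP; with the same rules ordered 1, 3, 2 the DNS packet would be permitted. Checking the order before an ACL is applied to an interface or WLAN avoids this kind of silent mismatch between the policy you meant and the one the controller enforces.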
Applying Access Control Lists
Step 1
Perform any of the following:
• To apply an ACL to a management, AP-manager, or dynamic interface, enter this command:
config interface acl {management | ap-manager | dynamic_interface_name} acl_name
Note
To see the ACL that is applied to an interface, enter the show interface detailed {management | ap-manager | dynamic_interface_name} command. To remove an ACL that is applied to an interface, enter the config interface acl {management | ap-manager | dynamic_interface_name} none command.
See Chapter 4, “Configuring Ports and Interfaces,” for more information on configuring controller interfaces.
• To apply an ACL to the data path, enter this command:
config acl apply acl_name
• To apply an ACL to the controller CPU to restrict the type of traffic (wired, wireless, or both) reaching the CPU, enter this command:
config acl cpu acl_name {wired | wireless | both}
Note
To see the ACL that is applied to the controller CPU, enter the show acl cpu command. To remove the ACL that is applied to the controller CPU, enter the config acl cpu none command.
• To apply an ACL to a WLAN, enter this command:
config wlan acl wlan_id acl_name
Note
To see the ACL that is applied to a WLAN, enter the show wlan wlan_id command. To remove the ACL that is applied to a WLAN, enter the config wlan acl wlan_id none command.
• To apply a preauthentication ACL to a WLAN, enter this command:
config wlan security web-auth acl wlan_id acl_name
See Chapter 8, “Working with WLANs,” for more information on configuring WLANs.
Step 2
Save your changes by entering this command:
save config
Configuring Management Frame Protection
This section contains the following topics:
• Information About Management Frame Protection, page 7-66
• Guidelines and Limitations, page 7-67
• Configuring Management Frame Protection (GUI), page 7-68
• Viewing the Management Frame Protection Settings (GUI), page 7-69
• Configuring Management Frame Protection (CLI), page 7-70
• Viewing the Management Frame Protection Settings (CLI), page 7-70
• Debugging Management Frame Protection Issues (CLI), page 7-72
Information About Management Frame Protection
Management frame protection (MFP) provides security for the otherwise unprotected and unencrypted
802.11 management messages passed between access points and clients. MFP provides both
infrastructure and client support.
• Infrastructure MFP—Protects management frames by detecting adversaries that are invoking denial-of-service attacks, flooding the network with associations and probes, interjecting as rogue access points, and affecting network performance by attacking the QoS and radio measurement frames. It also provides a quick and effective means to detect and report phishing incidents.
Specifically, infrastructure MFP protects 802.11 session management functions by adding message integrity check information elements (MIC IEs) to the management frames emitted by access points (and not those emitted by clients), which are then validated by other access points in the network. Infrastructure MFP is passive. It can detect and report intrusions but has no means to stop them.
• Client MFP—Shields authenticated clients from spoofed frames, preventing many of the common attacks against wireless LANs from becoming effective. Most attacks, such as deauthentication attacks, revert to simply degrading performance by contending with valid clients.
Specifically, client MFP encrypts the management frames that are sent between access points and CCXv5 clients so that both the access points and clients can take preventative action by dropping spoofed class 3 management frames (that is, management frames passed between an access point and a client that is authenticated and associated). Client MFP leverages the security mechanisms defined by IEEE 802.11i to protect the following types of class 3 unicast management frames: disassociation, deauthentication, and QoS (WMM) action. Client MFP protects a client-access point session from the most common type of denial-of-service attack. It protects class 3 management frames by using the same encryption method used for the session’s data frames. If a frame received by the access point or client fails decryption, it is dropped, and the event is reported to the controller.
To use client MFP, clients must support CCXv5 MFP and must negotiate WPA2 using either TKIP or AES-CCMP. EAP or PSK may be used to obtain the PMK. CCKM and controller mobility management are used to distribute session keys between access points for Layer 2 and Layer 3 fast roaming.
Note
To prevent attacks using broadcast frames, access points supporting CCXv5 will not emit any broadcast class 3 management frames (such as disassociation, deauthentication, or action). CCXv5 clients and access points must discard broadcast class 3 management frames.
Client MFP supplements infrastructure MFP rather than replacing it, because infrastructure MFP continues to detect and report invalid unicast frames sent to clients that are not client-MFP capable as well as invalid class 1 and 2 management frames. Infrastructure MFP is applied only to management frames that are not protected by client MFP.
Infrastructure MFP consists of three main components:
• Management frame protection—The access point protects the management frames it transmits by adding a MIC IE to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC, causing any receiving access point configured to detect MFP frames to report the discrepancy.
• Management frame validation—In infrastructure MFP, the access point validates every management frame that it receives from other access points in the network. It ensures that the MIC IE is present (when the originator is configured to transmit MFP frames) and matches the content of the management frame. If it receives any frame that does not contain a valid MIC IE from a BSSID belonging to an access point that is configured to transmit MFP frames, it reports the discrepancy to the network management system. In order for the timestamps to operate properly, all controllers must be Network Time Protocol (NTP) synchronized.
• Event reporting—The access point notifies the controller when it detects an anomaly, and the controller aggregates the received anomaly events and can report the results through SNMP traps to the network management system.
Note
Client MFP uses the same event reporting mechanisms as infrastructure MFP.
Infrastructure MFP is enabled by default and can be disabled globally. When you upgrade from a
previous software release, infrastructure MFP is disabled globally if access point authentication is
enabled because the two features are mutually exclusive. Once infrastructure MFP is enabled globally,
signature generation (adding MICs to outbound frames) can be disabled for selected WLANs, and
validation can be disabled for selected access points.
Client MFP is enabled by default on WLANs that are configured for WPA2. It can be disabled, or it can
be made mandatory (in which case, only clients that negotiate MFP are allowed to associate) on selected
WLANs.
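To make the three components above concrete, here is a Python model, added as an example and not Cisco code or Cisco's wire format, of what an MFP-validating access point does with each received management frame: verify the MIC IE with the key distributed for that BSSID, check the timestamp against its own NTP-synchronised clock, check the sequence number for replay, and count anomalies for the controller to aggregate and report. The MIC construction (truncated HMAC-SHA256 over BSSID, subtype, sequence, timestamp and body), the 30-second skew window and the mapping of checks to event names (which reuse labels from the show wps mfp statistics output later in this section where one fits) are this model's assumptions; frames, keys and addresses are constructed.

```python
"""Toy model of infrastructure MFP: a transmitting AP adds a MIC IE to each
management frame; a validating AP checks MIC, timestamp and sequence and
reports anomalies. Added example; the MIC layout and event names are this
model's, not Cisco's."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional

MAX_CLOCK_SKEW = 30          # seconds; assumed window, hence the need for NTP-synchronised controllers


@dataclass
class MgmtFrame:
    bssid: str
    subtype: str             # beacon, probe_resp, deauth, disassoc, ...
    seq: int                 # transmitter's MFP sequence number
    timestamp: int           # transmitter's clock, in seconds
    body: bytes
    mic: Optional[bytes] = None   # MIC IE payload; absent on unprotected frames


def compute_mic(key: bytes, frame: MgmtFrame) -> bytes:
    """Keyed MIC over every field a copied, altered or replayed frame would have to reproduce."""
    msg = f"{frame.bssid}|{frame.subtype}|{frame.seq}|{frame.timestamp}|".encode() + frame.body
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def protect(key: bytes, frame: MgmtFrame) -> MgmtFrame:
    """What an MFP-enabled AP does on transmit: attach the MIC IE."""
    return replace(frame, mic=compute_mic(key, frame))


class ValidatingAp:
    """An AP configured to validate MFP frames from the BSSIDs it has keys for."""

    def __init__(self, keys: Dict[str, bytes], now: int):
        self.keys = keys                   # BSSID -> MIC key, as distributed by the controller
        self.now = now                     # this AP's (NTP-synchronised) clock
        self.last_seq: Dict[str, int] = {}
        self.events: Dict[str, int] = {}   # anomaly counts the controller would aggregate

    def _report(self, error_type: str) -> str:
        self.events[error_type] = self.events.get(error_type, 0) + 1
        return error_type

    def validate(self, frame: MgmtFrame) -> str:
        key = self.keys.get(frame.bssid)
        if key is None:
            # Not an MFP BSSID: a MIC IE where none is expected is itself reported
            return self._report("Unexpected MIC") if frame.mic is not None else "Not MFP"
        if frame.mic is None:
            return self._report("Missing MIC")           # MFP BSSID, but no MIC IE
        if not hmac.compare_digest(frame.mic, compute_mic(key, frame)):
            return self._report("Invalid MIC")           # altered, or sent by someone without the key
        if abs(frame.timestamp - self.now) > MAX_CLOCK_SKEW:
            return self._report("Bad timestamp")         # stale frame, or clocks not synchronised
        last = self.last_seq.get(frame.bssid)
        if last is not None and frame.seq <= last:
            return self._report("Out of seq")            # replayed or reordered frame
        self.last_seq[frame.bssid] = frame.seq
        return "Valid"


def demo() -> dict:
    # Constructed BSSID, key and frames
    bssid, key = "00:0b:85:56:c1:a0", b"constructed-per-bssid-mic-key"
    ap = ValidatingAp({bssid: key}, now=1_000_000)
    genuine = protect(key, MgmtFrame(bssid, "beacon", 10, 1_000_000, b"ssid=corp"))
    replayed = replace(genuine)                      # the same frame captured and sent again
    spoofed = protect(b"not-the-real-key", MgmtFrame(bssid, "deauth", 11, 1_000_001, b"reason=7"))
    stale = protect(key, MgmtFrame(bssid, "beacon", 12, 1_000_500, b"ssid=corp"))
    unknown = protect(b"x", MgmtFrame("aa:bb:cc:dd:ee:ff", "beacon", 1, 1_000_000, b"ssid=corp"))
    results = [ap.validate(f) for f in (genuine, replayed, spoofed, stale, unknown)]
    return {"results": results, "events": ap.events}
```

The deauthentication frame carrying the real BSSID fails the MIC check because its sender does not hold the key, which is the case infrastructure MFP exists to report; the stale frame shows why the guide insists on NTP on every controller in the mobility group, since an unsynchronised validator would report exactly this error against legitimate frames.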
Guidelines and Limitations
• Infrastructure MFP is a global setting only in the 7.0.98.0 release. In earlier releases, there was an option for you to enable or disable MFP infrastructure protection for WLANs and MFP infrastructure validation for APs. These options are no longer available in the GUI or CLI.
• Controller software release 4.1 or later releases support both infrastructure and client MFP, while controller software release 4.0 supports only infrastructure MFP.
• MFP is supported for use with Cisco Aironet lightweight access points.
• Lightweight access points support infrastructure MFP in local and monitor modes and in FlexConnect mode when the access point is connected to a controller. They support client MFP in local, FlexConnect, and bridge modes.
• OEAP 600 Series access points do not support MFP.
• Client MFP is supported for use only with CCXv5 clients using WPA2 with TKIP or AES-CCMP.
• Non-CCXv5 clients may associate to a WLAN if client MFP is disabled or optional.
• Error reports generated on a FlexConnect access point in standalone mode cannot be forwarded to the controller and are dropped.
Configuring Management Frame Protection (GUI)
Step 1
Choose Security > Wireless Protection Policies > AP Authentication/MFP to open the AP Authentication Policy page.
Figure 7-16
AP Authentication Policy Page
Step 2
From the Protection Type drop-down list, enable infrastructure MFP globally for the controller by choosing Management Frame Protection.
Step 3
Click Apply to commit your changes.
Note
If more than one controller is included in the mobility group, you must configure a Network Time Protocol (NTP) server on all controllers in the mobility group that are configured for infrastructure MFP.
Step 4
Configure client MFP for a particular WLAN after infrastructure MFP has been enabled globally for the controller as follows:
a. Choose WLANs.
b. Click the profile name of the desired WLAN. The WLANs > Edit page appears.
c. Choose Advanced. The WLANs > Edit (Advanced) page appears.
Figure 7-17
WLANs > Edit (Advanced) Page
d. From the MFP Client Protection drop-down list, choose Disabled, Optional, or Required. The default value is Optional. If you choose Required, clients are allowed to associate only if MFP is negotiated (that is, if WPA2 is configured on the controller and the client supports CCXv5 MFP and is also configured for WPA2).
Note
For Cisco OEAP 600, MFP is not supported. It should be either Disabled or Optional.
e. Click Apply to commit your changes.
Step 5
Click Save Configuration to save your settings.
Viewing the Management Frame Protection Settings (GUI)
To see the controller’s current global MFP settings, choose Security > Wireless Protection Policies > Management Frame Protection. The Management Frame Protection Settings page appears.
Figure 7-18
Management Frame Protection Settings Page
On this page, you can see the following MFP settings:
• The Management Frame Protection field shows if infrastructure MFP is enabled globally for the controller.
• The Controller Time Source Valid field indicates whether the controller time is set locally (by manually entering the time) or through an external source (such as the NTP server). If the time is set by an external source, the value of this field is “True.” If the time is set locally, the value is “False.” The time source is used for validating the timestamp on management frames between access points of different controllers within a mobility group.
• The Infrastructure Protection field shows if infrastructure MFP is enabled for individual WLANs.
• The Client Protection field shows if client MFP is enabled for individual WLANs and whether it is optional or required.
Configuring Management Frame Protection (CLI)
• Enable or disable infrastructure MFP globally for the controller by entering this command:
config wps mfp infrastructure {enable | disable}
• Enable or disable client MFP on a specific WLAN by entering this command:
config wlan mfp client {enable | disable} wlan_id [required]
If you enable client MFP and use the optional required parameter, clients are allowed to associate only if MFP is negotiated.
Viewing the Management Frame Protection Settings (CLI)
• See the controller’s current MFP settings by entering this command:
show wps mfp summary
Information similar to the following appears:
Global Infrastructure MFP state.... Enabled
Controller Time Source Valid....... False

                               WLAN      Infra.      Client
WLAN ID  WLAN Name             Status    Protection  Protection
-------  --------------------  --------  ----------  -----------
1        test1                 Enabled   Disabled    Disabled
2        open                  Enabled   Enabled     Required
3        testpsk               Enabled   *Enabled    Optional but inactive (WPA2 not configured)

                                     Infra.       Operational  --Infra. Capability--
AP Name      Validation  Radio  State        Protection  Validation
-----------  ----------  -----  -----------  ----------  ----------
mapAP        Disabled    a      Up           Full        Full
                         b/g    Up           Full        Full
rootAP2      Enabled     a      Up           Full        Full
                         b/g    Up           Full        Full
FlexConnect  *Enabled    b/g    Up           Full        Full
                         a      Down         Full        Full
• See the current MFP configuration for a particular WLAN by entering this command:
show wlan wlan_id
Information similar to the following appears:
WLAN Identifier.......................... 1
Profile Name............................. test1
Network Name (SSID)...................... test1
Status................................... Enabled
MAC Filtering............................ Disabled
Broadcast SSID........................... Enabled
...
Local EAP Authentication................. Enabled (Profile 'test')
Diagnostics Channel...................... Disabled
Security
802.11 Authentication:................. Open System
Static WEP Keys........................ Disabled
802.1X................................. Enabled
Encryption:.............................. 104-bit WEP
Wi-Fi Protected Access (WPA/WPA2)...... Disabled
CKIP .................................. Disabled
IP Security............................ Disabled
IP Security Passthru................... Disabled
Web Based Authentication............... Disabled
Web-Passthrough........................ Disabled
Conditional Web Redirect............... Disabled
Auto Anchor............................ Enabled
FlexConnect Local Switching................. Disabled
Infrastructure MFP protection.......... Enabled
Client MFP............................. Required
...
• See whether client MFP is enabled for a specific client by entering this command:
show client detail client_mac
Client MAC Address............................... 00:14:1c:ed:34:72
...
Policy Type...................................... WPA2
Authentication Key Management.................... PSK
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... Yes
...
• See MFP statistics for the controller by entering this command:
show wps mfp statistics
Information similar to the following appears:
Note
This report contains no data unless an active attack is in progress. Examples of various error types are shown for illustration only. This table is cleared every 5 minutes when the data is forwarded to any network management stations.
BSSID              Radio  Validator AP  Last Source Addr   Found   Error Type      Count  Frame Types
-----------------  -----  ------------  -----------------  ------  --------------  -----  -----------
00:0b:85:56:c1:a0  a      jatwo-1000b   00:01:02:03:04:05  Infra   Invalid MIC     183    Assoc Req
                                                                                          Probe Req
                                                                                          Beacon
                                                           Infra   Out of seq      4      Assoc Req
                                                           Infra   Unexpected MIC  85     Reassoc Req
                                                           Client  Decrypt err     1974   Reassoc Req
                                                                                          Disassoc
                                                           Client  Replay err      74     Assoc Req
                                                                                          Probe Req
                                                                                          Beacon
                                                           Client  Invalid ICV     174    Reassoc Req
                                                                                          Disassoc
                                                           Client  Invalid header  174    Assoc Req
                                                                                          Probe Req
                                                                                          Beacon
                                                           Client  Brdcst disass   174    Reassoc Req
                                                                                          Disassoc
00:0b:85:56:c1:a0  b/g    jatwo-1000b   00:01:02:03:04:05  Infra   Out of seq      185    Reassoc Resp
                                                           Client  Not encrypted   174    Assoc Resp
                                                                                          Probe Resp
Debugging Management Frame Protection Issues (CLI)
Use this command if you experience any problems with MFP:
• debug wps mfp ? {enable | disable}
where ? is one of the following:
client—Configures debugging for client MFP messages.
capwap—Configures debugging for MFP messages between the controller and access points.
detail—Configures detailed debugging for MFP messages.
report—Configures debugging for MFP reporting.
mm—Configures debugging for MFP mobility (inter-controller) messages.
Configuring Client Exclusion Policies
This section contains the following topics:
• Configuring Client Exclusion Policies (GUI), page 7-73
• Configuring Client Exclusion Policies (CLI), page 7-73
Configuring Client Exclusion Policies (GUI)
Step 1
Choose Security > Wireless Protection Policies > Client Exclusion Policies to open the Client
Exclusion Policies page.
Figure 7-19
Client Exclusion Policies Page
Step 2
Select any of these check boxes if you want the controller to exclude clients for the condition specified. The default value for each exclusion policy is enabled.
• Excessive 802.11 Association Failures—Clients are excluded on the sixth 802.11 association attempt, after five consecutive failures.
• Excessive 802.11 Authentication Failures—Clients are excluded on the sixth 802.11 authentication attempt, after five consecutive failures.
• Excessive 802.1X Authentication Failures—Clients are excluded on the fourth 802.1X authentication attempt, after three consecutive failures.
• IP Theft or IP Reuse—Clients are excluded if the IP address is already assigned to another device.
• Excessive Web Authentication Failures—Clients are excluded on the fourth web authentication attempt, after three consecutive failures.
Step 3
Click Apply to commit your changes.
Step 4
Click Save Configuration to save your changes.
Configuring Client Exclusion Policies (CLI)
Step 1
Enable or disable the controller to exclude clients on the sixth 802.11 association attempt, after five
consecutive failures by entering this command:
config wps client-exclusion 802.11-assoc {enable | disable}
Step 2
Enable or disable the controller to exclude clients on the sixth 802.11 authentication attempt, after five
consecutive failures by entering this command:
config wps client-exclusion 802.11-auth {enable | disable}
Step 3
Enable or disable the controller to exclude clients on the fourth 802.1X authentication attempt, after
three consecutive failures by entering this command:
config wps client-exclusion 802.1x-auth {enable | disable}
Step 4
Enable or disable the controller to exclude clients if the IP address is already assigned to another device
by entering this command:
config wps client-exclusion ip-theft {enable | disable}
Step 5
Enable or disable the controller to exclude clients on the fourth web authentication attempt, after three
consecutive failures by entering this command:
config wps client-exclusion web-auth {enable | disable}
Step 6
Enable or disable the controller to exclude clients for all of the above reasons by entering this command:
config wps client-exclusion all {enable | disable}
Step 7
Use the following command to add or delete client exclusion entries.
config exclusionlist {add MAC [description] | delete MAC | description MAC [description]}
Step 8
Save your changes by entering this command:
save config
Step 9
See a list of clients that have been dynamically excluded, by entering this command:
show exclusionlist
Information similar to the following appears:
Dynamically Disabled Clients
----------------------------
MAC Address        Exclusion Reason   Time Remaining (in secs)
-----------------  -----------------  ------------------------
00:40:96:b4:82:55  802.1X Failure     51
Step 10
See the client exclusion policy configuration settings by entering this command:
show wps summary
Information similar to the following appears:
Auto-Immune
  Auto-Immune.................................... Disabled
Client Exclusion Policy
  Excessive 802.11-association failures.......... Enabled
  Excessive 802.11-authentication failures....... Enabled
  Excessive 802.1x-authentication................ Enabled
  IP-theft....................................... Enabled
  Excessive Web authentication failure........... Enabled
Signature Policy
  Signature Processing........................... Enabled
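The exclusion thresholds described in the GUI and CLI procedures above can be written down as a small state machine, which makes explicit two details the prose leaves implicit: only consecutive failures count, so a single success resets the streak, and the exclusion is applied on the attempt that follows the fifth (or third) failure. This Python model is an added example, not controller code; the 60-second exclusion timeout, the MAC addresses, the IP address and the event sequence are constructed, and the policy names follow the config wps client-exclusion keywords.

```python
"""Model of the controller's client exclusion policies: a client is excluded
on the attempt following N consecutive failures of one kind, or when it claims
an IP address already bound to another client. Added example, not controller code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Consecutive failures that precede exclusion (five for 802.11, three for 802.1X and web auth)
FAILURES_BEFORE_EXCLUSION = {
    "802.11-assoc": 5,
    "802.11-auth": 5,
    "802.1x-auth": 3,
    "web-auth": 3,
}
EXCLUSION_TIMEOUT = 60  # seconds; a constructed value for this model


@dataclass
class ClientExclusion:
    enabled: Dict[str, bool]                                             # policy -> enabled?
    failures: Dict[Tuple[str, str], int] = field(default_factory=dict)   # (mac, policy) -> streak
    excluded: Dict[str, Tuple[str, int]] = field(default_factory=dict)   # mac -> (reason, expiry)
    ip_owner: Dict[str, str] = field(default_factory=dict)               # ip -> mac

    def is_excluded(self, mac: str, now: int) -> bool:
        entry = self.excluded.get(mac)
        if entry is None:
            return False
        if entry[1] <= now:              # exclusion timer has run out
            del self.excluded[mac]
            return False
        return True

    def _exclude(self, mac: str, reason: str, now: int) -> str:
        self.excluded[mac] = (reason, now + EXCLUSION_TIMEOUT)
        for key in [k for k in self.failures if k[0] == mac]:   # clean slate after the timer
            del self.failures[key]
        return "excluded"

    def attempt(self, mac: str, policy: str, outcome: str, now: int) -> str:
        """One association/authentication attempt of the given kind.
        Returns 'denied' (already excluded), 'excluded' (this attempt triggered it) or 'ok'."""
        if self.is_excluded(mac, now):
            return "denied"
        key = (mac, policy)
        streak = self.failures.get(key, 0)
        if self.enabled.get(policy) and streak >= FAILURES_BEFORE_EXCLUSION[policy]:
            return self._exclude(mac, f"{policy} Failure", now)
        # Only consecutive failures count: a success resets the streak
        self.failures[key] = 0 if outcome == "success" else streak + 1
        return "ok"

    def ip_assigned(self, mac: str, ip: str, now: int) -> str:
        """IP theft / IP reuse: the address is already bound to a different client."""
        if self.is_excluded(mac, now):
            return "denied"
        owner = self.ip_owner.get(ip)
        if owner is not None and owner != mac and self.enabled.get("ip-theft"):
            return self._exclude(mac, "IP Theft", now)
        self.ip_owner[ip] = mac
        return "ok"

    def exclusion_list(self, now: int) -> List[Tuple[str, str, int]]:
        """What 'show exclusionlist' would show: MAC, reason, seconds remaining."""
        return [(mac, reason, expiry - now)
                for mac, (reason, expiry) in self.excluded.items() if expiry > now]


def demo() -> dict:
    policy = ClientExclusion(enabled={**{k: True for k in FAILURES_BEFORE_EXCLUSION}, "ip-theft": True})
    # Six failed 802.1X attempts: excluded on the fourth, denied afterwards
    dot1x = [policy.attempt("00:40:96:b4:82:55", "802.1x-auth", "failure", now=100 + i) for i in range(6)]
    # Four failures, a success, then five failures never reach the threshold; the next attempt does
    outcomes = ["failure"] * 4 + ["success"] + ["failure"] * 5
    assoc = [policy.attempt("00:40:96:b4:82:56", "802.11-assoc", o, now=200 + i) for i, o in enumerate(outcomes)]
    assoc.append(policy.attempt("00:40:96:b4:82:56", "802.11-assoc", "failure", now=210))
    # Second client claiming an address already bound to the first
    policy.ip_assigned("00:40:96:b4:82:57", "10.0.0.9", now=300)
    theft = policy.ip_assigned("00:40:96:b4:82:58", "10.0.0.9", now=301)
    return {"dot1x": dot1x, "assoc": assoc, "theft": theft, "listing": policy.exclusion_list(now=310)}
```

At the time of the listing only the IP-theft exclusion is still active; the two failure-driven exclusions have aged out, which is the behaviour an operator sees when show exclusionlist is run some time after an incident.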
Configuring Identity Networking
Information About Identity Networking
In most wireless LAN systems, each WLAN has a static policy that applies to all clients associated with
an SSID. Although powerful, this method has limitations because it requires clients to associate with
different SSIDs to inherit different QoS and security policies.
However, the Cisco Wireless LAN solution supports identity networking, which allows the network to
advertise a single SSID but allows specific users to inherit different QoS or security policies based on
their user profiles. The specific policies that you can control using identity networking are as follows:
• Quality of service—When present in a RADIUS Access Accept, the QoS Level value overrides the QoS value specified in the WLAN profile.
• ACL—When the ACL attribute is present in the RADIUS Access Accept, the system applies the ACL name to the client station after it authenticates, which overrides any ACLs that are assigned to the interface.
• VLAN—When a VLAN Interface-name or VLAN tag is present in a RADIUS Access Accept, the system places the client on a specific interface.
Note
The VLAN feature only supports MAC filtering, 802.1X, and WPA. The VLAN feature does not support web authentication or IPsec.
• Tunnel Attributes.
Note
When any of the other RADIUS attributes (QoS-Level, ACL-Name, Interface-Name, or VLAN-Tag), which are described later in this section, are returned, the Tunnel Attributes must also be returned.
The operating system’s local MAC filter database has been extended to include the interface name,
allowing local MAC filters to specify to which interface the client should be assigned. A separate
RADIUS server can also be used, but the RADIUS server must be defined using the Security menus.
RADIUS Attributes Used in Identity Networking
This section explains the RADIUS attributes used in identity networking. This section contains the
following topics:
• QoS-Level, page 7-76
• ACL-Name, page 7-76
• Interface-Name, page 7-76
• VLAN-Tag, page 7-77
• Tunnel Attributes, page 7-78
QoS-Level
This attribute indicates the QoS level to be applied to the mobile client's traffic within the switching fabric, as well as over the air. A summary of the QoS-Level Attribute format is shown below. The fields are transmitted from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |           Vendor-Id           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Vendor-Id (cont.)       |  Vendor type  | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           QoS Level                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
• Type – 26 for Vendor-Specific
• Length – 10
• Vendor-Id – 14179
•
Vendor type – 2
• Vendor length – 4
• Value – Three octets:
– 0 – Bronze (Background)
– 1 – Silver (Best Effort)
– 2 – Gold (Video)
– 3 – Platinum (Voice)
ACL-Name
This attribute indicates the ACL name to be applied to the client. A summary of the ACL-Name Attribute format is shown below. The fields are transmitted from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |           Vendor-Id           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Vendor-Id (cont.)       |  Vendor type  | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  ACL Name...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
• Type – 26 for Vendor-Specific
• Length – >7
• Vendor-Id – 14179
• Vendor type – 6
• Vendor length – >0
• Value – A string that includes the name of the ACL to use for the client
Interface-Name
This attribute indicates the VLAN interface a client is to be associated to. A summary of the Interface-Name Attribute format is shown below. The fields are transmitted from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |           Vendor-Id           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Vendor-Id (cont.)       |  Vendor type  | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Interface Name...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
• Type – 26 for Vendor-Specific
• Length – >7
• Vendor-Id – 14179
• Vendor type – 5
• Vendor length – >0
• Value – A string that includes the name of the interface the client is to be assigned to.
Note
This Attribute only works when MAC filtering is enabled or if 802.1X or WPA is used as the
security policy.
VLAN-Tag
This attribute indicates the group ID for a particular tunneled session and is also known as the
Tunnel-Private-Group-ID attribute.
This attribute might be included in the Access-Request packet if the tunnel initiator can predetermine
the group resulting from a particular connection and should be included in the Access-Accept packet if
this tunnel session is to be treated as belonging to a particular private group. Private groups may be used
to associate a tunneled session with a particular group of users. For example, it may be used to facilitate
routing of unregistered IP addresses through a particular interface. It should be included in
Accounting-Request packets which contain Acct-Status-Type attributes with values of either Start or
Stop and which pertain to a tunneled session.
A summary of the Tunnel-Private-Group-ID Attribute format is shown below. The fields are transmitted from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |      Tag      |   String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
• Type – 81 for Tunnel-Private-Group-ID.
• Length – >= 3
• Tag – The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same tunnel. If the value of the Tag field is greater than 0x00 and less than or equal to 0x1F, it should be interpreted as indicating which tunnel (of several alternatives) this attribute pertains to. If the Tag field is greater than 0x1F, it should be interpreted as the first byte of the following String field.
• String – This field must be present. The group is represented by the String field. There is no restriction on the format of group IDs.
Tunnel Attributes
Note
When any of the other RADIUS attributes (QoS-Level, ACL-Name, Interface-Name, or VLAN-Tag) are returned, the Tunnel Attributes must also be returned.
RFC 2868 defines RADIUS tunnel attributes used for authentication and authorization, and RFC 2867 defines tunnel attributes used for accounting. Where the IEEE 802.1X authenticator supports tunneling, a compulsory tunnel may be set up for the Supplicant as a result of the authentication.
In particular, it may be desirable to allow a port to be placed into a particular VLAN, defined in IEEE 802.1Q, based on the result of the authentication. This configuration can be used, for example, to allow a wireless host to remain on the same VLAN as it moves within a campus network.
The RADIUS server typically indicates the desired VLAN by including tunnel attributes within the Access-Accept. However, the IEEE 802.1X authenticator may also provide a hint as to the VLAN to be assigned to the Supplicant by including Tunnel attributes within the Access-Request.
For use in VLAN assignment, the following tunnel attributes are used:
• Tunnel-Type=VLAN (13)
• Tunnel-Medium-Type=802
• Tunnel-Private-Group-ID=VLANID
The VLAN ID is 12 bits, with a value between 1 and 4094, inclusive. Because the Tunnel-Private-Group-ID is of type String as defined in RFC 2868, for use with IEEE 802.1X, the VLANID integer value is encoded as a string.
When Tunnel attributes are sent, it is necessary to fill in the Tag field. As noted in RFC 2868, section 3.1:
• The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet that refer to the same tunnel. Valid values for this field are 0x01 through 0x1F, inclusive. If the Tag field is unused, it must be zero (0x00).
• For use with Tunnel-Client-Endpoint, Tunnel-Server-Endpoint, Tunnel-Private-Group-ID, Tunnel-Assignment-ID, Tunnel-Client-Auth-ID or Tunnel-Server-Auth-ID attributes (but not Tunnel-Type, Tunnel-Medium-Type, Tunnel-Password, or Tunnel-Preference), a tag field of greater than 0x1F is interpreted as the first octet of the following field.
• Unless alternative tunnel types are provided (e.g. for IEEE 802.1X authenticators that may support tunneling but not VLANs), it is only necessary for tunnel attributes to specify a single tunnel. As a result, where it is only desired to specify the VLANID, the tag field should be set to zero (0x00) in all tunnel attributes. Where alternative tunnel types are to be provided, tag values between 0x01 and 0x1F should be chosen.
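The attribute formats in the QoS-Level, ACL-Name, Interface-Name, VLAN-Tag and Tunnel Attributes sections above can be exercised with the following Python encoder and decoder. It is an added example, not controller or RADIUS-server code: the layouts follow RFC 2865 for the Vendor-Specific attribute (Vendor-Id 14179; vendor types 2, 5 and 6) and RFC 2868 for the tagged tunnel attributes, QoS-Level is encoded as a standard 4-octet RADIUS integer as the FreeRADIUS Airespace dictionary does (an assumption here), the QoS values are those the dictionary-update section below calls proper, and the Access-Accept attribute list is constructed. The decoder also applies the RFC 2868 rule that a first octet above 0x1F in Tunnel-Private-Group-ID belongs to the string rather than being a tag, and vlan_attributes_complete() checks that all three tunnel attributes were returned together.

```python
"""Encoder/decoder for the identity-networking RADIUS attributes: Airespace
VSAs (QoS-Level, Interface-Name, ACL-Name) and RFC 2868 tunnel attributes.
Added example, not controller or RADIUS-server code."""
import struct
from typing import Dict

ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VENDOR_AIRESPACE = 14179
VSA_QOS_LEVEL, VSA_INTERFACE_NAME, VSA_ACL_NAME = 2, 5, 6
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
# QoS-Level values as given in the guide's dictionary-update section
QOS_LEVELS = {"Silver": 0, "Gold": 1, "Platinum": 2, "Bronze": 3}


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type | Length | Value; Length counts the two header octets (RFC 2865)."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must fit in 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def airespace_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) carrying Vendor-Id 14179, then vendor type/length/value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_AIRESPACE) + inner)


def qos_level(level: str) -> bytes:
    return airespace_vsa(VSA_QOS_LEVEL, struct.pack("!I", QOS_LEVELS[level]))   # 4-octet integer (assumption)


def interface_name(name: str) -> bytes:
    return airespace_vsa(VSA_INTERFACE_NAME, name.encode("ascii"))


def acl_name(name: str) -> bytes:
    return airespace_vsa(VSA_ACL_NAME, name.encode("ascii"))


def tagged_integer(attr_type: int, value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return attribute(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def vlan_assignment(vlan_id: int, tag: int = 0) -> bytes:
    """The three tunnel attributes that assign a VLAN; tag 0x00 when only one tunnel is described."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return (tagged_integer(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_integer(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag)
            + attribute(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))


def parse_access_accept(attrs: bytes) -> Dict[str, object]:
    """Walk an attribute list and collect the overrides the controller would apply."""
    found: Dict[str, object] = {}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + length]
        pos += length
        if attr_type == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6 or struct.unpack("!I", value[:4])[0] != VENDOR_AIRESPACE:
                continue                                   # another vendor's VSA: ignore
            vendor_type, vendor_len = value[4], value[5]
            if vendor_len != len(value) - 4:
                raise ValueError("bad vendor length")
            payload = value[6:]
            if vendor_type == VSA_QOS_LEVEL and len(payload) == 4:
                found["qos_level"] = struct.unpack("!I", payload)[0]
            elif vendor_type == VSA_INTERFACE_NAME:
                found["interface_name"] = payload.decode("ascii")
            elif vendor_type == VSA_ACL_NAME:
                found["acl_name"] = payload.decode("ascii")
        elif attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            key = "tunnel_type" if attr_type == ATTR_TUNNEL_TYPE else "tunnel_medium"
            found[key] = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first octet above 0x1F is not a tag but the start of the string
            group = value[1:] if value[0] <= 0x1F else value
            found["vlan_id"] = int(group.decode("ascii"))
    return found


def vlan_attributes_complete(found: Dict[str, object]) -> bool:
    """Tunnel-Type VLAN, Tunnel-Medium-Type 802 and the group ID must all be present."""
    return (found.get("tunnel_type") == TUNNEL_TYPE_VLAN
            and found.get("tunnel_medium") == TUNNEL_MEDIUM_802
            and "vlan_id" in found)


def demo() -> Dict[str, object]:
    # Constructed Access-Accept attribute list for a guest user
    accept = qos_level("Gold") + acl_name("guest-acl") + interface_name("guest") + vlan_assignment(20)
    return parse_access_accept(accept)
```

With the integer encoding assumed here the QoS-Level attribute comes out at 12 octets in total (2 header, 4 Vendor-Id, 2 vendor header, 4 value); a server whose dictionary defines the value with a different width produces a different Length, which is the sort of discrepancy the decoder's length checks are meant to surface.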
Configuring AAA Override
This section contains the following topics:
• Information About AAA Override, page 7-79
• Guidelines and Limitations, page 7-79
• Updating the RADIUS Server Dictionary File for Proper QoS Values, page 7-79
• Configuring AAA Override (GUI), page 7-80
• Configure AAA Override (CLI), page 7-81
Information About AAA Override
The Allow AAA Override option of a WLAN enables you to configure the WLAN for identity
networking. It enables you to apply VLAN tagging, QoS, and ACLs to individual clients based on the
returned RADIUS attributes from the AAA server.
Guidelines and Limitations
• If a client moves to a new interface due to the AAA override and you then apply an ACL to that
interface, the ACL does not take effect until the client reauthenticates. To work around this issue,
apply the ACL to the interface before you enable the WLAN, so that every client that connects is
subject to an ACL that is already configured on the interface, or disable and then re-enable the
WLAN after you apply the ACL so that the clients reauthenticate.
• When an interface group is mapped to a WLAN and clients connect to the WLAN, the clients are not
assigned IP addresses from the interfaces of the group in round-robin fashion.
• Most of the configuration for allowing AAA override is done at the RADIUS server, where you
should configure the Access Control Server (ACS) with the override properties you would like it to
return to the controller (for example, Interface-Name, QoS-Level, and VLAN-Tag).
• On the controller, enable the Allow AAA Override configuration parameter using the GUI or CLI.
Enabling this parameter allows the controller to accept the attributes returned by the RADIUS
server. The controller then applies these attributes to its clients. If the parameter is disabled, the
controller ignores these attributes and applies the settings configured on the WLAN.
Updating the RADIUS Server Dictionary File for Proper QoS Values
If you are using a Steel-Belted RADIUS (SBR), FreeRADIUS, or similar RADIUS server, clients may not
obtain the correct QoS values after the AAA override feature is enabled. For these servers, which allow
you to edit the dictionary file, you need to update the file to reflect the proper QoS values: Silver is 0,
Gold is 1, Platinum is 2, and Bronze is 3. Note that the values are not in service-level order, so a
dictionary that simply numbers the levels from Bronze upward returns the wrong level to the controller.
Note
This issue does not apply to the Cisco Secure Access Control Server (ACS).
To update the RADIUS server dictionary file, follow these steps:
Step 1
Stop the SBR service (or other RADIUS service).
Step 2
Save the following text to the Radius_Install_Directory\Service folder as ciscowlan.dct:
################################################################################
# CiscoWLAN.dct - Cisco Wireless LAN Controllers
#
# (See README.DCT for more details on the format of this file)
################################################################################
# Dictionary - Cisco WLAN Controllers
#
# Start with the standard RADIUS specification attributes
#
@radius.dct
#
# Standard attributes supported by Airespace
#
# Define additional vendor specific attributes (VSAs)
#
MACRO Airespace-VSA(t,s) 26 [vid=14179 type1=%t% len1=+2 data=%s%]

ATTRIBUTE WLAN-Id          Airespace-VSA(1, integer) cr
ATTRIBUTE Aire-QoS-Level   Airespace-VSA(2, integer) r
VALUE     Aire-QoS-Level   Bronze    3
VALUE     Aire-QoS-Level   Silver    0
VALUE     Aire-QoS-Level   Gold      1
VALUE     Aire-QoS-Level   Platinum  2
ATTRIBUTE DSCP             Airespace-VSA(3, integer) r
ATTRIBUTE 802.1P-Tag       Airespace-VSA(4, integer) r
ATTRIBUTE Interface-Name   Airespace-VSA(5, string)  r
ATTRIBUTE ACL-Name         Airespace-VSA(6, string)  r

# This should be last.
################################################################################
# CiscoWLAN.dct - Cisco WLC dictionary
################################################################################
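The MACRO line in the dictionary describes the Vendor-Specific attribute layout: RADIUS type 26, the Airespace vendor ID 14179, then a one-octet vendor type, a one-octet vendor length that counts its own two header octets, and the data. The following Python, an added example that is not part of this guide or of any RADIUS server, encodes and decodes Airespace VSAs using exactly the vendor types and QoS values the dictionary defines, so you can check what a server actually puts on the wire for a given user. The function and variable names are this example's own.

```python
import struct

VENDOR_SPECIFIC = 26               # RADIUS Vendor-Specific attribute type
AIRESPACE_VENDOR_ID = 14179        # vid=14179 in the dictionary MACRO
# Vendor types and data types exactly as the dictionary above defines them.
AIRESPACE_ATTRS = {
    1: ("WLAN-Id", "integer"),
    2: ("Aire-QoS-Level", "integer"),
    3: ("DSCP", "integer"),
    4: ("802.1P-Tag", "integer"),
    5: ("Interface-Name", "string"),
    6: ("ACL-Name", "string"),
}
AIRESPACE_TYPE_BY_NAME = {name: t for t, (name, _) in AIRESPACE_ATTRS.items()}
# The QoS values are NOT in service-level order; this is the mapping the controller expects.
QOS_LEVEL = {"Silver": 0, "Gold": 1, "Platinum": 2, "Bronze": 3}
QOS_NAME = {v: k for k, v in QOS_LEVEL.items()}


def airespace_vsa(name, value):
    """Encode one Airespace VSA: Type 26, Length, Vendor-Id, vendor type, vendor length (+2), data."""
    vendor_type = AIRESPACE_TYPE_BY_NAME[name]
    kind = AIRESPACE_ATTRS[vendor_type][1]
    data = struct.pack("!I", value) if kind == "integer" else value.encode("ascii")
    vendor_data = struct.pack("!IBB", AIRESPACE_VENDOR_ID, vendor_type, len(data) + 2) + data
    if len(vendor_data) > 253:
        raise ValueError("VSA too long")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(vendor_data) + 2) + vendor_data


def aaa_override_attributes(qos_level, interface_name=None, acl_name=None):
    """Build the override attributes a RADIUS server returns for a client under AAA override."""
    payload = airespace_vsa("Aire-QoS-Level", QOS_LEVEL[qos_level])
    if interface_name is not None:
        payload += airespace_vsa("Interface-Name", interface_name)
    if acl_name is not None:
        payload += airespace_vsa("ACL-Name", acl_name)
    return payload


def decode_airespace(payload):
    """Decode Airespace VSAs from a RADIUS attribute list into {attribute name: value}.
    Non-VSA attributes and other vendors are skipped; malformed lengths raise."""
    found, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        value = payload[i + 2:i + length]
        i += length
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != AIRESPACE_VENDOR_ID:
            continue
        j = 4                                      # one VSA may carry several sub-attributes
        while j + 2 <= len(value):
            vendor_type, vendor_len = value[j], value[j + 1]
            if vendor_len < 2 or j + vendor_len > len(value):
                raise ValueError("bad vendor sub-attribute length")
            data = value[j + 2:j + vendor_len]
            j += vendor_len
            if vendor_type not in AIRESPACE_ATTRS:
                continue                           # unknown vendor type: ignore, do not fail
            name, kind = AIRESPACE_ATTRS[vendor_type]
            if kind == "integer":
                if len(data) != 4:
                    raise ValueError("integer VSA must be 4 octets")
                found[name] = struct.unpack("!I", data)[0]
            else:
                found[name] = data.decode("ascii")
    return found


def qos_level_name(value):
    """Map a returned Aire-QoS-Level integer back to its name (None if undefined)."""
    return QOS_NAME.get(value)


if __name__ == "__main__":
    reply = aaa_override_attributes("Gold", interface_name="guest-vlan", acl_name="guest-acl")
    print(reply.hex())
    print(decode_airespace(reply))
```

Because Silver is 0 and Bronze is 3, a dictionary that numbers the levels in service order is exactly the mistake the procedure above guards against: the controller would apply Silver QoS to a user the server meant to be Bronze, and `qos_level_name(0)` makes that visible.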
Step 3
Open the dictiona.dcm file (in the same directory) and add the line @ciscowlan.dct.
Step 4
Save and close the dictiona.dcm file.
Step 5
Open the vendor.ini file (in the same directory) and add the following text:
vendor-product = Cisco WLAN Controller
dictionary = ciscowlan
ignore-ports = no
port-number-usage = per-port-type
help-id =
Step 6
Save and close the vendor.ini file.
Step 7
Start the SBR service (or other RADIUS service).
Step 8
Launch the SBR Administrator (or other RADIUS Administrator).
Step 9
Add a RADIUS client (if not already added). Choose Cisco WLAN Controller from the Make/Model
drop-down list.
Configuring AAA Override (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the WLAN that you want to configure. The WLANs > Edit page appears.
Step 3
Choose the Advanced tab to open the WLANs > Edit (Advanced) page.
Figure 7-20
WLANs > Edit (Advanced) Page
Step 4
Select the Allow AAA Override check box to enable AAA override or unselect it to disable this feature.
The default value is disabled.
Step 5
Click Apply to commit your changes.
Step 6
Click Save Configuration to save your changes.
Configure AAA Override (CLI)
config wlan aaa override {enable | disable} wlan_id
For wlan_id, enter an ID from 1 to 16.
Managing Rogue Devices
This section contains the following topics:
• Information About Rogue Devices, page 7-81
• Guidelines and Limitations, page 7-82
• WCS Interaction and Rogue Detection, page 7-83
• Configuring Rogue Detection (GUI), page 7-83
• Configuring Rogue Detection (CLI), page 7-85
Information About Rogue Devices
Rogue access points can disrupt wireless LAN operations by hijacking legitimate clients and using them
for plain-text capture, denial-of-service, or man-in-the-middle attacks. For example, an attacker can use
a rogue access point to capture sensitive information, such as usernames and passwords. The attacker can
also transmit a series of clear-to-send (CTS) frames. This action mimics an access point informing a
particular client to transmit and instructing all others to wait, which leaves legitimate clients
unable to access network resources. Wireless LAN service providers therefore have a strong interest in
banning rogue access points from their air space.
Because rogue access points are inexpensive and readily available, employees sometimes plug
unauthorized rogue access points into existing LANs and build ad-hoc wireless networks without IT
department knowledge or consent. These rogue access points can be a serious breach of network security
because they can be plugged into a network port behind the corporate firewall. Because employees
generally do not enable any security settings on the rogue access point, it is easy for unauthorized users
to use the access point to intercept network traffic and hijack client sessions. Even more alarming,
wireless users frequently publish unsecure access point locations, increasing the odds of having
enterprise security breached.
Detecting Rogue Devices
The controller continuously monitors all nearby access points and automatically discovers and collects
information on rogue access points and clients. When the controller discovers a rogue access point, it
uses the Rogue Location Discovery Protocol (RLDP) to determine if the rogue is attached to your
network.
You can configure the controller to use RLDP on all access points or only on access points configured
for monitor (listen-only) mode. The latter option facilitates automated rogue access point detection in a
crowded RF space, allowing monitoring without creating unnecessary interference and without affecting
regular data access point functionality. If you configure the controller to use RLDP on all access points,
the controller always chooses the monitor access point for RLDP operation if a monitor access point and
a local (data) access point are both nearby. If RLDP determines that the rogue is on your network, you
can choose to either manually or automatically contain the detected rogue.
A rogue access point is moved to a contained state either automatically or manually. The controller
selects the best available access point for containment and pushes the information to that access point.
The access point stores the list of containments per radio. For auto-containment, you can configure the
controller to use only monitor mode access points.
The containment operation happens in the following two ways:
• The container access point goes through the list of containments periodically and sends unicast
containment frames. For rogue access point containment, the frames are sent only if there is a rogue
client associated.
• Whenever activity from a contained rogue is detected, containment frames are transmitted.
Individual rogue containment involves sending a sequence of unicast disassociation and
deauthentication frames.
Guidelines and Limitations
• Starting in release 7.0.116.0 and later releases, the controller software provides enhanced rogue
containment strategies. In previous releases, when a rogue device was detected, the controller sent
containment frames at regular intervals to the rogue devices. In release 7.0.116.0 and later, the
containment frames are sent immediately after authentication and association are detected. The
enhanced containment algorithm provides more effective containment of ad hoc clients.
• In a dense RF environment where a large number of rogue access points is suspected, the chances of
detecting rogue access points by a local or FlexConnect mode access point on channel 157 or 161
are lower than on other channels. To mitigate this problem, we recommend that you use
dedicated monitor mode access points.
• Local and FlexConnect mode access points are designed to serve associated clients, so they
spend relatively little time performing off-channel scanning: about 50 milliseconds on each channel.
If you want a high rate of rogue detection, use a monitor mode access point. Alternatively, you can
reduce the scan interval from 180 seconds to a lower value, for example, 120 or 60 seconds, so that
the radio goes off-channel more frequently, which improves the chances of rogue detection. However,
the access point still spends only about 50 milliseconds on each channel per visit.
• Rogue detection is disabled by default for OfficeExtend access points because these access points,
which are deployed in a home environment, are likely to detect a large number of rogue devices.
• Controller software release 5.0 or later releases improve the classification and reporting of rogue
access points through the use of rogue states and user-defined classification rules that enable rogues
to automatically move between states. In previous releases, the controller listed all rogue access
points on one page sorted by MAC address or BSSID.
WCS Interaction and Rogue Detection
WCS software release 5.0 or later releases also support rule-based classification. WCS uses the
classification rules configured on the controller. The controller sends traps to WCS after the following
events:
• If an unknown access point moves to Friendly for the first time, the controller sends a trap to WCS
only if the rogue state is Alert. It does not send a trap if the rogue state is Internal or External.
• If a rogue entry is removed after the timeout expires, the controller sends a trap to WCS for rogue
access points categorized as Malicious (Alert, Threat) or Unclassified (Alert). The controller does
not remove rogue entries with the following rogue states: Contained, Contained Pending, Internal,
and External.
Configuring Rogue Detection (GUI)
Step 1
Make sure that rogue detection is enabled on the desired access points. Rogue detection is enabled by
default for all access points joined to the controller (except for OfficeExtend access points). However,
in controller software release 6.0 or later releases, you can enable or disable it for individual access
points by selecting or unselecting the Rogue Detection check box on the All APs > Details for
(Advanced) page.
Step 2
Choose Security > Wireless Protection Policies > Rogue Policies > General to open the Rogue
Policies page.
Step 3
From the Rogue Location Discovery Protocol drop-down list, choose one of the following options:
• Disable—Disables RLDP on all access points. This is the default value.
• All APs—Enables RLDP on all access points.
• Monitor Mode APs—Enables RLDP only on access points in monitor mode.
Step 4
In the Expiration Timeout for Rogue AP and Rogue Client Entries text box, enter the number of seconds
after which the rogue access point and client entries expire and are removed from the list. The valid range
is 240 to 3600 seconds, and the default value is 1200 seconds.
Note
If a rogue access point or client entry times out, it is removed from the controller only if its rogue
state is Alert or Threat for any classification type.
Step 5
If desired, select the Validate Rogue Clients Against AAA check box to use the AAA server or local
database to validate if rogue clients are valid clients. The default value is unselected.
Step 6
If desired, select the Detect and Report Ad-Hoc Networks check box to enable ad-hoc rogue detection
and reporting. The default value is selected.
Step 7
In the Rogue Detection Report Interval text box, enter the time interval in seconds at which APs should
send rogue detection reports to the controller. The valid range is from 10 seconds to 300 seconds, and the
default value is 10 seconds.
Note
This feature is applicable to APs that are in monitor mode only.
Step 8
In the Rogue Detection Minimum RSSI text box, enter the minimum RSSI value that a rogue should have
for APs to detect it and for a rogue entry to be created in the controller. The valid range is from –128 dBm
to 0 dBm, and the default value is 0 dBm.
Note
This feature is applicable to all the AP modes.
There can be many rogues with very weak RSSI values that do not provide any valuable information in
rogue analysis. Therefore, you can use this option to filter rogues by specifying the minimum RSSI value
at which APs should detect rogues.
Step 9
In the Rogue Detection Transient Interval text box, enter the time interval at which a rogue has to be
scanned for by the AP after the first time that the rogue is scanned. After the rogue is scanned, updates
are sent periodically to the controller. The APs filter transient rogues, which are active for a very short
period and are then silent. The valid range is from 120 seconds to 1800 seconds, and the default value is
0.
Note
This feature is applicable to APs that are in monitor mode only.
This feature has the following advantages:
• Rogue reports from APs to the controller are shorter.
• Transient rogue entries are avoided in the controller.
• Unnecessary memory allocation for transient rogues is avoided.
Step 10
If you want the controller to automatically contain certain rogue devices, select the following check
boxes. Otherwise, leave the check boxes unselected, which is the default value.
Caution
When you enable any of these parameters, the following warning appears: “Using this feature may have
legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial,
Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such,
containing devices on another party’s network could have legal consequences.
• Auto Containment Level—Set the auto containment level by selecting a value from the drop-down
list. The default is 1.
• Auto Containment only for monitor mode APs—Enable the check box if you want to use only
monitor mode access points for auto-containment.
• Rogue on Wire—Automatically contains rogues that are detected on the wired network.
• Using Our SSID—Automatically contains rogues that are advertising your network’s SSID. If you
leave this parameter unselected, the controller only generates an alarm when such a rogue is
detected.
• Valid Client on Rogue AP—Automatically contains a rogue access point to which trusted clients
are associated. If you leave this parameter unselected, the controller only generates an alarm when
such a rogue is detected.
• AdHoc Rogue AP—Automatically contains ad-hoc networks detected by the controller. If you
leave this parameter unselected, the controller only generates an alarm when such a network is
detected.
Step 11
Click Apply to commit your changes.
Step 12
Click Save Configuration to save your changes.
Configuring Rogue Detection (CLI)
Step 1
Make sure that rogue detection is enabled on the desired access points. Rogue detection is enabled by
default for all access points joined to the controller (except for OfficeExtend access points). However,
in controller software release 6.0 or later releases, you can enable or disable it for individual access
points by entering the config rogue detection {enable | disable} Cisco_AP command.
Note
To see the current rogue detection configuration for a specific access point, enter the show ap
config general Cisco_AP command.
Note
Rogue detection is disabled by default for OfficeExtend access points because these access
points, which are deployed in a home environment, are likely to detect a large number of rogue
devices.
Step 2
Enable, disable, or initiate RLDP by entering these commands:
• config rogue ap rldp enable alarm-only—Enables RLDP on all access points.
• config rogue ap rldp enable alarm-only monitor_ap_only—Enables RLDP only on access points
in monitor mode.
• config rogue ap rldp initiate rogue_mac_address—Initiates RLDP on a specific rogue access
point.
• config rogue ap rldp disable—Disables RLDP on all access points.
Step 3
Specify the number of seconds after which the rogue access point and client entries expire and are
removed from the list by entering this command:
config rogue ap timeout seconds
The valid range for the seconds parameter is 240 to 3600 seconds (inclusive), and the default value is
1200 seconds.
Note
If a rogue access point or client entry times out, it is removed from the controller only if its rogue
state is Alert or Threat for any classification type.
Step 4
Enable or disable ad-hoc rogue detection and reporting by entering this command:
config rogue adhoc {enable | disable}
Step 5
Enable or disable the AAA server or local database to validate if rogue clients are valid clients by
entering this command:
config rogue client aaa {enable | disable}
Step 6
Specify the time interval in seconds at which APs should send rogue detection reports to the controller
by entering the following command:
config rogue detection monitor-ap report-interval time in sec
Valid range for the time in sec parameter is 10 seconds to 300 seconds, and the default value is 10
seconds.
Note
This feature is applicable to APs that are in monitor mode only.
Step 7
Specify the minimum RSSI value that rogues should have for APs to detect and for rogue entry to be
created in the controller by entering the following command:
config rogue detection min-rssi rssi in dBm
Valid range for the rssi in dBm parameter is –128 dBm to 0 dBm, and the default value is 0 dBm.
Note
This feature is applicable to all the AP modes.
There can be many rogues with very weak RSSI values that do not provide any valuable information in
rogue analysis. Therefore, you can use this option to filter rogues by specifying the minimum RSSI value
at which APs should detect rogues.
Step 8
Specify the time interval at which rogues have to be consistently scanned for by APs after the first time
the rogues are scanned for by entering the following command:
config rogue detection monitor-ap transient-rogue-interval time in sec
Valid range for the time in sec parameter is 120 seconds to 1800 seconds, and the default value is 0.
Note
This feature is applicable to APs that are in monitor mode only.
Using the transient interval values, you can control the time interval at which APs should scan for rogues.
APs can also filter the rogues based on their transient interval values.
This feature has the following advantages:
• Rogue reports from APs to the controller are shorter.
• Transient rogue entries are avoided in the controller.
• Unnecessary memory allocation for transient rogues is avoided.
Step 9
If you want the controller to automatically contain certain rogue devices, enter these commands:
Caution
When you enter any of these commands, the following warning appears: “Using this feature may have
legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial,
Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such,
containing devices on another party’s network could have legal consequences.
• config rogue ap rldp enable auto-contain—Automatically contains rogues that are detected on the
wired network.
• config rogue ap ssid auto-contain—Automatically contains rogues that are advertising your
network’s SSID.
Note
If you want the controller to only generate an alarm when such a rogue is detected, enter the
config rogue ap ssid alarm command.
• config rogue ap valid-client auto-contain—Automatically contains a rogue access point to which
trusted clients are associated.
Note
If you want the controller to only generate an alarm when such a rogue is detected, enter the
config rogue ap valid-client alarm command.
• config rogue adhoc auto-contain—Automatically contains ad-hoc networks detected by the
controller.
Note
If you want the controller to only generate an alarm when such a network is detected, enter
the config rogue adhoc alert command.
• config rogue auto-contain level {1 - 4}—Sets the auto containment level to a value between 1
and 4. The default is 1.
• config rogue auto-contain level 1 monitor_mode_ap_only—Uses only monitor mode access
points for auto-containment.
Step 10
Configure RLDP scheduling by entering this command:
• config rogue ap rldp schedule add—Enables you to schedule RLDP on a particular day of the
week. You must enter the day of the week (for example mon, tue, wed, and so on) on which you
want to schedule RLDP and the start time and end time in HH:MM:SS format. An example is as
follows:
config rogue ap rldp schedule add mon 22:00:00 23:00:00
Note
When you configure RLDP scheduling, it is assumed that the scheduling would occur in the
future, that is, after the configuration is saved.
Step 11
Save your changes by entering this command:
save config
Classifying Rogue Access Points
This section contains the following topics:
• Information About Classifying Rogue Access Points, page 7-88
• Configuring Rogue Classification Rules (GUI), page 7-90
• Viewing and Classifying Rogue Devices (GUI), page 7-93
• Configuring Rogue Classification Rules (CLI), page 7-96
• Viewing and Classify Rogue Devices (CLI), page 7-98
Information About Classifying Rogue Access Points
The controller software now enables you to create rules that can organize and display rogue access points
as Friendly, Malicious, or Unclassified.
By default, none of the classification rules are enabled. Therefore, all unknown access points are
categorized as Unclassified. When you create a rule, configure conditions for it, and enable the rule, the
unclassified access points are reclassified. Whenever you change a rule, it is applied to all access points
(friendly, malicious, and unclassified) in the Alert state only.
Note
Rule-based rogue classification does not apply to ad-hoc rogues and rogue clients.
Note
You can configure up to 64 rogue classification rules per controller.
When the controller receives a rogue report from one of its managed access points, it responds as
follows:
1. The controller verifies whether the unknown access point is in the friendly MAC address list. If it is,
the controller classifies the access point as Friendly.
2. If the unknown access point is not in the friendly MAC address list, the controller starts applying
rogue classification rules.
3. If the rogue is already classified as Malicious (Alert) or Friendly (Internal, External), the controller
does not reclassify it automatically. If the rogue is classified differently, the controller reclassifies it
automatically only if the rogue is in the Alert state.
4. The controller applies the first rule based on priority. If the rogue access point matches the criteria
specified by the rule, the controller classifies the rogue according to the classification type
configured for the rule.
5. If the rogue access point does not match any of the configured rules, the controller classifies the
rogue as Unclassified.
6. The controller repeats the previous steps for all rogue access points.
7. If RLDP determines that the rogue access point is on the network, the controller marks the rogue
state as Threat and classifies it as Malicious automatically, even if no rules are configured. You can
then manually contain the rogue (unless you have configured RLDP to automatically contain the
rogue), which changes the rogue state to Contained. If the rogue access point is not on the
network, the controller marks the rogue state as Alert, and you can manually contain the rogue.
8. If desired, you can manually move the access point to a different classification type and rogue state.
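The following Python models the classification sequence above together with the Match All/Match Any operation and the rule conditions described under Configuring Rogue Classification Rules (GUI) later in this section. It is an added example, not controller code: the report fields, the rule representation, the assumption that a rule with no conditions matches nothing, and the Alert state assigned on a friendly-MAC-list hit (the guide names only the classification) are this example's own. It reclassifies any entry in the Alert state, as a rule change does, and does not model the sticky Malicious (Alert) case of step 3. The configuration and rogue reports at the bottom are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class RogueReport:
    """Constructed stand-in for one rogue report from an AP (field names are this example's own)."""
    bssid: str
    ssid: str
    rssi: int              # dBm as seen by the reporting AP
    seen_seconds: int      # how long the rogue has been detected
    client_count: int      # clients associated to the rogue
    encrypted: bool        # whether the advertised WLAN uses encryption
    on_wire: bool = False  # RLDP verdict


@dataclass
class Rule:
    """One rogue classification rule with the conditions the Rogue Rules page offers."""
    name: str
    rule_type: str                        # "Friendly" or "Malicious"
    priority: int                         # lower number is evaluated first
    enabled: bool = False                 # rules are disabled by default
    match_all: bool = False               # Match Any is the default operation
    ssids: FrozenSet[str] = frozenset()   # SSID condition (user-configured list)
    min_rssi: Optional[int] = None        # RSSI condition, dBm
    min_duration: Optional[int] = None    # Duration condition, seconds
    min_clients: Optional[int] = None     # Client Count condition
    no_encryption: bool = False           # No Encryption condition
    managed_ssid: bool = False            # Managed SSID condition


def unsatisfiable(rule: Rule) -> bool:
    """Match All with both SSID and Managed SSID can never match: the two lists are mutually exclusive."""
    return rule.match_all and bool(rule.ssids) and rule.managed_ssid


def rule_matches(rule: Rule, rogue: RogueReport, managed_ssids) -> bool:
    """Evaluate every configured condition, then combine them per the rule's match operation."""
    if not rule.enabled or unsatisfiable(rule):
        return False
    checks = []
    if rule.ssids:
        checks.append(rogue.ssid in rule.ssids)
    if rule.min_rssi is not None:
        checks.append(rogue.rssi >= rule.min_rssi)
    if rule.min_duration is not None:
        checks.append(rogue.seen_seconds >= rule.min_duration)
    if rule.min_clients is not None:
        checks.append(rogue.client_count >= rule.min_clients)
    if rule.no_encryption:
        checks.append(not rogue.encrypted)
    if rule.managed_ssid:
        checks.append(rogue.ssid in managed_ssids)
    if not checks:
        return False   # assumption: a rule without conditions matches nothing
    return all(checks) if rule.match_all else any(checks)


def classify(rogue, rules, friendly_macs, managed_ssids, current=None):
    """Return (classification, state) for a rogue report.
    `current` is the (classification, state) the controller already holds, or None for a new rogue."""
    if rogue.on_wire:                                  # RLDP found it on the wired network
        return ("Malicious", "Threat")
    if current is not None and current[1] != "Alert":  # only Alert-state entries are reclassified
        return current
    if rogue.bssid.lower() in {m.lower() for m in friendly_macs}:
        return ("Friendly", "Alert")                   # friendly MAC list wins; state assumed Alert
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, rogue, managed_ssids):   # first match by priority decides
            return (rule.rule_type, "Alert")
    return ("Unclassified", "Alert")


# Constructed configuration and reports for a demonstration run.
MANAGED_SSIDS = {"corp"}
FRIENDLY_MACS = {"00:11:22:33:44:55"}
RULES = [
    Rule("bad-rule", "Malicious", 0, enabled=True, match_all=True, ssids=frozenset({"corp"}), managed_ssid=True),
    Rule("lab-aps", "Friendly", 0, enabled=False, ssids=frozenset({"xyz"})),
    Rule("evil-twin", "Malicious", 1, enabled=True, managed_ssid=True),
    Rule("open-near", "Malicious", 2, enabled=True, match_all=True, no_encryption=True, min_rssi=-70),
    Rule("neighbor", "Friendly", 3, enabled=True, ssids=frozenset({"CoffeeShop"})),
]
REPORTS = {
    "twin": RogueReport("aa:bb:cc:00:00:01", "corp", -55, 600, 3, True),
    "cafe": RogueReport("aa:bb:cc:00:00:02", "CoffeeShop", -85, 9000, 5, True),
    "open-near": RogueReport("aa:bb:cc:00:00:03", "xyz", -60, 30, 0, False),
    "open-far": RogueReport("aa:bb:cc:00:00:04", "xyz", -90, 30, 0, False),
    "lab": RogueReport("00:11:22:33:44:55", "xyz", -60, 30, 0, False),
    "wired": RogueReport("aa:bb:cc:00:00:05", "xyz", -60, 30, 0, True, on_wire=True),
}


def demo():
    """Classify every constructed report; returns {name: (classification, state)}."""
    return {name: classify(r, RULES, FRIENDLY_MACS, MANAGED_SSIDS) for name, r in REPORTS.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```

The run shows the ordering rules in action: "bad-rule" has the highest priority but is skipped because Match All with both SSID conditions can never be met, the disabled "lab-aps" rule never fires, the open rogue at -90 dBm stays Unclassified because Match All needs both the encryption and the RSSI condition, and a contained entry is left alone whatever the rules say.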
Table 7-9
Classification Mapping

Rule-Based Classification Type: Friendly
Rogue States:
• Internal—If the unknown access point is inside the network and poses no threat to WLAN security,
you would manually configure it as Friendly, Internal. An example is the access points in your lab
network.
• External—If the unknown access point is outside the network and poses no threat to WLAN
security, you would manually configure it as Friendly, External. An example is an access point that
belongs to a neighboring coffee shop.
• Alert—The unknown access point is moved to Alert if it is not in the neighbor list or in the
user-configured friendly MAC list.

Rule-Based Classification Type: Malicious
Rogue States:
• Alert—The unknown access point is moved to Alert if it is not in the neighbor list or in the
user-configured friendly MAC list.
• Threat—The unknown access point is found to be on the network and poses a threat to WLAN
security.
• Contained—The unknown access point is contained.
• Contained Pending—The unknown access point is marked Contained, but the action is delayed due
to unavailable resources.

Rule-Based Classification Type: Unclassified
Rogue States:
• Pending—On first detection, the unknown access point is put in the Pending state for 3 minutes.
During this time, the managed access points determine if the unknown access point is a neighbor
access point.
• Alert—The unknown access point is moved to Alert if it is not in the neighbor list or in the
user-configured friendly MAC list.
• Contained—The unknown access point is contained.
• Contained Pending—The unknown access point is marked Contained, but the action is delayed due
to unavailable resources.
If you upgrade to controller software release 5.0 or later releases, the classification and state of the rogue
access points are reconfigured as follows:
• From Known to Friendly, Internal
• From Acknowledged to Friendly, External
• From Contained to Malicious, Contained
As mentioned previously, the controller can automatically change the classification type and rogue state
of an unknown access point based on user-defined rules, or you can manually move the unknown access
point to a different classification type and rogue state.
Table 7-10
Allowable Classification Type and Rogue State Transitions
• From Friendly (Internal, External, Alert) to Malicious (Alert)
• From Friendly (Internal, External, Alert) to Unclassified (Alert)
• From Friendly (Alert) to Friendly (Internal, External)
• From Malicious (Alert, Threat) to Friendly (Internal, External)
• From Malicious (Contained, Contained Pending) to Malicious (Alert)
• From Unclassified (Alert, Threat) to Friendly (Internal, External)
• From Unclassified (Contained, Contained Pending) to Unclassified (Alert)
• From Unclassified (Alert) to Malicious (Alert)
If the rogue state is Contained, you have to uncontain the rogue access point before you can change the
classification type. If you want to move a rogue access point from Malicious to Unclassified, you must
delete the access point and allow the controller to reclassify it.
Configuring Rogue Classification Rules (GUI)
Step 1
Choose Security > Wireless Protection Policies > Rogue Policies > Rogue Rules to open the Rogue
Rules page.
Figure 7-21
Rogue Rules Page
Any rules that have already been created are listed in priority order. The name, type, and status of each
rule is provided.
Note
If you ever want to delete a rule, hover your cursor over the blue drop-down arrow for that rule
and click Remove.
Step 2
Create a new rule as follows:
a. Click Add Rule. An Add Rule section appears at the top of the page.
b. In the Rule Name text box, enter a name for the new rule. Make sure that the name does not contain
any spaces.
c. From the Rule Type drop-down list, choose Friendly or Malicious to classify rogue access points
matching this rule as friendly or malicious.
d. Click Add to add this rule to the list of existing rules, or click Cancel to discard this new rule.
Step 3
Edit a rule as follows:
a. Click the name of the rule that you want to edit. The Rogue Rule > Edit page appears.
Figure 7-22
Rogue Rule > Edit Page
b. From the Type drop-down list, choose Friendly or Malicious to classify rogue access points
matching this rule as friendly or malicious.
c. For Match Operation, choose one of the following:
• Match All—If this rule is enabled, a detected rogue access point must meet all of the conditions
specified by the rule in order for the rule to be matched and the rogue to adopt the classification
type of the rule.
• Match Any—If this rule is enabled, a detected rogue access point must meet at least one of the
conditions specified by the rule in order for the rule to be matched and the rogue to adopt the
classification type of the rule. This is the default value.
d. To enable this rule, select the Enable Rule check box. The default value is unselected.
e. From the Add Condition drop-down list, choose one or more of the following conditions that the
rogue access point must meet and click Add Condition.
• SSID—Requires that the rogue access point have a specific user-configured SSID. If you
choose this option, enter the SSID in the User Configured SSID text box, and click Add SSID.
Note
To delete an SSID, highlight the SSID and click Remove.
• RSSI—Requires that the rogue access point have a minimum received signal strength indication
(RSSI) value. For example, if the rogue access point has an RSSI that is greater than the
configured value, then the access point could be classified as malicious. If you choose this
option, enter the minimum RSSI value in the Minimum RSSI text box. The valid range is –95
to –50 dBm (inclusive), and the default value is 0 dBm.
Cisco Wireless LAN Controller Configuration Guide
OL-21524-03
7-91
Chapter 7
Configuring Security Solutions
Classifying Rogue Access Points
• Duration—Requires that the rogue access point be detected for a minimum period of time. If
you choose this option, enter a value for the minimum detection period in the Time Duration
text box. The valid range is 0 to 3600 seconds (inclusive), and the default value is 0 seconds.
• Client Count—Requires that a minimum number of clients be associated to the rogue access
point. For example, if the number of clients associated to the rogue access point is greater than
or equal to the configured value, then the access point could be classified as malicious. If you
choose this option, enter the minimum number of clients to be associated to the rogue access
point in the Minimum Number of Rogue Clients text box. The valid range is 1 to 10 (inclusive),
and the default value is 0.
• No Encryption—Requires that the rogue access point’s advertised WLAN does not have
encryption enabled. If a rogue access point has encryption disabled, it is likely that more clients
will try to associate to it. No further configuration is required for this option.
Note
WCS refers to this option as “Open Authentication.”
• Managed SSID—Requires that the rogue access point’s managed SSID (the SSID configured
for the WLAN) be known to the controller. No further configuration is required for this option.
Note
The SSID and Managed SSID conditions cannot be used with the Match All operation
because these two SSID lists are mutually exclusive. If you define a rule with Match All
and have these two conditions configured, the rogue access points are never classified
as friendly or malicious because one of the conditions can never be met.
You can add up to six conditions per rule. When you add a condition, it appears under the Conditions
section.
Note
If you ever want to delete a condition from this rule, hover your cursor over the blue
drop-down arrow for that condition and click Remove.
f. Click Apply to commit your changes.
Step 4
Click Save Configuration to save your changes.
Step 5
If you want to change the order in which rogue classification rules are applied, follow these steps:
a. Click Back to return to the Rogue Rules page.
b. Click Change Priority to access the Rogue Rules > Priority page.
The rogue rules are listed in priority order in the Change Rules Priority text box.
c. Highlight the rule for which you want to change the priority, and click Up to raise its priority in the
list or Down to lower its priority in the list.
d. Continue to move the rules up or down until the rules are in the desired order.
e. Click Apply to commit your changes.
Step 6
Classify any rogue access points as friendly and add them to the friendly MAC address list as follows:
a. Choose Security > Wireless Protection Policies > Rogue Policies > Friendly Rogue to open the
Friendly Rogue > Create page.
b. In the MAC Address text box, enter the MAC address of the friendly rogue access point.
c. Click Apply to commit your changes.
d. Click Save Configuration to save your changes. This access point is added to the controller’s list
of friendly access points and should now appear on the Friendly Rogue APs page.
Viewing and Classifying Rogue Devices (GUI)
Caution
When you choose to contain a rogue device, the following warning appears: “There may be legal issues
following this containment. Are you sure you want to continue?” The 2.4- and 5-GHz frequencies in the
Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license.
As such, containing devices on another party’s network could have legal consequences.
Step 1
Choose Monitor > Rogues.
Step 2
Choose the following options to view the different types of rogue access points detected by the
controller:
• Friendly APs
• Malicious APs
• Unclassified APs
Figure 7-23 Rogue APs Page
The Friendly Rogue APs page, Malicious Rogue APs page, and Unclassified Rogue APs page provide
the following information: the MAC address and SSID of the rogue access point, Channel Number, the
number of clients connected to the rogue access point, the number of radios that detected the rogue
access point, and the current status of the rogue access point.
Note
To remove acknowledged rogues from the database, go to the WLC UI and change the rogue
state to Alert Unknown and click Save Configuration. If the rogue is no longer present, it will
disappear from the database in 20 minutes.
Note
If you ever want to delete a rogue access point from one of these pages, hover your cursor over
the blue drop-down arrow and click Remove. To delete multiple rogue access points, check the
check box corresponding to the row you want to delete and click Remove Selected.
Step 3
Obtain more details about a rogue access point by clicking the MAC address of the access point. The
Rogue AP Detail page appears.
This page provides the following information: the MAC address of the rogue device, the type of rogue
device (such as an access point), whether the rogue device is on the wired network, the dates and times
when the rogue device was first and last reported, and the current status of the device.
The Class Type text box shows the current classification for this rogue access point:
• Friendly—An unknown access point that matches the user-defined friendly rules or an existing
known and acknowledged rogue access point. Friendly access points cannot be contained.
• Malicious—An unknown access point that matches the user-defined malicious rules or is moved
manually by the user from the Friendly or Unclassified classification type.
Note
Once an access point is classified as Malicious, you cannot apply rules to it in the future,
and it cannot be moved to another classification type. If you want to move a malicious access
point to the Unclassified classification type, you must delete the access point and allow the
controller to reclassify it.
• Unclassified—An unknown access point that does not match the user-defined friendly or malicious
rules. An unclassified access point can be contained. It can also be moved to the Friendly or
Malicious classification type automatically in accordance with user-defined rules or manually by the
user.
Step 4
If you want to change the classification of this device, choose a different classification from the Class
Type drop-down list.
Note
A rogue access point cannot be moved to another class if its current state is Contain.
Step 5
From the Update Status drop-down list, choose one of the following options to specify how the controller
should respond to this rogue access point:
• Internal—The controller trusts this rogue access point. This option is available if the Class Type is
set to Friendly.
• External—The controller acknowledges the presence of this rogue access point. This option is
available if the Class Type is set to Friendly.
• Contain—The controller contains the offending device so that its signals no longer interfere with
authorized clients. This option is available if the Class Type is set to Malicious or Unclassified.
• Alert—The controller forwards an immediate alert to the system administrator for further action.
This option is available if the Class Type is set to Malicious or Unclassified.
The bottom of the page provides information on both the access points that detected this rogue access
point and any clients that are associated to it. To see more details for any of the clients, click Edit to
open the Rogue Client Detail page.
Step 6
Click Apply to commit your changes.
Step 7
Click Save Configuration to save your changes.
Step 8
View any rogue clients that are connected to the controller by choosing Rogue Clients. The Rogue
Clients page appears. This page shows the following information: the MAC address of the rogue client,
the MAC address of the access point to which the rogue client is associated, the SSID of the rogue client,
the number of radios that detected the rogue client, the date and time when the rogue client was last
reported, and the current status of the rogue client.
Step 9
Obtain more details about a rogue client by clicking the MAC address of the client. The Rogue Client
Detail page appears.
This page provides the following information: the MAC address of the rogue client, the MAC address of
the rogue access point to which this client is associated, the SSID and IP address of the rogue client, the
dates and times when the rogue client was first and last reported, and the current status of the rogue
client.
Step 10
From the Update Status drop-down list, choose one of the following options to specify how the controller
should respond to this rogue client:
• Contain—The controller contains the offending device so that its signals no longer interfere with
authorized clients.
• Alert—The controller forwards an immediate alert to the system administrator for further action.
The bottom of the page provides information on the access points that detected this rogue client.
Step 11
Click Apply to commit your changes.
Step 12
If desired, you can test the controller’s connection to this client by clicking Ping.
Step 13
Click Save Configuration to save your changes.
Step 14
See any ad-hoc rogues detected by the controller by choosing Adhoc Rogues. The Adhoc Rogues page
appears.
This page shows the following information: the MAC address, BSSID, and SSID of the ad-hoc rogue,
the number of radios that detected the ad-hoc rogue, and the current status of the ad-hoc rogue.
Step 15
Obtain more details about an ad-hoc rogue by clicking the MAC address of the rogue. The Adhoc Rogue
Detail page appears.
This page provides the following information: the MAC address and BSSID of the ad-hoc rogue, the
dates and times when the rogue was first and last reported, and the current status of the rogue.
Step 16
From the Update Status drop-down list, choose one of the following options to specify how the controller
should respond to this ad-hoc rogue:
• Contain—The controller contains the offending device so that its signals no longer interfere with
authorized clients.
• Alert—The controller forwards an immediate alert to the system administrator for further action.
• Internal—The controller trusts this ad-hoc rogue.
• External—The controller acknowledges the presence of this ad-hoc rogue.
Step 17
From the Maximum Number of APs to Contain the Rogue drop-down list, choose one of the following
options to specify the maximum number of access points used to contain this ad-hoc rogue: 1, 2, 3, or 4.
The bottom of the page provides information on the access points that detected this ad-hoc rogue.
Step 18
Click Apply to commit your changes.
Step 19
Click Save Configuration to save your changes.
Step 20
View any access points that have been configured to be ignored by choosing Rogue AP Ignore-List. The
Rogue AP Ignore-List page appears.
This page shows the MAC addresses of any access points that are configured to be ignored. The
rogue-ignore list contains a list of any autonomous access points that have been manually added to WCS
maps by WCS users. The controller regards these autonomous access points as rogues even though WCS
is managing them. The rogue-ignore list allows the controller to ignore these access points. The list is
updated as follows:
• When the controller receives a rogue report, it checks to see if the unknown access point is in the
rogue-ignore access point list.
• If the unknown access point is in the rogue-ignore list, the controller ignores this access point and
continues to process other rogue access points.
• If the unknown access point is not in the rogue-ignore list, the controller sends a trap to WCS. If
WCS finds this access point in its autonomous access point list, WCS sends a command to the
controller to add this access point to the rogue-ignore list. This access point is then ignored in future
rogue reports.
• If a user removes an autonomous access point from WCS, WCS sends a command to the controller
to remove this access point from the rogue-ignore list.
Configuring Rogue Classification Rules (CLI)
Step 1
Create a rule by entering this command:
config rogue rule add ap priority priority classify {friendly | malicious} rule_name
Note
If you later want to change the priority of this rule and shift others in the list accordingly, enter
the config rogue rule priority priority rule_name command. If you later want to change the
classification of this rule, enter the config rogue rule classify {friendly | malicious} rule_name
command.
Note
If you ever want to delete all of the rogue classification rules or a specific rule, enter the config
rogue rule delete {all | rule_name} command.
Step 2
Disable all rules or a specific rule by entering this command:
config rogue rule disable {all | rule_name}
Note
A rule must be disabled before you can modify its attributes.
Step 3
Add conditions to a rule that the rogue access point must meet by entering this command:
config rogue rule condition ap set condition_type condition_value rule_name
where condition_type is one of the following:
• ssid—Requires that the rogue access point have a specific SSID. You should add SSIDs that are not
managed by the controller. If you choose this option, enter the SSID for the condition_value
parameter. The SSID is added to the user-configured SSID list.
Note
If you ever want to delete all of the SSIDs or a specific SSID from the user-configured SSID
list, enter the config rogue rule condition ap delete ssid {all | ssid} rule_name command.
• rssi—Requires that the rogue access point have a minimum RSSI value. For example, if the rogue
access point has an RSSI that is greater than the configured value, then the access point could be
classified as malicious. If you choose this option, enter the minimum RSSI value for the
condition_value parameter. The valid range is –95 to –50 dBm (inclusive), and the default value is
0 dBm.
• duration—Requires that the rogue access point be detected for a minimum period of time. If you
choose this option, enter a value for the minimum detection period for the condition_value
parameter. The valid range is 0 to 3600 seconds (inclusive), and the default value is 0 seconds.
• client-count—Requires that a minimum number of clients be associated to the rogue access point.
For example, if the number of clients associated to the rogue access point is greater than or equal to
the configured value, then the access point could be classified as malicious. If you choose this
option, enter the minimum number of clients to be associated to the rogue access point for the
condition_value parameter. The valid range is 1 to 10 (inclusive), and the default value is 0.
• no-encryption—Requires that the rogue access point’s advertised WLAN does not have encryption
enabled. A condition_value parameter is not required for this option.
• managed-ssid—Requires that the rogue access point’s SSID be known to the controller. A
condition_value parameter is not required for this option.
Note
You can add up to six conditions per rule. If you ever want to delete all of the conditions or a
specific condition from a rule, enter the config rogue rule condition ap delete {all |
condition_type} condition_value rule_name command.
Step 4
Specify whether a detected rogue access point must meet all or any of the conditions specified by the
rule in order for the rule to be matched and the rogue access point to adopt the classification type of the
rule by entering this command:
config rogue rule match {all | any} rule_name
Step 5
Enable all rules or a specific rule by entering this command:
config rogue rule enable {all | rule_name}
Note
For your changes to become effective, you must enable the rule.
Step 6
Add a new friendly access point entry to the friendly MAC address list or delete an existing friendly
access point entry from the list by entering this command:
config rogue ap friendly {add | delete} ap_mac_address
Step 7
Save your changes by entering this command:
save config
Step 8
View the rogue classification rules that are configured on the controller by entering this command:
show rogue rule summary
Information similar to the following appears:
Priority Rule Name State    Type      Match Hit Count
-------- --------- -------- --------- ----- ---------
1        Rule1     Disabled Friendly  Any   0
2        Rule2     Enabled  Malicious Any   339
3        Rule3     Disabled Friendly  Any   0
Step 9
View detailed information for a specific rogue classification rule by entering this command:
show rogue rule detailed rule_name
Information similar to the following appears:
Priority......................................... 2
Rule Name........................................ Rule2
State............................................ Enabled
Type............................................. Malicious
Match Operation.................................. Any
Hit Count........................................ 352
Total Conditions................................. 6
Condition 1
type......................................... Client-count
value........................................ 10
Condition 2
type......................................... Duration
value (seconds).............................. 2000
Condition 3
type......................................... Managed-ssid
value........................................ Enabled
Condition 4
type......................................... No-encryption
value........................................ Enabled
Condition 5
type......................................... Rssi
value (dBm).................................. -50
Condition 6
type......................................... Ssid
SSID Count................................... 1
SSID 1.................................... test
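The rule semantics described in the GUI and CLI procedures above (condition types, Match All versus Match Any, priority order, rules taking effect only once enabled, and the Match All plus SSID plus Managed SSID combination that can never match) can be checked offline with the following model. This is an added example and not Cisco code; the rule names, SSIDs, MAC addresses and thresholds are constructed.

```python
"""Model of the controller's rogue classification rule evaluation.

Added example, not Cisco code. It follows the semantics described in the
GUI and CLI procedures. All rules, SSIDs, MAC addresses and values below
are constructed for illustration.
"""
from dataclasses import dataclass, field

MAX_CONDITIONS = 6          # the controller allows up to six conditions per rule


@dataclass
class Rule:
    name: str
    priority: int
    classify: str                       # "friendly" or "malicious"
    match: str = "any"                  # "all" or "any"; any is the default
    enabled: bool = False               # disabled rules are never applied
    conditions: list = field(default_factory=list)   # [(condition_type, value)]


@dataclass
class RogueReport:                      # what detecting APs report about one rogue
    mac: str
    ssid: str
    rssi_dbm: int
    duration_s: int
    clients: int
    encrypted: bool


def condition_met(ctype, value, rogue, managed_ssids):
    """Evaluate one condition against a rogue report."""
    if ctype == "ssid":            # value: the rule's user-configured SSID list
        return rogue.ssid in value
    if ctype == "rssi":            # value: minimum RSSI in dBm (-95..-50)
        return rogue.rssi_dbm >= value
    if ctype == "duration":        # value: minimum seconds detected (0..3600)
        return rogue.duration_s >= value
    if ctype == "client-count":    # value: minimum associated clients (1..10)
        return rogue.clients >= value
    if ctype == "no-encryption":   # no value: the advertised WLAN is open
        return not rogue.encrypted
    if ctype == "managed-ssid":    # no value: SSID is one of the controller's WLANs
        return rogue.ssid in managed_ssids
    raise ValueError(f"unknown condition type: {ctype}")


def rule_matches(rule, rogue, managed_ssids):
    if not rule.enabled or not rule.conditions:
        return False
    results = [condition_met(t, v, rogue, managed_ssids) for t, v in rule.conditions]
    return all(results) if rule.match == "all" else any(results)


def classify(rogue, rules, managed_ssids):
    """Apply rules in priority order; the first match wins, else Unclassified."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, rogue, managed_ssids):
            return rule.classify, rule.name
    return "unclassified", None


def lint_rule(rule):
    """Flag rule definitions that the text says can never work as intended."""
    problems = []
    types = [t for t, _ in rule.conditions]
    if len(types) > MAX_CONDITIONS:
        problems.append("more than six conditions")
    if rule.match == "all" and "ssid" in types and "managed-ssid" in types:
        # user-configured SSIDs and managed SSIDs are mutually exclusive lists
        problems.append("Match All with both SSID and Managed SSID never matches")
    return problems


MANAGED_SSIDS = {"corp-wifi", "corp-guest"}    # constructed WLANs on this controller

# Constructed rules; the comment on each shows the equivalent CLI 'add' step.
RULES = [
    # config rogue rule add ap priority 1 classify friendly LabAPs
    Rule("LabAPs", 1, "friendly", "all", True, [("ssid", ["lab-test"]), ("rssi", -95)]),
    # config rogue rule add ap priority 2 classify malicious EvilTwin
    Rule("EvilTwin", 2, "malicious", "any", True,
         [("managed-ssid", None), ("client-count", 3)]),
    # config rogue rule add ap priority 3 classify malicious OpenLongLived
    Rule("OpenLongLived", 3, "malicious", "all", True,
         [("no-encryption", None), ("duration", 600)]),
    # config rogue rule add ap priority 4 classify malicious NeverFires
    Rule("NeverFires", 4, "malicious", "all", True,
         [("ssid", ["evil"]), ("managed-ssid", None)]),
]

ROGUES = [                                      # constructed rogue reports
    RogueReport("00:00:5e:00:53:01", "lab-test", -70, 100, 0, True),
    RogueReport("00:00:5e:00:53:02", "corp-wifi", -60, 30, 0, True),
    RogueReport("00:00:5e:00:53:03", "FreeWiFi", -80, 900, 0, False),
    RogueReport("00:00:5e:00:53:04", "evil", -55, 10, 0, True),
]

if __name__ == "__main__":
    for rogue in ROGUES:
        print(rogue.mac, rogue.ssid, classify(rogue, RULES, MANAGED_SSIDS))
    for rule in RULES:
        for problem in lint_rule(rule):
            print(f"rule {rule.name}: {problem}")
```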
Viewing and Classifying Rogue Devices (CLI)
• View a list of all rogue access points detected by the controller by entering this command:
show rogue ap summary
Information similar to the following appears:
Rogue Location Discovery Protocol................ Enabled
Rogue AP timeout................................. 1200
MAC Address        Classification    # APs # Clients Last Heard
----------------- ----------------- ----- --------- -------------------------
00:0a:b8:7f:08:c0 Friendly          0     0         Not Heard
00:0b:85:01:30:3f Malicious         1     0         Fri Nov 30 11:30:59 2007
00:0b:85:63:70:6f Malicious         1     0         Fri Nov 30 11:20:14 2007
00:0b:85:63:cd:bf Malicious         1     0         Fri Nov 30 11:23:12 2007
...
• See a list of the friendly rogue access points detected by the controller by entering this command:
show rogue ap friendly summary
Information similar to the following appears:
Number of APs.................................... 1
MAC Address        State     # APs # Clients Last Heard
----------------- --------- ----- --------- -------------------------
00:0a:b8:7f:08:c0 Internal  1     0         Tue Nov 27 13:52:04 2007
• See a list of the malicious rogue access points detected by the controller by entering this command:
show rogue ap malicious summary
Information similar to the following appears:
Number of APs.................................... 264
MAC Address        State     # APs # Clients Last Heard
----------------- --------- ----- --------- -------------------------
00:0b:85:01:30:3f Alert     1     0         Fri Nov 30 11:20:01 2007
00:0b:85:63:70:6f Alert     1     0         Fri Nov 30 11:20:14 2007
00:0b:85:63:cd:bf Alert     1     0         Fri Nov 30 11:23:12 2007
00:0b:85:63:cd:dd Alert     1     0         Fri Nov 30 11:27:03 2007
00:0b:85:63:cd:de Alert     1     0         Fri Nov 30 11:26:23 2007
00:0b:85:63:cd:df Alert     1     0         Fri Nov 30 11:26:50 2007
...
• See a list of the unclassified rogue access points detected by the controller by entering this
command:
show rogue ap unclassified summary
Information similar to the following appears:
Number of APs.................................... 164
MAC Address        State     # APs # Clients Last Heard
----------------- --------- ----- --------- -------------------------
00:0b:85:63:cd:bd Alert     1     0         Fri Nov 30 11:12:52 2007
00:0b:85:63:cd:e7 Alert     1     0         Fri Nov 30 11:29:01 2007
00:0b:85:63:ce:05 Alert     1     0         Fri Nov 30 11:26:23 2007
00:0b:85:63:ce:07 Alert     1     0         Fri Nov 30 11:26:23 2007
...
• See detailed information for a specific rogue access point by entering this command:
show rogue ap detailed ap_mac_address
Information similar to the following appears:
Rogue BSSID...................................... 00:1d:70:59:95:9d
Rogue Radio Type................................. 802.11a
State............................................ Alert
First Time Rogue was Reported.................... Tue Sep 21 09:57:08 2010
Last Time Rogue was Reported..................... Tue Sep 21 10:00:56 2010
Rogue Client IP address.......................... Not known
Reported By
    AP 1
        MAC Address.............................. 68:ef:bd:e1:fd:30
        Name..................................... AP5475.d074.48e4
        RSSI..................................... -80 dBm
        SNR...................................... 18 dB
        Channel.................................. 40
        Last reported by this AP................. Tue Sep 21 10:00:56 2010
• See the rogue report (which shows the number of rogue devices detected on different channel
widths) for a specific 802.11a/n radio by entering this command:
show ap auto-rf 802.11a Cisco_AP
Information similar to the following appears:
Number Of Slots.................................. 2
AP Name.......................................... AP2
MAC Address...................................... 00:1b:d5:13:39:74
Radio Type....................................... RADIO_TYPE_80211a
Noise Information
    Noise Profile................................ PASSED
    Channel 36................................... -80 dBm
    Channel 40................................... -78 dBm
    ...
Interference Information
    Interference Profile......................... PASSED
    Channel 36................................... -81 dBm @ 8 % busy
    Channel 40................................... -66 dBm @ 4 % busy
    ...
Rogue Histogram (20/40_ABOVE/40_BELOW)
    Channel 36................................... 21/ 1/ 0
    Channel 40................................... 7/ 0/ 0
    ...
• See a list of all rogue clients that are associated to a rogue access point by entering this command:
show rogue ap clients ap_mac_address
Information similar to the following appears:
MAC Address        State     # APs Last Heard
----------------- --------- ----- -------------------------
00:bb:cd:12:ab:ff Alert     1     Fri Nov 30 11:26:23 2007
• See a list of all rogue clients detected by the controller by entering this command:
show rogue client summary
Information similar to the following appears:
Validate rogue clients against AAA............... Disabled
MAC Address        State     # APs Last Heard
----------------- --------- ----- -------------------------
00:0a:8a:7d:f5:f5 Alert     1     Mon Dec 3 21:56:36 2007
00:18:ba:78:c4:44 Alert     1     Mon Dec 3 21:59:36 2007
00:18:ba:78:c4:d1 Alert     1     Mon Dec 3 21:47:36 2007
00:18:ba:78:ca:f8 Alert     1     Mon Dec 3 22:02:36 2007
...
• See detailed information for a specific rogue client by entering this command:
show rogue client detailed client_mac_address
Information similar to the following appears:
Rogue BSSID...................................... 00:0b:85:23:ea:d1
State............................................ Alert
First Time Rogue was Reported.................... Mon Dec 3 21:50:36 2007
Last Time Rogue was Reported..................... Mon Dec 3 21:50:36 2007
Rogue Client IP address.......................... Not known
Reported By
    AP 1
        MAC Address.............................. 00:15:c7:82:b6:b0
        Name..................................... AP0016.47b2.31ea
        Radio Type............................... 802.11a
        RSSI..................................... -71 dBm
        SNR...................................... 23 dB
        Channel.................................. 149
        Last reported by this AP................. Mon Dec 3 21:50:36 2007
• See a list of all ad-hoc rogues detected by the controller by entering this command:
show rogue adhoc summary
Information similar to the following appears:
Detect and report Ad-Hoc Networks................ Enabled
Client MAC Address Adhoc BSSID        State       # APs   Last Heard
------------------ ------------------ ----------- ------- -------------------------
00:bb:cd:12:ab:ff  super              Alert       1       Fri Nov 30 11:26:23 2007
• See detailed information for a specific ad-hoc rogue by entering this command:
show rogue adhoc detailed rogue_mac_address
Information similar to the following appears:
Adhoc Rogue MAC address.......................... 02:61:ce:8e:a8:8c
Adhoc Rogue BSSID................................ 02:61:ce:8e:a8:8c
State............................................ Alert
First Time Adhoc Rogue was Reported.............. Tue Dec 11 20:45:45 2007
Last Time Adhoc Rogue was Reported............... Tue Dec 11 20:45:45 2007
Reported By
AP 1
MAC Address.............................. 00:14:1b:58:4a:e0
Name..................................... AP0014.1ced.2a60
Radio Type............................... 802.11b
SSID..................................... rf4k3ap
Channel.................................. 3
RSSI..................................... -56 dBm
SNR...................................... 15 dB
Encryption............................... Disabled
ShortPreamble............................ Disabled
WPA Support.............................. Disabled
Last reported by this AP............... Tue Dec 11 20:45:45 2007
• See a list of rogue access points that are configured to be ignored by entering this command:
show rogue ignore-list
Information similar to the following appears:
MAC Address
-----------------
10:bb:17:cc:01:ef
Note
See Step 20 of the “Viewing and Classifying Rogue Devices (GUI)” section on page 7-93
for more information on the rogue-ignore access point list.
• Classify a rogue access point as friendly by entering this command:
config rogue ap classify friendly state {internal | external} ap_mac_address
where
• internal means that the controller trusts this rogue access point.
• external means that the controller acknowledges the presence of this rogue access point.
Note
A rogue access point cannot be moved to the Friendly class if its current state is Contain.
• Mark a rogue access point as malicious by entering this command:
config rogue ap classify malicious state {alert | contain} ap_mac_address
where
• alert means that the controller forwards an immediate alert to the system administrator for
further action.
• contain means that the controller contains the offending device so that its signals no longer
interfere with authorized clients.
Note
A rogue access point cannot be moved to the Malicious class if its current state is Contain.
• Mark a rogue access point as unclassified by entering this command:
config rogue ap classify unclassified state {alert | contain} ap_mac_address
where
• alert means that the controller forwards an immediate alert to the system administrator for
further action.
• contain means that the controller contains the offending device so that its signals no longer
interfere with authorized clients.
Note
A rogue access point cannot be moved to the Unclassified class if its current state is Contain.
• Specify how the controller should respond to a rogue client by entering one of these commands:
• config rogue client alert client_mac_address—The controller forwards an immediate alert to
the system administrator for further action.
• config rogue client contain client_mac_address—The controller contains the offending device
so that its signals no longer interfere with authorized clients.
• Specify how the controller should respond to an ad-hoc rogue by entering one of these commands:
• config rogue adhoc alert rogue_mac_address—The controller forwards an immediate alert to
the system administrator for further action.
• config rogue adhoc contain rogue_mac_address—The controller contains the offending device
so that its signals no longer interfere with authorized clients.
• config rogue adhoc external rogue_mac_address—The controller acknowledges the presence
of this ad-hoc rogue.
• Save your changes by entering this command:
save config
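The summary tables above (MAC Address, State or Classification, # APs, # Clients, Last Heard) are what an operator usually has to work from when triaging rogues, and the Rogue AP timeout the show rogue ap summary output reports is the interval after which an unheard rogue ages out of the database. The following added example, not Cisco code, parses that layout and separates entries worth an analyst's attention from entries about to age out; SAMPLE_OUTPUT is constructed in the page's layout with made-up MAC addresses, counts and timestamps.

```python
"""Parse and triage the output of 'show rogue ap summary'.

Added example, not Cisco code. SAMPLE_OUTPUT is constructed in the table
layout shown in the guide; its MAC addresses, counts and timestamps are
made up. The 'Rogue AP timeout' value is read from the output itself.
"""
import re
from datetime import datetime, timedelta

SAMPLE_OUTPUT = """\
Rogue Location Discovery Protocol................ Enabled
Rogue AP timeout................................. 1200
MAC Address        Classification    # APs # Clients Last Heard
----------------- ----------------- ----- --------- -------------------------
00:0a:b8:7f:08:c0 Friendly          0     0         Not Heard
00:0b:85:01:30:3f Malicious         1     3         Fri Nov 30 11:30:59 2007
00:0b:85:63:70:6f Malicious         1     0         Fri Nov 30 11:20:14 2007
00:0b:85:63:cd:bf Unclassified      2     1         Fri Nov 30 11:23:12 2007
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"          # e.g. Fri Nov 30 11:30:59 2007
TIMEOUT_RE = re.compile(r"^Rogue AP timeout\.+\s*(\d+)\s*$", re.M)
ROW_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<cls>\w+)\s+"
    r"(?P<aps>\d+)\s+(?P<clients>\d+)\s+(?P<heard>.+?)\s*$", re.I)


def parse_summary(text):
    """Return (timeout_seconds, rows) from show rogue ap summary output."""
    m = TIMEOUT_RE.search(text)
    timeout = int(m.group(1)) if m else None
    rows = []
    for line in text.splitlines():
        r = ROW_RE.match(line)
        if not r:
            continue                       # banner, header or separator line
        heard = r.group("heard")
        rows.append({
            "mac": r.group("mac").lower(),
            "classification": r.group("cls"),
            "aps": int(r.group("aps")),
            "clients": int(r.group("clients")),
            "last_heard": None if heard == "Not Heard"
                          else datetime.strptime(heard, TIME_FMT),
        })
    return timeout, rows


def triage(rows, now, timeout_s):
    """Split rows into (needs attention, aging out) lists of MAC addresses."""
    attention, aging_out = [], []
    for row in rows:
        heard = row["last_heard"]
        if heard is not None and now - heard > timedelta(seconds=timeout_s):
            aging_out.append(row["mac"])   # drops from the database if still unheard
            continue
        # A non-friendly rogue with clients attached is the case to look at first
        if row["classification"] != "Friendly" and row["clients"] > 0:
            attention.append(row["mac"])
    return attention, aging_out


def triage_output(text, now_str):
    """Parse the output and triage it as of now_str (same format as Last Heard)."""
    timeout, rows = parse_summary(text)
    return triage(rows, datetime.strptime(now_str, TIME_FMT), timeout)


if __name__ == "__main__":
    print(triage_output(SAMPLE_OUTPUT, "Fri Nov 30 11:45:00 2007"))
```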
Configuring Cisco TrustSec SXP
This section contains the following topics:
• Information About Cisco TrustSec SXP, page 7-103
• Guidelines and Limitations, page 7-103
• Configuring Cisco TrustSec SXP (GUI), page 7-104
• Creating a New SXP Connection (GUI), page 7-105
• Configuring Cisco TrustSec SXP (CLI), page 7-105
Information About Cisco TrustSec SXP
Cisco TrustSec (CTS) enables organizations to secure their networks and services through identity-based
access control to anyone, anywhere, anytime. The solution also offers data integrity and confidentiality
services, policy-based governance, and centralized monitoring, troubleshooting, and reporting services.
CTS can be combined with personalized, professional service offerings to simplify solution deployment
and management and is a foundational security component to Cisco Borderless Networks.
The CTS architecture establishes domains of trusted network devices. Each device in the domain is
authenticated by its peers. Communication on the links between devices in the domain is secured with a
combination of encryption, message integrity checks, and data-path replay protection mechanisms. CTS
uses the device and user credentials acquired during authentication for classifying the packets by
security groups (SGs) as they enter the network. This packet classification is maintained by tagging
packets on ingress to the CTS network so that they can be correctly identified to apply security and other
policy criteria along the data path. The tag, called the security group tag (SGT), allows the network to
enforce the access control policy by enabling the endpoint device to act upon the SGT to filter traffic.
One of the components of the CTS architecture is the security group-based access control. Access
policies in the Cisco TrustSec domain are topology-independent, based on the roles (as indicated by
security group number) of source and destination devices rather than on network addresses. Individual
packets are tagged with the security group number of the source.
Cisco devices use the SGT Exchange Protocol (SXP) to propagate SGTs across network devices that do
not have hardware support for Cisco TrustSec. SXP is a software mechanism that avoids a CTS hardware
upgrade on every switch. The controller supports SXP as part of the CTS architecture. SXP sends
SGT information to the CTS-enabled switches so that the appropriate role-based access control lists
(RBACLs) can be activated for the role that the SGT represents. By default, the controller always works
in Speaker mode. To implement SXP on a network, only the egress distribution switch needs to be
CTS-enabled; all the other switches can be non-CTS-capable switches.
The SXP runs between any access layer and distribution switch or between two distribution switches.
The SXP uses TCP as the transport layer. CTS authentication is performed for any host (client) that joins
the network on the access layer switch similar to an access switch with CTS–enabled hardware. The
access layer switch is not CTS hardware enabled. Data traffic is not encrypted or cryptographically
authenticated when it passes through the access layer switch. The SXP is used to pass the IP address of
the authenticated device (that is a wireless client) and the corresponding SGT up to the distribution
switch. If the distribution switch is CTS–hardware enabled, the switch inserts the SGT into the packet
on behalf of the access layer switch. If the distribution switch is not CTS-hardware enabled, the SXP on
the distribution switch passes the IP-SGT mapping to all the distribution switches that have CTS
hardware. On the egress side, the enforcement of the RBACL occurs at the egress Layer 3 interface on
the distribution switch.
For more information about CTS, see http://www.cisco.com/en/US/netsol/ns1051/index.html.
Guidelines and Limitations
• SXP is not supported on FlexConnect access points.
• SXP is supported only in centrally switched networks that have central authentication.
• By default, SXP is supported for APs that work in local mode only.
• The controller always operates in the Speaker mode.
• The configuration of the default password should be consistent for both controller and the switch.
• Fault tolerance is not supported because fault tolerance requires local switching on APs.
• SXP is supported for both IPv4 and IPv6 clients.
• Static IP-SGT mapping for local authentication of users is not supported.
• IP-SGT mapping requires authentication with external ACS servers.
• SXP is supported on the following security policies only:
– WPA2-dot1x
– WPA-dot1x
– 802.1x (Dynamic WEP)
– MAC Filtering using RADIUS servers
– Web authentication using RADIUS servers for user authentication
Configuring Cisco TrustSec SXP (GUI)
Step 1
Choose SECURITY > TrustSec SXP to open the SXP Configuration page.
Figure 7-24 SXP Configuration Page
This page lists the following SXP configuration details:
• Total SXP Connections—Number of SXP connections that are configured.
• SXP State—Status of SXP connections as either disabled or enabled.
• SXP Mode—SXP mode of the controller. The controller is always set to Speaker mode for SXP
connections.
• Default Password—Password for MD5 authentication of SXP messages. We recommend that the
password have a minimum of 6 characters.
• Default Source IP—IP address of the management interface. SXP uses the default source IP address
for all new TCP connections.
• Retry Period—SXP retry timer. The default value is 120 seconds (2 minutes). The valid range is 0
to 64000 seconds. The SXP retry period determines how often the controller retries for an SXP
connection. When an SXP connection is not successfully set up, the controller makes a new attempt
to set up the connection after the SXP retry period timer expires. Setting the SXP retry period to 0
seconds disables the timer and retries are not attempted.
This page also displays the following information about SXP connections:
• Peer IP Address—The IP address of the next hop switch to which the controller is connected. There
is no effect on the existing TCP connections when you configure a new peer connection.
• Source IP Address—The management IP address of the controller.
• Connection Status—Status of the SXP connection.
Step 2
To enable CTS SXP, from the SXP State drop-down list, choose Enabled.
Step 3
Enter the default password that should be used to make an SXP connection. We recommend that the
password contain a minimum of 6 characters.
Step 4
In the Retry Period text box, enter the time in seconds that determines how often the Cisco TrustSec
software retries for an SXP connection.
Step 5
Click Apply to commit your changes.
Creating a New SXP Connection (GUI)
Step 1
Choose SECURITY > TrustSec SXP and click New to open the SXP Connection > New page.
Step 2
In the Peer IP Address text box, enter the IP address of the next hop switch to which the controller is
connected.
Step 3
Click Apply.
Configuring Cisco TrustSec SXP (CLI)
• To enable or disable the SXP on the controller, enter this command:
config cts sxp {enable | disable}
• To configure the default password for MD5 Authentication of SXP messages, enter this command:
config cts sxp default password password
• To configure the SXP retry period, enter the following command:
config cts sxp retry period time-in-seconds
• To configure the IP address of the next hop switch with which the controller is connected, enter the
command:
config cts sxp connection peer ip-address
• To remove an SXP connection, enter this command:
config cts sxp connection delete ip-address
• To see a summary of SXP configuration, enter this command:
show cts sxp summary
Information similar to the following appears:
SXP State........................................ Enable
SXP Mode......................................... Speaker
Default Password................................. ****
Default Source IP................................ 209.165.200.224
Connection retry open period .................... 120
• To see the list of SXP connections that are configured, enter the following command:
show cts sxp connections
Information similar to the following appears:
Total num of SXP Connections..................... 1
SXP State........................................ Enable
Peer IP            Source IP          Connection Status
-----------------------------------------------------------
209.165.200.229    209.165.200.224    On
Configuring Cisco Intrusion Detection System
This section contains the following topics:
• Information About Cisco Intrusion Detection System, page 7-106
• Additional Information, page 7-107
• Configuring IDS Sensors (GUI), page 7-107
• Configuring IDS Sensors (CLI), page 7-108
• Viewing Shunned Clients (CLI), page 7-110
Information About Cisco Intrusion Detection System
The Cisco Intrusion Detection System/Intrusion Prevention System (CIDS/CIPS) instructs controllers to
block certain clients from accessing the wireless network when attacks involving these clients are
detected at Layer 3 through Layer 7. This system offers significant network protection by helping to
detect, classify, and stop threats including worms, spyware/adware, network viruses, and application
abuse. Two methods are available to detect potential attacks:
•
IDS sensors
•
IDS signatures
You can configure IDS sensors to detect various types of IP-level attacks in your network. When the
sensors identify an attack, they can alert the controller to shun the offending client. When you add a new
IDS sensor, you register the controller with that IDS sensor so that the controller can query the sensor
to get the list of shunned clients.
When an IDS sensor detects a suspicious client, it alerts the controller to shun this client. The shun entry
is distributed to all controllers within the same mobility group. If the client to be shunned is currently
joined to a controller in this mobility group, the anchor controller adds this client to the dynamic
exclusion list, and the foreign controller removes the client. The next time that the client tries to connect
to a controller, the anchor controller rejects the handoff and informs the foreign controller that the client
is being excluded.
Additional Information
The Cisco wireless intrusion prevention system (wIPS) is also supported on the controller through WCS.
See the “Configuring wIPS” section on page 7-121 for more information.
See Chapter 15, “Configuring Mobility Groups,” for more information on mobility groups.
Configuring IDS Sensors (GUI)
Step 1
Choose Security > Advanced > CIDS > Sensors to open the CIDS Sensors List page.
Figure 7-25 CIDS Sensors List Page
This page lists all of the IDS sensors that have been configured for this controller.
Note
If you want to delete an existing sensor, hover your cursor over the blue drop-down arrow for
that sensor and choose Remove.
Step 2
Add an IDS sensor to the list by clicking New. The CIDS Sensor Add page appears.
Step 3
The controller supports up to five IDS sensors. From the Index drop-down list, choose a number
(between 1 and 5) to determine the sequence in which the controller consults the IDS sensors. For
example, if you choose 1, the controller consults this IDS sensor first.
Step 4
In the Server Address text box, enter the IP address of your IDS server.
Step 5
The Port text box contains the number of the HTTPS port through which the controller is to communicate
with the IDS sensor. We recommend that you set this parameter to 443 because the sensor uses this value
to communicate by default.
The default value is 443 and the range is 1 to 65535.
Step 6
In the Username text box, enter the name that the controller uses to authenticate to the IDS sensor.
Note
This username must be configured on the IDS sensor and have at least a read-only privilege.
Step 7
In the Password and Confirm Password text boxes, enter the password that the controller uses to
authenticate to the IDS sensor.
Step 8
In the Query Interval text box, enter the time (in seconds) for how often the controller should query the
IDS server for IDS events.
The default is 60 seconds and the range is 10 to 3600 seconds.
Step 9
Select the State check box to register the controller with this IDS sensor or unselect this check box to
disable registration. The default value is disabled.
Step 10
In the Fingerprint text box, enter a 40-hexadecimal-character security key. This key is used to verify the
validity of the sensor and is used to prevent security attacks.
Note
Make sure you include colons that appear between every two bytes within the key. For example,
enter AA:BB:CC:DD.
Step 11
Click Apply. Your new IDS sensor appears in the list of sensors on the CIDS Sensors List page.
Step 12
Click Save Configuration to save your changes.
Viewing Shunned Clients (GUI)
Step 1
Choose Security > Advanced > CIDS > Shunned Clients to open the CIDS Shun List page.
Figure 7-26 CIDS Shun List Page
This page shows the IP address and MAC address of each shunned client, the length of time that the
client’s data packets should be blocked by the controller as requested by the IDS sensor, and the IP
address of the IDS sensor that discovered the client.
Step 2
Click Re-sync to purge and reset the list as desired.
Configuring IDS Sensors (CLI)
Step 1
Add an IDS sensor by entering this command:
config wps cids-sensor add index ids_ip_address username password
The index parameter determines the sequence in which the controller consults the IDS sensors. The
controller supports up to five IDS sensors. Enter a number (between 1 and 5) to determine the priority
of this sensor. For example, if you enter 1, the controller consults this IDS sensor first.
Note
The username must be configured on the IDS sensor and have at least a read-only privilege.
Step 2
(Optional) Specify the number of the HTTPS port through which the controller is to communicate with
the IDS sensor by entering this command:
config wps cids-sensor port index port_number
For the port-number parameter, you can enter a value between 1 and 65535. The default value is 443.
This step is optional because we recommend that you use the default value of 443. The sensor uses this
value to communicate by default.
Step 3
Specify how often the controller should query the IDS server for IDS events by entering this command:
config wps cids-sensor interval index interval
For the interval parameter, you can enter a value between 10 and 3600 seconds. The default value is 60
seconds.
Step 4
Enter a 40-hexadecimal-character security key used to verify the validity of the sensor by entering this
command:
config wps cids-sensor fingerprint index sha1 fingerprint
You can get the value of the fingerprint by entering show tls fingerprint on the sensor’s console.
Note
Make sure to include the colons that appear between every two bytes within the key (for
example, AA:BB:CC:DD).
Step 5
Enable or disable this controller’s registration with an IDS sensor by entering this command:
config wps cids-sensor {enable | disable} index
Step 6
Enable or disable protection from DoS attacks by entering this command:
config wps auto-immune {enable | disable}
The default value is disabled.
Note
A potential attacker can use specially crafted packets to mislead the IDS into treating a
legitimate client as an attacker. It causes the controller to wrongly disconnect this legitimate
client and launches a DoS attack. The auto-immune feature, when enabled, is designed to protect
against such attacks. However, conversations using Cisco 792x phones might be interrupted
intermittently when the auto-immune feature is enabled. If you experience frequent disruptions
when using 792x phones, you might want to disable this feature.
Step 7
Save your settings by entering this command:
save config
Step 8
See the IDS sensor configuration by entering one of these commands:
• show wps cids-sensor summary
• show wps cids-sensor detail index
The second command provides more information than the first.
Step 9
See the auto-immune configuration setting by entering this command:
show wps summary
Information similar to the following appears:
Auto-Immune
Auto-Immune.................................... Disabled
Client Exclusion Policy
Excessive 802.11-association failures.......... Enabled
Excessive 802.11-authentication failures....... Enabled
Excessive 802.1x-authentication................ Enabled
IP-theft....................................... Enabled
Excessive Web authentication failure........... Enabled
Signature Policy
Signature Processing........................... Enabled
Step 10
Obtain debug information regarding IDS sensor configuration by entering this command:
debug wps cids enable
Note
If you ever want to delete or change the configuration of a sensor, you must first disable it by entering
the config wps cids-sensor disable index command. To delete the sensor, enter the config wps
cids-sensor delete index command.
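Step 10 of the GUI procedure and Step 4 of the CLI procedure both take the sensor's 40-hexadecimal-character SHA-1 fingerprint, which the controller uses to verify that it is talking to the genuine sensor. The following Python is an added example, not part of this guide or of the controller software: it derives that value from the sensor's certificate, normalizes a hand-typed value into the colon-separated form the controller expects, and checks a presented certificate against the configured value. It assumes the fingerprint is the SHA-1 of the sensor's DER-encoded TLS certificate; the certificate bytes and the function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in for the DER bytes of the sensor's TLS certificate. In a
# real deployment this is the certificate the sensor presents on its HTTPS
# port; any bytes serve here so the example runs offline.
SAMPLE_SENSOR_CERT_DER = b"constructed stand-in for a DER-encoded IDS sensor certificate"

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_fingerprint(cert_der: bytes) -> str:
    """SHA-1 of the certificate, rendered as 20 uppercase byte pairs separated
    by colons, which is the form the controller's Fingerprint field expects."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(value: str) -> str:
    """Accept a fingerprint typed with or without colons and in either case;
    return the canonical colon-separated uppercase form. Raises ValueError if
    the value is not exactly 40 hexadecimal characters (20 bytes)."""
    raw = value.strip().upper().replace(":", "")
    if len(raw) != 40 or not set(raw) <= HEX_DIGITS:
        raise ValueError("fingerprint must be 40 hexadecimal characters (20 bytes)")
    return ":".join(raw[i:i + 2] for i in range(0, 40, 2))


def fingerprint_matches(configured: str, presented_cert_der: bytes) -> bool:
    """True when the certificate a sensor actually presented hashes to the
    configured fingerprint. A malformed configured value is treated as a
    mismatch, and the comparison is constant-time."""
    try:
        expected = normalize_fingerprint(configured)
    except ValueError:
        return False
    actual = sha1_fingerprint(presented_cert_der)
    return hmac.compare_digest(expected.encode(), actual.encode())


def cids_fingerprint_command(index: int, cert_der: bytes) -> str:
    """Build the controller CLI line from the certificate itself, so the value
    pasted into 'config wps cids-sensor fingerprint' is derived, not retyped.
    The controller supports sensor indexes 1 to 5."""
    if not 1 <= index <= 5:
        raise ValueError("the controller supports sensor indexes 1 to 5")
    return f"config wps cids-sensor fingerprint {index} sha1 {sha1_fingerprint(cert_der)}"
```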
Viewing Shunned Clients (CLI)
Step 1
View the list of clients to be shunned by entering this command:
show wps shun-list
Step 2
Force the controller to synchronize with other controllers in the mobility group for the shun list by
entering this command:
config wps shun-list re-sync
Configuring IDS Signatures
This section contains the following topics:
• Information About IDS Signatures, page 7-111
• Configuring IDS Signatures (GUI), page 7-113
• Viewing IDS Signature Events (GUI), page 7-116
• Configure IDS Signatures (CLI), page 7-118
• Viewing IDS Signature Events (CLI), page 7-119
Information About IDS Signatures
You can configure IDS signatures, or bit-pattern matching rules used to identify various types of attacks
in incoming 802.11 packets, on the controller. When the signatures are enabled, the access points joined
to the controller perform signature analysis on the received 802.11 data or management frames and
report any discrepancies to the controller. If an attack is detected, appropriate mitigation is initiated.
Cisco supports 17 standard signatures on the controller as shown on the Standard Signatures page.
Figure 7-27 Standard Signatures Page
These signatures are divided into six main groups. The first four groups contain management signatures,
and the last two groups contain data signatures.
• Broadcast deauthentication frame signatures—During a broadcast deauthentication frame attack, a
hacker sends an 802.11 deauthentication frame to the broadcast MAC destination address of another
client. This attack causes the destination client to disassociate from the access point and lose its
connection. If this action is repeated, the client experiences a denial of service. When the broadcast
deauthentication frame signature (precedence 1) is used to detect such an attack, the access point
listens for clients transmitting broadcast deauthentication frames that match the characteristics of
the signature. If the access point detects such an attack, it alerts the controller. Depending on how
your system is configured, the offending device is contained so that its signals no longer interfere
with authorized clients, or the controller forwards an immediate alert to the system administrator for
further action, or both.
• NULL probe response signatures—During a NULL probe response attack, a hacker sends a NULL
probe response to a wireless client adapter. As a result, the client adapter locks up. When a NULL
probe response signature is used to detect such an attack, the access point identifies the wireless
client and alerts the controller. The NULL probe response signatures are as follows:
– NULL probe resp 1 (precedence 2)
– NULL probe resp 2 (precedence 3)
• Management frame flood signatures—During a management frame flood attack, a hacker floods an
access point with 802.11 management frames. The result is a denial of service to all clients
associated or attempting to associate to the access point. This attack can be implemented with
different types of management frames: association requests, authentication requests, reassociation
requests, probe requests, disassociation requests, deauthentication requests, and reserved
management subtypes.
When a management frame flood signature is used to detect such an attack, the access point
identifies management frames matching the entire characteristic of the signature. If the frequency
of these frames is greater than the value of the frequency set in the signature, an access point that
hears these frames triggers an alarm. The controller generates a trap and forwards it to WCS.
The management frame flood signatures are as follows:
– Assoc flood (precedence 4)
– Auth flood (precedence 5)
– Reassoc flood (precedence 6)
– Broadcast probe flood (precedence 7)
– Disassoc flood (precedence 8)
– Deauth flood (precedence 9)
– Reserved mgmt 7 (precedence 10)
– Reserved mgmt F (precedence 11)
The reserved management frame signatures 7 and F are reserved for future use.
• Wellenreiter signature—Wellenreiter is a wireless LAN scanning and discovery utility that can
reveal access point and client information. When the Wellenreiter signature (precedence 17) is used
to detect such an attack, the access point identifies the offending device and alerts the controller.
• EAPOL flood signature—During an EAPOL flood attack, a hacker floods the air with EAPOL
frames that contain 802.1X authentication requests. As a result, the 802.1X authentication server
cannot respond to all of the requests and fails to send successful authentication responses to valid
clients. The result is a denial of service to all affected clients. When the EAPOL flood signature
(precedence 12) is used to detect such an attack, the access point waits until the maximum number
of allowed EAPOL packets is exceeded. It then alerts the controller and proceeds with the
appropriate mitigation.
• NetStumbler signatures—NetStumbler is a wireless LAN scanning utility that reports access point
broadcast information (such as operating channel, RSSI information, adapter manufacturer name,
SSID, WEP status, and the latitude and longitude of the device running NetStumbler when a GPS is
attached). If NetStumbler succeeds in authenticating and associating to an access point, it sends a
data frame with the following strings, depending on the NetStumbler version:
Version   String
3.2.0     “Flurble gronk bloopit, bnip Frundletrune”
3.2.3     “All your 802.11b are belong to us”
3.3.0     Sends white spaces
When a NetStumbler signature is used to detect such an attack, the access point identifies the
offending device and alerts the controller. The NetStumbler signatures are as follows:
– NetStumbler 3.2.0 (precedence 13)
– NetStumbler 3.2.3 (precedence 14)
– NetStumbler 3.3.0 (precedence 15)
– NetStumbler generic (precedence 16)
A standard signature file exists on the controller by default. You can upload this signature file from the
controller, or you can create a custom signature file and download it to the controller or modify the
standard signature file to create a custom signature.
Configuring IDS Signatures (GUI)
This section contains the following topics:
• Uploading or Downloading IDS Signatures, page 7-113
• Enabling or Disabling IDS Signatures, page 7-115
Uploading or Downloading IDS Signatures
Step 1
If desired, create your own custom signature file.
Step 2
Make sure that you have a Trivial File Transfer Protocol (TFTP) server available. Follow these
guidelines when setting up a TFTP server:
• If you are downloading through the service port, the TFTP server must be on the same subnet as the
service port because the service port is not routable, or you must create static routes on the
controller.
• If you are downloading through the distribution system network port, the TFTP server can be on the
same or a different subnet because the distribution system port is routable.
• A third-party TFTP server cannot run on the same computer as the Cisco WCS because the WCS
built-in TFTP server and the third-party TFTP server require the same communication port.
Step 3
If you are downloading a custom signature file (*.sig), copy it to the default directory on your TFTP
server.
Step 4
Choose Commands to open the Download File to Controller page.
Figure 7-28 Download File to Controller Page
Step 5
Perform one of the following:
• If you want to download a custom signature file to the controller, choose Signature File from the
File Type drop-down list on the Download File to Controller page.
• If you want to upload a standard signature file from the controller, choose Upload File and then
Signature File from the File Type drop-down list on the Upload File from Controller page.
Step 6
From the Transfer Mode drop-down list, choose TFTP or FTP.
Step 7
In the IP Address text box, enter the IP address of the TFTP or FTP server.
Step 8
If you are downloading the signature file using a TFTP server, enter the maximum number of times that
the controller should attempt to download the signature file in the Maximum retries text box.
The range is 1 to 254 and the default value is 10.
Step 9
If you are downloading the signature file using a TFTP server, enter the amount of time in seconds before
the controller times out while attempting to download the signature file in the Timeout text box.
The range is 1 to 254 seconds and the default is 6 seconds.
Step 10
In the File Path text box, enter the path of the signature file to be downloaded or uploaded. The default
value is “/.”
Step 11
In the File Name text box, enter the name of the signature file to be downloaded or uploaded.
Note
When uploading signatures, the controller uses the filename that you specify as a base name and
then adds “_std.sig” and “_custom.sig” to it in order to upload both standard and custom
signature files to the TFTP server. For example, if you upload a signature file called “ids1,” the
controller automatically generates and uploads both ids1_std.sig and ids1_custom.sig to the
TFTP server. If desired, you can then modify ids1_custom.sig on the TFTP server (making sure
to set “Revision = custom”) and download it by itself.
Step 12
If you are using an FTP server, follow these steps:
a. In the Server Login Username text box, enter the username to log into the FTP server.
b. In the Server Login Password text box, enter the password to log into the FTP server.
c. In the Server Port Number text box, enter the port number on the FTP server through which the
download occurs. The default value is 21.
Step 13
Choose Download to download the signature file to the controller or Upload to upload the signature file
from the controller.
Enabling or Disabling IDS Signatures
Step 1
Choose Security > Wireless Protection Policies > Standard Signatures or Custom Signatures to open
the Standard Signatures page or the Custom Signatures page.
Figure 7-29 Standard Signatures Page
The Standard Signatures page shows the list of Cisco-supplied signatures that are currently on the
controller. The Custom Signatures page shows the list of customer-supplied signatures that are currently
on the controller. This page shows the following information for each signature:
• The order, or precedence, in which the controller performs the signature checks.
• The name of the signature, which specifies the type of attack that the signature is trying to detect.
• The frame type on which the signature is looking for a security attack. The possible frame types are
data and management.
• The action that the controller is directed to take when the signature detects an attack. The possible
actions are None and Report.
• The state of the signature, which indicates whether the signature is enabled to detect security attacks.
• A description of the type of attack that the signature is trying to detect.
Step 2
Perform one of the following:
• If you want to allow all signatures (both standard and custom) whose individual states are set to
Enabled to remain enabled, select the Enable Check for All Standard and Custom Signatures
check box at the top of either the Standard Signatures page or the Custom Signatures page. The
default value is enabled (or selected). When the signatures are enabled, the access points joined to
the controller perform signature analysis on the received 802.11 data or management frames and
report any discrepancies to the controller.
• If you want to disable all signatures (both standard and custom) on the controller, unselect the
Enable Check for All Standard and Custom Signatures check box. If you unselected this check
box, all signatures are disabled, even the ones whose individual states are set to Enabled.
Step 3
Click Apply to commit your changes.
Step 4
Click the precedence number of the desired signature to enable or disable an individual signature. The
Standard Signature (or Custom Signature) > Detail page appears.
This page shows much of the same information as the Standard Signatures and Custom Signatures pages
but provides these additional details:
• The tracking method used by the access points to perform signature analysis and report the results
to the controller. The possible values are as follows:
– Per Signature—Signature analysis and pattern matching are tracked and reported on a
per-signature and per-channel basis.
– Per MAC—Signature analysis and pattern matching are tracked and reported separately for
individual client MAC addresses on a per-channel basis.
– Per Signature and MAC—Signature analysis and pattern matching are tracked and reported on
a per-signature and per-channel basis as well as on a per-MAC-address and per-channel basis.
• The pattern that is being used to detect a security attack
Step 5
In the Measurement Interval text box, enter the number of seconds that must elapse before the signature
frequency threshold is reached within the configured interval. The range is 1 to 3600 seconds, and the
default value varies per signature.
Step 6
In the Signature Frequency text box, enter the number of matching packets per interval that must be
identified at the individual access point level before an attack is detected. The range is 1 to 32,000
packets per interval, and the default value varies per signature.
Step 7
In the Signature MAC Frequency text box, enter the number of matching packets per interval that must
be identified per client per access point before an attack is detected. The range is 1 to 32,000 packets per
interval, and the default value varies per signature.
Step 8
In the Quiet Time text box, enter the length of time (in seconds) after which no attacks have been
detected at the individual access point level and the alarm can stop. The range is 60 to 32,000 seconds,
and the default value varies per signature.
Step 9
Select the State check box to enable this signature to detect security attacks or unselect it to disable this
signature. The default value is enabled (or selected).
Step 10
Click Apply to commit your changes. The Standard Signatures or Custom Signatures page reflects the
signature’s updated state.
Step 11
Click Save Configuration to save your changes.
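The following Python is an added example, not part of this guide or of the controller software, that models how the fields set in Steps 4 to 9 above interact: matching frames are counted per access point and channel (and, for the Per MAC tracking method, per client MAC) over a sliding window of Measurement Interval seconds, an alarm is raised when the count exceeds the configured Signature Frequency or Signature MAC Frequency, and the alarm clears once Quiet Time passes with no further detection. The class and field names and the deauthentication burst are constructed for the example; the real access point matches a bit pattern rather than a subtype label.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

# Tracking methods as listed on the Standard Signature > Detail page.
PER_SIGNATURE = "Per Signature"
PER_MAC = "Per MAC"
PER_SIGNATURE_AND_MAC = "Per Signature and MAC"


@dataclass(frozen=True)
class Signature:
    """The tunable fields of one signature from the detail page."""
    name: str
    frame_subtype: str            # management subtype the bit pattern matches (constructed label)
    tracking: str                 # one of the three tracking methods above
    measurement_interval: int     # seconds over which matching frames are counted
    signature_frequency: int      # matches per interval per AP before an attack is detected
    signature_mac_frequency: int  # matches per interval per client per AP
    quiet_time: int               # seconds without a detection before the alarm stops


@dataclass(frozen=True)
class Frame:
    """A management frame as an access point would report it (constructed)."""
    ts: float
    ap: str
    channel: int
    src_mac: str
    subtype: str


class SignatureTracker:
    """Sliding-window counter for one signature: an alarm is raised when the number
    of matching frames inside the measurement interval exceeds the configured
    frequency, and is cleared once quiet_time elapses without a detection."""

    def __init__(self, sig: Signature) -> None:
        self.sig = sig
        self.windows: Dict[tuple, Deque[float]] = defaultdict(deque)
        self.alarms: Dict[tuple, float] = {}  # key -> time of the last detection
        self.events: List[dict] = []          # what the Signature Events Detail page lists

    def _tracks(self, frame: Frame) -> List[Tuple[tuple, int, str]]:
        """Counters this frame feeds: per (AP, channel) and/or per client MAC."""
        tracks = []
        if self.sig.tracking in (PER_SIGNATURE, PER_SIGNATURE_AND_MAC):
            tracks.append(((frame.ap, frame.channel, None), self.sig.signature_frequency, PER_SIGNATURE))
        if self.sig.tracking in (PER_MAC, PER_SIGNATURE_AND_MAC):
            tracks.append(((frame.ap, frame.channel, frame.src_mac), self.sig.signature_mac_frequency, PER_MAC))
        return tracks

    def observe(self, frame: Frame) -> List[dict]:
        """Feed one received frame; return the alarms it raised (usually none)."""
        if frame.subtype != self.sig.frame_subtype:
            return []
        raised = []
        for key, threshold, method in self._tracks(frame):
            window = self.windows[key]
            window.append(frame.ts)
            while frame.ts - window[0] >= self.sig.measurement_interval:
                window.popleft()  # drop matches older than the measurement interval
            if len(window) > threshold:
                if key not in self.alarms:  # raise once; later matches only extend the alarm
                    event = {"signature": self.sig.name, "tracking": method,
                             "attacker_mac": frame.src_mac if method == PER_MAC else None,
                             "ap": frame.ap, "channel": frame.channel,
                             "matches_in_interval": len(window), "detected_at": frame.ts}
                    self.events.append(event)
                    raised.append(event)
                self.alarms[key] = frame.ts  # restart the quiet-time clock
        return raised

    def expire(self, now: float) -> List[tuple]:
        """Clear alarms whose last detection is at least quiet_time seconds old."""
        cleared = [k for k, last in self.alarms.items() if now - last >= self.sig.quiet_time]
        for key in cleared:
            del self.alarms[key]
        return cleared


def deauth_flood_demo() -> Tuple[List[dict], List[tuple]]:
    """Run a constructed deauthentication burst through a 'Deauth flood' signature
    tracked per signature and per MAC; return (events, alarms cleared at t=61s)."""
    sig = Signature("Deauth flood", "deauth", PER_SIGNATURE_AND_MAC,
                    measurement_interval=1, signature_frequency=5,
                    signature_mac_frequency=3, quiet_time=60)
    tracker = SignatureTracker(sig)
    # Constructed frames: four deauths from one client, two from a second client,
    # then an unrelated probe request that this signature ignores.
    frames = [Frame(i * 0.1, "ap-1", 6, "00:11:22:33:44:55", "deauth") for i in range(4)]
    frames += [Frame(0.4, "ap-1", 6, "66:77:88:99:aa:bb", "deauth"),
               Frame(0.5, "ap-1", 6, "66:77:88:99:aa:bb", "deauth"),
               Frame(0.6, "ap-1", 6, "66:77:88:99:aa:bb", "probe_req")]
    for frame in frames:
        tracker.observe(frame)
    return tracker.events, tracker.expire(61.0)
```

In the demo the per-MAC counter trips first (four frames from one client exceed a MAC frequency of 3) and the per-signature counter trips on the sixth deauthentication overall, which is the distinction the Per Signature and MAC tracking method makes.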
Viewing IDS Signature Events (GUI)
Step 1
Choose Security > Wireless Protection Policies > Signature Events Summary to open the Signature
Events Summary page.
Figure 7-30 Signature Events Summary Page
This page shows the number of attacks detected by the enabled signatures.
Step 2
Click the signature type link for that signature to see more information on the attacks detected by a
particular signature. The Signature Events Detail page appears.
This page shows the following information:
• The MAC addresses of the clients identified as attackers
• The method used by the access point to track the attacks
• The number of matching packets per second that were identified before an attack was detected.
• The number of access points on the channel on which the attack was detected
• The day and time when the access point detected the attack
Step 3
Click the Detail link for that attack to see more information for a particular attack. The Signature Events
Track Detail page appears.
Figure 7-31 Signature Events Track Detail Page
This page shows the following information:
• The MAC address of the access point that detected the attack
• The name of the access point that detected the attack
• The type of radio (802.11a or 802.11b/g) used by the access point to detect the attack
• The radio channel on which the attack was detected
• The day and time when the access point reported the attack
Configure IDS Signatures (CLI)
Step 1
If desired, create your own custom signature file.
Step 2
Make sure that you have a TFTP server available. See the guidelines for setting up a TFTP server in
Step 2 of the “Uploading or Downloading IDS Signatures” section on page 7-113.
Step 3
Copy the custom signature file (*.sig) to the default directory on your TFTP server.
Step 4
Specify the download or upload mode by entering the transfer {download | upload} mode tftp
command.
Step 5
Specify the type of file to be downloaded or uploaded by entering the transfer {download | upload}
datatype signature command.
Step 6
Specify the IP address of the TFTP server by entering the transfer {download | upload} serverip
tftp-server-ip-address command.
Note
Some TFTP servers require only a forward slash (/) as the TFTP server IP address, and the TFTP
server automatically determines the path to the correct directory.
Step 7
Specify the download or upload path by entering the transfer {download | upload} path
absolute-tftp-server-path-to-file command.
Step 8
Specify the file to be downloaded or uploaded by entering the transfer {download | upload} filename
filename.sig command.
Note
When uploading signatures, the controller uses the filename you specify as a base name and then
adds “_std.sig” and “_custom.sig” to it in order to upload both standard and custom signature
files to the TFTP server. For example, if you upload a signature file called “ids1,” the controller
automatically generates and uploads both ids1_std.sig and ids1_custom.sig to the TFTP server.
If desired, you can then modify ids1_custom.sig on the TFTP server (making sure to set
“Revision = custom”) and download it by itself.
Step 9
Enter the transfer {download | upload} start command and answer y to the prompt to confirm the
current settings and start the download or upload.
Step 10
Specify the number of seconds that must elapse before the signature frequency threshold is reached
within the configured interval by entering this command:
config wps signature interval signature_id interval
where signature_id is a number used to uniquely identify a signature. The range is 1 to 3600 seconds,
and the default value varies per signature.
Step 11
Specify the number of matching packets per interval that must be identified at the individual access point
level before an attack is detected by entering this command:
config wps signature frequency signature_id frequency
The range is 1 to 32,000 packets per interval, and the default value varies per signature.
Step 12
Specify the number of matching packets per interval that must be identified per client per access point
before an attack is detected by entering this command:
config wps signature mac-frequency signature_id mac_frequency
The range is 1 to 32,000 packets per interval, and the default value varies per signature.
Step 13
Specify the length of time (in seconds) that must pass without any attack being detected at the individual
access point level before the alarm can stop, by entering this command:
config wps signature quiet-time signature_id quiet_time
The range is 60 to 32,000 seconds, and the default value varies per signature.
Step 14
Perform one of the following:
• To enable or disable an individual IDS signature, enter this command:
config wps signature {standard | custom} state signature_id {enable | disable}
• To enable or disable IDS signature processing, which enables or disables the processing of all IDS
signatures, enter this command:
config wps signature {enable | disable}
Note
If IDS signature processing is disabled, all signatures are disabled, regardless of the state
configured for individual signatures.
Step 15
Save your changes by entering this command:
save config
Step 16
If desired, you can reset a specific signature or all signatures to default values. To do so, enter this
command:
config wps signature reset {signature_id | all}
Note
You can reset signatures to default values only through the controller CLI.
Viewing IDS Signature Events (CLI)
• See whether IDS signature processing is enabled or disabled on the controller by entering this
command:
show wps summary
Information similar to the following appears:
Auto-Immune
Auto-Immune.................................... Disabled
Client Exclusion Policy
Excessive 802.11-association failures.......... Enabled
Excessive 802.11-authentication failures....... Enabled
Excessive 802.1x-authentication................ Enabled
IP-theft....................................... Enabled
Excessive Web authentication failure........... Enabled
Signature Policy
Signature Processing........................... Enabled
Note
If IDS signature processing is disabled, all signatures are disabled, regardless of the state
configured for individual signatures.
• See individual summaries of all of the standard and custom signatures installed on the controller by
entering this command:
show wps signature summary
Information similar to the following appears:
Signature-ID..................................... 1
Precedence....................................... 1
Signature Name................................... Bcast deauth
Type............................................. standard
FrameType........................................ management
State............................................ enabled
Action........................................... report
Tracking......................................... per Signature and Mac
Signature Frequency.............................. 50 pkts/interval
Signature Mac Frequency.......................... 30 pkts/interval
Interval......................................... 1 sec
Quiet Time....................................... 300 sec
Description...................................... Broadcast Deauthentication Frame
Patterns:
0(Header):0x00c0:0x00ff
4(Header):0x01:0x01
• See the number of attacks detected by the enabled signatures by entering this command:
show wps signature events summary
Information similar to the following appears:
Precedence  Signature Name     Type      # Events
----------  -----------------  --------  --------
1           Bcast deauth       Standard  2
2           NULL probe resp 1  Standard  1
• See more information on the attacks detected by a particular standard or custom signature by
entering this command:
show wps signature events {standard | custom} precedence# summary
Information similar to the following appears:
Precedence....................................... 1
Signature Name................................... Bcast deauth
Type............................................. Standard
Number of active events.......................... 2
Source MAC Addr    Track Method   Frequency  No. APs  Last Heard
-----------------  -------------  ---------  -------  ------------------------
00:01:02:03:04:01  Per Signature  4          3        Tue Dec 6 00:17:44 2005
00:01:02:03:04:01  Per Mac        6          2        Tue Dec 6 00:30:04 2005
• See information on attacks that are tracked by access points on a per-signature and per-channel basis
by entering this command:
show wps signature events {standard | custom} precedence# detailed per-signature source_mac
• See information on attacks that are tracked by access points on an individual-client basis (by MAC
address) by entering this command:
show wps signature events {standard | custom} precedence# detailed per-mac source_mac
Information similar to the following appears:
Source MAC....................................... 00:01:02:03:04:01
Precedence....................................... 1
Signature Name................................... Bcast deauth
Type............................................. Standard
Track............................................ Per Mac
Frequency........................................ 6
Reported By
AP 1
MAC Address.............................. 00:0b:85:01:4d:80
Name..................................... Test_AP_1
Radio Type............................... 802.11bg
Channel.................................. 4
Last reported by this AP................. Tue Dec 6 00:17:49 2005
AP 2
MAC Address.............................. 00:0b:85:26:91:52
Name..................................... Test_AP_2
Radio Type............................... 802.11bg
Channel.................................. 6
Last reported by this AP................. Tue Dec 6 00:30:04 2005
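The signature parameters set with the config wps signature commands above (interval, frequency, mac-frequency, quiet-time) and the offset(Header):value:mask patterns shown in the show wps signature summary output, as an added Python model that is not Cisco code: it matches constructed 802.11 deauthentication frames against the Bcast deauth patterns and applies the per-AP and per-client thresholds the way the steps describe. Assumptions: every pattern of a signature must match, each pattern's field is compared as a little-endian integer of the mask's width, and the AP name, client MACs, frames and timings are constructed here.

```python
"""Toy model of IDS signature matching and threshold tracking: added example, not
Cisco code. Frames, timings, AP names and client MACs below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pattern:                    # one 'offset(Header):value:mask' entry
    offset: int
    value: int
    mask: int
    width: int                    # header bytes covered by the mask

    @classmethod
    def parse(cls, text: str) -> "Pattern":
        off, value, mask = text.split(":")
        width = (len(mask) - 1) // 2  # hex digits after '0x', rounded up to bytes
        return cls(int(off[:off.index("(")]), int(value, 16), int(mask, 16), width)

    def matches(self, frame: bytes) -> bool:
        chunk = frame[self.offset:self.offset + self.width]
        # Assumption: the field is compared as a little-endian integer, which is
        # what makes 0(Header):0x00c0:0x00ff select the deauth subtype byte 0xc0.
        return len(chunk) == self.width and (
            int.from_bytes(chunk, "little") & self.mask) == self.value


@dataclass
class Signature:
    name: str
    patterns: list                # assumption: every pattern must match
    interval: int = 1             # config wps signature interval (seconds)
    frequency: int = 50           # config wps signature frequency (pkts/interval per AP)
    mac_frequency: int = 30       # config wps signature mac-frequency (per client per AP)
    quiet_time: int = 300         # config wps signature quiet-time (seconds)

    def matches(self, frame: bytes) -> bool:
        return all(p.matches(frame) for p in self.patterns)


class SignatureTracker:
    """Per-AP counters over one interval; alarms open at a threshold, close after quiet_time."""

    def __init__(self, sig: Signature):
        self.sig = sig
        self.window_start = {}    # ap -> start of its current interval
        self.ap_count = {}        # ap -> matches in this interval
        self.mac_count = {}       # ap -> {src -> matches in this interval}
        self.active = {}          # alarm key -> last-heard time

    def expire(self, now: float) -> None:
        for key, last in list(self.active.items()):
            if now - last >= self.sig.quiet_time:   # quiet-time elapsed: clear alarm
                del self.active[key]

    def observe(self, ap: str, src: str, frame: bytes, now: float) -> list:
        """Feed one frame seen by `ap` from `src`; return alarms raised by it."""
        self.expire(now)
        if not self.sig.matches(frame):
            return []
        if ap not in self.window_start or now - self.window_start[ap] >= self.sig.interval:
            self.window_start[ap], self.ap_count[ap] = now, 0   # new interval for this AP
            self.mac_count[ap] = defaultdict(int)
        self.ap_count[ap] += 1
        self.mac_count[ap][src] += 1
        raised = []
        for key, count, limit in (
            (("signature", ap), self.ap_count[ap], self.sig.frequency),
            (("mac", ap, src), self.mac_count[ap][src], self.sig.mac_frequency),
        ):
            if key in self.active:
                self.active[key] = now    # already alarmed: refresh last heard
            elif count >= limit:
                self.active[key] = now
                raised.append(key)
        return raised


def deauth_frame(addr1: bytes) -> bytes:
    """Constructed 802.11 deauth header: FC 0xc0 0x00, duration, addr1, rest zeroed."""
    return bytes([0xC0, 0x00, 0x00, 0x00]) + addr1 + b"\x00" * 20


BCAST_DEAUTH = Signature("Bcast deauth", [Pattern.parse("0(Header):0x00c0:0x00ff"),
                                          Pattern.parse("4(Header):0x01:0x01")])


def simulate_flood() -> tuple:
    """Two constructed clients flood one AP within a single 1-second interval."""
    tracker, raised = SignatureTracker(BCAST_DEAUTH), []
    bcast, unicast = deauth_frame(b"\xff" * 6), deauth_frame(bytes.fromhex("001646f298ac"))
    for i in range(40):  # 40 broadcast deauths from one client trip mac-frequency (30)
        raised += tracker.observe("Test_AP_1", "00:01:02:03:04:01", bcast, 100.0 + i * 0.01)
    for i in range(40):  # unicast deauths fail pattern 4 and are not counted
        raised += tracker.observe("Test_AP_1", "00:01:02:03:04:01", unicast, 100.5 + i * 0.001)
    for i in range(15):  # a second client pushes the AP total past frequency (50)
        raised += tracker.observe("Test_AP_1", "00:01:02:03:04:02", bcast, 100.6 + i * 0.001)
    return tracker, raised
```

Calling simulate_flood() returns the tracker with both a per-Mac and a per-Signature alarm active; tracker.expire(401.0) then clears them, since 300 seconds of quiet-time have passed.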
Configuring wIPS
This section contains the following topics:
• Information About wIPS, page 7-121
• Guidelines and Limitations, page 7-126
• Additional References, page 7-126
• Configuring wIPS on an Access Point (GUI), page 7-126
• Configuring wIPS on an Access Point (CLI), page 7-127
• Viewing wIPS Information (CLI), page 7-128
Information About wIPS
The Cisco Adaptive wireless intrusion prevention system (wIPS) is an advanced approach to wireless
threat detection and performance management. It combines network traffic analysis, network device and
topology information, signature-based techniques, and anomaly detection to deliver highly accurate and
complete wireless threat prevention. With a fully infrastructure-integrated solution, you can continually
monitor wireless traffic on both the wired and wireless networks and use that network intelligence to
analyze attacks from many sources to more accurately pinpoint and proactively prevent attacks rather
than waiting until damage or exposure has occurred.
The Cisco Adaptive wIPS is enabled by the Cisco 3300 Series Mobility Services Engine (MSE), which
centralizes the processing of intelligence collected by the continuous monitoring of Cisco Aironet access
points. With Cisco Adaptive wIPS functionalities and WCS integration into the MSE, the wIPS service
can configure, monitor, and report wIPS policies and alarms.
Note
If your wIPS deployment consists of a controller, access point, and MSE, you must set all the three
entities to the UTC time zone.
The Cisco Adaptive wIPS is not configured on the controller. Instead, WCS forwards the profile
configuration to the wIPS service, which forwards the profile to the controller. The profile is stored in
flash memory on the controller and sent to access points when they join the controller. When an access
point disassociates and joins another controller, it receives the wIPS profile from the new controller.
Local mode or FlexConnect mode access points with a subset of wIPS capabilities are referred to as
Enhanced Local Mode access points, or ELM APs. You can configure an access point to work in wIPS
mode if the access point is in any of the following modes:
• Monitor
• Local
• FlexConnect
wIPS ELM has limited capability for detecting off-channel alarms. The access point periodically goes
off-channel, monitors the non-serving channels for a short duration, and triggers alarms if any attack
is detected on the channel. However, off-channel alarm detection is best effort and takes longer to
detect attacks and trigger alarms, which might cause the ELM AP to intermittently detect an alarm and
then clear it because the attack is no longer visible. Access points in any of the above modes can
periodically send alarms based on the policy profile to the wIPS service through the controller. The
wIPS service stores and processes the alarms and generates SNMP traps. WCS configures its IP address
as a trap destination to receive SNMP traps from the MSE.
Table 7-11 lists all the SNMP trap controls and their respective traps. When a trap control is enabled, all
the traps of the trap control are also enabled.
Table 7-11 SNMP Trap Controls and their respective Traps

Tab Name: General
  Trap Control                    Trap
  Link (Port) Up/Down             linkUp, linkDown
  Spanning Tree                   newRoot, topologyChange, stpInstanceNewRootTrap,
                                  stpInstanceTopologyChangeTrap
  Config Save                     bsnDot11EssCreated, bsnDot11EssDeleted, bsnConfigSaved,
                                  ciscoLwappScheduledResetNotif, ciscoLwappClearResetNotif,
                                  ciscoLwappResetFailedNotif, ciscoLwappSysInvalidXmlConfig

Tab Name: AP
  Trap Control                    Trap
  AP Register                     bsnAPDisassociated, bsnAPAssociated
  Ap Interface Up/Down            bsnAPIfUp, bsnAPIfDown

Tab Name: Client Traps
  Trap Control                    Trap
  802.11 Association              bsnDot11StationAssociate
  802.11 Disassociation           bsnDot11StationDisassociate
  802.11 Deauthentication         bsnDot11StationDeauthenticate
  802.11 Failed Authentication    bsnDot11StationAuthenticateFail
  802.11 Failed Association       bsnDot11StationAssociateFail
  Exclusion                       bsnDot11StationBlacklisted

Tab Name: Security Traps
  Trap Control                    Trap
  User Authentication             bsnTooManyUnsuccessLoginAttempts, cLWAGuestUserLoggedIn,
                                  cLWAGuestUserLoggedOut
  RADIUS Servers Not Responding   bsnRADIUSServerNotResponding, ciscoLwappAAARadiusReqTimedOut
  WEP Decrypt Error               bsnWepKeyDecryptError
  Rogue AP                        bsnAdhocRogueAutoContained, bsnRogueApAutoContained,
                                  bsnTrustedApHasInvalidEncryption, bsnMaxRogueCountExceeded,
                                  bsnMaxRogueCountClear, bsnApMaxRogueCountExceeded,
                                  bsnApMaxRogueCountClear, bsnTrustedApHasInvalidRadioPolicy,
                                  bsnTrustedApHasInvalidSsid, bsnTrustedApIsMissing
  SNMP Authentication             agentSnmpAuthenticationTrapFlag
  Multiple Users                  multipleUsersTrap

Tab Name: Auto RF Profile Traps
  Trap Control                    Trap
  Load Profile                    bsnAPLoadProfileFailed
  Noise Profile                   bsnAPNoiseProfileFailed
  Interference Profile            bsnAPInterferenceProfileFailed
  Coverage Profile                bsnAPCoverageProfileFailed

Tab Name: Auto RF Update Traps
  Trap Control                    Trap
  Channel Update                  bsnAPCurrentChannelChanged
  Tx Power Update                 bsnAPCurrentTxPowerChanged

Tab Name: Mesh Traps
  Trap Control                    Trap
  Child Excluded Parent           ciscoLwappMeshChildExcludedParent
  Parent Change                   ciscoLwappMeshParentChange
  Authfailure Mesh                ciscoLwappMeshAuthorizationFailure
  Child Moved                     ciscoLwappMeshChildMoved
  Excessive Parent Change         ciscoLwappMeshExcessiveParentChange
  Excessive Children              ciscoLwappMeshExcessiveChildren
  Poor SNR                        ciscoLwappMeshAbateSNR, ciscoLwappMeshOnsetSNR
  Console Login                   ciscoLwappMeshConsoleLogin
  Excessive Association           ciscoLwappMeshExcessiveAssociation
  Default Bridge Group Name       ciscoLwappMeshDefaultBridgeGroupName
The following are the trap descriptions for the traps listed in Table 7-11:
• General Traps
– SNMP Authentication—The SNMPv2 entity has received a protocol message that is not
properly authenticated.
Note
When a user who is configured in SNMP V3 mode tries to access the controller with an
incorrect password, the authentication fails and a failure message is displayed.
However, no trap logs are generated for the authentication failure.
– Link (Port) Up/Down—The link status changes from up to down or from down to up.
– Multiple Users—Two users log in with the same login ID.
– Spanning Tree—Spanning Tree traps. See the STP specifications for descriptions of individual
parameters.
– Rogue AP—Whenever a rogue access point is detected, this trap is sent with its MAC
address; the trap is also sent when a rogue access point that was detected earlier no longer exists.
– Config Save—Notification sent when the controller configuration is modified.
• Cisco AP Traps
– AP Register—Notification sent when an access point associates or disassociates with the
controller.
– AP Interface Up/Down—Notification sent when an access point interface (802.11a or 802.11b/g)
status goes up or down.
• Client Related Traps
– 802.11 Association—The associate notification is sent when the client sends an association
frame.
– 802.11 Disassociation—The disassociate notification is sent when the client sends a
disassociation frame.
– 802.11 Deauthentication—The deauthenticate notification is sent when the client sends a
deauthentication frame.
– 802.11 Failed Authentication—The authenticate failure notification is sent when the client
sends an authentication frame with a status code other than 'successful'.
– 802.11 Failed Association—The associate failure notification is sent when the client sends an
association frame with a status code other than 'successful'.
– Exclusion—The associate failure notification is sent when a client is excluded.
• Security Traps
– User Auth Failure—This trap informs you that a client RADIUS authentication failure has
occurred.
– RADIUS Server No Response—This trap indicates that no RADIUS server is
responding to authentication requests sent by the RADIUS client.
– WEP Decrypt Error—Notification sent when the controller detects a WEP decryption error.
– Rogue AP—Whenever a rogue access point is detected, this trap is sent with its MAC
address; the trap is also sent when a rogue access point that was detected earlier no longer exists.
– SNMP Authentication—The SNMPv2 entity has received a protocol message that is not
properly authenticated.
Note
When a user who is configured in SNMP V3 mode tries to access the controller with an
incorrect password, the authentication fails and a failure message is displayed.
However, no trap logs are generated for the authentication failure.
– Multiple Users—Two users log in with the same login ID.
• Auto RF Profile Traps
– Load Profile—Notification sent when the Load Profile state changes between PASS and FAIL.
– Noise Profile—Notification sent when the Noise Profile state changes between PASS and FAIL.
– Interference Profile—Notification sent when the Interference Profile state changes between PASS
and FAIL.
– Coverage Profile—Notification sent when the Coverage Profile state changes between PASS and
FAIL.
• Auto RF Update Traps
– Channel Update—Notification sent when the access point dynamic channel algorithm is updated.
– Tx Power Update—Notification sent when the access point dynamic transmit power algorithm is
updated.
• Mesh Traps
– Child Excluded Parent—Notification sent when a defined number of failed associations to the
controller occur through a parent mesh node.
– Notification sent when a child mesh node exceeds the threshold limit for the number of discovery
response timeouts. The child mesh node will not try to associate with the excluded parent mesh node
for the defined interval. The child mesh node remembers the excluded parent MAC address and
informs the controller when it joins the network.
– Parent Change—Notification sent by the agent when a child mesh node changes its parent.
The child mesh node remembers its previous parent and informs the controller about the
change of its parent when it rejoins the network.
– Child Moved—Notification sent when a parent mesh node loses connection with its child mesh
node.
– Excessive Parent Change—Notification sent when a child mesh node changes its parent
frequently. Each mesh node keeps a count of the number of parent changes in a fixed time. If the count
exceeds the defined threshold, the child mesh node informs the controller.
– Excessive Children—Notification sent when the child count is exceeded for a RAP or MAP.
– Poor SNR—Notification sent when a child mesh node detects a lower SNR on the backhaul link. The
other trap is sent to clear the notification when the child mesh node detects that the SNR on the
backhaul link is higher than the object defined by 'clMeshSNRThresholdAbate'.
– Console Login—Notification sent by the agent when a login on the MAP console succeeds, or
fails after three attempts.
– Default Bridge Group Name—Notification sent when a MAP mesh node joins its parent using the
'default' bridge group name.
Note
The remaining traps do not have trap controls. These traps are not generated frequently
and thus do not require a trap control. Consequently, any other trap generated by the controller cannot be
turned off.
Note
In all of the above cases, the controller functions solely as a forwarding device.
Note
To download the MIBs, click on
http://www.cisco.com/cisco/software/release.html?mdfid=282600534&flowid=7012&softwareid=280775088&release=7.3&relind=AVAILABLE&rellifecycle=&reltype=latest.
Guidelines and Limitations
• Starting in release 7.0.116.0, the regular local mode or FlexConnect mode access point has been
extended with a subset of Wireless Intrusion Prevention System (wIPS) capabilities. This feature
enables you to deploy your access points to provide protection without needing a separate overlay
network.
• wIPS ELM is not supported on 1130 and 1240 access points.
Additional References
For more information on the Cisco Adaptive wIPS, see the Cisco Wireless Control System Configuration
Guide, Release 7.0.172.0 and the Cisco 3300 Series Mobility Services Engine Configuration Guide,
Release 7.0.201.0.
Configuring wIPS on an Access Point (GUI)
Step 1
Choose Wireless > Access Points > All APs > access point name.
Step 2
Set the AP Mode parameter. To configure an access point for wIPS, you must choose one of the
following modes from the AP Mode drop-down list:
• Local
• FlexConnect
• Monitor
Step 3
Set the AP Sub Mode to wIPS by choosing wIPS from the AP Sub Mode drop-down list.
Step 4
Click Apply.
Configuring wIPS on an Access Point (CLI)
Step 1
Configure an access point for monitor mode by entering this command:
config ap mode {monitor | local | flexconnect} Cisco_AP
Note
To configure an access point for wIPS, the access point must be in monitor, local, or
flexconnect modes.
Step 2
Enter Y when you see the message that the access point will be rebooted if you want to continue.
Step 3
Save your changes by entering this command:
save config
Step 4
Disable the access point radio by entering this command:
config {802.11a | 802.11b} disable Cisco_AP
Step 5
Configure the wIPS submode on the access point by entering this command:
config ap mode ap_mode submode wips Cisco_AP
Note
To disable wIPS on the access point, enter the config ap mode ap_mode submode none
Cisco_AP command.
Step 6
Enable wIPS optimized channel scanning for the access point by entering this command:
config ap monitor-mode wips-optimized Cisco_AP
The access point scans each channel for 250 milliseconds. It derives the list of channels to be scanned
from the monitor configuration. You can choose one of these options:
• All—All channels supported by the access point’s radio
• Country—Only the channels supported by the access point’s country of operation
• DCA—Only the channel set used by the dynamic channel assignment (DCA) algorithm, which by
default includes all of the nonoverlapping channels allowed in the access point’s country of
operation
The 802.11a or 802.11b Monitor Channels text box in the output of the show advanced {802.11a |
802.11b} monitor command shows the monitor configuration channel set:
Default 802.11b AP monitoring
802.11b Monitor Mode........................... enable
802.11b Monitor Channels....................... Country channels
802.11b AP Coverage Interval................... 180 seconds
802.11b AP Load Interval....................... 60 seconds
802.11b AP Noise Interval...................... 180 seconds
802.11b AP Signal Strength Interval............ 60 seconds
Step 7
Reenable the access point radio by entering this command:
config {802.11a | 802.11b} enable Cisco_AP
Step 8
Save your changes by entering this command:
save config
Viewing wIPS Information (CLI)
Note
You can also view the access point submode from the controller GUI. To do so, choose Wireless >
Access Points > All APs > the access point name > the Advanced tab. The AP Sub Mode text box shows
wIPS if the access point is in monitor mode and the wIPS submode is configured on the access point, or
None if the access point is not in monitor mode or the access point is in monitor mode but the wIPS
submode is not configured.
• See the wIPS submode on the access point by entering this command:
show ap config general Cisco_AP
Information similar to the following appears:
Cisco AP Identifier.............................. 3
Cisco AP Name.................................... AP1131:46f2.98ac
...
AP Mode ......................................... Monitor
Public Safety ................................... Disabled
AP SubMode ...................................... WIPS
...
• See the wIPS optimized channel scanning configuration on the access point by entering this
command:
show ap monitor-mode summary
Information similar to the following appears:
AP Name             Ethernet MAC          Status     Scanning Channel List
------------------  --------------------  ---------  -----------------------
AP1131:46f2.98ac    00:16:46:f2:98:ac     wIPS       1, 6, NA, NA
• See the wIPS configuration forwarded by WCS to the controller by entering this command:
show wps wips summary
Information similar to the following appears:
Policy Name.............. Default
Policy Version.......... 3
• See the current state of wIPS operation on the controller by entering this command:
show wps wips statistics
Information similar to the following appears:
Policy Assignment Requests............ 1
Policy Assignment Responses........... 1
Policy Update Requests................ 0
Policy Update Responses............... 0
Policy Delete Requests................ 0
Policy Delete Responses............... 0
Alarm Updates......................... 13572
Device Updates........................ 8376
Device Update Requests................ 0
Device Update Responses............... 0
Forensic Updates...................... 1001
Invalid WIPS Payloads................. 0
Invalid Messages Received............. 0
NMSP Transmitted Packets.............. 22950
NMSP Transmit Packets Dropped......... 0
NMSP Largest Packet................... 1377
• Clear the wIPS statistics on the controller by entering this command:
clear stats wps wips
Configuring Wi-Fi Direct Client Policy
This section contains the following topics:
• Information About Wi-Fi Direct Client Policy, page 7-129
• Guidelines and Limitations, page 7-129
• Configuring Wi-Fi Direct Client Policy (GUI), page 7-129
• Configuring Wi-Fi Direct Client Policy (CLI), page 7-130
• Monitoring and Troubleshooting Wi-Fi Direct Client Policy (CLI), page 7-130
Information About Wi-Fi Direct Client Policy
Devices that are Wi-Fi Direct capable can connect directly to each other quickly and conveniently to do
tasks such as printing, synchronization, and sharing of data. Wi-Fi Direct devices can associate with
multiple peer-to-peer (P2P) devices and with infrastructure wireless LANs (WLANs) concurrently. You
can use the controller to configure the Wi-Fi Direct Client Policy, on a per WLAN basis, where you can
allow or disallow association of Wi-Fi devices with infrastructure WLANs or disable Wi-Fi Direct Client
Policy altogether for WLANs.
Guidelines and Limitations
Wi-Fi Direct Client Policy is applicable to WLANs that have APs in local mode only.
Configuring Wi-Fi Direct Client Policy (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the WLAN ID of the WLAN for which you want to configure the Wi-Fi Direct Client Policy. The
WLANs > Edit page appears.
Step 3
Click the Advanced tab.
Step 4
From the Wi-Fi Direct Clients Policy drop-down list, choose one of the following options:
• Disabled—Disables the Wi-Fi Direct Client Policy for the WLAN and deauthenticates all Wi-Fi
Direct clients.
• Allow—Allows Wi-Fi Direct clients to associate with the WLAN.
• Not-Allow—Disallows the Wi-Fi Direct clients from associating with the WLAN.
Step 5
Click Apply to commit your configuration.
Configuring Wi-Fi Direct Client Policy (CLI)
Step 1
To configure the Wi-Fi Direct Client Policy on WLANs, enter this command:
config wlan wifidirect {allow | disable | not-allow} wlan-id
The syntax of the command is as follows:
• allow—Allows Wi-Fi Direct clients to associate with the WLAN.
• disable—Disables the Wi-Fi Direct Client Policy for the WLAN and deauthenticates all Wi-Fi
Direct clients.
• not-allow—Disallows the Wi-Fi Direct clients from associating with the WLAN.
• wlan-id—WLAN identifier.
Step 2
Save your configuration by entering this command:
save config
Monitoring and Troubleshooting Wi-Fi Direct Client Policy (CLI)
To monitor and troubleshoot the Wi-Fi Direct Client Policy, enter these commands:
• show wlan wifidirect wlan-id—Displays the status of Wi-Fi Direct Client Policy on the WLAN.
• show client wifiDirect-stats—Displays the total number of clients associated and number of clients
rejected if Wi-Fi Direct Client Policy is enabled.
Configuring Web Auth Proxy
This section contains the following topics:
• Information About Web Auth Proxy, page 7-130
• Configuring Web Auth Proxy (GUI), page 7-131
• Configuring Web Auth Proxy (CLI), page 7-132
Information About Web Auth Proxy
This feature enables clients that have a manual web proxy enabled in the browser to authenticate
with the controller. If the user's browser is configured with manual proxy settings using
port 8080 or 3128 and the client requests any URL, the controller responds with
a web page prompting the user to change the Internet proxy settings to automatically detect the proxy
settings, so that the browser’s manual proxy settings information is not lost. After enabling this
setting, the user can get access to the network through the web authentication policy. This functionality
is provided for ports 8080 and 3128 because these are the most commonly used ports for web proxy
servers.
Note
Webauth proxy redirect ports are not blocked by a CPU ACL. If a CPU ACL is configured to block
ports 8080 and 3128 and one random port as part of the webauth proxy configuration, those ports are not
blocked, because the webauth rules take higher precedence than the CPU ACL rules, until the client is in
the webauth_req state.
A web browser has three types of Internet settings that can be configured by the user:
• Auto detect
• System Proxy
• Manual
In a manual proxy server configuration, the browser uses a proxy server's IP address and a port. If this
configuration is enabled on the browser, the wireless client communicates with the destination proxy
server's IP address on the configured port. In a Web-Auth scenario, the controller does not listen on such
proxy ports, so the client is not able to establish a TCP connection with the controller. In effect, the user
is unable to get a login page to authenticate and gain access to the network.
When a wireless client enters a web authenticated WLAN network, it tries to access a URL. If a manual
proxy configuration is configured on the client's browser, all web traffic going out from the client will
be destined to the proxy IP and port configured on the browser.
• A TCP connection is established between the client and the proxy server IP address that the
controller proxies for.
• The client processes the DHCP response and obtains a JavaScript file from the controller. The script
disables all proxy configurations on the client for that session.
Note
For external clients, the controller sends the login page as is (with or without JavaScript).
• Any subsequent requests bypass the proxy configuration. The controller can then perform
web-redirection, login, and authentication.
• When the client goes out of the network and then back into its own network, a DHCP refresh occurs
and the client continues to use the old proxy configuration configured on the browser.
• If an external DHCP server is used with webauth proxy, then DHCP option 252 must be configured
on the DHCP server for that scope. The value of option 252 has the format http://<virtual
ip>/proxy.js. No extra configuration is needed for internal DHCP servers.
When you configure FIPS mode with secure web authentication, we recommend that you use Mozilla
Firefox as your browser.
Configuring Web Auth Proxy (GUI)
Step 1
Choose Controller > General to open the Controller > General page.
Step 2
From the WebAuth Proxy Redirection Mode, select Enabled.
Step 3
In the WebAuth Proxy Redirection Port text box, enter the port number of the web auth proxy.
This text box specifies the port numbers on which the controller listens for web authentication proxy
redirection. By default, the three ports 80, 8080, and 3128 are assumed. If you configured the web
authentication redirection port to any port other than these values, you must specify that value.
Step 4
Click Apply.
Configuring Web Auth Proxy (CLI)
• Enable web auth proxy redirection by entering the config network web-auth proxy-redirect {enable | disable} command.
• Configure secure web (https) authentication for clients by entering the config network web-auth secureweb {enable | disable} command. Secure web (https) authentication for clients is enabled by default.
Note
If you disable secure web (https) authentication for clients using the config network web-auth secureweb disable command, you must reboot the Cisco WLC for the change to take effect.
• Set the web auth port number by entering the config network web-auth port port-number command. This parameter specifies the port numbers on which the controller listens for web authentication proxy redirection. By default, the three ports 80, 8080, and 3128 are assumed. If you configured the web authentication redirection port to any port other than these values, you must specify that value.
• To see the current status of the web auth proxy configuration, enter the show network summary or the show running-config command.
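The option 252 requirement described above can be verified on the DHCP side before clients with a manual proxy setting are told to connect. The following Python is an added example for this guide, not Cisco code: it builds the option 252 value an external DHCP server must serve, parses a DHCP options area, and checks that the served URL matches http://<virtual ip>/proxy.js for the controller's virtual IP. The virtual IP 1.1.1.1 and the sample option blobs are constructed assumptions for the demonstration.

```python
"""DHCP option 252 for WLC web auth proxy redirection.

Added example for this guide (not Cisco code). It builds the option 252
value an external DHCP server must serve, parses a DHCP options area, and
checks that the served URL points at the controller's virtual IP.
Assumptions: the virtual IP 1.1.1.1 is a placeholder, and the sample
option blobs below are constructed for this demonstration.
"""
import ipaddress
import re
import struct
from typing import Dict, Tuple

OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK, OPT_ROUTER, OPT_MSG_TYPE, OPT_WPAD = 1, 3, 53, 252
DHCPOFFER = b"\x02"


def encode_option(code: int, value: bytes) -> bytes:
    """Encode one option as code / length / value (RFC 2132 TLV)."""
    if not 0 < len(value) < 256:
        raise ValueError("option value must be 1..255 bytes")
    return struct.pack("BB", code, len(value)) + value


def wpad_option(virtual_ip: str) -> bytes:
    """Option 252 carrying http://<virtual ip>/proxy.js, as the guide requires."""
    ipaddress.IPv4Address(virtual_ip)  # raises ValueError on a malformed address
    return encode_option(OPT_WPAD, f"http://{virtual_ip}/proxy.js".encode("ascii"))


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Parse a DHCP options area into {code: value}; skips PAD, stops at END."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        i += 2 + length
    return opts


WPAD_RE = re.compile(r"^http://(\d{1,3}(?:\.\d{1,3}){3})/proxy\.js$")


def check_wpad(options: Dict[int, bytes], virtual_ip: str) -> Tuple[bool, str]:
    """Confirm option 252 is present and names the controller's virtual IP.

    Without it, a client with a manual proxy setting never reaches the
    controller's login page.
    """
    raw = options.get(OPT_WPAD)
    if raw is None:
        return False, "option 252 missing: manual-proxy clients will not get the login page"
    try:
        # Some DHCP servers NUL-terminate string options; tolerate that.
        url = raw.rstrip(b"\x00").decode("ascii")
    except UnicodeDecodeError:
        return False, "option 252 is not ASCII"
    match = WPAD_RE.match(url)
    if not match:
        return False, f"option 252 has unexpected format: {url!r}"
    if match.group(1) != virtual_ip:
        return False, f"option 252 points at {match.group(1)}, not virtual IP {virtual_ip}"
    return True, url


# Constructed samples: the options area of a DHCPOFFER for a 10.10.20.0/24 scope.
VIRTUAL_IP = "1.1.1.1"
SAMPLE_GOOD = (
    encode_option(OPT_MSG_TYPE, DHCPOFFER)
    + encode_option(OPT_SUBNET_MASK, bytes([255, 255, 255, 0]))
    + encode_option(OPT_ROUTER, bytes([10, 10, 20, 1]))
    + wpad_option(VIRTUAL_IP)
    + bytes([OPT_END])
)
SAMPLE_NO_WPAD = (
    encode_option(OPT_MSG_TYPE, DHCPOFFER)
    + encode_option(OPT_SUBNET_MASK, bytes([255, 255, 255, 0]))
    + bytes([OPT_END])
)

if __name__ == "__main__":
    for name, blob in (("good", SAMPLE_GOOD), ("no-wpad", SAMPLE_NO_WPAD)):
        print(name, check_wpad(parse_options(blob), VIRTUAL_IP))
```

To use it against a real server, feed parse_options the bytes that follow the magic cookie in a captured DHCPOFFER and pass the controller's actual virtual IP; a missing or mismatched option 252 is one reason a manual-proxy client would never see the login page, as described above.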
Detecting Active Exploits
The controller supports three active exploit alarms that serve as notifications of potential threats. They
are enabled by default and therefore require no configuration on the controller.
• ASLEAP detection—The controller raises a trap event if an attacker launches a LEAP crack tool. The trap message is visible in the controller’s trap log.
• Fake access point detection—The controller tweaks the fake access point detection logic to avoid false access point alarms in high-density access point environments.
• Honeypot access point detection—The controller raises a trap event if a rogue access point is using managed SSIDs (WLANs configured on the controller). The trap message is visible in the controller’s trap log.
Chapter 8
Working with WLANs
This chapter contains the following sections:
• Information About WLANs, page 8-1
• Guidelines and Limitations, page 8-1
• Creating WLANs, page 8-3
• Searching WLANs, page 8-6
• Configuring WLANs, page 8-8
Information About WLANs
The Cisco UWN solution can control up to 512 WLANs for lightweight access points. Each WLAN has
a separate WLAN ID (1 through 512), a separate profile name, and a WLAN SSID. All controllers
publish up to 16 WLANs to each connected access point, but you can create up to 512 WLANs and then
selectively publish these WLANs (using access point groups) to different access points to better manage
your wireless network.
You can configure WLANs with different Service Set Identifiers (SSIDs) or with the same SSID. An
SSID identifies the specific wireless network that the access points advertise for that WLAN.
Guidelines and Limitations
• All OfficeExtend access points should be in the same access point group, and that group should contain no more than 15 WLANs. A controller with OfficeExtend access points in an access point group publishes only up to 15 WLANs to each connected OfficeExtend access point because it reserves one WLAN for the personal SSID.
• You can associate up to 16 WLANs with each access point group and assign specific access points to each group. Each access point advertises only the enabled WLANs that belong to its access point group. The access point does not advertise disabled WLANs in its access point group or WLANs that belong to another group. See the “Creating Access Point Groups (GUI)” section on page 8-60 for more information on access point groups.
• We recommend that you assign one set of VLANs for WLANs and a different set of VLANs for management interfaces to ensure that controllers properly route VLAN traffic.
The controller uses different attributes to differentiate between WLANs with the same SSID:
• WLANs with the same SSID and the same Layer 2 policy cannot be created if either WLAN ID is less than 17.
• Two WLANs with IDs of 17 or higher that have the same SSID and the same Layer 2 policy are allowed, provided the WLANs are added to different AP groups.
Note
This requirement ensures that clients never see two WLANs with the same SSID that they cannot tell
apart on the same access point radio.
When creating a WLAN with the same SSID, follow these guidelines and requirements:
• You must create a unique profile name for each WLAN.
• When multiple WLANs with the same SSID are assigned to the same AP radio, each must have a unique Layer 2 security policy so that clients can safely select between them.
WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a
WLAN selection based on information advertised in beacons and probe responses. The available Layer 2
security policies are as follows:
• None (open WLAN)
• Static WEP or 802.1X
Note
Because static WEP and 802.1X are both advertised by the same bit in beacons and probe
responses, clients cannot differentiate them. Therefore, they cannot both be used by
multiple WLANs with the same SSID.
• CKIP
• WPA/WPA2
Note
Although WPA and WPA2 alone cannot differentiate multiple WLANs with the same SSID, you can
configure two WLANs with the same SSID if they differ in key management or cipher: for example,
WPA/TKIP with PSK and WPA (Wi-Fi Protected Access)/TKIP (Temporal Key Integrity Protocol)
with 802.1X, or WPA/TKIP with 802.1X and WPA/AES with 802.1X.
If you configured your WLAN with EAP Passthrough and you downgrade to an earlier controller
version, you might encounter XML validation errors during the downgrade process. This problem
occurs because EAP Passthrough is not supported in earlier releases. The configuration reverts to
the default security settings (WPA2/802.1X).
Caution
Some clients might not be able to connect to WLANs properly if they detect the same SSID with multiple
security policies. Use this feature with care.
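The same-SSID rules above are easy to get wrong in a large WLAN table, and the controller only reports a conflict when a WLAN is created. The following Python is an added example for this guide, not Cisco code: it encodes the documented constraints as a validator that can be run over a planned WLAN set before it is configured. The rules it implements are the ones stated in this section: unique profile names; WLANs sharing an SSID and a Layer 2 policy are rejected when either WLAN ID is below 17 and otherwise need different AP groups; WLANs sharing an SSID on one radio must be distinguishable from beacons, where static WEP and 802.1X collapse to the same privacy bit and WPA versus WPA2 alone does not distinguish (cipher and key management do). The sample WLAN set, the AP group names, and the policy encoding are constructed assumptions.

```python
"""Validator for the same-SSID rules in this section.

Added example for this guide (not Cisco code). The sample WLAN set is
constructed for the demonstration; AP group names are placeholders.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, List, Tuple

DEFAULT_GROUP = "default-group"
DEFAULT_GROUP_MAX_ID = 16  # WLAN IDs 1-16 are always published in default-group


@dataclass(frozen=True)
class L2Policy:
    kind: str          # "none", "static-wep", "802.1x", "ckip", "wpa", "wpa2"
    cipher: str = ""   # "tkip" or "aes" for wpa/wpa2
    akm: str = ""      # "psk" or "802.1x" for wpa/wpa2

    def beacon_key(self) -> Tuple[str, ...]:
        """What a client can actually tell apart from beacons/probe responses."""
        if self.kind in ("static-wep", "802.1x"):
            return ("wep",)  # same privacy bit: indistinguishable to clients
        if self.kind in ("wpa", "wpa2"):
            return ("wpa", self.cipher, self.akm)  # version alone does not help
        return (self.kind,)


@dataclass(frozen=True)
class WLAN:
    wlan_id: int
    profile: str
    ssid: str
    l2: L2Policy
    ap_groups: FrozenSet[str] = frozenset()

    def effective_groups(self) -> FrozenSet[str]:
        """IDs 1-16 belong to default-group whatever else they are assigned to."""
        if self.wlan_id <= DEFAULT_GROUP_MAX_ID:
            return self.ap_groups | {DEFAULT_GROUP}
        return self.ap_groups


Finding = Tuple[str, int, int]  # (rule, wlan_id_a, wlan_id_b)


def check_pair(a: WLAN, b: WLAN) -> List[Finding]:
    findings: List[Finding] = []
    if a.profile == b.profile:
        findings.append(("duplicate-profile", a.wlan_id, b.wlan_id))
    if a.ssid != b.ssid:
        return findings
    shared_radio = bool(a.effective_groups() & b.effective_groups())
    if a.l2 == b.l2:
        if a.wlan_id <= DEFAULT_GROUP_MAX_ID or b.wlan_id <= DEFAULT_GROUP_MAX_ID:
            findings.append(("same-policy-low-id", a.wlan_id, b.wlan_id))
        elif shared_radio:
            findings.append(("same-policy-same-group", a.wlan_id, b.wlan_id))
    elif shared_radio and a.l2.beacon_key() == b.l2.beacon_key():
        findings.append(("indistinguishable", a.wlan_id, b.wlan_id))
    return findings


def validate(wlans: List[WLAN]) -> List[Finding]:
    """Return every rule violation among the given WLANs (empty list = OK)."""
    findings: List[Finding] = []
    for a, b in combinations(wlans, 2):
        findings.extend(check_pair(a, b))
    return findings


# Constructed sample configuration.
SAMPLE = [
    WLAN(1, "corp-dot1x", "corp", L2Policy("wpa2", "aes", "802.1x")),
    WLAN(2, "corp-psk", "corp", L2Policy("wpa2", "aes", "psk")),       # OK: AKM differs
    WLAN(3, "corp-wpa1", "corp", L2Policy("wpa", "aes", "802.1x")),    # vs 1: only version differs
    WLAN(4, "guest-open", "guest", L2Policy("none")),
    WLAN(5, "guest-wep", "guest", L2Policy("static-wep")),
    WLAN(6, "guest-dot1x", "guest", L2Policy("802.1x")),               # vs 5: same privacy bit
    WLAN(7, "guest-dot1x", "guest2", L2Policy("ckip")),                # duplicate profile name
    WLAN(8, "branch-hq", "branch", L2Policy("wpa2", "aes", "psk")),    # ID < 17 with same SSID/policy
    WLAN(17, "branch-a", "branch", L2Policy("wpa2", "aes", "psk"), frozenset({"site-a"})),
    WLAN(18, "branch-b", "branch", L2Policy("wpa2", "aes", "psk"), frozenset({"site-b"})),  # OK
    WLAN(19, "branch-c", "branch", L2Policy("wpa2", "aes", "psk"), frozenset({"site-a"})),  # vs 17
]

if __name__ == "__main__":
    for rule, x, y in validate(SAMPLE):
        print(f"{rule}: WLAN {x} and WLAN {y}")
```

The beacon_key method is the part worth adapting: it models what a client can see, which is narrower than what the controller stores, so two WLANs that differ only by WPA version or only by static versus dynamic WEP are flagged even though their configurations are not identical.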
Note
The OEAP 600 Series access point supports a maximum of two WLANs and one remote LAN. If you
have configured more than two WLANs and one remote LAN, you can assign the 600 Series access point
to an AP group. The limit of two WLANs and one remote LAN still applies to the AP group. If the
600 Series OEAP is in the default group, the WLAN or remote LAN IDs must be lower than 8.
Cisco Flex 7500 Series Controller does not support the 802.1X security variants on a centrally switched
WLAN. For example, the following configurations are not allowed on a centrally switched WLAN:
• WPA1/WPA2 with 802.1X AKM
• WPA1/WPA2 with CCKM
• Dynamic WEP
• Conditional web auth
• Splash web page redirect
If you want to configure your WLAN with any of the above combinations, the WLAN must be
configured to use local switching.
Creating WLANs
This section contains the following topics:
• Creating and Removing WLANs (GUI), page 8-3
• Enabling and Disabling WLANs (GUI), page 8-4
• Creating and Deleting WLANs (CLI), page 8-4
• Viewing WLANs (CLI), page 8-5
• Enabling and Disabling WLANs (CLI), page 8-5
Creating and Removing WLANs (GUI)
Step 1
Choose WLANs to open the WLANs page.
This page lists all of the WLANs currently configured on the controller. For each WLAN, you can see
its WLAN ID, profile name, type, SSID, status, and security policies.
The total number of WLANs appears in the upper right-hand corner of the page. If the list of WLANs
spans multiple pages, you can access these pages by clicking the page number links.
Note
If you want to delete a WLAN, hover your cursor over the blue drop-down arrow for that WLAN
and choose Remove, or select the check box to the left of the WLAN, choose Remove Selected
from the drop-down list, and click Go. A message appears asking you to confirm your decision.
If you proceed, the WLAN is removed from any access point group to which it is assigned and
from the access point’s radio.
Step 2
Create a new WLAN by choosing Create New from the drop-down list and clicking Go. The WLANs >
New page appears.
Note
When you upgrade to controller software release 5.2 or later releases, the controller creates the
default-group access point group and automatically populates it with the first 16 WLANs (WLANs with
IDs 1 through 16, or fewer if 16 WLANs are not configured). This default group cannot be modified (you
cannot add WLANs to it nor delete WLANs from it). It is dynamically updated whenever the first 16
WLANs are added or deleted. If an access point does not belong to an access point group, it is assigned
to the default group and uses the WLANs in that group. If an access point joins the controller with an
undefined access point group name, the access point keeps its group name but uses the WLANs in the
default-group access point group.
Step 3
From the Type drop-down list, choose WLAN to create a WLAN.
Note
If you want to create a guest LAN for wired guest users, choose Guest LAN and follow the
instructions in the “Configuring Wired Guest Access” section on page 12-28.
Step 4
In the Profile Name text box, enter up to 32 alphanumeric characters for the profile name to be assigned
to this WLAN. The profile name must be unique.
Step 5
In the WLAN SSID text box, enter up to 32 alphanumeric characters for the SSID to be assigned to this
WLAN.
Step 6
From the WLAN ID drop-down list, choose the ID number for this WLAN.
Note
If the Cisco OEAP 600 is in the default group, the WLAN/Remote LAN IDs need to be set
lower than ID 8.
Step 7
Click Apply to commit your changes. The WLANs > Edit page appears.
Note
You can also open the WLANs > Edit page from the WLANs page by clicking the ID number of
the WLAN that you want to edit.
Step 8
Use the parameters on the General, Security, QoS, and Advanced tabs to configure this WLAN. See the
sections in the rest of this chapter for instructions on configuring specific features for WLANs.
Step 9
On the General tab, select the Status check box to enable this WLAN. Be sure to leave it unselected until
you have finished making configuration changes to the WLAN.
Step 10
Click Apply to commit your changes.
Step 11
Click Save Configuration to save your changes.
Enabling and Disabling WLANs (GUI)
Step 1
Choose WLANs to open the WLANs page.
This page lists all of the WLANs currently configured on the controller.
Step 2
Enable or disable WLANs from the WLANs page by selecting the check boxes to the left of the WLANs
that you want to enable or disable, choosing Enable Selected or Disable Selected from the drop-down
list, and clicking Go.
Step 3
Click Apply.
Creating and Deleting WLANs (CLI)
• Create a new WLAN by entering this command:
config wlan create wlan_id {profile_name | foreign_ap} ssid
Note
If you do not specify an ssid, the profile_name parameter is used for both the profile name
and the SSID.
Note
When WLAN 1 is created in the configuration wizard, it is created in enabled mode. Disable
it until you have finished configuring it. When you create a new WLAN using the config
wlan create command, it is created in disabled mode. Leave it disabled until you have
finished configuring it.
Note
If you want to create a guest LAN for wired guest users, follow the instructions in the
“Configuring Wired Guest Access” section on page 12-28.
• Delete a WLAN by entering this command:
config wlan delete {wlan_id | foreign_ap}
Note
An error message appears if you try to delete a WLAN that is assigned to an access point
group. If you proceed, the WLAN is removed from the access point group and from the
access point’s radio.
Viewing WLANs (CLI)
• View the list of existing WLANs and see whether they are enabled or disabled by entering this command:
show wlan summary
Enabling and Disabling WLANs (CLI)
• Enable a WLAN (for example, after you have finished making configuration changes to the WLAN) by entering this command:
config wlan enable {wlan_id | foreign_ap | all}
Note
If the command fails, an error message appears (for example, “Request failed for wlan 10 Static WEP
key size does not match 802.1X WEP key size”).
• Disable a WLAN (for example, before making any modifications to a WLAN) by entering this command:
config wlan disable {wlan_id | foreign_ap | all}
where
• wlan_id is a WLAN ID between 1 and 512.
• foreign_ap is a third-party access point.
• all is all WLANs.
Note
If the management and AP-manager interfaces are mapped to the same port and are members
of the same VLAN, you must disable the WLAN before making a port-mapping change to
either interface. If the management and AP-manager interfaces are assigned to different
VLANs, you do not need to disable the WLAN.
Searching WLANs
This section contains the following topics:
• Searching WLANs (GUI), page 8-6
• Setting the Client Count per WLAN, page 8-6
Searching WLANs (GUI)
To search for WLANs using the controller GUI, follow these steps:
Step 1
On the WLANs page, click Change Filter. The Search WLANs dialog box appears.
Step 2
Perform one of the following:
• To search for WLANs based on profile name, select the Profile Name check box and enter the desired profile name in the edit box.
• To search for WLANs based on SSID, select the SSID check box and enter the desired SSID in the edit box.
• To search for WLANs based on their status, select the Status check box and choose Enabled or Disabled from the drop-down list.
Step 3
Click Find. Only the WLANs that match your search criteria appear on the WLANs page, and the
Current Filter field at the top of the page specifies the search criteria used to generate the list (for
example, None, Profile Name:user1, SSID:test1, Status: disabled).
Note
To clear any configured search criteria and display the entire list of WLANs, click Clear Filter.
Setting the Client Count per WLAN
This section contains the following topics:
• Information About Setting Client Count per WLAN, page 8-7
• Guidelines and Limitations, page 8-7
• Configuring Client Count per WLAN (GUI), page 8-7
• Configuring Maximum Number of Clients per WLAN (CLI), page 8-7
Information About Setting Client Count per WLAN
You can set a limit to the number of clients that can connect to a WLAN, which is useful in scenarios
where you have a limited number of clients that can connect to a controller. For example, consider a
scenario where the controller can serve up to 256 clients on a WLAN and these clients can be shared
between enterprise users (employees) and guest users. You can set a limit on the number of guest clients
that can access a given WLAN. The number of clients that you can configure per WLAN depends on the
platform that you are using.
Guidelines and Limitations
• The maximum number of clients per WLAN feature is not supported when you use FlexConnect local authentication.
• The maximum number of clients per WLAN feature is supported only for access points that are in connected mode.
Configuring Client Count per WLAN (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the WLAN for which you want to limit the number of clients. The WLANs >
Edit page appears.
Step 3
On the Advanced tab, enter the maximum number of clients in the Maximum Allowed Clients text box.
See Table 8-1 for the maximum number of clients supported per platform.
Step 4
Click Apply to commit your changes.
Configuring Maximum Number of Clients per WLAN (CLI)
Step 1
Determine the WLAN ID for which you want to configure the maximum clients by entering this
command:
show wlan summary
Obtain the WLAN ID from the list.
Step 2
Configure the maximum number of clients per WLAN by entering this command:
config wlan max-associated-clients max-clients wlanid
See Table 8-1 for the maximum number of clients supported per platform.
Configuring Maximum Number of Clients per AP Radio Per WLAN (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the WLAN for which you want to limit the number of clients. The WLANs >
Edit page appears.
Step 3
On the Advanced tab, enter the maximum allowed clients per access point radio in the Maximum
Allowed Clients Per AP Radio text box. You can configure up to 200 clients.
Step 4
Click Apply to commit your changes.
Configuring Maximum Number of Clients per AP Radio Per WLAN (CLI)
Step 1
Determine the WLAN ID for which you want to configure the maximum clients per radio by entering
this command:
show wlan summary
Obtain the WLAN ID from the list.
Step 2
Configure the maximum number of clients per WLAN by entering this command:
config wlan max-radio-clients client_count
You can configure up to 200 clients.
Step 3
To view the configured maximum associated clients, use the show 802.11a command.
Configuring WLANs
This section contains the following topics:
• Configuring DHCP, page 8-9
• Configuring MAC Filtering for WLANs, page 8-16
• Configuring Local MAC Filters, page 8-16
• Configuring a Timeout for Disabled Clients, page 8-17
• Assigning WLANs to Interfaces, page 8-18
• Configuring the DTIM Period, page 8-18
• Configuring Peer-to-Peer Blocking, page 8-20
• Configuring Layer 2 Security, page 8-23
• Configuring a WLAN for Both Static and Dynamic WEP, page 8-24
• Configuring WPA1+WPA2, page 8-26
• Configuring CKIP, page 8-29
• Configuring Session Timeouts, page 8-32
• Configuring Layer 3 Security Using Web Authentication, page 8-33
• Configuring a Fallback Policy with MAC Filtering and Web Authentication, page 8-36
• Assigning a QoS Profile to a WLAN, page 8-38
• Configuring QoS Enhanced BSS, page 8-40
• Configuring Media Session Snooping and Reporting, page 8-43
• Configuring Key Telephone System-Based CAC, page 8-47
• Configuring Reanchoring of Roaming Voice Clients, page 8-50
• Configuring Seamless IPv6 Mobility, page 8-51
• Configuring RA Guard for IPv6 Clients, page 8-53
• Configuring RA Throttling for IPv6 Clients, page 8-53
• Configuring IPv6 Neighbor Discovery Caching, page 8-55
• Configuring Cisco Client Extensions, page 8-57
• Configuring AP Groups, page 8-58
• Configuring RF Profiles, page 8-64
• Configuring Web Redirect with 802.1X Authentication, page 8-66
• Configuring NAC Out-of-Band Integration, page 8-70
• Configuring Passive Clients, page 8-74
• Configuring Per-WLAN RADIUS Source Support, page 8-79
• Configuring Remote LANs, page 8-81
Configuring DHCP
You can configure WLANs to use the same or different Dynamic Host Configuration Protocol (DHCP)
servers or no DHCP server. Two types of DHCP servers are available: internal and external.
This section contains the following topics:
• Internal DHCP Server, page 8-9
• External DHCP Servers, page 8-10
• DHCP Assignment, page 8-10
• Configuring DHCP, page 8-11
• Configuring DHCP Scopes, page 8-13
Internal DHCP Server
The controllers contain an internal DHCP server. This server is typically used in branch offices that do
not already have a DHCP server. The wireless network generally contains 10 access points or fewer, with
the access points on the same IP subnet as the controller. The internal server provides DHCP addresses
to wireless clients, direct-connect access points, and DHCP requests that are relayed from access points.
Only lightweight access points are supported. When you want to use the internal DHCP server, you must
set the management interface IP address of the controller as the DHCP server IP address.
DHCP option 43 is not supported on the internal server. Therefore, the access point must use an
alternative method to locate the management interface IP address of the controller, such as local subnet
broadcast, DNS, or priming.
Note
See Chapter 9, “Controlling Lightweight Access Points,” or the Controller Deployment Guide at this
URL for more information on how access points find controllers:
http://www.cisco.com/en/US/products/ps6366/prod_technical_reference_list.html
An internal DHCP server pool serves only the wireless clients of that controller, not clients of other
controllers. Also, the internal DHCP server can serve only wireless clients, not wired clients. Wired
guest clients are always on a Layer 2 network connected to a local or foreign controller.
Note
The DHCP required state can cause traffic to not be forwarded properly if a client is deauthenticated or
removed. To overcome this problem, ensure that the DHCP required state is always disabled.
Note
The controller does not support internal DHCPv6 servers. However, clients can learn the IP addresses
that are assigned by an external DHCPv6 server.
External DHCP Servers
The operating system is designed to appear as a DHCP Relay to the network and as a DHCP server to
clients with industry-standard external DHCP servers that support DHCP Relay, which means that each
controller appears as a DHCP Relay agent to the DHCP server and as a DHCP server at the virtual IP
address to wireless clients.
Because the controller captures the client IP address obtained from a DHCP server, it maintains the same
IP address for that client during intra-controller, inter-controller, and inter-subnet client roaming.
DHCP Assignment
You can configure DHCP on a per-interface or per-WLAN basis. The preferred method is to use the
primary DHCP server address assigned to a particular interface.
You can assign DHCP servers for individual interfaces. The management interface, AP-manager
interface, and dynamic interfaces can be configured for a primary and secondary DHCP server, and the
service-port interface can be configured to enable or disable DHCP servers.
Note
See Chapter 11, “Managing Controller Software and Configurations,” for information on configuring the
controller’s interfaces.
You can also define a DHCP server on a WLAN. This server will override the DHCP server address on
the interface assigned to the WLAN.
Security Considerations
For enhanced security, we recommend that you require all clients to obtain their IP addresses from a
DHCP server. To enforce this requirement, all WLANs can be configured with a DHCP Addr.
Assignment Required setting, which disallows client static IP addresses. If DHCP Addr. Assignment
Required is selected, clients must obtain an IP address via DHCP. Any client with a static IP address is
not allowed on the network. The controller can monitor DHCP traffic because it acts as a DHCP proxy
for the clients.
Note
WLANs that support management over wireless must allow management (device-servicing) clients to
obtain an IP address from a DHCP server. See the “Using Management Over Wireless” section on
page 7-51 for instructions on configuring management over wireless.
If slightly less security is tolerable, you can create WLANs with DHCP Addr. Assignment Required
disabled. Clients then have the option of using a static IP address or obtaining an IP address from a
designated DHCP server.
Note
DHCP Addr. Assignment Required is not supported for wired guest LANs.
You can also create WLANs with DHCP Addr. Assignment Required disabled and no primary or
secondary DHCP server defined. This applies only if DHCP proxy is enabled for the controller. Such
WLANs drop all DHCP requests and force clients to use a static IP address. These WLANs do not
support management over wireless connections.
Note
See Chapter 7, “Configuring Security Solutions,” for instructions on globally configuring DHCP proxy.
Note
If you want to specify a static IP address for an access point rather than having one assigned
automatically by a DHCP server, see the “Configuring a Static IP Address on a Lightweight Access
Point” section on page 9-48 for more information.
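The security value of DHCP Addr. Assignment Required comes from the controller's position as DHCP proxy: it sees the lease it relays, so it can bind a client to that address and refuse traffic from any client that never completed DHCP or that sends from another address. The following Python is an added example for this guide: a simplified model of the documented policy, not the controller's implementation, run over a constructed sequence of client events so the difference between the two settings is visible. The MAC addresses, the 10.10.20.0/24 subnet, and the decision names are assumptions made for the demonstration.

```python
"""Model of the DHCP Addr. Assignment Required policy described above.

Added example for this guide: a simplified model of the documented
behaviour, not the controller's implementation. The client events below
are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FORWARD, BIND = "forward", "bind"
DROP_NO_LEASE, DROP_MISMATCH = "drop-no-lease", "drop-ip-mismatch"


@dataclass
class ClientState:
    mac: str
    dhcp_ip: Optional[str] = None     # address from a DHCP ACK the controller proxied
    learned_ip: Optional[str] = None  # address learned from the client's own traffic


class DhcpRequiredPolicy:
    def __init__(self, dhcp_required: bool) -> None:
        self.dhcp_required = dhcp_required
        self.clients: Dict[str, ClientState] = {}

    def _client(self, mac: str) -> ClientState:
        return self.clients.setdefault(mac, ClientState(mac))

    def on_dhcp_ack(self, mac: str, yiaddr: str) -> str:
        """The proxied DHCP ACK is the only trusted source of a client address."""
        client = self._client(mac)
        client.dhcp_ip = yiaddr
        client.learned_ip = yiaddr
        return BIND

    def on_client_packet(self, mac: str, src_ip: str) -> str:
        """Decide whether a data packet from a wireless client is forwarded."""
        client = self._client(mac)
        if self.dhcp_required:
            if client.dhcp_ip is None:
                return DROP_NO_LEASE        # static IP: never completed DHCP
            if src_ip != client.dhcp_ip:
                return DROP_MISMATCH        # sending from an address it was not leased
            return FORWARD
        # DHCP not required: the first address seen is accepted, static included.
        if client.learned_ip is None:
            client.learned_ip = src_ip
        return FORWARD


Event = Tuple[str, str, str]  # (kind, client mac, ip)

# Constructed events on a 10.10.20.0/24 WLAN.
EVENTS: List[Event] = [
    ("dhcp_ack", "00:11:22:33:44:55", "10.10.20.50"),  # leased address
    ("packet", "00:11:22:33:44:55", "10.10.20.50"),    # normal traffic
    ("packet", "00:11:22:33:44:55", "10.10.20.1"),     # same client, gateway's address
    ("packet", "66:77:88:99:aa:bb", "10.10.20.99"),    # never did DHCP: static IP
]


def run(dhcp_required: bool, events: List[Event]) -> List[str]:
    """Replay events through the policy and return one decision per event."""
    policy = DhcpRequiredPolicy(dhcp_required)
    decisions: List[str] = []
    for kind, mac, ip in events:
        if kind == "dhcp_ack":
            decisions.append(policy.on_dhcp_ack(mac, ip))
        else:
            decisions.append(policy.on_client_packet(mac, ip))
    return decisions


if __name__ == "__main__":
    print("DHCP required:    ", run(True, EVENTS))
    print("DHCP not required:", run(False, EVENTS))
```

The third and fourth events are the ones that matter: with the setting enabled, a client reusing the gateway's address and a client that configured itself statically are both dropped; with it disabled, both are forwarded, which is the "slightly less security" trade-off the text describes.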
Guidelines and Limitations
The controller internal DHCP server does not support Cisco Aironet 600 Series OfficeExtend Access
Point.
Configuring DHCP
This section contains the following topics:
• Configuring DHCP (GUI), page 8-11
• Configuring DHCP (CLI), page 8-12
• Debugging DHCP (CLI), page 8-13
Configuring DHCP (GUI)
To configure a primary DHCP server for a management, AP-manager, or dynamic interface, see
Chapter 4, “Configuring Ports and Interfaces.”
When you want to use the internal DHCP server, you must set the management interface IP address of
the controller as the DHCP server IP address.
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the WLAN for which you want to assign an interface. The WLANs > Edit
(General) page appears.
Step 3
On the General tab, unselect the Status check box and click Apply to disable the WLAN.
Step 4
Click the ID number of the WLAN.
Step 5
On the General tab, choose the interface for which you configured a primary DHCP server to be used
with this WLAN from the Interface drop-down list.
Step 6
Choose the Advanced tab to open the WLANs > Edit (Advanced) page.
Step 7
If you want to define a DHCP server on the WLAN that will override the DHCP server address on the
interface assigned to the WLAN, select the DHCP Server Override check box and enter the IP address
of the desired DHCP server in the DHCP Server IP Addr text box. The default value for the check box
is disabled.
Note
The preferred method for configuring DHCP is to use the primary DHCP address assigned to a
particular interface instead of the DHCP server override.
Note
DHCP Server override is applicable only for the default group.
Note
If a WLAN has the DHCP server override option enabled and the controller has DHCP proxy
enabled, any interface mapped to the WLAN must have a DHCP server IP address or the WLAN
must be configured with a DHCP server IP address.
Step 8
If you want to require all clients to obtain their IP addresses from a DHCP server, select the DHCP Addr.
Assignment Required check box. When this feature is enabled, any client with a static IP address is not
allowed on the network. The default value is disabled.
Note
DHCP Addr. Assignment Required is not supported for wired guest LANs.
Step 9
Click Apply to commit your changes.
Step 10
On the General tab, select the Status check box and click Apply to reenable the WLAN.
Step 11
Click Save Configuration to save your changes.
Configuring DHCP (CLI)
To configure a primary DHCP server for a management, AP-manager, or dynamic interface, see
Chapter 4, “Configuring Ports and Interfaces.”
Step 1
Disable the WLAN by entering this command:
config wlan disable wlan_id
Step 2
Specify the interface for which you configured a primary DHCP server to be used with this WLAN by
entering this command:
config wlan interface wlan_id interface_name
Step 3
If you want to define a DHCP server on the WLAN that will override the DHCP server address on the
interface assigned to the WLAN, enter this command:
config wlan dhcp_server wlan_id dhcp_server_ip_address
Note
The preferred method for configuring DHCP is to use the primary DHCP address assigned to a
particular interface instead of the DHCP server override. If you enable the override, you can use
the show wlan command to verify that the DHCP server has been assigned to the WLAN.
Note
If a WLAN has the DHCP server override option enabled and the controller has DHCP proxy
enabled, any interface mapped to the WLAN must have a DHCP server IP address or the WLAN
must be configured with a DHCP server IP address.
Step 4
Reenable the WLAN by entering this command:
config wlan enable wlan_id
Debugging DHCP (CLI)
• debug dhcp packet {enable | disable}—Enables or disables debugging of DHCP packets.
• debug dhcp message {enable | disable}—Enables or disables debugging of DHCP error messages.
• debug dhcp service-port {enable | disable}—Enables or disables debugging of DHCP packets on the service port.
Configuring DHCP Scopes
Controllers have built-in DHCP relay agents. However, when you desire network segments that do not
have a separate DHCP server, the controllers can have built-in DHCP scopes that assign IP addresses and
subnet masks to wireless clients. Typically, one controller can have one or more DHCP scopes that each
provide a range of IP addresses.
DHCP scopes are needed for internal DHCP to work. Once DHCP is defined on the controller, you can
then point the primary DHCP server IP address on the management, AP-manager, and dynamic
interfaces to the controller’s management interface.
You can configure up to 16 DHCP scopes using the controller GUI or CLI.
This section contains the following topics:
• Configuring DHCP Scopes (GUI), page 8-14
• Configuring DHCP Scopes (CLI), page 8-15
Configuring DHCP Scopes (GUI)
Step 1
Choose Controller > Internal DHCP Server > DHCP Scope to open the DHCP Scopes page.
This page lists any DHCP scopes that have already been configured.
Note
If you ever want to delete an existing DHCP scope, hover your cursor over the blue drop-down
arrow for that scope and choose Remove.
Step 2
Click New to add a new DHCP scope. The DHCP Scope > New page appears.
Step 3
In the Scope Name text box, enter a name for the new DHCP scope.
Step 4
Click Apply. When the DHCP Scopes page reappears, click the name of the new scope. The DHCP
Scope > Edit page appears.
Step 5
In the Pool Start Address text box, enter the starting IP address in the range assigned to the clients.
Step 6
In the Pool End Address text box, enter the ending IP address in the range assigned to the clients.
Note
This pool must be unique for each DHCP scope and must not include the static IP addresses of
routers or other servers.
Step 7
In the Network text box, enter the network served by this DHCP scope. This IP address is used by the
management interface with Netmask applied, as configured on the Interfaces page.
Step 8
In the Netmask text box, enter the subnet mask assigned to all wireless clients.
Step 9
In the Lease Time text box, enter the amount of time (from 0 to 65536 seconds) that an IP address is
granted to a client.
Step 10
In the Default Routers text box, enter the IP address of the optional router connecting the controllers.
Each router must include a DHCP forwarding agent, which allows a single controller to serve the clients
of multiple controllers.
Step 11
In the DNS Domain Name text box, enter the optional domain name system (DNS) domain name of this
DHCP scope for use with one or more DNS servers.
Step 12
In the DNS Servers text box, enter the IP address of the optional DNS server. Each DNS server must be
able to update a client’s DNS entry to match the IP address assigned by this DHCP scope.
Step 13
In the Netbios Name Servers text box, enter the IP address of the optional Microsoft Network Basic Input
Output System (NetBIOS) name server, such as the Internet Naming Service (WINS) server.
Step 14
From the Status drop-down list, choose Enabled to enable this DHCP scope or choose Disabled to
disable it.
Step 15
Click Apply to commit your changes.
Step 16
Click Save Configuration to save your changes.
Step 17
Choose DHCP Allocated Leases to see the remaining lease time for wireless clients. The DHCP
Allocated Lease page appears, showing the MAC address, IP address, and remaining lease time for the
wireless clients.
Configuring DHCP Scopes (CLI)
Step 1
Create a new DHCP scope by entering this command:
config dhcp create-scope scope
Note
If you ever want to delete a DHCP scope, enter this command: config dhcp delete-scope scope.
Step 2
Specify the starting and ending IP address in the range assigned to the clients by entering this command:
config dhcp address-pool scope start end
Note
This pool must be unique for each DHCP scope and must not include the static IP addresses of
routers or other servers.
Step 3
Specify the network served by this DHCP scope (the IP address used by the management interface with
the Netmask applied) and the subnet mask assigned to all wireless clients by entering this command:
config dhcp network scope network netmask
Step 4
Specify the amount of time (from 0 to 65536 seconds) that an IP address is granted to a client by entering
this command:
config dhcp lease scope lease_duration
Step 5
Specify the IP address of the optional router connecting the controllers by entering this command:
config dhcp default-router scope router_1 [router_2] [router_3]
Each router must include a DHCP forwarding agent, which allows a single controller to serve the clients
of multiple controllers.
Step 6
Specify the optional domain name system (DNS) domain name of this DHCP scope for use with one or
more DNS servers by entering this command:
config dhcp domain scope domain
Step 7
Specify the IP address of the optional DNS server(s) by entering this command:
config dhcp dns-servers scope dns1 [dns2] [dns3]
Each DNS server must be able to update a client’s DNS entry to match the IP address assigned by this
DHCP scope.
Step 8
Specify the IP address of the optional Microsoft Network Basic Input Output System (NetBIOS) name
server, such as the Internet Naming Service (WINS) server by entering this command:
config dhcp netbios-name-server scope wins1 [wins2] [wins3]
Step 9
Enable or disable this DHCP scope by entering this command:
config dhcp {enable | disable} scope
Step 10
Save your changes by entering this command:
save config
Step 11
See the list of configured DHCP scopes by entering this command:
show dhcp summary
Information similar to the following appears:
Scope Name          Enabled    Address Range
Scope 1             No         0.0.0.0 -> 0.0.0.0
Scope 2             No         0.0.0.0 -> 0.0.0.0
Step 12
Display the DHCP information for a particular scope by entering this command:
show dhcp scope
Information similar to the following appears:
Enabled....................................... No
Lease Time.................................... 0
Pool Start.................................... 0.0.0.0
Pool End...................................... 0.0.0.0
Network....................................... 0.0.0.0
Netmask....................................... 0.0.0.0
Default Routers............................... 0.0.0.0 0.0.0.0 0.0.0.0
DNS Domain....................................
DNS........................................... 0.0.0.0 0.0.0.0 0.0.0.0
Netbios Name Servers.......................... 0.0.0.0 0.0.0.0 0.0.0.0
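As an added example (not part of the Cisco guide), the following Python checks a set of planned scopes against the constraints stated in the GUI and CLI procedures above: the 16-scope limit, the 0 to 65536 second lease range, a pool that sits inside its network, pools that stay unique across scopes, and a pool that does not include the static addresses of routers, DNS servers, or NetBIOS name servers. The scope names and documentation addresses are constructed; the controller itself does not run this code.

```python
"""Constructed example: sanity checks for controller internal DHCP scopes.

Checks the constraints this section states: at most 16 scopes, a lease of
0 to 65536 seconds, a pool that lies inside the scope's network, a pool that
does not include the static addresses of routers or servers, and pools that
are unique across scopes.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List

MAX_SCOPES = 16            # controller limit stated in this section
MAX_LEASE_SECONDS = 65536  # lease range stated in this section


@dataclass
class DhcpScope:
    """One internal DHCP scope as entered on the DHCP Scope > Edit page."""
    name: str
    pool_start: str
    pool_end: str
    network: str
    netmask: str
    lease_seconds: int
    default_routers: List[str] = field(default_factory=list)
    dns_servers: List[str] = field(default_factory=list)
    netbios_servers: List[str] = field(default_factory=list)

    def subnet(self) -> ipaddress.IPv4Network:
        # strict=True rejects a Network value that is not the subnet address
        return ipaddress.IPv4Network(f"{self.network}/{self.netmask}", strict=True)

    def pool(self):
        return (ipaddress.IPv4Address(self.pool_start),
                ipaddress.IPv4Address(self.pool_end))


def check_scope(scope: DhcpScope) -> List[str]:
    """Return a list of findings for a single scope (empty means clean)."""
    findings = []
    try:
        subnet = scope.subnet()
    except ValueError as exc:
        return [f"{scope.name}: invalid network/netmask ({exc})"]
    start, end = scope.pool()
    if start > end:
        findings.append(f"{scope.name}: pool start {start} is after pool end {end}")
    for label, addr in (("pool start", start), ("pool end", end)):
        if addr not in subnet:
            findings.append(f"{scope.name}: {label} {addr} is outside {subnet}")
        elif addr in (subnet.network_address, subnet.broadcast_address):
            findings.append(f"{scope.name}: {label} {addr} is the network or broadcast address")
    if not 0 <= scope.lease_seconds <= MAX_LEASE_SECONDS:
        findings.append(f"{scope.name}: lease {scope.lease_seconds}s outside 0-{MAX_LEASE_SECONDS}")
    # The pool must not include the static addresses of routers or servers.
    static_hosts = ([("default router", r) for r in scope.default_routers]
                    + [("DNS server", d) for d in scope.dns_servers]
                    + [("NetBIOS name server", n) for n in scope.netbios_servers])
    for label, host in static_hosts:
        ip = ipaddress.IPv4Address(host)
        if start <= ip <= end:
            findings.append(f"{scope.name}: pool includes static {label} {ip}")
    return findings


def check_scopes(scopes: List[DhcpScope]) -> List[str]:
    """Run per-scope checks plus the cross-scope checks (count, overlap)."""
    findings = []
    if len(scopes) > MAX_SCOPES:
        findings.append(f"{len(scopes)} scopes configured; the controller supports {MAX_SCOPES}")
    for scope in scopes:
        findings.extend(check_scope(scope))
    # Pools must be unique: no two scopes may hand out the same address.
    for i, a in enumerate(scopes):
        a_start, a_end = a.pool()
        for b in scopes[i + 1:]:
            b_start, b_end = b.pool()
            if a_start <= b_end and b_start <= a_end:
                findings.append(f"{a.name}/{b.name}: pools overlap")
    return findings


# Constructed sample scopes (documentation address ranges, not a real deployment).
SAMPLE_SCOPES = [
    DhcpScope("guest", "192.0.2.10", "192.0.2.100", "192.0.2.0", "255.255.255.0",
              3600, default_routers=["192.0.2.1"], dns_servers=["192.0.2.2"]),
    # Default router sits inside the pool: the controller could lease its address.
    DhcpScope("iot", "198.51.100.5", "198.51.100.50", "198.51.100.0", "255.255.255.0",
              600, default_routers=["198.51.100.20"]),
    # Overlaps the "iot" pool and asks for a lease longer than the controller allows.
    DhcpScope("iot-2", "198.51.100.40", "198.51.100.80", "198.51.100.0", "255.255.255.0",
              70000),
]

if __name__ == "__main__":
    for finding in check_scopes(SAMPLE_SCOPES):
        print(finding)
```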
Configuring MAC Filtering for WLANs
When you use MAC filtering for client or administrator authorization, you need to enable it at the WLAN
level first. If you plan to use local MAC address filtering for any WLAN, use the commands in this
section to configure MAC filtering for a WLAN.
Use these commands to enable MAC filtering on a WLAN:
• Enable MAC filtering by entering the config wlan mac-filtering enable wlan_id command.
• Verify that you have MAC filtering enabled for the WLAN by entering the show wlan command.
When you enable MAC filtering, only the MAC addresses that you add to the WLAN are allowed to join
the WLAN. MAC addresses that have not been added are not allowed to join the WLAN.
Configuring Local MAC Filters
This section contains the following topics:
• Information About Local MAC Filters, page 8-17
• Guidelines and Limitations, page 8-17
• Configuring Local MAC Filters (CLI), page 8-17
• Configuring a Timeout for Disabled Clients, page 8-17
• Configuring a Timeout for Disabled Clients (CLI), page 8-17
Information About Local MAC Filters
Controllers have built-in MAC filtering capability, similar to that provided by a RADIUS authorization
server. You can configure a MAC filter using the GUI or CLI.
Configuring Local MAC Filters (CLI)
• Create a MAC filter entry on the controller by entering the config macfilter add mac_addr wlan_id [interface_name] [description] [IP_addr] command.
The command parameters are as follows (interface_name, description, and IP_addr are optional):
– mac_addr—MAC address of the client.
– wlan_id—WLAN ID on which the client is associating.
– interface_name—The name of the interface. This interface name is used to override the interface configured for the WLAN.
– description—A brief description of the interface in double quotes (for example, “Interface1”).
– IP_addr—The IP address that is used for a passive client with the MAC address specified by the mac_addr value above.
• Assign an IP address to an existing MAC filter entry, if one was not assigned in the config macfilter add command, by entering the config macfilter ip-address mac_addr IP_addr command.
• Verify that MAC addresses are assigned to the WLAN by entering the show macfilter command.
If MAC filtering is configured, the controller tries to authenticate the wireless clients using the RADIUS
servers first. Local MAC filtering is attempted only if no RADIUS servers are found, either because the
RADIUS servers timed out or no RADIUS servers were configured.
Guidelines and Limitations
You must have AAA enabled on the WLAN to override the interface name.
Configuring a Timeout for Disabled Clients
You can configure a timeout for disabled clients. Clients who fail to authenticate three times when
attempting to associate are automatically disabled from further association attempts. After the timeout
period expires, the client is allowed to retry authentication until it associates or fails authentication and
is excluded again. Use these commands to configure a timeout for disabled clients.
Configuring a Timeout for Disabled Clients (CLI)
• Configure the timeout for disabled clients by entering the config wlan exclusionlist wlan_id timeout command. Enter a timeout from 1 to 65535 seconds, or enter 0 to permanently disable the client.
• Verify the current timeout by entering the show wlan command.
Assigning WLANs to Interfaces
Use these commands to assign a WLAN to an interface:
• Assign a WLAN to an interface by entering this command:
config wlan interface {wlan_id | foreignAp} interface_id
– Use the interface_id option to assign the WLAN to a specific interface.
– Use the foreignAp option to use a third-party access point.
• Verify the interface assignment status by entering the show wlan summary command.
Configuring the DTIM Period
This section contains the following topics:
• Information About the DTIM Period, page 8-18
• Guidelines and Limitations, page 8-19
• Configuring the DTIM Period, page 8-19
Information About the DTIM Period
In 802.11a/n and 802.11b/g/n networks, lightweight access points broadcast a beacon at regular
intervals, which coincides with the Delivery Traffic Indication Map (DTIM). After the access point
broadcasts the beacon, it transmits any buffered broadcast and multicast frames based on the value set
for the DTIM period. This feature allows power-saving clients to wake up at the appropriate time if they
are expecting broadcast or multicast data.
Typically, the DTIM value is set to 1 (transmit broadcast and multicast frames after every beacon) or 2
(transmit after every other beacon). For instance, if the beacon period of the 802.11a/n or 802.11b/g/n
network is 100 ms and the DTIM value is set to 1, the access point transmits buffered broadcast and
multicast frames 10 times per second. If the beacon period is 100 ms and the DTIM value is set to 2, the
access point transmits buffered broadcast and multicast frames 5 times per second. Either of these
settings may be suitable for applications, including VoIP, that expect frequent broadcast and multicast
frames.
However, the DTIM value can be set as high as 255 (transmit broadcast and multicast frames after every
255th beacon) if all 802.11a/n or 802.11b/g/n clients have power save enabled. Because the clients have
to listen only when the DTIM period is reached, they can be set to listen for broadcasts and multicasts
less frequently, resulting in a longer battery life. For instance, if the beacon period is 100 ms and the
DTIM value is set to 100, the access point transmits buffered broadcast and multicast frames once every
10 seconds, allowing the power-saving clients to sleep longer before they have to wake up and listen for
broadcasts and multicasts, resulting in a longer battery life.
Note
A beacon period, which is specified in milliseconds on the controller, is converted internally by the
software to 802.11 Time Units (TUs), where 1 TU = 1.024 milliseconds. On Cisco’s 802.11n access
points, this value is rounded to the nearest multiple of 17 TUs. Because of this, a configured beacon
period of 100 ms, for example, will result in an actual beacon period of 104 ms.
Many applications cannot tolerate a long time between broadcast and multicast messages, which results
in poor protocol and application performance. We recommend a low DTIM value for 802.11a/n and
802.11b/g/n networks that support such clients.
In controller software release 5.0 or later releases, you can configure the DTIM period for the 802.11a/n
and 802.11b/g/n radio networks on specific WLANs. In previous software releases, the DTIM period was
configured per radio network only, not per WLAN. The benefit of this change is that now you can
configure a different DTIM period for each WLAN. For example, you might want to set different DTIM
values for voice and data WLANs.
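The arithmetic in this section and in the Note above, as an added example that is not from the Cisco guide: it converts a configured beacon period to 802.11 TUs, applies the 17-TU rounding of Cisco 802.11n access points, and derives the broadcast/multicast delivery interval for a given DTIM period. The max_dtim_for_gap planning helper is an assumption of this example, not a controller feature.

```python
"""Constructed example: how the DTIM period and beacon period combine.

Implements the arithmetic this section describes: a beacon period in
milliseconds is converted to 802.11 Time Units (1 TU = 1.024 ms), Cisco
802.11n access points round it to a multiple of 17 TUs, and buffered
broadcast/multicast frames go out once every `dtim` beacons.
"""
TU_MS = 1.024             # one 802.11 Time Unit in milliseconds
N_AP_GRANULARITY_TU = 17  # 802.11n AP rounding granularity stated in the Note
DTIM_MIN, DTIM_MAX = 1, 255


def beacon_period_tu(configured_ms: float, n_series_ap: bool = True) -> int:
    """Beacon period the AP actually uses, in TUs."""
    tu = configured_ms / TU_MS
    if n_series_ap:
        # 100 ms -> 97.66 TU -> nearest multiple of 17 is 102 TU
        return N_AP_GRANULARITY_TU * round(tu / N_AP_GRANULARITY_TU)
    return round(tu)


def actual_beacon_ms(configured_ms: float, n_series_ap: bool = True) -> float:
    """Beacon period in milliseconds after TU conversion and rounding."""
    return beacon_period_tu(configured_ms, n_series_ap) * TU_MS


def dtim_interval_ms(configured_ms: float, dtim: int, n_series_ap: bool = True) -> float:
    """Time between two deliveries of buffered broadcast/multicast frames."""
    if not DTIM_MIN <= dtim <= DTIM_MAX:
        raise ValueError(f"DTIM period must be {DTIM_MIN}-{DTIM_MAX}, got {dtim}")
    return dtim * actual_beacon_ms(configured_ms, n_series_ap)


def deliveries_per_second(configured_ms: float, dtim: int, n_series_ap: bool = True) -> float:
    """How often per second power-save clients must wake for broadcast/multicast."""
    return 1000.0 / dtim_interval_ms(configured_ms, dtim, n_series_ap)


def max_dtim_for_gap(configured_ms: float, max_gap_ms: float, n_series_ap: bool = True) -> int:
    """Largest DTIM period whose delivery gap still fits the application's limit.

    Planning helper (an assumption of this example, not a controller feature):
    a power-save client sleeps through `dtim - 1` beacons, so a larger value
    saves battery but lengthens the gap latency-sensitive traffic must tolerate.
    """
    beacon = actual_beacon_ms(configured_ms, n_series_ap)
    dtim = int(max_gap_ms // beacon)
    if dtim < DTIM_MIN:
        raise ValueError(f"even DTIM {DTIM_MIN} exceeds a {max_gap_ms} ms gap")
    return min(dtim, DTIM_MAX)


if __name__ == "__main__":
    # Constructed inputs: the 100 ms beacon period used throughout this section.
    for dtim in (1, 2, 100):
        print(f"100 ms beacon, DTIM {dtim:3d}: delivery every "
              f"{dtim_interval_ms(100, dtim):.1f} ms on an 802.11n AP")
```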
Guidelines and Limitations
When you upgrade the controller software to release 5.0 or later releases, the DTIM period that was
configured for a radio network is copied to all of the existing WLANs on the controller.
Configuring the DTIM Period
This section contains the following topics:
• Configuring the DTIM Period (GUI), page 8-19
• Configuring the DTIM Period (CLI), page 8-19
Configuring the DTIM Period (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the WLAN for which you want to configure the DTIM period.
Step 3
Unselect the Status check box to disable the WLAN.
Step 4
Click Apply to commit your changes.
Step 5
Choose the Advanced tab to open the WLANs > Edit (Advanced) page.
Step 6
Under DTIM Period, enter a value between 1 and 255 (inclusive) in the 802.11a/n and 802.11b/g/n text
boxes. The default value is 1 (transmit broadcast and multicast frames after every beacon).
Step 7
Click Apply to commit your changes.
Step 8
Choose the General tab to open the WLANs > Edit (General) page.
Step 9
Select the Status check box to reenable the WLAN.
Step 10
Click Save Configuration to save your changes.
Configuring the DTIM Period (CLI)
Step 1
Disable the WLAN by entering this command:
config wlan disable wlan_id
Step 2
Configure the DTIM period for either the 802.11a/n or 802.11b/g/n radio network on a specific WLAN
by entering this command:
config wlan dtim {802.11a | 802.11b} dtim wlan_id
where dtim is a value between 1 and 255 (inclusive). The default value is 1 (transmit broadcast and
multicast frames after every beacon).
Step 3
Reenable the WLAN by entering this command:
config wlan enable wlan_id
Step 4
Save your changes by entering this command:
save config
Step 5
Verify the DTIM period by entering this command:
show wlan wlan_id
Information similar to the following appears:
WLAN Identifier.................................. 1
Profile Name..................................... employee1
Network Name (SSID).............................. employee
Status........................................... Enabled
...
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Local EAP Authentication...................... Disabled
...
Configuring Peer-to-Peer Blocking
This section contains the following topics:
• Information About Peer-to-Peer Blocking, page 8-20
• Guidelines and Limitations, page 8-21
• Configuring Peer-to-Peer Blocking, page 8-22
Information About Peer-to-Peer Blocking
In controller software releases prior to 4.2, peer-to-peer blocking is applied globally to all clients on all
WLANs and causes traffic between two clients on the same VLAN to be transferred to the upstream
VLAN rather than being bridged by the controller. This behavior usually results in traffic being dropped
at the upstream switch because switches do not forward packets out the same port on which they are
received.
In controller software release 4.2 or later releases, peer-to-peer blocking is applied to individual
WLANs, and each client inherits the peer-to-peer blocking setting of the WLAN to which it is
associated. In software release 4.2 or later releases, you also have more control over how traffic is
directed. For example, you can choose to have traffic bridged locally within the controller, dropped by
the controller, or forwarded to the upstream VLAN. Figure 8-1 shows each option.
Figure 8-1 Peer-to-Peer Blocking Examples
(Figure not reproduced. It shows a Layer 3 router/switch above the controller, a Layer 2 switch, and a
lightweight access point serving three WLANs: WLAN 1, Disable: peer-to-peer blocking is disabled, and
traffic is bridged; WLAN 2, Drop: packets are discarded by the controller; WLAN 3, Forward Up: packets
are forwarded to the upstream switch.)
In controller release 7.2 and later releases, peer-to-peer blocking is supported for clients associated with
a locally switched WLAN. The per-WLAN peer-to-peer configuration is pushed by the controller to the
FlexConnect AP.
Guidelines and Limitations
• In controller software releases prior to 4.2, the controller forwards Address Resolution Protocol (ARP) requests upstream (just like all other traffic). In controller software release 4.2 or later releases, ARP requests are directed according to the behavior set for peer-to-peer blocking.
• Peer-to-peer blocking does not apply to multicast traffic.
• If you upgrade to controller software release 4.2 or later releases from a previous release that supports global peer-to-peer blocking, each WLAN is configured with the peer-to-peer blocking action of forwarding traffic to the upstream VLAN.
• In the FlexConnect solution, the peer-to-peer blocking configuration cannot be applied only to a particular FlexConnect AP or a subset of APs. It is applied to all FlexConnect APs that broadcast the SSID.
• The unified solution for centrally switched clients supports peer-to-peer forward-upstream. This action is not supported in the FlexConnect solution; it is treated as peer-to-peer drop, and client packets are dropped.
• The unified solution for centrally switched clients supports peer-to-peer blocking for clients associated with different APs. The FlexConnect solution, however, blocks only clients connected to the same AP. FlexConnect ACLs can be used as a workaround for this limitation.
Configuring Peer-to-Peer Blocking
This section contains the following topics:
• Configuring Peer-to-Peer Blocking (GUI), page 8-22
• Configuring Peer-to-Peer Blocking (CLI), page 8-22
Configuring Peer-to-Peer Blocking (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the WLAN for which you want to configure peer-to-peer blocking.
Step 3
Choose the Advanced tab to open the WLANs > Edit (Advanced) page.
Step 4
Choose one of the following options from the P2P Blocking drop-down list:
• Disabled—Disables peer-to-peer blocking and bridges traffic locally within the controller whenever possible. This is the default value.
Note
Traffic is never bridged across VLANs in the controller.
• Drop—Causes the controller to discard the packets.
• Forward-UpStream—Causes the packets to be forwarded on the upstream VLAN. The device above the controller decides what action to take regarding the packets.
Note
To enable peer-to-peer blocking on a WLAN configured for FlexConnect local switching, select
Drop from the P2P Blocking drop-down list and select the FlexConnect Local Switching check
box.
Step 5
Click Apply to commit your changes.
Step 6
Click Save Configuration to save your changes.
Configuring Peer-to-Peer Blocking (CLI)
Step 1
Configure a WLAN for peer-to-peer blocking by entering this command:
config wlan peer-blocking {disable | drop | forward-upstream} wlan_id
Note
See the description of each parameter in the “Configuring Peer-to-Peer Blocking (GUI)” section
above.
Step 2
Save your changes by entering this command:
save config
Step 3
See the status of peer-to-peer blocking for a WLAN by entering this command:
show wlan wlan_id
Information similar to the following appears:
WLAN Identifier.................................. 1
Profile Name..................................... test
Network Name (SSID).............................. test
Status........................................... Enabled
...
...
...
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
Local EAP Authentication...................... Disabled
Configuring Layer 2 Security
This section contains the following topics:
• Configuring Static WEP Keys (CLI), page 8-23
• Configuring Dynamic 802.1X Keys and Authorization (CLI), page 8-23
Configuring Static WEP Keys (CLI)
Controllers can control static WEP keys across access points. Use these commands to configure static
WEP for WLANs:
• Disable the 802.1X encryption by entering this command:
config wlan security 802.1X disable wlan_id
• Configure 40/64-bit or 104/128-bit WEP keys by entering this command:
config wlan security static-wep-key encryption wlan_id {40 | 104} {hex | ascii} key key_index
– Use the 40 or 104 option to specify 40/64-bit or 104/128-bit encryption. The default setting is 104/128.
– Use the hex or ascii option to specify the character format for the WEP key.
– Enter 10 hexadecimal digits (any combination of 0-9, a-f, or A-F) or five printable ASCII characters for 40-bit/64-bit WEP keys, or enter 26 hexadecimal or 13 ASCII characters for 104-bit/128-bit keys.
– Enter a key index (sometimes called a key slot). The default value is 0, which corresponds to a key index of 1; the valid values are 0 to 3 (key index of 1 to 4).
Configuring Dynamic 802.1X Keys and Authorization (CLI)
Controllers can control 802.1X dynamic WEP keys using Extensible Authentication Protocol (EAP)
across access points and support 802.1X dynamic key settings for WLANs.
Note
To use LEAP with lightweight access points and wireless clients, make sure to choose Cisco-Aironet as
the RADIUS server type when configuring the CiscoSecure Access Control Server (ACS).
• Check the security settings of each WLAN by entering this command:
show wlan wlan_id
The default security setting for new WLANs is 802.1X with dynamic keys enabled. To maintain
robust Layer 2 security, leave 802.1X configured on your WLANs.
• Disable or enable the 802.1X authentication by entering this command:
config wlan security 802.1X {enable | disable} wlan_id
After you enable 802.1X authentication, the controller sends EAP authentication packets between
the wireless client and the authentication server. This command allows all EAP-type packets to be
sent to and from the controller.
• Change the 802.1X encryption level for a WLAN by entering this command:
config wlan security 802.1X encryption wlan_id [0 | 40 | 104]
– Use the 0 option to specify no 802.1X encryption.
– Use the 40 option to specify 40/64-bit encryption.
– Use the 104 option to specify 104/128-bit encryption. (This is the default encryption setting.)
Configuring a WLAN for Both Static and Dynamic WEP
This section contains the following topics:
• Information About WLAN for Both Static and Dynamic WEP, page 8-24
• WPA1 and WPA2, page 8-24
• Guidelines and Limitations, page 8-25
Information About WLAN for Both Static and Dynamic WEP
You can configure up to four WLANs to support static WEP keys, and you can also configure dynamic
WEP on any of these static-WEP WLANs. Follow these guidelines when configuring a WLAN for both
static and dynamic WEP:
• The static WEP key and the dynamic WEP key must be the same length.
• When you configure both static and dynamic WEP as the Layer 2 security policy, no other security policies can be specified. That is, you cannot configure web authentication. However, when you configure either static or dynamic WEP as the Layer 2 security policy, you can configure web authentication.
WPA1 and WPA2
Wi-Fi Protected Access (WPA or WPA1) and WPA2 are standards-based security solutions from the
Wi-Fi Alliance that provide data protection and access control for wireless LAN systems. WPA1 is
compatible with the IEEE 802.11i standard but was implemented prior to the standard’s ratification;
WPA2 is the Wi-Fi Alliance's implementation of the ratified IEEE 802.11i standard.
By default, WPA1 uses Temporal Key Integrity Protocol (TKIP) and message integrity check (MIC) for
data protection while WPA2 uses the stronger Advanced Encryption Standard encryption algorithm
using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP).
Both WPA1 and WPA2 use 802.1X for authenticated key management by default. However, these
options are also available:
• 802.1X—The standard for wireless LAN security, as defined by IEEE, is called 802.1X for 802.11, or simply 802.1X. An access point that supports 802.1X acts as the interface between a wireless client and an authentication server, such as a RADIUS server, to which the access point communicates over the wired network. If 802.1X is selected, only 802.1X clients are supported.
• PSK—When you choose PSK (also known as WPA preshared key or WPA passphrase), you need to configure a preshared key (or a passphrase). This key is used as the pairwise master key (PMK) between the clients and the authentication server.
• CCKM—Cisco Centralized Key Management (CCKM) uses a fast rekeying technique that enables clients to roam from one access point to another without going through the controller, typically in under 150 milliseconds (ms). CCKM reduces the time required by the client to mutually authenticate with the new access point and derive a new session key during reassociation. CCKM fast secure roaming ensures that there is no perceptible delay in time-sensitive applications such as wireless Voice over IP (VoIP), enterprise resource planning (ERP), or Citrix-based solutions. CCKM is a CCXv4-compliant feature. If CCKM is selected, only CCKM clients are supported.
When CCKM is enabled, the behavior of access points differs from the controller's for fast roaming in the following ways:
– If an association request sent by a client has CCKM enabled in a Robust Secure Network Information Element (RSN IE) but CCKM IE is not encoded and only PMKID is encoded in RSN IE, then the controller does not do a full authentication. Instead, the controller validates the PMKID and does a four-way handshake.
– If an association request sent by a client has CCKM enabled in RSN IE but CCKM IE is not encoded and only PMKID is encoded in RSN IE, then AP does a full authentication. The access point does not use PMKID sent with the association request when CCKM is enabled in RSN IE.
• 802.1X+CCKM—During normal operation, 802.1X-enabled clients mutually authenticate with a new access point by performing a complete 802.1X authentication, including communication with the main RADIUS server. However, when you configure your WLAN for 802.1X and CCKM fast secure roaming, CCKM-enabled clients securely roam from one access point to another without the need to reauthenticate to the RADIUS server. 802.1X+CCKM is considered optional CCKM because both CCKM and non-CCKM clients are supported when this option is selected.
On a single WLAN, you can allow WPA1, WPA2, and 802.1X/PSK/CCKM/802.1X+CCKM clients to
join. All of the access points on such a WLAN advertise WPA1, WPA2, and 802.1X/PSK/CCKM/
802.1X+CCKM information elements in their beacons and probe responses. When you enable WPA1
and/or WPA2, you can also enable one or two ciphers, or cryptographic algorithms, designed to protect
data traffic. Specifically, you can enable AES and/or TKIP data encryption for WPA1 and/or WPA2.
TKIP is the default value for WPA1, and AES is the default value for WPA2.
Note
A WLAN should be enabled only after the WPA1 and WPA2 ciphers are enabled. You can enable WPA1
and WPA2 using the config wlan security wpa {wpa1 | wpa2} enable command. You cannot enable
ciphers from the GUI unless WPA1 and WPA2 are enabled.
Guidelines and Limitations
• The OEAP 600 series does not support fast roaming for clients. Dual mode voice clients will experience reduced call quality when they roam between the two spectrums on OEAP602 access point. We recommend that you configure voice devices to only connect on one band, either 2.4 GHz or 5.0 GHz.
• The 4.2 or later release of controller software supports CCX versions 1 through 5. CCX support is enabled automatically for every WLAN on the controller and cannot be disabled. The controller stores the CCX version of the client in its client database and uses it to limit client functionality. Clients must support CCXv4 or v5 in order to use CCKM. See the “Configuring Cisco Client Extensions” section on page 8-57 for more information on CCX.
Configuring WPA1+WPA2
This section contains the following topics:
• Configuring WPA1+WPA2 (GUI), page 8-26
• Configuring WPA1+WPA2 (CLI), page 8-27
Configuring WPA1+WPA2 (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the desired WLAN to open the WLANs > Edit page.
Step 3
Choose the Security and Layer 2 tabs to open the WLANs > Edit (Security > Layer 2) page.
Step 4
Choose WPA+WPA2 from the Layer 2 Security drop-down list.
Step 5
Under WPA+WPA2 Parameters, select the WPA Policy check box to enable WPA1, select the WPA2
Policy check box to enable WPA2, or select both check boxes to enable both WPA1 and WPA2.
Note
The default value is disabled for both WPA1 and WPA2. If you leave both WPA1 and WPA2
disabled, the access points advertise in their beacons and probe responses information elements
only for the authentication key management method that you choose in Step 7.
Step 6
Select the AES check box to enable AES data encryption or the TKIP check box to enable TKIP data
encryption for WPA1, WPA2, or both. The default values are TKIP for WPA1 and AES for WPA2.
Step 7
Choose one of the following key management methods from the Auth Key Mgmt drop-down list:
802.1X, CCKM, PSK, or 802.1X+CCKM.
Note
Cisco OEAP 600 does not support CCKM. You must choose either 802.1X or PSK.
Note
For Cisco OEAP 600, the TKIP and AES security encryption settings must be identical for WPA
and WPA2.
Step 8
If you chose PSK in Step 7, choose ASCII or HEX from the PSK Format drop-down list and then enter
a preshared key in the blank text box. WPA preshared keys must contain 8 to 63 ASCII text characters
or 64 hexadecimal characters.
Note
The PSK parameter is a set-only parameter. The value set for the PSK key is not visible to the
user for security reasons. For example, if you selected HEX as the key format when setting the
PSK key, and later when you view the parameters of this WLAN, the value shown is the default
value. The default is ASCII.
Step 9
Click Apply to commit your changes.
Step 10
Click Save Configuration to save your changes.
Configuring WPA1+WPA2 (CLI)
Step 1
Disable the WLAN by entering this command:
config wlan disable wlan_id
Step 2
Enable or disable WPA for the WLAN by entering this command:
config wlan security wpa {enable | disable} wlan_id
Step 3
Enable or disable WPA1 for the WLAN by entering this command:
config wlan security wpa wpa1 {enable | disable} wlan_id
Step 4
Enable or disable WPA2 for the WLAN by entering this command:
config wlan security wpa wpa2 {enable | disable} wlan_id
Step 5
Enable or disable AES or TKIP data encryption for WPA1 or WPA2 by entering one of these commands:
• config wlan security wpa wpa1 ciphers {aes | tkip} {enable | disable} wlan_id
• config wlan security wpa wpa2 ciphers {aes | tkip} {enable | disable} wlan_id
The default values are TKIP for WPA1 and AES for WPA2.
Step 6
Enable or disable 802.1X, PSK, or CCKM authenticated key management by entering this command:
config wlan security wpa akm {802.1X | psk | cckm} {enable | disable} wlan_id
The default value is 802.1X.
Step 7
If you enabled PSK in Step 6, enter this command to specify a preshared key:
config wlan security wpa akm psk set-key {ascii | hex} psk-key wlan_id
WPA preshared keys must contain 8 to 63 ASCII text characters or 64 hexadecimal characters.
Step 8
If you enabled WPA2 with 802.1X authenticated key management or WPA1 or WPA2 with CCKM
authenticated key management, the PMK cache lifetime timer is used to trigger reauthentication with the
client when necessary. The timer is based on the timeout value received from the AAA server or the
WLAN session timeout setting. To see the amount of time remaining before the timer expires, enter this
command:
show pmk-cache all
Information similar to the following appears:
PMK-CCKM Cache
Entry
Type    Station             Lifetime  VLAN Override       IP Override
------  ------------------- --------  ------------------  ---------------
CCKM    00:07:0e:b9:3a:1b   150                           0.0.0.0
If you enabled WPA2 with 802.1X authenticated key management, the controller supports opportunistic
PMKID caching but not sticky (or non-opportunistic) PMKID caching. In sticky PMKID caching, the
client stores multiple PMKIDs. This approach is not practical because it requires full authentication for
each new access point and is not guaranteed to work in all conditions. In contrast, opportunistic PMKID
caching stores only one PMKID per client and is not subject to the limitations of sticky PMK caching.
Step 9
Enable the WLAN by entering this command:
config wlan enable wlan_id
Step 10
Save your settings by entering this command:
save config
Configuring Sticky PMKID Caching
This section contains:
• Information About Sticky PMKID Caching
• Guidelines and Limitations
• Configuring Sticky PMKID Caching (CLI)
Information About Sticky PMKID Caching
Beginning in Release 7.2, the controller supports Sticky PMKID Caching (SKC). With
sticky PMKID caching, the client receives and stores a different PMKID for every AP it associates with.
The APs also maintain a database of the PMKID issued to the client.
In SKC the client stores each Pairwise Master Key (PMK) identifier (PMKID) against a Pairwise Master
Key Security Association (PMKSA). When a client finds an AP for which it has the PMKSA, it sends
the PMKID in the association request to the AP. If the PMKSA is alive in the AP, the AP provides support
for fast roaming. In SKC, full authentication is done on each new AP to which the client associates and
the client must keep the PMKSA associated with all APs. For SKC, PMKSA is a per AP cache that the
client stores and PMKSA is precalculated based on the BSSID of the new AP.
Guidelines and Limitations
• The controller supports SKC for up to eight APs per client. If a client roams to more than eight APs per
session, the oldest AP entries are removed to make room for the newly cached entries when the client roams. We
recommend that you do not use SKC for large-scale deployments.
• SKC does not work across controllers in a mobility group.
• SKC works only on WPA2-enabled WLANs.
• SKC works only on local mode APs.
Configuring Sticky PMKID Caching (CLI)
Step 1
Disable the WLAN by entering this command:
config wlan disable wlan_id
Step 2
Enable Sticky PMKID Caching by entering this command:
config wlan security wpa wpa2 cache sticky enable wlan_id
By default, Sticky PMKID Caching (SKC) is disabled and Opportunistic PMKID Caching (OKC) is
enabled.
Note
SKC works only on WPA2-enabled WLANs.
You can check if SKC is enabled by entering this command:
show wlan wlan_id
Information similar to the following appears:
WLAN Identifier.................................. 2
Profile Name..................................... new
Network Name (SSID).............................. new
Status........................................... Disabled
MAC Filtering.................................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT(802.11r)............................. Disabled
FT-PSK(802.11r)......................... Disabled
SKC Cache Support......................... Enabled
FT Reassociation Timeout................... 20
FT Over-The-Air mode....................... Enabled
FT Over-The-Ds mode........................ Enabled
CCKM tsf Tolerance............................... 1000
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
Step 3
Enable the WLAN by entering this command:
config wlan enable wlan_id
Step 4
Save your settings by entering this command:
save config
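The WPA1+WPA2 (CLI) procedure and the SKC procedure above both end with checking `show wlan` output. As an added example (not Cisco's code), the following script parses that output format and applies the guide's own statements: WPA1 defaults to TKIP, WPA2 defaults to AES, and SKC works only on WPA2-enabled WLANs. The sample output is constructed in the guide's format, and the remediation commands are the ones from the CLI procedure, wrapped in its disable-WLAN / enable-WLAN / save config sequence.

```python
"""Audit a WLC 'show wlan' dump for the WPA/WPA2 and SKC settings discussed above.

Added example, not Cisco's code. Parses the dotted "Label.... Value" lines of
the 'show wlan wlan_id' output and flags settings the guide treats as legacy
(WPA1, TKIP, static WEP) or unsupported (SKC on a WLAN without WPA2).
"""
import re

# Constructed sample, modelled on the guide's 'show wlan' output format.
SAMPLE_SHOW_WLAN = """\
WLAN Identifier.................................. 2
Profile Name..................................... new
Network Name (SSID).............................. new
Status........................................... Enabled
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Enabled
      WPA2 (RSN IE).............................. Disabled
         TKIP Cipher............................. Enabled
         AES Cipher.............................. Disabled
      Auth Key Management
         802.1x.................................. Disabled
         PSK..................................... Enabled
         CCKM.................................... Disabled
      SKC Cache Support......................... Enabled
"""

# Label = text before a run of two or more dots (an optional trailing colon is
# dropped); value = text after the dots. The non-greedy label keeps "802.11" intact.
LINE_RE = re.compile(r"^\s*(?P<label>.+?):?\.{2,}\s*(?P<value>.*?)\s*$")


def parse_show_wlan(text):
    """Return {label: value} for every dotted line; section headings are skipped."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields[m.group("label")] = m.group("value")
    return fields


def enabled(fields, label):
    return fields.get(label, "").lower() == "enabled"


def audit_wlan(fields):
    """Return a list of findings (strings) based on the guide's statements."""
    findings = []
    if enabled(fields, "Static WEP Keys"):
        findings.append("static WEP keys enabled")
    if enabled(fields, "Wi-Fi Protected Access (WPA/WPA2)"):
        if enabled(fields, "WPA (SSN IE)"):
            findings.append("WPA1 enabled (its default cipher is TKIP)")
        if enabled(fields, "TKIP Cipher"):
            findings.append("TKIP cipher enabled; AES is the WPA2 default")
        if not enabled(fields, "WPA2 (RSN IE)"):
            findings.append("WPA2 disabled")
    if enabled(fields, "SKC Cache Support") and not enabled(fields, "WPA2 (RSN IE)"):
        findings.append("SKC enabled without WPA2; SKC works only on WPA2-enabled WLANs")
    return findings


def wpa2_aes_commands(fields):
    """Commands from the guide's CLI procedure to move the WLAN to WPA2 with AES.
    Returns [] when the audit finds no WPA-related issue."""
    if not [f for f in audit_wlan(fields) if "WEP" not in f]:
        return []
    wlan_id = fields.get("WLAN Identifier", "wlan_id")
    return [
        f"config wlan disable {wlan_id}",
        f"config wlan security wpa enable {wlan_id}",
        f"config wlan security wpa wpa2 enable {wlan_id}",
        f"config wlan security wpa wpa2 ciphers aes enable {wlan_id}",
        f"config wlan security wpa wpa2 ciphers tkip disable {wlan_id}",
        f"config wlan security wpa wpa1 disable {wlan_id}",
        f"config wlan enable {wlan_id}",
        "save config",
    ]


if __name__ == "__main__":
    parsed = parse_show_wlan(SAMPLE_SHOW_WLAN)
    for finding in audit_wlan(parsed):
        print("finding:", finding)
    for cmd in wpa2_aes_commands(parsed):
        print(cmd)
```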
Configuring CKIP
This section contains the following topics:
• Information About CKIP, page 8-30
• Configuring CKIP, page 8-30
Information About CKIP
Cisco Key Integrity Protocol (CKIP) is a Cisco-proprietary security protocol for encrypting 802.11
media. CKIP improves 802.11 security in infrastructure mode using key permutation, a message
integrity check (MIC), and a message sequence number. Software release 4.0 or later releases support
CKIP with a static key. For this feature to operate correctly, you must enable Aironet information
elements (IEs) for the WLAN.
A lightweight access point advertises support for CKIP in beacon and probe response packets by adding
an Aironet IE and setting one or both of the CKIP negotiation bits (key permutation and multi-modular
hash message integrity check [MMH MIC]). Key permutation is a data encryption technique that uses
the basic encryption key and the current initialization vector (IV) to create a new key. MMH MIC
prevents bit-flip attacks on encrypted packets by using a hash function to compute message integrity
code.
The CKIP settings specified in a WLAN are mandatory for any client attempting to associate. If the
WLAN is configured for both CKIP key permutation and MMH MIC, the client must support both. If
the WLAN is configured for only one of these features, the client must support only the CKIP feature.
CKIP requires that 5-byte and 13-byte encryption keys be expanded to 16-byte keys. The algorithm to
perform key expansion occurs at the access point. The key is appended to itself repeatedly until the
length reaches 16 bytes. All lightweight access points support CKIP.
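The key-size rules and the 16-byte expansion described above, as an added example (not Cisco's code): the function checks a CKIP key against the sizes the guide allows (40-bit: 5 ASCII or 10 hexadecimal characters; 104-bit: 13 ASCII or 26 hexadecimal characters) and then performs the expansion by appending the key to itself until 16 bytes are reached.

```python
"""CKIP key validation and 16-byte key expansion as described in this guide.

Added example, not Cisco's code. Key sizes follow the guide (40-bit = 5 ASCII
or 10 hex characters, 104-bit = 13 ASCII or 26 hex characters); expansion
repeats the key until 16 bytes are reached, as the access point does.
"""
import binascii

# key size in bits -> (ASCII character count, hex digit count)
KEY_SIZES = {
    40: (5, 10),
    104: (13, 26),
}
EXPANDED_LEN = 16


def parse_ckip_key(key, key_format, size_bits):
    """Return the raw key bytes, rejecting any size or format the guide does not allow."""
    if size_bits not in KEY_SIZES:
        raise ValueError(f"unsupported CKIP key size: {size_bits}")
    ascii_len, hex_len = KEY_SIZES[size_bits]
    if key_format == "ascii":
        raw = key.encode("ascii")  # non-ASCII input raises UnicodeEncodeError (a ValueError)
        if len(raw) != ascii_len:
            raise ValueError(f"{size_bits}-bit ASCII key must be {ascii_len} characters")
        return raw
    if key_format == "hex":
        if len(key) != hex_len:
            raise ValueError(f"{size_bits}-bit hex key must be {hex_len} hexadecimal characters")
        try:
            return binascii.unhexlify(key)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("key is not valid hexadecimal") from exc
    raise ValueError("key_format must be 'ascii' or 'hex'")


def expand_ckip_key(raw):
    """Repeat a 5- or 13-byte key until it is at least 16 bytes, then truncate to 16."""
    if len(raw) not in (5, 13):
        raise ValueError("CKIP raw key must be 5 or 13 bytes")
    expanded = raw
    while len(expanded) < EXPANDED_LEN:
        expanded += raw
    return expanded[:EXPANDED_LEN]


if __name__ == "__main__":
    # Constructed sample keys, not values from the guide.
    print(expand_ckip_key(parse_ckip_key("12345", "ascii", 40)))
    print(expand_ckip_key(parse_ckip_key("0123456789abcdef0123456789", "hex", 104)).hex())
```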
Configuring CKIP
This section contains the following topics:
• Configuring CKIP (GUI), page 8-30
• Configuring CKIP (CLI), page 8-31
Configuring CKIP (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the desired WLAN to open the WLANs > Edit page.
Step 3
Choose the Advanced tab.
Step 4
Select the Aironet IE check box to enable Aironet IEs for this WLAN and click Apply.
Step 5
Choose the General tab.
Step 6
Unselect the Status check box, if selected, to disable this WLAN and click Apply.
Step 7
Choose the Security and Layer 2 tabs to open the WLANs > Edit (Security > Layer 2) page.
Figure 8-2
WLANs > Edit (Security > Layer 2) Page
Step 8
Choose CKIP from the Layer 2 Security drop-down list.
Step 9
Under CKIP Parameters, choose the length of the CKIP encryption key from the Key Size drop-down
list. The options are Not Set, 40 bits, or 104 bits; the default is Not Set.
Step 10
Choose the number to be assigned to this key from the Key Index drop-down list. You can configure up
to four keys.
Step 11
From the Key Format drop-down list, choose ASCII or HEX and then enter an encryption key in the
Encryption Key text box. 40-bit keys must contain 5 ASCII text characters or 10 hexadecimal characters.
104-bit keys must contain 13 ASCII text characters or 26 hexadecimal characters.
Step 12
Select the MMH Mode check box to enable MMH MIC data protection for this WLAN. The default
value is disabled (or unselected).
Step 13
Select the Key Permutation check box to enable this form of CKIP data protection. The default value
is disabled (or unselected).
Step 14
Click Apply to commit your changes.
Step 15
Choose the General tab.
Step 16
Select the Status check box to enable this WLAN.
Step 17
Click Apply to commit your changes.
Step 18
Click Save Configuration to save your changes.
Configuring CKIP (CLI)
Step 1
Disable the WLAN by entering this command:
config wlan disable wlan_id
Step 2
Enable Aironet IEs for this WLAN by entering this command:
config wlan ccx aironet-ie enable wlan_id
Step 3
Enable or disable CKIP for the WLAN by entering this command:
config wlan security ckip {enable | disable} wlan_id
Step 4
Specify a CKIP encryption key for the WLAN by entering this command:
config wlan security ckip akm psk set-key wlan_id {40 | 104} {hex | ascii} key key_index
Step 5
Enable or disable CKIP MMH MIC for the WLAN by entering this command:
config wlan security ckip mmh-mic {enable | disable} wlan_id
Step 6
Enable or disable CKIP key permutation for the WLAN by entering this command:
config wlan security ckip kp {enable | disable} wlan_id
Step 7
Enable the WLAN by entering this command:
config wlan enable wlan_id
Step 8
Save your settings by entering this command:
save config
Configuring Session Timeouts
The session timeout is the maximum time for a client session to remain active before requiring
reauthorization. This section contains the following topics:
• Configuring a Session Timeout (GUI), page 8-32
• Configuring a Session Timeout (CLI), page 8-32
Configuring a Session Timeout (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the WLAN for which you want to assign a session timeout.
Step 3
When the WLANs > Edit page appears, choose the Advanced tab. The WLANs > Edit (Advanced) page
appears.
Step 4
Select the Enable Session Timeout check box to configure a session timeout for this WLAN. Otherwise,
unselect the check box. The default value is selected.
In the Session Timeout text box, enter a value between 300 and 86400 seconds to specify the duration
of the client session. The default value is 1800 seconds for the following Layer 2 security types: 802.1X,
Static WEP+802.1X, WPA+WPA2 with 802.1X, CCKM, or 802.1X+CCKM authentication key
management and 0 seconds for all other Layer 2 security types (Open WLAN/CKIP/Static WEP). A
value of 0 is equivalent to no timeout.
Step 5
Click Apply to commit your changes.
Step 6
Click Save Configuration to save your changes.
Configuring a Session Timeout (CLI)
Step 1
Configure a session timeout for wireless clients on a WLAN by entering this command:
config wlan session-timeout wlan_id timeout
The default value is 1800 seconds for the following Layer 2 security types: 802.1X, Static WEP+802.1X,
WPA+WPA2 with 802.1X, CCKM, or 802.1X+CCKM authentication key management and 0 seconds
for all other Layer 2 security types (Open WLAN/CKIP/Static WEP). A value of 0 is equivalent to no
timeout.
Step 2
Save your changes by entering this command:
save config
Step 3
See the current session timeout value for a WLAN by entering this command:
show wlan wlan_id
Information similar to the following appears:
WLAN Identifier.................................. 9
Profile Name..................................... test12
Network Name (SSID)........................... test12
...
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout............................... 1800 seconds
...
Configuring Layer 3 Security Using Web Authentication
This section contains the following topics:
• Information About Web Authentication, page 8-33
• Guidelines and Limitations, page 8-33
• Configuring Web Authentication, page 8-34
Information About Web Authentication
WLANs can use web authentication only if VPN passthrough is not enabled on the controller. Web
authentication is simple to set up and use and can be used with SSL to improve the overall security of
the WLAN.
Guidelines and Limitations
• Web authentication is supported only with these Layer 2 security policies: open authentication, open
authentication+WEP, and WPA-PSK. It is not supported for use with 802.1X.
• To initiate HTTP/HTTPS web authentication redirection, always use an HTTP URL, not an HTTPS URL.
• If the CPU ACLs are configured to block HTTP/HTTPS traffic, the redirection page might fail after a
successful web login authentication.
• Before enabling web authentication, make sure that all proxy servers are configured for ports other
than port 53.
• When you enable web authentication for a WLAN, a message appears indicating that the controller
forwards DNS traffic to and from wireless clients prior to authentication. We recommend that you
have a firewall or intrusion detection system (IDS) behind your guest VLAN to regulate DNS traffic
and to prevent and detect any DNS tunneling attacks.
• If web authentication is enabled on the WLAN and you also have CPU ACL rules, the
client-based web authentication rules take higher precedence as long as the client is unauthenticated
(in the webAuth_Reqd state). Once the client goes to the RUN state, the CPU ACL rules are applied.
Therefore, if CPU ACL rules are enabled in the controller, an allow rule for the virtual interface
IP is required (in any direction) under the following conditions:
– When the CPU ACL does not have an allow ACL rule for both directions.
– When an allow ALL rule exists, but also a DENY rule for port 443 or 80 of higher precedence.
• The allow rule for the virtual IP should be for the TCP protocol and port 80 (if secureweb is disabled)
or port 443 (if secureweb is enabled). This rule is required to allow the client access to the virtual
interface IP address after successful authentication when CPU ACL rules are in place.
• When clients connect to a WebAuth SSID that has a preauthorization ACL configured to allow VPN
users, the clients get disconnected from the SSID every few minutes. Clients on a WebAuth SSID must not
be able to connect without authenticating on the web page.
• Special characters are not supported in the username field for web authentication.
• You can select the following identity stores to authenticate web-auth users, under WLANs > Security
> AAA servers > Authentication priority order for web-auth user:
– Local
– RADIUS
– LDAP
If multiple identity stores are selected, the controller checks each identity store in the list, in
the order specified, from top to bottom, until authentication for the user succeeds. The
authentication fails if the controller reaches the end of the list and the user has not been authenticated by
any of the identity stores.
For more information on using web authentication, see Chapter 12, “Managing User Accounts.”
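The CPU ACL conditions in the guidelines above, modelled as an added example (not Cisco's code): a CPU ACL is represented as an ordered list of first-match rules, and the check asks whether TCP traffic to the virtual interface IP on port 80 (secureweb disabled) or 443 (secureweb enabled) is permitted in both directions, which is what a client needs once it reaches the RUN state. The rule fields, the sample ACLs and the virtual IP address 192.0.2.1 are constructed here, and a no-match result is assumed to deny.

```python
"""Checks the CPU ACL condition described in the web authentication guidelines.

Added example, not Cisco's code. Models a CPU ACL as first-match rules and
verifies that the virtual interface IP is reachable on the web-auth port in
both directions; the virtual IP, rule fields and ACLs are constructed, and
"no matching rule" is treated as deny (an assumption of this example).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class AclRule:
    action: str          # "permit" or "deny"
    direction: str       # "inbound", "outbound" or "any"
    protocol: str        # "tcp", "udp" or "any"
    address: str         # CIDR the rule applies to, or "any"
    port: Optional[int]  # None means any port


def rule_matches(rule: AclRule, direction: str, protocol: str, ip: str, port: int) -> bool:
    if rule.direction not in ("any", direction):
        return False
    if rule.protocol not in ("any", protocol):
        return False
    if rule.address != "any" and ip_address(ip) not in ip_network(rule.address):
        return False
    return rule.port in (None, port)


def acl_decision(acl: List[AclRule], direction: str, protocol: str, ip: str, port: int) -> str:
    """First matching rule wins; no match is treated as deny (assumed default)."""
    for rule in acl:
        if rule_matches(rule, direction, protocol, ip, port):
            return rule.action
    return "deny"


def webauth_port(secureweb: bool) -> int:
    """Port 443 when secureweb is enabled, port 80 when it is disabled (per the guideline)."""
    return 443 if secureweb else 80


def virtual_ip_allowed(acl: List[AclRule], virtual_ip: str, secureweb: bool) -> bool:
    """True only if the virtual IP is permitted on the web-auth port in both directions."""
    port = webauth_port(secureweb)
    return all(acl_decision(acl, d, "tcp", virtual_ip, port) == "permit"
               for d in ("inbound", "outbound"))


def required_allow_rule(virtual_ip: str, secureweb: bool) -> AclRule:
    """The rule the guideline calls for: TCP to the virtual IP on port 80 or 443, any
    direction. It must sit ahead of any deny rule for that port to take precedence."""
    return AclRule("permit", "any", "tcp", f"{virtual_ip}/32", webauth_port(secureweb))


VIRTUAL_IP = "192.0.2.1"  # constructed; substitute your controller's virtual interface IP

# Constructed sample: an allow-all rule with a higher-precedence deny for port 443,
# the second condition in the guideline above.
DENY_443_FIRST = [
    AclRule("deny", "any", "tcp", "any", 443),
    AclRule("permit", "any", "any", "any", None),
]
# The same ACL with the required allow rule placed ahead of the deny.
FIXED = [required_allow_rule(VIRTUAL_IP, True)] + DENY_443_FIRST
# Only one direction permitted: the first condition in the guideline.
INBOUND_ONLY = [AclRule("permit", "inbound", "tcp", f"{VIRTUAL_IP}/32", 443)]


if __name__ == "__main__":
    for name, acl in (("deny-443-first", DENY_443_FIRST), ("fixed", FIXED),
                      ("inbound-only", INBOUND_ONLY)):
        print(name, "secureweb ok:", virtual_ip_allowed(acl, VIRTUAL_IP, True))
```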
Configuring Web Authentication
This section contains the following topics:
•
Configuring the Web Authentication (GUI), page 8-34
•
Configuring the Web Authentication (CLI), page 8-35
Configuring the Web Authentication (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the WLAN for which you want to configure web authentication. The WLANs >
Edit page appears.
Step 3
Choose the Security and Layer 3 tabs to open the WLANs > Edit (Security > Layer 3) page.
Step 4
Select the Web Policy check box.
Step 5
Make sure that the Authentication option is selected.
Step 6
Click Apply to commit your changes.
Step 7
Click Save Configuration to save your settings.
Configuring the Web Authentication (CLI)
Step 1
Enable or disable web authentication on a particular WLAN by entering this command:
config wlan security web-auth {enable | disable} wlan_id
Step 2
Release the guest user IP address when the web authentication policy timer expires and prevent the guest
user from acquiring an IP address for 3 minutes by entering this command:
config wlan webauth-exclude wlan_id {enable | disable}
The default value is disabled. This command is applicable when you configure the internal DHCP scope
on the controller. By default, when the web authentication timer expires for a guest user, the user can
immediately reassociate to the same IP address before another guest user can acquire it. If there are many
guest users or limited IP addresses in the DHCP pool, some guest users might not be able to acquire an
IP address.
When you enable this feature on the guest WLAN, the guest user’s IP address is released when the web
authentication policy timer expires and the guest user is excluded from acquiring an IP address for 3
minutes. The IP address is available for another guest user to use. After 3 minutes, the excluded guest
user can reassociate and acquire an IP address, if available.
Step 3
See the status of web authentication by entering this command:
show wlan wlan_id
Information similar to the following appears:
WLAN Identifier.................................. 1
Profile Name..................................... cj
Network Name (SSID).............................. cj
Status........................................... Disabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
NAC-State...................................... Disabled
Quarantine VLAN................................ 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN.................................. Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required.............. Disabled
...
Web Based Authentication......................... Disabled
Web-Passthrough............................... Disabled
...
Configuring Captive Bypassing
Information about Captive Bypassing
WISPr is a draft protocol that enables users to roam between different wireless service providers. Some
devices (for example, Apple iOS devices) have a mechanism by which they can determine whether the
device is connected to the Internet, based on an HTTP WISPr request made to a designated URL. This
mechanism is used to allow users to launch the web browser if they need to provide credentials to access
the Internet, and the actual authentication is done in the background every time the device connects to a new
SSID.
This HTTP request triggers a webauth interception in the controller, as any other page request from a
wireless client does. This interception leads to a webauth process, which completes
normally. If webauth is used with any of the controller splash page features (URL provided by
a configured RADIUS server), the splash page may never be displayed because the WISPr requests are
made at very short intervals, and as soon as one of the queries is able to reach the designated server, any
web redirection or splash page display process that is performed in the background is aborted, and the
device processes the page request, thus breaking the splash page functionality.
For example, Apple introduced an iOS feature to facilitate network access when captive portals are
present. This feature detects the presence of captive portal by sending a web request upon connecting to
a wireless network, and directs the request to http://www.apple.com/library/test/success.html.
If a response is received, then Internet access is assumed to be available and no further interaction is
required. If no response is received, then Internet access is assumed to be blocked by a captive portal
and Apple's Captive Network Assistant (CNA) auto-launches the pseudo browser to request portal login
in a controlled window.
The CNA may break when redirecting to an ISE captive portal.
Cisco Wireless LAN Controller Release 7.2 prevents this pseudo browser from popping up. You can now configure
the controller to bypass the WISPr detection process, so that the webauth interception is done only when a user
requests a web page, leading to the splash page loading in the user context, without the WISPr detection being
performed in the background.
Configuring Captive Bypassing
Configuring Captive Bypassing (CLI)
• config network web-auth captive-bypass {enable | disable}—Enables or disables the controller
to support bypass of captive portals at the network level.
• show network summary—Displays the status for the WISPr protocol detection feature.
Configuring a Fallback Policy with MAC Filtering and Web Authentication
This section contains the following topics:
• Information About Fallback Policy with MAC Filtering and Web Authentication, page 8-37
• Configuring a Fallback Policy with MAC Filtering and Web Authentication, page 8-37
Information About Fallback Policy with MAC Filtering and Web Authentication
You can configure a fallback policy mechanism that combines Layer 2 and Layer 3 security. In a scenario
where you have both MAC filtering and web authentication implemented, when a client tries to connect
to a WLAN using the MAC filter (RADIUS server), if the client fails the authentication, you can
configure the authentication to fall back to web authentication. When a client passes the MAC filter
authentication, the web authentication is skipped and the client is connected to the WLAN. With this
feature, you can avoid disassociations based on only a MAC filter authentication failure.
Configuring a Fallback Policy with MAC Filtering and Web Authentication
This section contains the following topics:
• Configuring a Fallback Policy with MAC Filtering and Web Authentication (GUI), page 8-37
• Configuring a Fallback Policy with MAC Filtering and Web Authentication (CLI), page 8-38
Configuring a Fallback Policy with MAC Filtering and Web Authentication (GUI)
Note
Before configuring a fallback policy, you must have MAC filtering enabled. To know more about how
to enable MAC filtering, see the “Configuring MAC Filtering for WLANs” section on page 8-16.
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the WLAN for which you want to configure the fallback policy for web
authentication. The WLANs > Edit page appears.
Step 3
Choose the Security and Layer 3 tabs to open the WLANs > Edit (Security > Layer 3) page.
Step 4
From the Layer 3 Security drop-down list, choose None.
Step 5
Select the Web Policy check box.
Note
The controller forwards DNS traffic to and from wireless clients prior to authentication.
The following options are displayed:
• Authentication
• Passthrough
• Conditional Web Redirect
• Splash Page Web Redirect
• On MAC Filter Failure
Step 6
Click On MAC Filter Failure.
Step 7
Click Apply to commit your changes.
Step 8
Click Save Configuration to save your settings.
Configuring a Fallback Policy with MAC Filtering and Web Authentication (CLI)
Note
Before configuring a fallback policy, you must have MAC filtering enabled. To know more about how
to enable MAC filtering, see the “Configuring MAC Filtering for WLANs” section on page 8-16.
Step 1
Enable or disable web authentication on a particular WLAN by entering this command:
config wlan security web-auth on-macfilter-failure wlan-id
Step 2
See the web authentication status by entering this command:
show wlan wlan_id
FT Over-The-Ds mode.............................. Enabled
CKIP ......................................... Disabled
IP Security................................... Disabled
IP Security Passthru.......................... Disabled
Web Based Authentication...................... Enabled-On-MACFilter-Failure
ACL............................................. Unconfigured
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
Assigning a QoS Profile to a WLAN
This section contains the following topics:
• Information About QoS Profiles, page 8-38
• Assigning QoS Profiles, page 8-39
Information About QoS Profiles
Cisco UWN solution WLANs support four levels of QoS: Platinum/Voice, Gold/Video, Silver/Best
Effort (default), and Bronze/Background. You can configure the voice traffic WLAN to use Platinum
QoS, assign the low-bandwidth WLAN to use Bronze QoS, and assign all other traffic between the
remaining QoS levels.
The WLAN QoS level defines a specific 802.11e user priority (UP) for over-the-air traffic. This UP is
used to derive the over-the-wire priorities for non-WMM traffic, and it also acts as the ceiling when
managing WMM traffic with various levels of priorities. The access point uses this QoS-profile-specific
UP in accordance with the values in Table 8-1 to derive the IP DSCP value that is visible on the wired
LAN.
Table 8-1 Access Point QoS Translation Values
AVVID Traffic Type                                          AVVID IP DSCP  QoS Profile  AVVID 802.1p  IEEE 802.11e UP
Network control                                             56 (CS7)       Platinum     7             7
Inter-network control (CAPWAP control, 802.11 management)   48 (CS6)       Platinum     6             7
Voice                                                       46 (EF)        Platinum     5             6
Interactive video                                           34 (AF41)      Gold         4             5
Mission critical                                            26 (AF31)      Gold         3             4
Transactional                                               18 (AF21)      Silver       2             3
Bulk data                                                   10 (AF11)      Bronze       1             2
Best effort                                                 0 (BE)         Silver       0             0
Scavenger                                                   2              Bronze       0             1
Note
The IEEE 802.11e UP value for DSCP values that are not listed in the table is calculated from the
three most significant bits (MSBs) of the DSCP. For example, the IEEE 802.11e UP value for DSCP 32 (100000 in
binary) is the decimal value of the three MSBs (100), which is 4. The 802.11e UP value of
DSCP 32 is therefore 4.
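The derivation in the note above, carried out in code as an added example (not Cisco's code): the explicit rows of Table 8-1 are consulted first, and any DSCP not listed falls back to the three-MSB rule. The helper that extracts the DSCP from an IPv4 ToS/DS byte and the consistency check of the table against the rule are additions for this example.

```python
"""Derive the IEEE 802.11e user priority (UP) from an IP DSCP value.

Added example, not Cisco's code. Encodes Table 8-1 and applies the note's
three-MSB rule for DSCP values the table does not list.
"""

# (traffic type, QoS profile, AVVID 802.1p, IEEE 802.11e UP) keyed by DSCP, from Table 8-1.
TABLE_8_1 = {
    56: ("Network control", "Platinum", 7, 7),
    48: ("Inter-network control", "Platinum", 6, 7),
    46: ("Voice", "Platinum", 5, 6),
    34: ("Interactive video", "Gold", 4, 5),
    26: ("Mission critical", "Gold", 3, 4),
    18: ("Transactional", "Silver", 2, 3),
    10: ("Bulk data", "Bronze", 1, 2),
    0: ("Best effort", "Silver", 0, 0),
    2: ("Scavenger", "Bronze", 0, 1),
}


def dscp_from_tos(tos_byte):
    """DSCP occupies the upper six bits of the IPv4 ToS/DS field (added helper)."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("ToS byte out of range")
    return tos_byte >> 2


def dscp_to_up(dscp):
    """Table 8-1 row if present, otherwise the three-MSB rule from the note."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    if dscp in TABLE_8_1:
        return TABLE_8_1[dscp][3]
    return dscp >> 3  # three most significant bits of a 6-bit value


def classify_tos(tos_byte):
    """(dscp, QoS profile or None, UP); the profile is known only for table rows."""
    dscp = dscp_from_tos(tos_byte)
    row = TABLE_8_1.get(dscp)
    return dscp, (row[1] if row else None), dscp_to_up(dscp)


def rows_deviating_from_msb_rule():
    """DSCPs whose Table 8-1 UP differs from the three-MSB rule; for these the
    explicit table, not the rule, gives the UP the access point uses."""
    return {d for d, row in TABLE_8_1.items() if row[3] != d >> 3}


if __name__ == "__main__":
    for tos in (0xB8, 0x80, 0x08):  # constructed ToS bytes: EF, CS4, CS1
        print(hex(tos), classify_tos(tos))
    print("table rows that differ from the 3-MSB rule:", sorted(rows_deviating_from_msb_rule()))
```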
Assigning QoS Profiles
This section contains the following topics:
• Assigning a QoS Profile to a WLAN (GUI), page 8-39
• Assigning a QoS Profile to a WLAN (CLI), page 8-40
Assigning a QoS Profile to a WLAN (GUI)
If you have not already done so, configure one or more QoS profiles using the instructions in the
“Configuring QoS Profiles (GUI)” section on page 4-66.
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the WLAN to which you want to assign a QoS profile.
Step 3
When the WLANs > Edit page appears, choose the QoS tab.
Step 4
From the Quality of Service (QoS) drop-down list, choose one of the following:
• Platinum (voice)
• Gold (video)
• Silver (best effort)
• Bronze (background)
Note
Silver (best effort) is the default value.
Step 5
Click Apply to commit your changes.
Step 6
Click Save Configuration to save your changes.
Assigning a QoS Profile to a WLAN (CLI)
If you have not already done so, configure one or more QoS profiles using the instructions in the
“Configuring QoS Profiles (CLI)” section on page 4-68.
Step 1
Assign a QoS profile to a WLAN by entering this command:
config wlan qos wlan_id {bronze | silver | gold | platinum}
Silver is the default value.
Step 2
Save your changes by entering this command:
save config
Step 3
Verify that you have properly assigned the QoS profile to the WLAN by entering this command:
show wlan wlan_id
Information similar to the following appears:
WLAN Identifier.................................. 1
Profile Name..................................... test
Network Name (SSID).............................. test
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 0
Exclusionlist.................................... Disabled
Session Timeout.................................. 0
Interface........................................ management
WLAN ACL......................................... unconfigured
DHCP Server...................................... 1.100.163.24
DHCP Address Assignment Required................. Disabled
Quality of Service............................... Silver (best effort)
WMM.............................................. Disabled
...
Configuring QoS Enhanced BSS
This section contains the following topics:
• Information About QoS Enhanced BSS, page 8-40
• Guidelines and Limitations, page 8-41
• Configuring QBSS, page 8-42
Information About QoS Enhanced BSS
The QoS Enhanced Basic Service Set (QBSS) information element (IE) enables the access points to
communicate their channel usage to wireless devices. Because access points with high channel usage
might not be able to handle real-time traffic effectively, the 7921 or 7920 phone uses the QBSS value to
determine if it should associate to another access point. You can enable QBSS in these two modes:
• Wi-Fi Multimedia (WMM) mode, which supports devices that meet the 802.11e QBSS standard
(such as Cisco 7921 IP Phones)
• 7920 support mode, which supports Cisco 7920 IP Phones on your 802.11b/g network
The 7920 support mode has two options:
– Support for 7920 phones that require call admission control (CAC) to be configured on and
advertised by the client device (these are typically older 7920 phones)
– Support for 7920 phones that require CAC to be configured on and advertised by the access
point (these are typically newer 7920 phones)
When access point-controlled CAC is enabled, the access point sends out a Cisco proprietary
CAC Information Element (IE) and does not send out the standard QBSS IE.
Guidelines and Limitations
• The OEAP 600 Series access points do not support CAC.
• QBSS is disabled by default.
• 7920 phones are non-WMM phones with limited CAC functionality. The phones look at the channel
utilization of the access point to which they are associated and compare that to a threshold that is
beaconed by the access point. If the channel utilization is less than the threshold, the 7920 places a
call. In contrast, 7921 phones are full-fledged WMM phones that use traffic specifications (TSPECs)
to gain access to the voice queue before placing a phone call. The 7921 phones work well with
load-based CAC, which uses the percentage of the channel set aside for voice and tries to limit the
calls accordingly.
Because 7921 phones support WMM and 7920 phones do not, capacity and voice quality problems
can arise if you do not properly configure both phones when they are used in a mixed environment.
To enable both 7921 and 7920 phones to co-exist on the same network, make sure that load-based
CAC and 7920 AP CAC are both enabled on the controller and the WMM Policy is set to Allowed.
These settings become particularly important if you have many more 7920 users than 7921 users.
Additional Guidelines for Using Cisco 7921 and 7920 Wireless IP Phones
Follow these guidelines to use Cisco 7921 and 7920 Wireless IP Phones with controllers:
•
Aggressive load balancing must be disabled for each controller. Otherwise, the initial roam attempt
by the phone may fail, causing a disruption in the audio path.
•
The Dynamic Transmit Power Control (DTPC) information element (IE) must be enabled using the
config 802.11b dtpc enable command. The DTPC IE is a beacon and probe information element
that allows the access point to broadcast information on its transmit power. The 7921 or 7920 phone
uses this information to automatically adjust its transmit power to the same level as the access point
to which it is associated. In this manner, both devices are transmitting at the same level.
•
Both the 7921 and 7920 phones and the controllers support Cisco Centralized Key Management
(CCKM) fast roaming.
•
When configuring WEP, there is a difference in nomenclature between the controller and the 7921 or 7920
phone: configure the controller for 104 bits when using 128-bit WEP on the 7921 or 7920 (the 24-bit IV
accounts for the difference). WEP offers no meaningful confidentiality or integrity against a current
attacker; use it only where a legacy phone cannot do WPA2, and keep that WLAN isolated from the rest of
the network.
•
For standalone 7921 phones, load-based CAC must be enabled, and the WMM Policy must be set to
Required on the WLAN.
•
The controller supports traffic classification (TCLAS) coming from 7921 phones using firmware
version 1.1.1. This feature ensures proper classification of voice streams to the 7921 phones.
•
When using a 7921 phone with the 802.11a radio of a 1242 series access point, set the 24-Mbps data
rate to Supported and choose a lower Mandatory data rate (such as 12 Mbps). Otherwise, the phone
might experience poor voice quality.
See Chapter 4, “Configuring Controller Settings,” for more information and configuration instructions
for load-based CAC.
Configuring QBSS
This section contains the following topics:
•
Configuring QBSS (GUI), page 8-42
•
Configuring QBSS (CLI), page 8-42
Configuring QBSS (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the WLAN for which you want to configure WMM mode.
Step 3
When the WLANs > Edit page appears, choose the QoS tab to open the WLANs > Edit (Qos) page.
Step 4
From the WMM Policy drop-down list, choose one of the following options, depending on whether you
want to enable WMM mode for 7921 phones and other devices that meet the WMM standard:
•
Disabled—Disables WMM on the WLAN. This is the default value.
•
Allowed—Allows client devices to use WMM on the WLAN.
•
Required—Requires client devices to use WMM. Devices that do not support WMM cannot join
the WLAN.
Step 5
Select the 7920 AP CAC check box if you want to enable 7920 support mode for phones that require
access point-controlled CAC. The default value is unselected.
Step 6
Select the 7920 Client CAC check box if you want to enable 7920 support mode for phones that require
client-controlled CAC. The default value is unselected.
Note
You cannot enable both WMM mode and client-controlled CAC mode on the same WLAN.
Step 7
Click Apply to commit your changes.
Step 8
Click Save Configuration to save your changes.
Configuring QBSS (CLI)
Step 1
Determine the ID number of the WLAN to which you want to add QBSS support by entering this
command:
show wlan summary
Step 2
Disable the WLAN by entering this command:
config wlan disable wlan_id
Step 3
Configure WMM mode for 7921 phones and other devices that meet the WMM standard by entering this
command:
config wlan wmm {disabled | allowed | required} wlan_id
where
•
disabled disables WMM mode on the WLAN.
•
allowed allows client devices to use WMM on the WLAN.
•
required requires client devices to use WMM. Devices that do not support WMM cannot join the
WLAN.
Step 4
Enable or disable 7920 support mode for phones that require client-controlled CAC by entering this
command:
config wlan 7920-support client-cac-limit {enable | disable} wlan_id
Note
You cannot enable both WMM mode and client-controlled CAC mode on the same WLAN.
Step 5
Enable or disable 7920 support mode for phones that require access point-controlled CAC by entering
this command:
config wlan 7920-support ap-cac-limit {enable | disable} wlan_id
Step 6
Reenable the WLAN by entering this command:
config wlan enable wlan_id
Step 7
Save your changes by entering this command:
save config
Step 8
Verify that the WLAN is enabled and the Dot11-Phone Mode (7920) field is configured for compact
mode by entering this command:
show wlan wlan_id
Configuring Media Session Snooping and Reporting
This section contains the following topics:
•
Information About Media Session Snooping and Reporting, page 8-43
•
Guidelines and Limitations, page 8-44
•
Configuring Media Session Snooping, page 8-44
Information About Media Session Snooping and Reporting
This feature enables access points to detect the establishment, termination, and failure of Session
Initiation Protocol (SIP) voice calls and then report them to the controller and WCS. VoIP snooping and
reporting can be enabled or disabled for each WLAN.
When VoIP MSA snooping is enabled, the access point radios that advertise this WLAN look for SIP
voice packets that comply with SIP RFC 3261. They do not look for non-RFC 3261-compliant SIP voice
packets or Skinny Call Control Protocol (SCCP) voice packets. Any SIP packets destined to or
originating from port number 5060 (the standard SIP signaling port) are considered for further
inspection. The access points track when Wi-Fi Multimedia (WMM) and non-WMM clients are
establishing a call, are already on an active call, or are in the process of ending a call. Upstream packet
classification for both client types occurs at the access point. Downstream packet classification occurs
at the controller for WMM clients and at the access point for non-WMM clients. The access points notify
the controller and WCS of any major call events, such as call establishment, termination, and failure.
The controller provides detailed information for VoIP MSA calls. For failed calls, the controller
generates a trap log with a timestamp and the reason for failure (in the GUI) and an error code (in the
CLI) to aid in troubleshooting. For successful calls, the controller shows the number and duration of calls
for usage tracking purposes. WCS displays failed VoIP call information in the Events page.
Guidelines and Limitations
Controller software release 6.0 or later releases support Voice over IP (VoIP) Media Session Aware
(MSA) snooping and reporting.
Configuring Media Session Snooping
This section contains the following topics:
•
Configuring Media Session Snooping (GUI), page 8-44
•
Configuring Media Session Snooping (CLI), page 8-44
Configuring Media Session Snooping (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the WLAN for which you want to configure media session snooping.
Step 3
On the WLANs > Edit page, click the Advanced tab.
Step 4
Under Voice, select the Media Session Snooping check box to enable media session snooping or
unselect it to disable this feature. The default value is unselected.
Step 5
Click Apply to commit your changes.
Step 6
Click Save Configuration to save your changes.
Step 7
See the VoIP statistics for your access point radios as follows:
a.
Choose Monitor > Access Points > Radios > 802.11a/n or 802.11b/g/n to open the 802.11a/n (or
802.11b/g/n) Radios page.
b.
Scroll to the right and click the Detail link for the access point for which you want to view VoIP
statistics. The Radio > Statistics page appears.
The VoIP Stats section shows the cumulative number and length of voice calls for this access point radio.
Entries are added automatically when voice calls are successfully placed and deleted when the access
point disassociates from the controller.
Step 8
Choose Management > SNMP > Trap Logs to see the traps generated for failed calls. The Trap Logs
page appears.
For example, log 0 shows that a call failed. The log provides the date and time of the call, a description
of the failure, and the reason why the failure occurred.
Configuring Media Session Snooping (CLI)
Step 1
Enable or disable VoIP snooping for a particular WLAN by entering this command:
config wlan call-snoop {enable | disable} wlan_id
Step 2
Save your changes by entering this command:
save config
Step 3
See the status of media session snooping on a particular WLAN by entering this command:
show wlan wlan_id
Information similar to the following appears:
WLAN Identifier.................................. 1
Profile Name..................................... wpa2-psk
Network Name (SSID).............................. wpa2-psk
Status........................................... Enabled
...
FlexConnect Local Switching........................ Disabled
FlexConnect Learn IP Address....................... Enabled
Infrastructure MFP protection.............. Enabled (Global Infrastructure MFP
Disabled)
Client MFP.................................... Optional
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................. Enabled
Step 4
See the call information for an MSA client when media session snooping is enabled and the call is active
by entering this command:
show call-control client callInfo client_MAC_address
Information similar to the following appears:
Uplink IP/port...................................... 192.11.1.71 / 23870
Downlink IP/port.................................... 192.12.1.47 / 2070
UP.................................................. 6
Calling Party....................................... sip:1054
Called Party........................................ sip:1000
Call ID............................................. 58635b00-850161b7-14853-1501a8
Number of calls for given client is.............. 1
Step 5
See the metrics for successful calls or the traps generated for failed calls by entering this command:
show call-control ap {802.11a | 802.11b} Cisco_AP {metrics | traps}
Information similar to the following appears when you enter show call-control ap {802.11a | 802.11b}
Cisco_AP metrics:
Total Call Duration in Seconds................... 120
Number of Calls.................................. 10
Information similar to the following appears when you enter show call-control ap {802.11a | 802.11b}
Cisco_AP traps:
Number of traps sent in one min.................. 2
Last SIP error code.............................. 404
Last sent trap timestamp...................... Jun 20 10:05:06
To aid in troubleshooting, the output of this command shows an error code for any failed calls. Table 8-2
explains the possible error codes for failed calls.
Table 8-2 Error Codes for Failed VoIP Calls

Error Code  Integer                      Description
1           unknown                      Unknown error.
400         badRequest                   The request could not be understood because of malformed syntax.
401         unauthorized                 The request requires user authentication.
402         paymentRequired              Reserved for future use.
403         forbidden                    The server understood the request but refuses to fulfill it.
404         notFound                     The server has information that the user does not exist at the
                                         domain specified in the Request-URI.
405         methodNotallowed             The method specified in the Request-Line is understood but not
                                         allowed for the address identified by the Request-URI.
406         notAcceptable                The resource identified by the request is only capable of
                                         generating response entities with content characteristics that
                                         are not acceptable according to the Accept header field sent in
                                         the request.
407         proxyAuthenticationRequired  The client must first authenticate with the proxy.
408         requestTimeout               The server could not produce a response within a suitable amount
                                         of time, for example, because it could not determine the location
                                         of the user in time.
409         conflict                     The request could not be completed due to a conflict with the
                                         current state of the resource.
410         gone                         The requested resource is no longer available at the server, and
                                         no forwarding address is known.
411         lengthRequired               The server refuses to accept the request without a defined
                                         Content-Length.
413         requestEntityTooLarge        The server is refusing to process a request because the request
                                         entity-body is larger than the server is willing or able to
                                         process.
414         requestURITooLarge           The server is refusing to service the request because the
                                         Request-URI is longer than the server is willing to interpret.
415         unsupportedMediaType         The server is refusing to service the request because the
                                         message body of the request is in a format not supported by the
                                         server for the requested method.
420         badExtension                 The server did not understand the protocol extension specified
                                         in a Proxy-Require or Require header field.
480         temporarilyNotAvailable      The callee's end system was contacted successfully, but the
                                         callee is currently unavailable.
481         callLegDoesNotExist          The UAS received a request that does not match any existing
                                         dialog or transaction.
482         loopDetected                 The server has detected a loop.
483         tooManyHops                  The server received a request that contains a Max-Forwards
                                         header field with the value zero.
484         addressIncomplete            The server received a request with a Request-URI that was
                                         incomplete.
485         ambiguous                    The Request-URI was ambiguous.
486         busy                         The end system of the callee was contacted successfully, but
                                         the callee is currently not willing or able to take additional
                                         calls at this end system.
500         internalServerError          The server encountered an unexpected condition that prevented
                                         it from fulfilling the request.
501         notImplemented               The server does not support the functionality required to
                                         fulfill the request.
502         badGateway                   The server, while acting as a gateway or proxy, received an
                                         invalid response from the downstream server it accessed in
                                         attempting to fulfill the request.
503         serviceUnavailable           The server is temporarily unable to process the request because
                                         of a temporary overloading or maintenance of the server.
504         serverTimeout                The server did not receive a timely response from an external
                                         server it accessed in attempting to process the request.
505         versionNotSupported          The server does not support or refuses to support the SIP
                                         protocol version that was used in the request.
600         busyEverywhere               The callee's end system was contacted successfully, but the
                                         callee is busy or does not want to take the call at this time.
603         decline                      The callee's machine was contacted successfully, but the user
                                         does not want to or cannot participate.
604         doesNotExistAnywhere         The server has information that the user indicated in the
                                         Request-URI does not exist anywhere.
606         notAcceptable                The user's agent was contacted successfully, but some aspects
                                         of the session description (such as the requested media,
                                         bandwidth, or addressing style) were not acceptable.

Note
If you experience any problems with media session snooping, enter the debug call-control {all | event}
{enable | disable} command to debug all media session snooping messages or events.
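The snooping logic described in "Information About Media Session Snooping and Reporting" (inspect only traffic to or from port 5060, follow RFC 3261 signaling per Call-ID, and report establishment, termination and failure with the Table 8-2 code name) can be exercised offline with the following added example. It is not Cisco code and does not reproduce the access point's implementation; the SIP messages are constructed, the event names are assumptions, and only a subset of Table 8-2 is carried in the lookup.

```python
"""Track SIP (RFC 3261) call establishment, termination and failure from
signaling seen on port 5060, along the lines of the media session snooping
described in the text. Added example, not Cisco code; the messages in
run_sample() are constructed, not captured."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SIP_PORT = 5060

# Subset of Table 8-2, keyed by SIP status code.
FAILURE_NAMES = {
    400: "badRequest", 401: "unauthorized", 403: "forbidden", 404: "notFound",
    408: "requestTimeout", 480: "temporarilyNotAvailable", 486: "busy",
    500: "internalServerError", 503: "serviceUnavailable", 603: "decline",
}


@dataclass
class SipMessage:
    is_request: bool
    method: str                 # request method, or the CSeq method for responses
    status: int                 # 0 for requests
    headers: Dict[str, str]     # header names lower-cased


def parse_sip(raw: str) -> SipMessage:
    """Parse the start line and headers of one SIP message (the body is ignored)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    start = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if start[0].startswith("SIP/2.0"):
        cseq_method = headers.get("cseq", "0 UNKNOWN").split()[-1]
        return SipMessage(False, cseq_method, int(start[1]), headers)
    return SipMessage(True, start[0], 0, headers)


class CallSnooper:
    """Per-Call-ID state machine: setup -> active -> ended, or setup -> failed."""

    def __init__(self) -> None:
        self.state: Dict[str, str] = {}
        self.events: List[Tuple[str, str, str]] = []     # (event, call-id, detail)

    def _emit(self, event: str, call_id: str, detail: str = "") -> None:
        self.events.append((event, call_id, detail))

    def observe(self, src_port: int, dst_port: int, raw: str) -> None:
        # Only packets to or from the standard signaling port are inspected.
        if SIP_PORT not in (src_port, dst_port):
            return
        msg = parse_sip(raw)
        call_id = msg.headers.get("call-id", "")
        if not call_id:
            return
        cur = self.state.get(call_id)
        if msg.is_request and msg.method == "INVITE" and cur is None:
            self.state[call_id] = "setup"
            self._emit("setup", call_id, msg.headers.get("from", ""))
        elif msg.is_request and msg.method == "BYE" and cur == "active":
            self.state[call_id] = "ended"
            self._emit("terminated", call_id)
        elif not msg.is_request and msg.method == "INVITE" and cur == "setup":
            if 200 <= msg.status < 300:
                self.state[call_id] = "active"
                self._emit("established", call_id)
            elif msg.status >= 400:
                self.state[call_id] = "failed"
                self._emit("failed", call_id, f"{msg.status} {FAILURE_NAMES.get(msg.status, 'unknown')}")
        # 1xx provisional responses and retransmissions change nothing.


def run_sample() -> List[Tuple[str, str, str]]:
    """Constructed trace: one call answered and hung up, one rejected, one off-port."""
    def invite(cid: str, to: str) -> str:
        return "\r\n".join([f"INVITE sip:{to}@example.net SIP/2.0", "From: <sip:1054@example.net>",
                            f"To: <sip:{to}@example.net>", f"Call-ID: {cid}", "CSeq: 1 INVITE", "", ""])

    def reply(cid: str, code: int, text: str) -> str:
        return "\r\n".join([f"SIP/2.0 {code} {text}", f"Call-ID: {cid}", "CSeq: 1 INVITE", "", ""])

    bye = "\r\n".join(["BYE sip:1000@example.net SIP/2.0", "Call-ID: c1", "CSeq: 2 BYE", "", ""])
    snoop = CallSnooper()
    snoop.observe(23870, 5060, invite("c1", "1000"))
    snoop.observe(5060, 23870, reply("c1", 180, "Ringing"))     # provisional: no event
    snoop.observe(5060, 23870, reply("c1", 200, "OK"))
    snoop.observe(23870, 5060, bye)
    snoop.observe(23870, 5060, invite("c2", "9999"))
    snoop.observe(5060, 23870, reply("c2", 404, "Not Found"))
    snoop.observe(23870, 6000, invite("c3", "1000"))            # not on 5060: not inspected
    return snoop.events
```

The "failed" event carries the same status code that show call-control ap ... traps reports as "Last SIP error code", so the output of run_sample() can be compared directly against the controller's trap log when validating a deployment.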
Configuring Key Telephone System-Based CAC
This section contains the following topics:
•
Information About Key Telephone System-Based CAC, page 8-48
•
Guidelines and Limitations, page 8-48
•
Configuring KTS-based CAC, page 8-48
Information About Key Telephone System-Based CAC
Key Telephone System (KTS) based CAC is a protocol used by NEC MH240 wireless IP telephones. You can
configure the controller to support CAC for KTS-based SIP clients: to process Bandwidth Request
messages from such clients, to allocate the required bandwidth on the AP radio, and to handle the other
messages that are part of the protocol.
When a call is initiated, the KTS-based CAC client sends a Bandwidth Request message to which the
controller responds with a Bandwidth Confirm message indicating whether the bandwidth is allocated
or not. The call is allowed only if the bandwidth is available. If the client roams from one AP to another,
the client sends another Bandwidth Request message to the controller.
Bandwidth allocation depends on the medium time calculated from the data rate in the Bandwidth
Request message and the packetization interval. For KTS-based CAC clients, the G.711 codec with a
20-millisecond packetization interval is used to compute the medium time.
The controller releases the bandwidth after it receives the Bandwidth Release message from the client.
When the client roams to another AP, the controller releases the bandwidth on the previous AP and
allocates bandwidth on the new AP, in both intracontroller and intercontroller roaming scenarios. The
controller also releases the bandwidth if the client is disassociated or if there is no activity for 120
seconds. The controller does not inform the client when its bandwidth is released because of inactivity
or disassociation.
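The exchange described above (Bandwidth Request answered with Bandwidth Confirm, release on roam, explicit release, and the silent 120-second inactivity release) is modelled from the controller's side in the following added example. It is not Cisco code: the per-radio voice budget, the airtime assumed per G.711 frame, the message strings and the client identifiers are all assumptions made for the illustration.

```python
"""Controller side of the KTS-based CAC exchange described above: Bandwidth
Request answered with Bandwidth Confirm, release on roam, explicit Bandwidth
Release, and the 120-second inactivity timeout. Added example, not Cisco code.
The radio budget, the per-frame airtime and the message strings are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

G711_PACKETS_PER_SEC = 50       # G.711 at a 20 ms packetization interval
INACTIVITY_TIMEOUT_S = 120      # the controller releases silent allocations after this


@dataclass
class Allocation:
    ap: str
    medium_time_us: int         # airtime per second committed for this call
    last_activity: float


class KtsCacController:
    def __init__(self, radio_budget_us: int = 600_000, airtime_per_packet_us: int = 1_000) -> None:
        self.radio_budget_us = radio_budget_us              # assumed voice share per radio, per second
        self.airtime_per_packet_us = airtime_per_packet_us  # assumed airtime of one G.711 frame
        self.calls: Dict[str, Allocation] = {}              # client -> allocation

    def medium_time_us(self) -> int:
        """Airtime per second for one bidirectional G.711/20 ms stream."""
        return 2 * G711_PACKETS_PER_SEC * self.airtime_per_packet_us

    def used_on(self, ap: str) -> int:
        return sum(a.medium_time_us for a in self.calls.values() if a.ap == ap)

    def bandwidth_request(self, client: str, ap: str, now: float) -> Tuple[str, bool]:
        """Client -> controller: Bandwidth Request. Returns the Bandwidth Confirm."""
        need = self.medium_time_us()
        # A request from a client that already holds bandwidth is a roam (or a
        # re-request): the previous AP's share is released before admitting here.
        self.calls.pop(client, None)
        if self.used_on(ap) + need > self.radio_budget_us:
            return ("Bandwidth Confirm: not allocated", False)
        self.calls[client] = Allocation(ap, need, now)
        return ("Bandwidth Confirm: allocated", True)

    def bandwidth_release(self, client: str) -> bool:
        """Client -> controller: Bandwidth Release (also used on disassociation)."""
        return self.calls.pop(client, None) is not None

    def activity(self, client: str, now: float) -> None:
        """Voice traffic seen for the client; keeps its allocation alive."""
        if client in self.calls:
            self.calls[client].last_activity = now

    def expire_inactive(self, now: float) -> List[str]:
        """Silent release: the client is not told that its bandwidth is gone."""
        gone = [c for c, a in self.calls.items() if now - a.last_activity > INACTIVITY_TIMEOUT_S]
        for c in gone:
            del self.calls[c]
        return gone
```

With the assumed budget of 600 000 µs per second and 100 000 µs per call, a radio admits six calls; the seventh request is refused, and a roam frees the old radio's share before the new one is checked.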
Guidelines and Limitations
•
The controller ignores the SSID Capability Check Request message from the clients.
•
Preferred call is not supported for KTS CAC clients.
•
Reason code 17 is not supported in intercontroller roaming scenarios.
•
To make the KTS-based CAC feature functional, ensure that you do the following:
– Enable WMM on the WLAN
– Enable ACM at the radio level
– Enable processing of TSPEC inactivity timeout at the radio level
Configuring KTS-based CAC
This section contains the following topics:
•
Configuring KTS-based CAC (GUI), page 8-48
•
Configuring KTS-based CAC (CLI), page 8-49
Configuring KTS-based CAC (GUI)
Prerequisites
To enable KTS-based CAC for a WLAN, ensure that you do the following:
•
Set the QoS profile for the WLAN to Platinum (see the “Assigning QoS Profiles” section on
page 8-39).
•
Set the WLAN in disabled state (see the “Enabling and Disabling WLANs (GUI)” section on
page 8-4).
•
Set the FlexConnect Local Switching in disabled state for the WLAN (On the WLANs > Edit page,
click the Advanced tab and unselect the FlexConnect Local Switching check box).
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the WLAN for which you want to configure the KTS-based CAC policy.
Step 3
On the WLANs > Edit page, click the Advanced tab.
Step 4
Under Voice, select or unselect the KTS based CAC Policy check box to enable or disable KTS-based
CAC for the WLAN.
Step 5
Click Apply to commit your changes.
Configuring KTS-based CAC (CLI)
Prerequisites
To enable KTS-based CAC for a WLAN, ensure that you do the following:
•
Configure the QoS profile for the WLAN to Platinum by entering the following command:
config wlan qos wlan-id platinum
•
Disable the WLAN by entering the following command:
config wlan disable wlan-id
•
Disable FlexConnect Local Switching for the WLAN by entering the following command:
config wlan flexconnect local-switching wlan-id disable
Step 1
Enable KTS-based CAC for a WLAN by entering this command:
config wlan kts-cac enable wlan-id
Step 2
Enable the KTS-based CAC feature by doing the following:
a.
Enable WMM on the WLAN by entering this command:
config wlan wmm allow wlan-id
b.
Enable ACM at the radio level by entering this command:
config 802.11a cac voice acm enable
c.
Enable processing of the TSPEC inactivity timeout at the radio level by entering this command:
config 802.11a cac voice tspec-inactivity-timeout enable
Related Commands
•
See whether the client supports KTS-based CAC by entering the following command:
show client detail client-mac-address
Information similar to the following appears:
Client MAC Address............................... 00:60:b9:0d:ef:26
Client Username ................................. N/A
AP MAC Address................................... 58:bc:27:93:79:90
QoS Level........................................ Platinum
802.1P Priority Tag.............................. disabled
KTS CAC Capability............................... Yes
WMM Support...................................... Enabled
Power Save....................................... ON
•
Troubleshoot issues with KTS-based CAC by entering the following command:
debug cac kts enable
•
Troubleshoot other issues related to CAC, by entering the following commands:
– debug cac event enable
– debug call-control all enable
Configuring Reanchoring of Roaming Voice Clients
This section contains the following topics:
•
Information About Reanchoring of Roaming Voice Clients, page 8-50
•
Guidelines and Limitations, page 8-50
•
Configuring Reanchoring of Roaming Voice Clients, page 8-50
Information About Reanchoring of Roaming Voice Clients
You can allow voice clients to get anchored on the best suited and nearest available controller, which is
useful when intercontroller roaming occurs. By using this feature, you can avoid the use of tunnels to
carry traffic between the foreign controller and the anchor controller and remove unnecessary traffic
from the network.
The ongoing call is not affected by the roam and continues without interruption: its traffic passes
through the tunnels established between the foreign controller and the anchor controller. The client is
disassociated only after the call ends, and it is then reassociated to, and anchored on, the new
controller.
Guidelines and Limitations
•
The ongoing data session might be affected due to disassociation and then reassociation.
•
This feature is supported for TSPEC-based calls and non-TSPEC SIP-based calls only when you
enable the admission control.
•
You can reanchor roaming of voice clients for each WLAN.
•
This feature is not recommended for use on Cisco 792x phones.
Configuring Reanchoring of Roaming Voice Clients
This section contains the following topics:
•
Configuring Reanchoring of Roaming Voice Clients (GUI), page 8-51
•
Configuring Reanchoring of Roaming Voice Clients (CLI), page 8-51
Configuring Reanchoring of Roaming Voice Clients (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the WLAN for which you want to configure reanchoring of roaming voice
clients.
Step 3
When the WLANs > Edit page appears, choose the Advanced tab to open the WLANs > Edit (Advanced)
page.
Step 4
In the Voice area select the Re-anchor Roamed Clients check box.
Step 5
Click Apply to commit your changes.
Step 6
Click Save Configuration to save your changes.
Configuring Reanchoring of Roaming Voice Clients (CLI)
Step 1
Enable or disable reanchoring of roaming voice clients for a particular WLAN by entering this
command:
config wlan roamed-voice-client re-anchor {enable | disable} wlan_id
Step 2
Save your changes by entering this command:
save config
Step 3
See the status of reanchoring roaming voice client on a particular WLAN by entering this command:
show wlan wlan_id
Information similar to the following appears:
WLAN Identifier.................................. 1
Profile Name..................................... wpa2-psk
Network Name (SSID).............................. wpa2-psk
Status........................................... Enabled
...
Call Snooping.................................... Enabled
Roamed Call Re-Anchor Policy..................... Enabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Step 4
Save your changes by entering this command:
save config
Configuring Seamless IPv6 Mobility
This section contains the following topics:
•
Information About IPv6 Mobility, page 8-52
•
Guidelines and Limitations, page 8-52
Information About IPv6 Mobility
Internet Protocol version 6 (IPv6) is the next-generation network layer Internet protocol intended to
replace version 4 (IPv4) in the TCP/IP suite of protocols. This new version increases the Internet global
address space to accommodate users and applications that require unique global IP addresses. IPv6
incorporates 128-bit source and destination addresses, which provide significantly more addresses than
the 32-bit IPv4 addresses.
To support IPv6 clients across controllers, ICMPv6 messages must be handled specially so that an IPv6
client remains on the same Layer 3 network. The controllers keep track of IPv6 clients by intercepting
ICMPv6 messages, which provides seamless mobility and protects the network from Neighbor
Discovery-based attacks. Neighbor Discovery Protocol (NDP) packets are converted from multicast to
unicast and delivered individually to each client. This ensures that Neighbor Discovery and Router
Advertisement packets are not leaked across VLANs: each client receives only the Neighbor Discovery
and Router Advertisement packets meant for it, which ensures correct IPv6 addressing and avoids
unnecessary multicast traffic.
The configuration for IPv6 mobility is the same as IPv4 mobility and requires no separate software on
the client side to achieve seamless roaming. The controllers must be part of the same mobility group.
Both IPv4 and IPv6 client mobility are enabled by default.
Guidelines and Limitations
•
Up to 16 client addresses can be tracked per client.
•
Clients must support IPv6 with either stateless address autoconfiguration (such as Windows XP
clients) or stateful DHCPv6 IP addressing (such as Windows Vista clients).
Note
Currently, DHCPv6 is supported for use only with Windows Vista clients. For these clients,
you must manually renew the DHCPv6 IP address after the client changes VLANs.
Note
The dynamic VLAN function for IPv6 is not supported on the controller software releases
6.0 and 7.0.
•
To allow stateful DHCPv6 IP addressing to operate properly, you must have a switch or router that
supports the DHCP for IPv6 feature (such as the Catalyst 3750 switch) and is configured to act as a
DHCPv6 server, or you need a dedicated server such as a Windows 2008 server with a built-in
DHCPv6 server.
Note
To load the SDM IPv6 template in the Catalyst 3750 switch, enter the sdm prefer
dual-ipv4-and-v6 default command and then reset the switch. For more information, see
Catalyst 3750 Switch Configuration Guide for Cisco IOS Release 12.2(46)SE.
To support the seamless IPv6 Mobility, you might need to configure the following:
•
Configuring RA Guard for IPv6 Clients, page 8-53
•
Configuring RA Throttling for IPv6 Clients, page 8-53
•
Configuring IPv6 Neighbor Discovery Caching, page 8-55
Configuring RA Guard for IPv6 Clients
This section contains the following topics:
•
Information About RA Guard, page 8-53
•
Configuring RA Guard (GUI), page 8-53
•
Configuring RA Guard (CLI), page 8-53
Information About RA Guard
IPv6 clients configure their IPv6 addresses and populate their routing tables from IPv6 Router
Advertisement (RA) packets. The RA guard feature is the wireless counterpart of RA guard on wired
networks. RA guard increases the security of the IPv6 network by dropping unwanted or rogue RA packets
that come from wireless clients. Without it, a malicious IPv6 client could announce itself as the router
for the network, often with a high router preference, so that other hosts prefer it over the legitimate
IPv6 routers and send their traffic through the attacker.
RA guard can be enforced at the access point or at the controller. By default, RA guard is enabled on
the access point and also enabled on the controller. All IPv6 RA messages received from wireless clients
are dropped, which protects other wireless clients and the upstream wired network from malicious IPv6
clients.
Configuring RA Guard (GUI)
Step 1
Choose Controller > IPv6 > RA Guard to open the IPv6 RA Guard page. By default, the IPv6 RA
Guard on AP is enabled.
Step 2
From the drop-down list, select Disable if you want to disable RA guard. The controller also displays
the clients that have been identified as sending RA packets.
Step 3
Click Apply to commit your changes.
Step 4
Click Save Configuration to save your changes.
Configuring RA Guard (CLI)
•
config ipv6 ra-guard ap {enable | disable}
Configuring RA Throttling for IPv6 Clients
This section contains the following topics:
•
Information about RA Throttling, page 8-54
•
Configuring RA Throttling (GUI), page 8-54
•
Configuring RA Throttle Policy (CLI), page 8-54
Information about RA Throttling
RA throttling lets the controller limit the rate of RA packets forwarded toward the wireless network.
With RA throttling enabled, routers that send many RA packets are trimmed to a minimum frequency that
still maintains IPv6 client connectivity. If a client sends a Router Solicitation (RS), the RA sent in
reply is allowed through the controller and unicast to that client, so new and roaming clients are not
affected by the throttling.
Configuring RA Throttling (GUI)
Step 1
Choose Controller > IPv6 > RA Throttle Policy page. By default the IPv6 RA Throttle Policy is
enabled.
Step 2
Unselect the check box to disable RA throttle policy.
Step 3
Configure the following parameters:
•
Throttle period—The period of time for throttling. RA throttling takes place only after the Max
Through limit is reached for the VLAN or the Allow At-Most value is reached for a particular router.
The range is from 10 seconds to 86400 seconds. The default is 600 seconds.
•
Max Through—The maximum number of RA packets on a VLAN that can be sent before throttling
takes place. The No Limit option allows an unlimited number of RA packets through with no
throttling. The range is from 0 to 256 RA packets. The default is 10 RA packets.
•
Interval Option—Controls how the controller treats RA packets that carry the Mobile IPv6
Advertisement Interval option (RFC 3775).
– Passthrough—Allows any RA messages with the RFC3775 interval option to go through
without throttling.
– Ignore—Causes the RA throttle to treat packets with the interval option as a regular RA and
subject to throttling if in effect.
– Throttle—Causes the RA packets with the interval option to always be subject to rate limiting.
•
Allow At-least—The minimum number of RA packets per router that can be sent as multicast before
throttling takes place. The range is from 0 to 32 RA packets.
•
Allow At-most—The maximum number of RA packets per router that can be sent as multicast
before throttling takes place. The No Limit option allows an unlimited number of RA packets
through the router. The range is from 0 to 256 RA packets.
Note
When RA throttling occurs, only the first IPv6 capable router is allowed through. For networks that have
multiple IPv6 prefixes being served by different routers, you should disable RA throttling.
Step 4
Click Apply to commit your changes.
Step 5
Click Save Configuration to save your changes.
Configuring RA Throttle Policy (CLI)
•
config ipv6 neighbor-binding ra-throttle {allow at-least at-least-value | enable | disable |
interval-option {ignore | passthrough | throttle} | max-through {max-through-value | no-limit}}
Configuring IPv6 Neighbor Discovery Caching
This section contains the following topics:
• Information About IPv6 Neighbor Discovery, page 8-55
• Configuring Neighbor Binding Timers (GUI), page 8-55
• Configure Neighbor Binding Timers (CLI), page 8-55
Information About IPv6 Neighbor Discovery
IPv6 Neighbor Discovery is a set of messages and processes that determine relationships between
neighboring nodes. Neighbor Discovery replaces ARP, ICMP Router Discovery, and ICMP Redirect
used in IPv4.
IPv6 Neighbor Discovery inspection analyzes neighbor discovery messages in order to build a trusted
binding table database, and IPv6 neighbor discovery packets that do not comply are dropped. The
neighbor binding table in the controller tracks each IPv6 address and its associated MAC address. Clients
are expired from the table according to Neighbor Binding timers.
Configuring Neighbor Binding Timers (GUI)
Step 1
Choose Controller > IPv6 > Neighbor Binding Timers page.
Step 2
Configure the following Timers:
• Down-Lifetime—Specifies how long IPv6 cache entries are kept if the interface goes down. The
range is from 0 to 86400 seconds.
• Reachable-Lifetime—Specifies how long IPv6 addresses are active. The range is from 0 to 86400
seconds.
• Stale-Lifetime—Specifies how long to keep IPv6 addresses in the cache. The range is from 0 to
86400 seconds.
Note
It is recommended that you configure Reachable-lifetime as 3600 sec and Stale-Lifetime as 300
sec for optimal performance.
Step 3
Click Apply to commit your changes.
Step 4
Click Save Configuration to save your changes.
Configure Neighbor Binding Timers (CLI)
•
config ipv6 neighbor-binding timers {down-lifetime | reachable-lifetime | stale-lifetime}
{enable | disable}
Configuring Unknown Address NS Multicast Forwarding
The controller caches the IPv6 addresses of wireless clients. If the controller receives an NS
multicast looking for an IPv6 address that belongs to one of its wireless clients, the controller acts as
the proxy and replies with the NA. If the controller does not have the IPv6 address of a wireless client,
it does not respond with an NA and drops the NS packet. To resolve this issue, an NS Multicast
Forwarding knob is provided. If this knob is enabled and the controller receives an NS packet for an
IPv6 address that it does not have (a cache miss), it forwards the NS packet to the wireless side. The
packet reaches the intended wireless client, and the client replies with an NA.
This cache miss scenario occurs rarely: only the very few clients that do not implement a complete IPv6
stack may fail to advertise their IPv6 address during NDP.
Configuring NS Multicast Forwarding (CLI)
• Enter the following command to enable or disable NS multicast forwarding:
config ipv6 ns-mcast-fwd {enable | disable}
By default, NS multicast forwarding is disabled.
When NS multicast forwarding is enabled, the controller sends the NS multicast packet to all the
wireless and wired clients. When NS multicast forwarding is disabled, the controller sends the
NS multicast packet to the wired side.
• Enter the following command to view the status of NS multicast forwarding:
show ipv6 summary
Information similar to the following appears:
Reachable-lifetime value.................... 86400
Stale-lifetime value........................ 86400
Down-lifetime value......................... 86400
RA Throttling............................... Enabled
RA Throttling allow at-least................ 2
RA Throttling allow at-most................. no-limit
RA Throttling max-through................... 10
RA Throttling throttle-period............... 12
RA Throttling interval-option............... ignore
NS Mulitcast CacheMiss Forwarding........... Disabled
• Enter the following command to view the NS multicast forwarding statistics:
show ipv6 neighbor-binding counters
Information similar to the following appears:
..............
Cache Miss Statistics:
Multicast NS Forward[1]
Multicast NS Dropped[3]
Note
The Multicast NS Forward parameter is incremented when the knob is enabled. The Multicast
NS Dropped parameter is incremented when the knob is disabled.
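The recommended neighbor binding timers and the show ipv6 summary output format above can be turned into a quick configuration audit. The following Python script is an added example, not part of this guide or of the controller software: it parses a constructed dump laid out like the output shown above and flags timers that differ from the recommended 3600 s and 300 s, RA throttle values outside their documented ranges, and RA throttling left enabled when more than one router serves IPv6 prefixes (the router count is operator-supplied, since the dump does not show it).

```python
"""Audit a WLC 'show ipv6 summary' dump against the guidance in this chapter.

Added example, not code from the Cisco guide. SAMPLE_OUTPUT is constructed in the
format the chapter prints (including its spelling of 'Mulitcast'); the checks encode
only what the chapter states: recommended Reachable-lifetime 3600 s and
Stale-lifetime 300 s, the documented RA throttle ranges, and the advice to disable
RA throttling when several routers serve different IPv6 prefixes.
"""
import re

# Constructed sample, same layout as the chapter's 'show ipv6 summary' output.
SAMPLE_OUTPUT = """\
Reachable-lifetime value.................... 86400
Stale-lifetime value........................ 86400
Down-lifetime value......................... 86400
RA Throttling............................... Enabled
RA Throttling allow at-least................ 2
RA Throttling allow at-most................. no-limit
RA Throttling max-through................... 10
RA Throttling throttle-period............... 12
RA Throttling interval-option............... ignore
NS Mulitcast CacheMiss Forwarding........... Disabled
"""

# 'key........ value' lines: the key contains no dot, the dot run is the leader.
LINE_RE = re.compile(r"^(?P<key>[^.]+?)\.{2,}\s*(?P<value>\S.*)$")

# Recommended neighbor binding timers (seconds) from the chapter's Note.
RECOMMENDED_TIMERS = {"Reachable-lifetime value": 3600, "Stale-lifetime value": 300}

# Documented ranges as (low, high, 'no-limit' accepted) for the RA throttle parameters.
RA_RANGES = {
    "RA Throttling allow at-least": (0, 32, False),
    "RA Throttling allow at-most": (0, 256, True),
    "RA Throttling max-through": (0, 256, True),
    "RA Throttling throttle-period": (10, 86400, False),
}

def parse_ipv6_summary(text):
    """Map each 'key..... value' line to {key: value}; unrelated lines are skipped."""
    fields = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            fields[match.group("key").strip()] = match.group("value").strip()
    return fields

def _as_int(value):
    """Return value as int, or None when absent or not numeric (e.g. 'no-limit')."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def audit_ipv6_summary(fields, ipv6_router_count=1):
    """Return a list of findings; an empty list means the dump follows the guidance.

    ipv6_router_count: routers serving IPv6 prefixes on the client VLANs
    (operator-supplied; the dump itself does not reveal it).
    """
    findings = []
    for key, want in RECOMMENDED_TIMERS.items():
        got = _as_int(fields.get(key))
        if got is None:
            findings.append(f"{key}: missing or non-numeric in output")
        elif got != want:
            findings.append(f"{key}: {got} s, recommended {want} s")
    throttling_on = fields.get("RA Throttling", "").lower() == "enabled"
    if throttling_on:
        if ipv6_router_count > 1:
            findings.append(
                f"RA Throttling: enabled while {ipv6_router_count} routers serve IPv6 "
                "prefixes; only the first router is allowed through, so disable throttling")
        for key, (low, high, no_limit_ok) in RA_RANGES.items():
            raw = fields.get(key)
            if raw is None or (raw == "no-limit" and no_limit_ok):
                continue
            number = _as_int(raw)
            if number is None or not low <= number <= high:
                findings.append(f"{key}: {raw!r} is outside the documented range {low}-{high}")
    return findings

if __name__ == "__main__":
    parsed = parse_ipv6_summary(SAMPLE_OUTPUT)
    for finding in audit_ipv6_summary(parsed, ipv6_router_count=2):
        print("FINDING:", finding)
```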
Configuring Cisco Client Extensions
This section contains the following topics:
• Information About Cisco Client Extensions, page 8-57
• Guidelines and Limitations, page 8-57
• Configuring CCX Aironet IEs, page 8-57
Information About Cisco Client Extensions
Cisco Client Extensions (CCX) software is licensed to manufacturers and vendors of third-party client
devices. The CCX code resident on these clients enables them to communicate wirelessly with Cisco
access points and to support Cisco features that other client devices do not, including those features
related to increased security, enhanced performance, fast roaming, and superior power management.
Guidelines and Limitations
• The 4.2 or later releases of controller software support CCX versions 1 through 5, which enables
controllers and their access points to communicate wirelessly with third-party client devices that
support CCX. CCX support is enabled automatically for every WLAN on the controller and cannot
be disabled. However, you can configure a specific CCX feature per WLAN. This feature is Aironet
information elements (IEs).
• If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the
access point name, load, number of associated clients, and so on) in the beacon and probe responses
of this WLAN, and the controller sends Aironet IEs 0x85 and 0x95 (which contains the management
IP address of the controller and the IP address of the access point) in the reassociation response if it
receives Aironet IE 0x85 in the reassociation request.
• CCX is not supported on Cisco OEAP 600 access points, and none of the elements related to CCX
are supported.
• Cisco OEAP 600 access points do not support Cisco Aironet IEs.
• With the 7.2 release, a new version of CCX, which is called CCX Lite, is available. For more
information about CCX Lite, see
http://www.cisco.com/web/partners/pr46/pr147/program_additional_information_new_release_features.html.
Configuring CCX Aironet IEs
This section contains the following topics:
• Configuring CCX Aironet IEs (GUI), page 8-57
• Viewing a Client’s CCX Version (GUI), page 8-58
• Configure CCX Aironet IEs (CLI), page 8-58
• Viewing a Client’s CCX Version (CLI), page 8-58
Configuring CCX Aironet IEs (GUI)
Step 1
Choose WLANs to open the WLANs page.
Step 2
Click the ID number of the desired WLAN to open the WLANs > Edit page.
Step 3
Choose the Advanced tab to open the WLANs > Edit (Advanced tab) page.
Step 4
Select the Aironet IE check box if you want to enable support for Aironet IEs for this WLAN.
Otherwise, unselect this check box. The default value is enabled (or selected).
Step 5
Click Apply to commit your changes.
Step 6
Click Save Configuration to save your changes.
Viewing a Client’s CCX Version (GUI)
A client device sends its CCX version in association request packets to the access point. The controller
then stores the client’s CCX version in its database and uses it to limit the features for this client. For
example, if a client supports CCX version 2, the controller does not allow the client to use CCX version
4 features.
Step 1
Choose Monitor > Clients to open the Clients page.
Step 2
Click the MAC address of the desired client device to open the Clients > Detail page.
The CCX Version text box shows the CCX version supported by this client device. Not Supported
appears if the client does not support CCX.
Step 3
Click Back to return to the previous screen.
Step 4
Repeat this procedure to view the CCX version supported by any other client devices.
Configure CCX Aironet IEs (CLI)
• config wlan ccx aironet-ie {enable | disable} wlan_id
Note
The default value is enabled.
Viewing a Client’s CCX Version (CLI)
See the CCX version supported by a particular client device using the controller CLI by entering this
command:
show client detail client_mac
Configuring AP Groups
This section contains the following topics:
• Information About Access Point Groups, page 8-59
• Guidelines and Limitations, page 8-59
• Configuring Access Point Groups, page 8-60
Information About Access Point Groups
After you create up to 512 WLANs on the controller, you can selectively publish them (using access
point groups) to different access points to better manage your wireless network. In a typical deployment,
all users on a WLAN are mapped to a single interface on the controller. Therefore, all users associated
with that WLAN are on the same subnet or VLAN. However, you can choose to distribute the load among
several interfaces or to a group of users based on specific criteria such as individual departments (such as
Marketing) by creating access point groups. Additionally, these access point groups can be configured
in separate VLANs to simplify network administration.
In the example, three configured dynamic interfaces are mapped to three different VLANs (VLAN 61,
VLAN 62, and VLAN 63). Three access point groups are defined, and each is a member of a different
VLAN, but all are members of the same SSID. A client within the wireless SSID is assigned an IP
address from the VLAN subnet on which its access point is a member. For example, any user that
associates with an access point that is a member of access point group VLAN 61 is assigned an IP
address from that subnet.
In the example, the controller internally treats roaming between access points as a Layer 3 roaming
event. In this way, WLAN clients maintain their original IP addresses.
After all access points have joined the controller, you can create access point groups and assign up to 16
WLANs to each group. Each access point advertises only the enabled WLANs that belong to its access
point group. The access point does not advertise disabled WLANs in its access point group or WLANs
that belong to another group.
Guidelines and Limitations
• The required access control list (ACL) must be defined on the router that serves the VLAN or subnet.
• Multicast traffic is supported with access point group VLANs. However, if the client roams from
one access point to another, the client might stop receiving multicast traffic, unless IGMP snooping
is enabled.
• The OEAP 600 Series access point supports a maximum of two WLANs and one remote LAN. If
you have configured more than two WLANs and one remote LAN, you can assign the 600 Series
access point to an AP group. The support for two WLANs and one remote LAN still applies to the
AP group. If the 600 Series OEAP is in the default group, the WLAN/remote LAN IDs must be lower
than 8.
• Suppose that the interface mapping for a WLAN in the AP group table is the same as the WLAN
interface. If the WLAN interface is changed, the interface mapping for the WLAN in the AP group
table also changes to the new WLAN interface.
Suppose that the interface mapping for a WLAN in the AP group table is different from the one
defined for the WLAN. If the WLAN interface is changed, then the interface mapping for the WLAN
in the AP group table does not change to the new WLAN interface.
Note
A controller with OfficeExtend access points in an access point group publishes up to 15 WLANs to each
connected OfficeExtend access point because it reserves one WLAN for the personal SSID.
• You can create up to 300 access point groups for Cisco 4400 Series Controllers, Cisco WiSM, and
3750G wireless LAN controller switch; and up to 500 access point groups for Cisco 5500 Series
Controllers.
• All OfficeExtend access points should be in the same access point group, and that group should
contain no more than 15 WLANs. A controller with OfficeExtend access points in an access point
group publishes only up to 15 WLANs to each connected OfficeExtend access point because it
reserves one WLAN for the personal SSID.
• If you clear the configuration on the controller, all of the access point groups disappear except for
the default access point group “default-group,” which is created automatically.
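The limits listed above can be checked mechanically before an AP group change is applied. The following Python script is an added example, not part of this guide or of the controller software: it models WLANs, APs and AP groups as plain data and reports every rule from this list that a layout breaks. The sample inventory is constructed (it reuses the WLAN IDs and the AP1242 entry from the show wlan apgroups output later in this section; the OEAP entry, and the assumption that default-group does not count toward the platform group limit, are the example's own).

```python
"""Lint an AP-group layout against the limits listed in this chapter.

Added example, not code from the Cisco guide. The inventory at the bottom is
constructed (WLAN IDs and the AP1242 entry mirror the chapter's 'show wlan
apgroups' sample; the OEAP entry is invented), and each check names the rule
from the chapter that it encodes.
"""
from dataclasses import dataclass, field

MAX_WLANS_PER_GROUP = 16       # up to 16 WLANs can be assigned to each AP group
MAX_WLANS_OFFICEEXTEND = 15    # OfficeExtend APs reserve one WLAN for the personal SSID
MAX_GROUPS = {"5500": 500, "4400": 300, "WiSM": 300, "3750G": 300}
DEFAULT_GROUP = "default-group"

@dataclass
class WLAN:
    wlan_id: int
    ssid: str
    remote_lan: bool = False   # remote LAN (wired) entry, relevant to OEAP 600

@dataclass
class AccessPoint:
    name: str
    model: str
    officeextend: bool = False   # OfficeExtend AP (reserves the personal SSID)
    oeap600: bool = False        # OEAP 600 Series: at most 2 WLANs + 1 remote LAN

@dataclass
class APGroup:
    name: str
    wlan_ids: list
    ap_names: list = field(default_factory=list)

def default_group_wlans(wlans):
    """WLAN IDs the controller auto-populates into default-group: IDs 1 through 16."""
    return sorted(w.wlan_id for w in wlans if 1 <= w.wlan_id <= 16)

def validate_ap_groups(platform, wlans, aps, groups):
    """Return a list of findings; empty when the layout satisfies the chapter's limits."""
    findings = []
    wlan_by_id = {w.wlan_id: w for w in wlans}
    ap_by_name = {a.name: a for a in aps}
    # Platform limit on AP groups (default-group is not counted: an assumption).
    custom = [g for g in groups if g.name != DEFAULT_GROUP]
    limit = MAX_GROUPS.get(platform)
    if limit is not None and len(custom) > limit:
        findings.append(f"{len(custom)} AP groups exceeds the {limit} supported on {platform}")
    # An AP belongs to exactly one AP group.
    membership = {}
    for g in groups:
        for name in g.ap_names:
            membership.setdefault(name, []).append(g.name)
    for name, names in membership.items():
        if len(names) > 1:
            findings.append(f"AP {name} is assigned to more than one group: {', '.join(names)}")
    for g in groups:
        members = [ap_by_name[n] for n in g.ap_names if n in ap_by_name]
        unknown = [i for i in g.wlan_ids if i not in wlan_by_id]
        if unknown:
            findings.append(f"{g.name}: references undefined WLAN IDs {unknown}")
        if g.name == DEFAULT_GROUP and sorted(g.wlan_ids) != default_group_wlans(wlans):
            findings.append(f"{g.name}: must hold exactly the WLANs with IDs 1-16 and cannot be edited")
        cap = MAX_WLANS_OFFICEEXTEND if any(a.officeextend for a in members) else MAX_WLANS_PER_GROUP
        if len(g.wlan_ids) > cap:
            findings.append(f"{g.name}: {len(g.wlan_ids)} WLANs exceeds the limit of {cap}")
        if any(a.oeap600 for a in members):
            wlan_count = sum(1 for i in g.wlan_ids if i in wlan_by_id and not wlan_by_id[i].remote_lan)
            rlan_count = sum(1 for i in g.wlan_ids if i in wlan_by_id and wlan_by_id[i].remote_lan)
            if wlan_count > 2 or rlan_count > 1:
                findings.append(f"{g.name}: OEAP 600 supports 2 WLANs and 1 remote LAN, "
                                f"group has {wlan_count} and {rlan_count}")
            if g.name == DEFAULT_GROUP and any(i >= 8 for i in g.wlan_ids):
                findings.append(f"{g.name}: OEAP 600 in default-group needs WLAN/remote LAN IDs below 8")
    return findings

# Constructed inventory: WLAN IDs as in the chapter's 'show wlan apgroups' sample.
WLANS = [WLAN(i, f"corp-{i}") for i in (1, 2, 3, 4, 9, 10, 11, 12, 13, 14, 15, 16, 18)]
WLANS.append(WLAN(5, "branch-wired", remote_lan=True))
APS = [AccessPoint("AP1242", "AP1242AG-A-K9"),
       AccessPoint("OEAP-home-1", "OEAP600 (constructed)", officeextend=True, oeap600=True)]
GROUPS = [
    APGroup(DEFAULT_GROUP, [1, 2, 3, 4, 5, 9, 10, 11, 12, 13, 14, 15, 16]),
    APGroup("AP2", [1, 2, 3, 4, 9, 10, 11, 12, 13, 14, 15, 16, 18], ["AP1242"]),
    APGroup("teleworkers", [1, 2, 18, 5], ["OEAP-home-1"]),  # 3 WLANs: one too many for OEAP 600
]

if __name__ == "__main__":
    for finding in validate_ap_groups("5500", WLANS, APS, GROUPS):
        print("FINDING:", finding)
```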
Configuring Access Point Groups
Step 1
Configure the appropriate dynamic interfaces and map them to the desired VLANs.
For example, to implement the network in Figure 7-23, create dynamic interfaces for VLANs 61, 62, and
63 on the controller. See Chapter 4, “Configuring Ports and Interfaces,” for information on how to
configure dynamic interfaces.
Step 2
Create the access point groups. See the “Creating Access Point Groups (GUI)” section on page 8-60.
Step 3
Create a RF profile. See the “Creating an RF Profile (GUI)” section on page 8-65.
Step 4
Assign access points to the appropriate access point groups. See the “Creating Access Point Groups
(GUI)” section on page 8-60.
Step 5
Apply the RF profile on the AP Groups. See the “Applying RF Profile to AP Groups (GUI)” section on
page 8-65.
Creating Access Point Groups (GUI)
Step 1
Choose WLANs > Advanced > AP Groups to open the AP Groups page.
This page lists all the access point groups currently created on the controller. By default, all access points
belong to the default access point group “default-group,” unless you assign them to other access point
groups.
Note
When you upgrade to controller software release 5.2 or later releases, the controller creates the
default-group access point group and automatically populates it with the first 16 WLANs
(WLANs with IDs 1 through 16, or fewer if 16 WLANs are not configured). This default group
cannot be modified (you cannot add WLANs to it nor delete WLANs from it). It is dynamically
updated whenever the first 16 WLANs are added or deleted. If an access point does not belong
to an access point group, it is assigned to the default group and uses the WLANs in that group.
If an access point joins the controller with an undefined access point group name, the access
point keeps its group name but uses the WLANs in the default-group access point group.
Step 2
Click Add Group to create a new access point group. The Add New AP Group section appears at the
top of the page.
Step 3
In the AP Group Name text box, enter the group’s name.
Step 4
In the Description text box, enter the group’s description.
Step 5
Click Add. The newly created access point group appears in the list of access point groups on the AP
Groups page.
Note
If you ever want to delete this group, hover your cursor over the blue drop-down arrow for the
group and choose Remove. An error message appears if you try to delete an access point group
that is used by at least one access point. Before deleting an access point group in controller
software release 6.0 or later releases, move all access points in the group to another group. The
access points are not moved to the default-group access point group as in previous releases.
Step 6
Click the name of the group to edit this new group. The AP Groups > Edit (General) page appears.
Step 7
Change the description of this access point group by entering the new text in the AP Group Description
text box and click Apply.
Step 8
Choose the WLANs tab to open the AP Groups > Edit (WLANs) page. This page lists the WLANs that
are currently assigned to this access point group.
Step 9
Click Add New to assign a WLAN to this access point group. The Add New section appears at the top
of the page.
Step 10
From the WLAN SSID drop-down list, choose the SSID of the WLAN.
Step 11
From the Interface Name drop-down list, choose the interface to which you want to map the access point
group. Choose the quarantine VLAN if you plan to enable network admission control (NAC) out-of-band
support.
Note
The interface name in the default-group access point group matches the WLAN interface.
Step 12
Select the NAC State check box to enable NAC out-of-band support for this access point group. To
disable NAC out-of-band support, leave the check box unselected, which is the default value. See the
“Configuring NAC Out-of-Band Integration” section on page 8-70 for more information on NAC.
Step 13
Click Add to add this WLAN to the access point group. This WLAN appears in the list of WLANs that
are assigned to this access point group.
Note
If you ever want to remove this WLAN from the access point group, hover your cursor over the
blue drop-down arrow for the WLAN and choose Remove.
Step 14
Repeat Step 9 through Step 13 to add any additional WLANs to this access point group.
Step 15
Choose the APs tab to assign access points to this access point group. The AP Groups > Edit (APs) page
lists the access points that are currently assigned to this group as well as any access points that are
available to be added to the group. If an access point is not currently assigned to a group, its group name
appears as “default-group”.
Step 16
Select the check box to the left of the access point name and click Add APs to add an access point to
this access point group. The access point now appears in the list of access points currently in this access
point group.
Note
To select all of the available access points at once, select the AP Name check box. All of the
access points are then selected.
Step 17
Click Save Configuration to save your changes.
Note
If you ever want to remove an access point from the group, select the check box to the left of the
access point name and click Remove APs. To select all of the access points at once, select the
AP Name check box. All of the access points are then removed from this group.
Note
If you ever want to change the access point group to which an access point belongs, choose
Wireless > Access Points > All APs > ap_name > Advanced tab, choose the name of another
access point group from the AP Group Name drop-down list, and click Apply.
Creating Access Point Groups (CLI)
Step 1
Create an access point group by entering this command:
config wlan apgroup add group_name
Note
To delete an access point group, enter the config wlan apgroup delete group_name command.
An error message appears if you try to delete an access point group that is used by at least one
access point. Before deleting an access point group in controller software release 6.0 or later
releases, move all access points in the group to another group. The access points are not moved
to the default-group access point group as in previous releases. To see the access points in a
group, enter the show wlan apgroups command. To move the access points to another group,
enter the config ap group-name group_name Cisco_AP command.
Step 2
Add a description to an access point group by entering this command:
config wlan apgroup description group_name description
Step 3
Assign a WLAN to an access point group by entering this command:
config wlan apgroup interface-mapping add group_name wlan_id interface_name
Note
To remove a WLAN from an access point group, enter the config wlan apgroup
interface-mapping delete group_name wlan_id command.
Step 4
Enable or disable NAC out-of-band support for this access point group by entering this command:
config wlan apgroup nac {enable | disable} group_name wlan_id
Step 5
Configure a WLAN radio policy on the access point group by entering this command:
config wlan apgroup wlan-radio-policy apgroup_name wlan_id {802.11a-only | 802.11bg |
802.11g-only | all}
Step 6
Assign an access point to an access point group by entering this command:
config ap group-name group_name Cisco_AP
Note
To remove an access point from an access point group, reenter this command and assign the
access point to another group.
Step 7
Save your changes by entering this command:
save config
Viewing Access Point Groups (CLI)
To view information about or to troubleshoot access point groups, use these commands:
• See a list of all access point groups on the controller by entering this command:
show wlan apgroups
Information similar to the following appears:
Site Name........................................ AP2
Site Description................................. Access Point 2
WLAN ID   Interface    Network Admission Control
-------   ----------   -------------------------
1         management   Disabled
2         management   Disabled
3         management   Disabled
4         management   Disabled
9         management   Disabled
10        management   Disabled
11        management   Disabled
12        management   Disabled
13        management   Disabled
14        management   Disabled
15        management   Disabled
16        management   Disabled
18        management   Disabled
AP Name   Slots   AP Model        Ethernet MAC        Location   Port   Country   Priority   GroupName
-------   -----   -------------   -----------------   --------   ----   -------   --------   ---------
AP1242    2       AP1242AG-A-K9   00:14:1c:ed:23:9a   default    1      US        1          AP2
...
• See the BSSIDs for each WLAN assigned to an access point group by entering this command:
show ap wlan {802.11a | 802.11b} Cisco_AP
Information similar to the following appears:
Site Name........................................ AP3
Site Description................................. Access Point 3
WLAN ID   Interface    BSSID
-------   ----------   -----------------
10        management   00:14:1b:58:14:df
• See the number of WLANs enabled for an access point group by entering this command:
show ap config {802.11a | 802.11b} Cisco_AP
Information similar to the following appears:
Cisco AP Identifier.............................. 166
Cisco AP Name................................. AP2
...
Station Configuration
Configuration ............................. AUTOMATIC
Number Of WLANs ........................... 2
...
• Enable or disable debugging of access point groups by entering this command:
debug group {enable | disable}
Configuring RF Profiles
This section contains the following topics:
• Information About RF Profiles, page 8-64
• Guidelines and Limitations, page 8-64
• Configuring RF Profiles, page 8-65
Information About RF Profiles
RF profiles allow you to tune groups of APs that share a common coverage zone together and selectively
change how RRM operates the APs within that coverage zone.
For example, a university might deploy a high density of APs, in an area with a high number of users.
This situation requires that you manipulate both data rates and power to address the cell density while
managing the co-channel interference. In adjacent areas, normal coverage is provided and such
manipulation would result in a loss of coverage.
Using RF profiles and AP groups allows you to optimize the RF settings for AP groups that operate in
different environments or coverage zones. RF profiles are created for 802.11b/g/n or 802.11a/n radios.
An RF profile is applied to all APs that belong to an AP group, so all APs in that group have the
same profile settings.
The RF profile gives you control over the data rates and power (TPC) values.
Note
The application of an RF profile does not change the AP’s status in RRM. It is still in global
configuration mode controlled by RRM.
Note
An AP that has a custom power setting applied is not in global configuration mode, so an RF
profile has no effect on this AP. For RF profiling to work, all APs must have their channel and power
managed by RRM.
Guidelines and Limitations
Once you create an AP group and apply RF profiles or modify an existing AP group, the new settings
are in effect and the following rules apply:
• The same RF profile must be applied and present on every controller of the AP group or the action
will fail for that controller.
• Once you assign an RF profile to an AP group you cannot make changes to that RF profile. You must
change the AP group RF profile settings to none in order to change the RF profile and then add it
back to the AP group. You can also work around this restriction by disabling the network that will
be affected by the changes that you will be making, either for 802.11a or 802.11b.
• You can assign the same RF profile to more than one AP group.
• Within the AP group, changing the assignment of an RF profile on either band causes the AP to
reboot.
• You cannot delete an RF profile that is applied to an AP group.
• You cannot delete an AP group that has APs assigned to it.
Configuring RF Profiles
This section contains the following topics:
• Creating an RF Profile (GUI), page 8-65
• Applying RF Profile to AP Groups (GUI), page 8-65
Creating an RF Profile (GUI)
Step 1
Choose Wireless > RF Profiles to open the RF profiles page.
Step 2
Click New to create a new RF profile.
Step 3
Enter the RF Profile Name and choose the radio band.
Step 4
Click Apply to configure the customizations of power and data rate parameters.
Step 5
Configure the Maximum and Minimum Power Level Assignment, that is the maximum and minimum
power that the APs in this RF profile are allowed to use. The range is from -10 dBm to 30 dBm.
Step 6
Configure a custom TPC power threshold for either Version 1 or Version 2 of TPC. The range is from –80
dBm to –50 dBm.
Note
Only one TPC version can be operable for RRM on a controller. Version 1 and Version 2 are not
interoperable within the same RF profile. If you select a threshold value for TPCv2 and it is not
in the chosen TPC algorithm for the RF profile, this value will be ignored.
Step 7
Configure the data rates to be applied to the APs of this RF profile.
Step 8
Click Apply to commit your changes.
Step 9
Click Save Configuration to save your changes.
Applying RF Profile to AP Groups (GUI)
Step 1
Choose WLAN > Advanced > AP Groups to open the AP Groups page.
Step 2
Click AP Group Name to open a configuration dialog box.
Step 3
Click the RF Profile tab to configure the RF Profile details. You can choose an RF profile for each band
(802.11a/802.11b) or you can choose one or none to apply to this group.
Note
Until you choose the APs and add them to the new group, no configurations are applied. You can
save the new configuration as is, but no profiles are applied. Once you have chosen the APs to add
to the AP group, moving the APs into the new group reboots the APs, and the RF profile
configurations are applied to the APs of the AP group.
Step 4
Click the APs tab and choose the APs to add to the AP group.
Step 5
Click Add APs to add the selected APs to the AP group. A warning message is displayed indicating
that the APs in the AP group reboot and rejoin the controller.
Note
The APs cannot belong to two AP groups at once.
Step 6
Click OK. The APs are added to the AP group.
Configuring Web Redirect with 802.1X Authentication
This section contains the following sections:
•
Information About Web Redirect with 802.1X Authent