EliteConnect™ SMC2552W-G2 Universal 2.4GHz Wireless Single

Add to my manuals
294 Pages

advertisement

EliteConnect™ SMC2552W-G2 Universal 2.4GHz Wireless Single | Manualzz

EliteConnect SMC2552W-G2

Universal 2.4GHz Wireless

Single-Band Access Point

The easy way to make all your network connections

38 Tesla

Irvine, CA 92618

Phone: (949) 679-8000

April 2006

Revision Number: R01

F4.3.2.2 B02

Copyright

Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable.

However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC. SMC reserves the right to change specifications at any time without notice.

Copyright © 2006 by

SMC Networks, Inc.

38 Tesla

Irvine, CA 92618

All rights reserved.

Trademarks:

SMC is a registered trademark; and EliteConnect is a trademark of SMC Networks, Inc. Other product and company names are trademarks or registered trademarks of their respective holders.

C

OMPLIANCES

Federal Communication Commission Interference

Statement

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:

• Reorient or relocate the receiving antenna

• Increase the separation between the equipment and receiver

• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected

• Consult the dealer or an experienced radio/TV technician for help

FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

IMPORTANT NOTE:

FCC Radiation Exposure Statement

This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 centimeters (8 inches) between the radiator and your body. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.

Industry Canada - Class B

This digital apparatus does not exceed the Class B limits for radio noise emissions from digital apparatus as set out in the interference-causing equipment standard entitled “Digital Apparatus,” ICES-003 of Industry Canada.

Cet appareil numérique respecte les limites de bruits radioélectriques applicables

i

C

OMPLIANCES aux appareils numériques de Classe B prescrites dans la norme sur le matérial brouilleur: “Appareils Numériques,” NMB-003 édictée par l’Industrie.

Japan VCCI Class B

ii

Australia/New Zealand AS/NZS 4771

ACN 066 352010

EC Conformance Declaration

Marking by the above symbol indicates compliance with the Essential

Requirements of the R&TTE Directive of the European Union (1999/5/

EC). This equipment meets the following conformance standards:

• EN 60950-1 (IEC 60950-1) - Product Safety

• EN 300 328 - Technical requirements for 2.4 GHz radio equipment

• EN 301 489-1 / EN 301 489-17 - EMC requirements for radio equipment

Countries of Operation & Conditions of Use in the European

Community

This device is intended to be operated in all countries of the European

Community. Requirements for indoor vs. outdoor operation, license requirements and allowed channels of operation apply in some countries as described below:

Note: The user must use the configuration utility provided with this product to ensure the channels of operation are in conformance with the spectrum usage rules for European Community countries as described below.

• This device requires that the user or installer properly enter the current country of operation in the command line interface as described in the user guide, before operating this device.

C

OMPLIANCES

• This device will automatically limit the allowable channels determined by the current country of operation. Incorrectly entering the country of operation may result in illegal operation and may cause harmful interference to other systems. The user is obligated to ensure the device is operating according to the channel limitations, indoor/outdoor restrictions and license requirements for each European Community country as described in this document.

• This device may be operated indoors or outdoors in all countries of the

European Community using the 2.4 GHz band: Channels 1 - 13, except where noted below.

- In Italy the end-user must apply for a license from the national spectrum authority to operate this device outdoors.

- In Belgium outdoor operation is only permitted using the 2.46 -

2.4835 GHz band: Channel 13.

- In France outdoor operation is only permitted using the 2.4 - 2.454

GHz band: Channels 1 - 7.

iii

C

OMPLIANCES

Declaration of Conformity in Languages of the European

Community

English

Finnish

Dutch

French

Swedish

Danish

German

Greek

Italian

Hereby, SMC, declares that this Radio LAN device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.

Valmistaja SMC vakuuttaa täten että Radio LAN device tyyppinen laite on direktiivin 1999/5/EY oleellisten vaatimusten ja sitä koskevien direktiivin muiden ehtojen mukainen.

Hierbij verklaart SMC dat het toestel Radio LAN device in overeenstemming is met de essentiële eisen en de andere relevante bepalingen van richtlijn 1999/5/EG

Bij deze SMC dat deze Radio LAN device voldoet aan de essentiële eisen en aan de overige relevante bepalingen van

Richtlijn 1999/5/EC.

Par la présente SMC déclare que l'appareil Radio LAN device est conforme aux exigences essentielles et aux autres dispositions pertinentes de la directive 1999/5/CE

Härmed intygar SMC att denna Radio LAN device står I

överensstämmelse med de väsentliga egenskapskrav och övriga relevanta bestämmelser som framgår av direktiv 1999/5/EG.

Undertegnede SMC erklærer herved, at følgende udstyr Radio

LAN device overholder de væsentlige krav og øvrige relevante krav i direktiv 1999/5/EF

Hiermit erklärt SMC, dass sich dieser/diese/dieses Radio LAN device in Übereinstimmung mit den grundlegenden

Anforderungen und den anderen relevanten Vorschriften der

Richtlinie 1999/5/EG befindet". (BMWi)

Hiermit erklärt SMC die Übereinstimmung des Gerätes Radio

LAN device mit den grundlegenden Anforderungen und den anderen relevanten Festlegungen der Richtlinie 1999/5/EG.

(Wien)

με την παρουσα SMC δηλωνει οτι radio LAN device

συμμορφωνεται προσ τισ ουσιωδεισ απαιτησεισ και τισ λοιπεσ

σΧετικεσ διαταξεισ τησ οδηγιασ 1999/5/εκ

Con la presente SMC dichiara che questo Radio LAN device è conforme ai requisiti essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva 1999/5/CE.

iv

C

OMPLIANCES

Spanish Por medio de la presente Manufacturer declara que el Radio LAN device cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999/5/CE

Portuguese Manufacturer declara que este Radio LAN device está conforme com os requisitos essenciais e outras disposições da Directiva

1999/5/CE.

Safety Compliance

Power Cord Safety

Please read the following safety information carefully before installing the access point:

WARNING: Installation and removal of the unit must be carried out by qualified personnel only.

• The unit must be connected to an earthed (grounded) outlet to comply with international safety standards.

• Do not connect the unit to an A.C. outlet (power supply) without an earth

(ground) connection.

• The appliance coupler (the connector to the unit and not the wall plug) must have a configuration for mating with an EN 60320/IEC 320 appliance inlet.

• The socket outlet must be near to the unit and easily accessible. You can only remove power from the unit by disconnecting the power cord from the outlet.

• This unit operates under SELV (Safety Extra Low Voltage) conditions according to IEC 60950. The conditions are only maintained if the equipment to which it is connected also operates under SELV conditions.

• The PoE (Power over Ethernet), which is to be interconnected with other equipment that must be contained within the same building including the interconnected equipment’s associated LAN connections.

France and Peru only

This unit cannot be powered from IT

supplies. If your supplies are of IT type, this unit must be powered by 230 V (2P+T) via an isolation transformer ratio 1:1, with the secondary connection point labelled Neutral, connected directly to earth

(ground).

Impédance à la terre

v

C

OMPLIANCES

Important! Before making connections, make sure you have the correct cord set.

Check it (read the label on the cable) against the following:

Power Cord Set

U.S.A. and

Canada

Denmark

Switzerland

U.K.

Europe

The cord set must be UL-approved and CSA certified.

The minimum specifications for the flexible cord are:

- No. 18 AWG - not longer than 2 meters, or 16 AWG.

- Type SV or SJ

- 3-conductor

The cord set must have a rated current capacity of at least

10 A

The attachment plug must be an earth-grounding type with

NEMA 5-15P (15 A, 125 V) or NEMA 6-15P (15 A, 250 V) configuration.

The supply plug must comply with Section 107-2-D1,

Standard DK2-1a or DK2-5a.

The supply plug must comply with SEV/ASE 1011.

The supply plug must comply with BS1363 (3-pin 13 A) and be fitted with a 5 A fuse which complies with BS1362.

The mains cord must be <HAR> or <BASEC> marked and be of type HO3VVF3GO.75 (minimum).

The supply plug must comply with CEE7/7 (“SCHUKO”).

The mains cord must be <HAR> or <BASEC> marked and be of type HO3VVF3GO.75 (minimum).

IEC-320 receptacle.

vi

C

OMPLIANCES

Veuillez lire à fond l'information de la sécurité suivante avant d'installer le access point:

AVERTISSEMENT: L’installation et la dépose de ce groupe doivent être confiés à un personnel qualifié.

• Ne branchez pas votre appareil sur une prise secteur (alimentation électrique) lorsqu'il n'y a pas de connexion de mise à la terre (mise à la masse).

• Vous devez raccorder ce groupe à une sortie mise à la terre (mise à la masse) afin de respecter les normes internationales de sécurité.

• Le coupleur d’appareil (le connecteur du groupe et non pas la prise murale) doit respecter une configuration qui permet un branchement sur une entrée d’appareil

EN 60320/IEC 320.

• La prise secteur doit se trouver à proximité de l’appareil et son accès doit être facile. Vous ne pouvez mettre l’appareil hors circuit qu’en débranchant son cordon

électrique au niveau de cette prise.

• L’appareil fonctionne à une tension extrêmement basse de sécurité qui est conforme à la norme IEC 60950. Ces conditions ne sont maintenues que si l’équipement auquel il est raccordé fonctionne dans les mêmes conditions.

France et Pérou uniquement:

Ce groupe ne peut pas être alimenté par un dispositif à impédance à la terre. Si vos alimentations sont du type impédance à la terre, ce groupe doit être alimenté par une tension de 230 V (2 P+T) par le biais d’un transformateur d’isolement à rapport

1:1, avec un point secondaire de connexion portant l’appellation Neutre et avec raccordement direct à la terre (masse).

Cordon électrique

- Il doit être agréé dans le pays d’utilisation

Etats-Unis et

Canada:

Le cordon doit avoir reçu l’homologation des UL et un certificat de la CSA.

Les spécifications minimales pour un cable flexible sont

AWG No. 18, ou AWG No. 16 pour un cable de longueur inférieure à 2 mètres.

- type SV ou SJ

- 3 conducteurs

Le cordon doit être en mesure d’acheminer un courant nominal d’au moins 10 A.

Danemark:

La prise femelle de branchement doit être du type à mise à la terre (mise à la masse) et respecter la configuration NEMA

5-15P (15 A, 125 V) ou NEMA 6-15P (15 A, 250 V).

La prise mâle d’alimentation doit respecter la section 107-2

D1 de la norme DK2 1a ou DK2 5a.

vii

C

OMPLIANCES

Cordon électrique - Il doit être agréé dans le pays d’utilisation

Suisse: La prise mâle d’alimentation doit respecter la norme SEV/

ASE 1011.

Europe La prise secteur doit être conforme aux normes CEE 7/7

(“SCHUKO”)

LE cordon secteur doit porter la mention <HAR> ou

<BASEC> et doit être de type HO3VVF3GO.75 (minimum).

Bitte unbedingt vor dem Einbauen des Access Point die folgenden

Sicherheitsanweisungen durchlesen

(Germany)

:

WARNUNG: Die Installation und der Ausbau des Geräts darf nur durch

Fachpersonal erfolgen.

• Das Gerät sollte nicht an eine ungeerdete Wechselstromsteckdose angeschlossen werden.

• Das Gerät muß an eine geerdete Steckdose angeschlossen werden, welche die internationalen Sicherheitsnormen erfüllt.

• Der Gerätestecker (der Anschluß an das Gerät, nicht der

Wandsteckdosenstecker) muß einen gemäß EN 60320/IEC 320 konfigurierten

Geräteeingang haben.

• Die Netzsteckdose muß in der Nähe des Geräts und leicht zugänglich sein. Die

Stromversorgung des Geräts kann nur durch Herausziehen des

Gerätenetzkabels aus der Netzsteckdose unterbrochen werden.

• Der Betrieb dieses Geräts erfolgt unter den SELV-Bedingungen

(Sicherheitskleinstspannung) gemäß IEC 60950. Diese Bedingungen sind nur gegeben, wenn auch die an das Gerät angeschlossenen Geräte unter

SELV-Bedingungen betrieben werden.

viii

C

OMPLIANCES

Stromkabel. Dies muss von dem Land, in dem es benutzt wird geprüft werden:

U.S.A und

Kanada

Der Cord muß das UL gepruft und war das CSA beglaubigt.

Das Minimum spezifikation fur der Cord sind:

- Nu. 18 AWG - nicht mehr als 2 meter, oder 16 AWG.

- Der typ SV oder SJ

- 3-Leiter

Der Cord muß haben eine strombelastbarkeit aus wenigstens 10 A

Dieser Stromstecker muß hat einer erdschluss mit der typ

NEMA 5-15P (15A, 125V) oder NEMA 6-15P (15A, 250V) konfiguration.

Danemark

Schweiz

Europe

Dieser Stromstecker muß die ebene 107-2-D1, der standard DK2-1a oder DK2-5a Bestimmungen einhalten.

Dieser Stromstecker muß die SEV/ASE

1011Bestimmungen einhalten.

Das Netzkabel muß vom Typ HO3VVF3GO.75

(Mindestanforderung) sein und die Aufschrift <HAR> oder

<BASEC> tragen.

Der Netzstecker muß die Norm CEE 7/7 erfüllen

(”SCHUKO”).

ix

C

OMPLIANCES

x

Table of Contents

Chapter 1: Introduction

Package Checklist

Hardware Description

Component Description

Features and Benefits

System Defaults

Chapter 2: Hardware Installation

Chapter 3: External Antennas

Installation Procedures

Chapter 4: Network Configuration

Network Topologies

Ad Hoc Wireless LAN (no Access Point)

Infrastructure Wireless LAN

Infrastructure Wireless LAN for Roaming Wireless PCs

Infrastructure Wireless Bridge

Infrastructure Wireless Repeater

Chapter 5: Initial Configuration

Initial Setup through the CLI

Required Connections

Initial Configuration Steps

Logging In

Chapter 6: System Configuration 6-1

Advanced Configuration 6-2

System Identification

TCP / IP Settings

6-3

6-5

RADIUS 6-7

SSH Settings 6-11

Authentication 6-12

Filter Control 6-17

xi

5-1

5-1

5-1

5-2

5-3

3-1

3-1

4-1

4-2

4-2

4-3

4-4

4-5

4-6

1-1

1-2

1-2

1-3

1-5

1-6

2-1

Contents

VLAN 6-19

WDS Settings

AP Management

6-21

6-27

Administration 6-28

System Log 6-32

SNMP 6-36

Configuring SNMP and Trap Message Parameters 6-37

Configuring SNMPv3 Users

Configuring SNMPv3 Trap Filters

Configuring SNMPv3 Targets

Radio Interface

6-42

6-44

6-46

6-48

Security 6-63

Status Information 6-83

Access Point Status

Station Status

Event Logs

6-83

6-86

6-89

Chapter 7: Command Line Interface 7-1

Using the Command Line Interface

Accessing the CLI

Console Connection

Telnet Connection

Entering Commands

Keywords and Arguments

Minimum Abbreviation

Command Completion

Getting Help on Commands

Partial Keyword Lookup

Negating the Effect of Commands

Using Command History

Understanding Command Modes

Exec Commands

Configuration Commands

Command Line Processing

Command Groups

General Commands

configure 7-8 end 7-8 exit 7-8

ping 7-9

7-5

7-6

7-6

7-7

7-3

7-3

7-4

7-4

7-4

7-4

7-5

reset 7-10 show history 7-10

show line

System Management Commands

7-11

7-11

7-1

7-1

7-1

7-1

7-2

7-2

7-2

xii

Contents

country 7-12

prompt 7-14 system name 7-14

username 7-15 password 7-15

ip ssh-server enable ip ssh-server port

7-16

7-16

ip telnet-server enable ip http port

ip http server ip https port

7-17

7-17

7-18

7-18

ip https server 7-19

web-redirect 7-20

APmgmtIP 7-21

APmgmtUI 7-22 show apmagement

show system

show version show config

show hardware

System Logging Commands

logging on logging host

logging console logging level

logging facility-type

logging clear show logging

show event-log

System Clock Commands

sntp-server ip

7-30

7-30

7-31

7-32

7-32

7-33

7-33

7-34

7-22

7-23

7-24

7-24

7-28

7-28

7-29

7-29

sntp-server enable

sntp-server date-time

sntp-server daylight-saving sntp-server timezone

7-34

7-35

7-36

7-36

show sntp

DHCP Relay Commands

7-37

7-38 dhcp-relay enable 7-38

dhcp-relay 7-39 show dhcp-relay

SNMP Commands

snmp-server community snmp-server contact

snmp-server location snmp-server enable server

7-39

7-40

7-41

7-41

7-42

7-42

xiii

Contents xiv

snmp-server host

snmp-server trap

snmp-server engine-id snmp-server user

snmp-server targets

snmp-server filter

snmp-server filter-assignments show snmp groups

show snmp users show snmp group-assignments

show snmp target show snmp filter

show snmp filter-assignments

show snmp

Flash/File Commands bootfile 7-55

copy 7-56

delete 7-57

dir 7-58 show bootfile

RADIUS Client radius-server address

radius-server port

7-58

7-59

7-59

7-60 radius-server key

radius-server retransmit radius-server timeout

radius-server port-accounting radius-server timeout-interim

radius-server radius-mac-format radius-server vlan-format

show radius

7-60

7-61

7-61

7-62

7-62

7-63

7-63

7-64

7-50

7-51

7-51

7-52

7-52

7-53

7-54

7-55

7-43

7-44

7-46

7-46

7-48

7-49

7-50

802.1X Authentication 7-65

802.1x 7-65

802.1x broadcast-key-refresh-rate

802.1x session-key-refresh-rate

7-66

7-67

802.1x session-timeout

802.1x-supplicant enable

802.1x-supplicant user

show authentication

7-67

7-68

7-68

7-69

MAC Address Authentication address filter default

address filter entry address filter delete

mac-authentication server mac-authentication session-timeout

7-70

7-70

7-71

7-71

7-72

7-72

Contents

Filtering Commands filter local-bridge

filter ap-manage filter uplink enable

filter uplink filter ethernet-type enable

filter ethernet-type protocol

show filters

WDS Bridge Commands

bridge role (WDS) bridge-link parent

bridge-link child bridge dynamic-entry age-time

show bridge aging-time

show bridge filter-entry show bridge link

Spanning Tree Commands bridge stp enable

bridge stp forwarding-delay bridge stp hello-time

bridge stp max-age bridge stp priority

bridge-link path-cost bridge-link port-priority

show bridge stp

Ethernet Interface Commands interface ethernet

7-86

7-87

7-88

7-88

dns server ip address

7-89

7-89

ip dhcp 7-90

speed-duplex 7-91

7-81

7-83

7-83

7-84

7-84

7-85

7-85

7-86

7-77

7-77

7-78

7-78

7-79

7-79

7-80

7-81

7-73

7-73

7-74

7-74

7-75

7-75

7-76

shutdown 7-92 show interface ethernet 7-92

Wireless Interface Commands

interface wireless

7-93

7-95 vap 7-95

speed 7-96 multicast-data-rate 7-96

channel 7-97 transmit-power 7-97

radio-mode 7-98

preamble 7-99 antenna control 7-99

antenna id

antenna location

7-100

7-101

xv

Contents xvi

beacon-interval 7-101

dtim-period 7-102 fragmentation-length 7-102

rts-threshold 7-103

super-g 7-104 description 7-104

ssid 7-105 closed-system 7-105

max-association 7-106 assoc-timeout-interval 7-106

auth-timeout-value 7-107 shutdown 7-107

show interface wireless 7-108

show station

Rogue AP Detection Commands

7-109

7-109

rogue-ap enable

rogue-ap authenticate rogue-ap duration

rogue-ap interval

7-110

7-111

7-111

7-112

rogue-ap scan show rogue-ap

7-113

7-113

Wireless Security Commands 7-114 auth 7-114

encryption 7-116

key 7-117

transmit-key 7-118

cipher-suite 7-119

mic_mode 7-120

wpa-pre-shared-key 7-121 pmksa-lifetime 7-121

pre-authentication 7-122

Link Integrity Commands

link-integrity ping-detect link-integrity ping-host

link-integrity ping-interval link-integrity ping-fail-retry link-integrity ethernet-detect

show link-integrity

IAPP Commands

7-123

7-124

7-124

7-125

7-125

7-125

7-126

7-127 iapp 7-127

VLAN Commands 7-128 vlan 7-128

management-vlanid 7-129 vlan-id 7-129

WMM Commands 7-130

Contents

wmm 7-131 wmm-acknowledge-policy 7-131

wmmparam 7-132

Appendix A: Troubleshooting A-1

Appendix B: Cables and Pinouts

Twisted-Pair Cable Assignments

10/100BASE-TX Pin Assignments

Straight-Through Wiring

Crossover Wiring

Console Port Pin Assignments

Wiring Map for Serial Cable

Appendix C: Specifications C-1

General Specifications C-1

Sensitivity C-4

Transmit Power C-4

Operating Range C-6

Glossary

Index

B-1

B-1

B-1

B-2

B-3

B-3

B-4

xvii

Contents xviii

Chapter 1: Introduction

The 2.4 GHz Wireless Access Point is an IEEE 802.11b/g access point that provides transparent, wireless high-speed data communications between the wired LAN and fixed or mobile devices equipped with an 802.11b, or 802.11g wireless adapter.

This solution offers fast, reliable wireless connectivity with considerable cost savings over wired LANs (which include long-term maintenance overhead for cabling). Using

802.11b and 802.11g technology, this access point can easily replace a 10 Mbps

Ethernet connection or seamlessly integrate into a 10/100 Mbps Ethernet LAN.

The access point supports up to eight Virtual Access Points. This allows traffic to be separated for different user groups using an access point that services one area. For each VAP, different security settings, VLAN assignments, and other parameters can be applied.

Each radio interface on the access point can operate in one of four modes:

Access Point – Providing conectivity to wireless clients in the service area.

Repeater – Providing an extended link to a remote access point from the wired

LAN. In this mode, the access point does not have a cable connection to the wired

Ethernet LAN.

Bridge – Providing links to access points operating in “Bridge” or “Root Bridge” mode and thereby connecting other wired LAN segments.

Root Bridge – Providing links to other access points operating in “Bridge” mode and thereby connecting other wired LAN segments. Only one unit in the wireless bridge network can be set to “Root Bridge” mode.

In addition, the access point offers full network management capabilities through an easy to configure web interface, a command line interface for initial configuration and troubleshooting, and support for Simple Network Management Protocol tools.

Radio Characteristics – The IEEE 802.11b/g standard uses a radio modulation technique known as Orthogonal Frequency Division Multiplexing (OFDM), and a shared collision domain (CSMA/CA). It operates at the 2.4 GHz Unlicensed National

Information Infrastructure (UNII) band for connections to 802.11g clients.

IEEE 802.11g includes backward compatibility with the IEEE 802.11b standard.

IEEE 802.11b also operates at 2.4 GHz, but uses Direct Sequence Spread

Spectrum (DSSS) and Complementary Code Keying (CCK) modulation technology to achieve a communication rate of up to 11 Mbps.

The access point supports a 54 Mbps half-duplex connection to Ethernet networks for each active channel.

1-1

1

Introduction

Package Checklist

The 2.4 GHz Wireless Access Point package includes:

• One 2.4 GHz Wireless Access Point

• One Category 5 network cable

• One RS-232 console cable

• One AC power adapter and power cord

• Four rubber feet

• User Guide CD

Inform your dealer if there are any incorrect, missing or damaged parts. If possible, retain the carton, including the original packing materials. Use them again to repack the product in case there is a need to return it.

Hardware Description

Top Panel

Antennas

LED

Indicators

1-2

Hardware Description

1

Rear Panel

RJ-45

Management

Port

Security Slot

5 VDC

Power Socket

Reset

Button

Console

Port

Component Description

Antennas

The access point includes integrated diversity antennas for wireless communications. A diversity antenna system uses two identical antennas to receive and transmit signals, helping to avoid multipath fading effects. When receiving, the access point checks both antennas and selects the one with the strongest signal.

When transmitting, it will continue to use the antenna previously selected for receiving. The access point never transmits from both antennas at the same time.

The antennas transmit the outgoing signal as a toroidal sphere (doughnut shaped), with the coverage extending most in a direction perpendicular to the antenna. The antenna should be adjusted to an angle that provides the appropriate coverage for

the service area. For further information, see “Positioning the Antennas” on 2-2.

LED Indicators

The access point includes three status

LED indicators, as described in the following figure and table.

Power

Ethernet

Link/Activity

802.11b/g

Wireless

Link/Activity

1-3

1

Introduction

LED

PWR

Link

11g

Status

On

Description

Indicates that the system is working normally.

Flashing Indicates running a self-test or loading the software program.

Flashing (Prolonged) Indicates system errors.

On

Flashing

On

Flashing

Off

Indicates a valid 10/100 Mbps Ethernet cable link.

Indicates that the access point is transmitting or receiving data on a 10/100 Mbps Ethernet LAN. Flashing rate is proportional to network activity.

Indicates that the 802.11b/g radio is enabled.

Indicates that the access point is transmitting or receiving data through wireless links. Flashing rate is proportional to network activity.

Indicates that the 802.11b/g radio is disabled.

Security Slot

The access point includes a Kensington security slot on the rear panel. You can prevent unauthorized removal of the access point by wrapping the Kensington security cable (not provided) around an unmovable object, inserting the lock into the slot, and turning the key.

Console Port

This port is used to connect a console device to the access point through a serial

cable. This connection is described under “Console Port Pin Assignments” on page

B-3. The console device can be a PC or workstation running a VT-100 terminal

emulator, or a VT-100 terminal.

Ethernet Port

The access point has one 10BASE-T/100BASE-TX RJ-45 port that can be attached directly to 10BASE-T/100BASE-TX LAN segments. These segments must conform to the IEEE 802.3 or 802.3u specifications.

This port supports automatic MDI/MDI-X operation, so you can use straight-through cables for all network connections to PCs, switches, or hubs.

The access point appears as an Ethernet node and performs a bridging function by moving packets from the wired LAN to remote workstations on the wireless infrastructure.

Note: The RJ-45 port also supports Power over Ethernet (PoE) based on the IEEE

802.3af standard. Refer to the description for the “Power Connector” for information on supplying power to the access point’s network port from a network device, such as a switch, that provides Power over Ethernet (PoE).

1-4

Features and Benefits

1

Reset Button

This button is used to reset the access point or restore the factory default configuration. If you hold down the button for less than 5 seconds, the access point will perform a hardware reset. If you hold down the button for 5 seconds or more, any configuration changes you may have made are removed, and the factory default configuration is restored to the access point.

Power Connector

The access point does not have a power switch. It is powered on when connected to the AC power adapter, and the power adapter is connected to a power source. The power adapter automatically adjusts to any voltage between 100-240 volts at 50 or

60 Hz. No voltage range settings are required.

The access point may also receive Power over Ethernet (PoE) from a switch or other network device that supplies power over the network cable based on the IEEE

802.3af standard.

Note that if the access point is connected to a PoE source device and also connected to a local power source through the AC power adapter, PoE will be disabled.

Features and Benefits

• Local network connection via 10/100 Mbps Ethernet ports or 54 Mbps wireless interface (supporting up to 128 mobile users)

• IEEE 802.11b, and 802.11g compliant

• Interoperable with multiple vendors based on the IEEE 802.11f protocol

• Advanced security through 64/128/152-bit Wired Equivalent Protection (WEP) encryption, IEEE 802.1X authentication via a RADIUS server, Wi-Fi Protected

Access (WPA), and MAC address filtering features to protect your sensitive data and authenticate only authorized users to your network

• Provides seamless roaming within the IEEE 802.11b and 802.11g WLAN environment

• Scans all available channels and selects the best channel for each client based on the signal-to-noise ratio

• Allows the country of operation to be set to match regulatory requirements (for countries outside of the United States)

1-5

1

Introduction

System Defaults

The following table lists some of the access point’s basic system defaults. To reset the access point defaults, use the CLI command “reset configuration” from the Exec level prompt.

Table 1-1. System Defaults

Feature

Identification

Administration

General

Parameter

System Name

User Name

Password

HTTP Server

HTTP Server Port

HTTPS Server

HTTPS Server Port

TCP/IP

Web Redirect

DHCP

IP Address

Subnet Mask

RADIUS (Primary and

Secondary)

Default Gateway

Primary DNS IP

Secondary DNS IP

IP Address

Port

Key

SSH

PPPoE

Timeout

Retransmit attempts

Accounting Port

Interim Update Timeout

Server Status

Server Port

PPPoE Status

Default

SMC admin smcadmin

Enabled

80

Enabled

443

Disabled

Enabled

192.168.2.2

255.255.255.0

0.0.0.0

0.0.0.0

0.0.0.0

0.0.0.0

1812

DEFAULT

5 seconds

3

0 (Disabled)

3600 seconds

Enabled

22

Disabled

1-6

Table 1-1. System Defaults

Feature

MAC Authentication

Parameter Default

MAC Disabled

Authentication Session Timeout 0 minutes (disabled)

Local MAC System Default

Local MAC Permission

802.1X Authentication Status

Broadcast Key Refresh

Allowed

Allowed

Disabled

0 minutes (disabled)

VLAN

QoS

Session Key Refresh 0 minutes (disabled)

Reauthentication Refresh Rate 0 seconds (disabled)

Supplicant

Management VLAN ID

Disabled

1

VLAN ID (VAP Interface)

VLAN Tag Support

1

Disabled

QoS Mode Off

SVP (SpectraLink Voice Priority) Disabled

Filter Control

SNMP

Local Bridge

AP Management

Ethernet Type

Status

Location

Contact

Community (Read Only)

Community

(Read/Write)

Traps

Trap Destination (1-4)

Trap Destination IP Address

Trap Destination Community

Name

SNMP v3 Groups

SNMP v3 Users

Disabled

Enabled

Disabled

Enabled null null

Public

Private

Enabled

Disabled null

Public

RO

RWAuth

RWPriv none

System Defaults

1

1-7

1

Introduction

Feature

System Logging

System Clock

Ethernet Interface

Wireless Interface

802.11b/g

Table 1-1. System Defaults

Parameter

Syslog

Logging Host

Logging Console

IP Address / Host Name

Logging Level

Logging Facility Type

SNTP Server Status

SNTP Server 1 IP

SNTP Server 2 IP

Date and Time

Default

Disabled

Disabled

Disabled

0.0.0.0

Informational

16

Enabled

137.92.140.80

192.43.244.18

00:00, Jan 1, 1970 (when there is no time server)

Daylight Saving Time

Time Zone

Speed and Duplex

IAPP

SSID

Radio Mode

Status

Auto Channel Select

Closed System

Transmit Power

Max Station Data Rate

Multicast Data Rate

Disabled

Full

54 Mbps

5.5 Mbps

Preamble Length

Beacon Interval

Long

100 TUs

Data Beacon Rate (DTIM Interval) 1 beacon

RTS Threshold 2347 bytes

Association Timeout Interval

Authentication Timeout Interval

Rogue AP Detection

Antenna Control Method

Disabled

GMT-5 (Eastern Time, US and Canada)

Auto

Enabled

SMC b+g

Disabled

Enabled

30 minutes

60 minutes

Disabled

Diversity

1-8

Feature

Wireless Interface

802.11b/g (contd.)

Wireless Security

802.11b/g

Link Integrity

Table 1-1. System Defaults

Parameter

Antenna ID

Antenna Location

Authentication Type

Data Encryption

WEP Key Length

WEP Key Type

WEP Transmit Key Number

WEP Keys

WPA Configuration Mode

WPA Key Management

WPA PSK Type

Multicast Cipher

Status

Ping Interval

Fail Retry Count

Default

0x0000

Indoor

Open System

Disabled

128 bits

Hexadecimal

1 null

WEP Only (Disabled)

WPA Pre-shared Key

Alphanumeric

WEP

Disabled

30 seconds

6

System Defaults

1

1-9

1

Introduction

1-10

Chapter 2: Hardware Installation

1.

Select a Site

– Choose a proper place for the access point. In general, the best location is at the center of your wireless coverage area, within line of sight of all wireless devices. Try to place the access point in a position that can best cover

its Basic Service Set (refer to “Infrastructure Wireless LAN” on page 4-3). For

optimum performance, consider these points:

• Mount the access point as high as possible above any obstructions in the coverage area.

• Avoid mounting next to or near building support columns or other obstructions that may cause reduced signal or null zones in parts of the coverage area.

• Mount away from any signal absorbing or reflecting structures (such as those containing metal).

2.

Mount the Access Point – The access point can be mounted on any horizontal surface.

Mounting on a horizontal surface – To keep the access point from sliding on the surface, attach the four rubber feet provided in the accessory kit to the marked circles on the bottom of the access point.

Lock the Access Point in Place – To prevent unauthorized removal of the access point, you can use a Kensington Slim MicroSaver security cable (not included) to attach the access point to a fixed object.

2-1

2

Hardware Installation

3.

Connect the Power Cord – Connect the power adapter to the access point, and the power cord to an AC power outlet.

Otherwise, the access point can derive its operating power directly from the

RJ-45 port when connected to a device that provides IEEE 802.3af compliant

Power over Ethernet (PoE).

Note: If the access point is connected to both a PoE source device and an AC power source, AC power will be disabled.

Caution: Use ONLY the power adapter supplied with this access point. Otherwise, the product may be damaged.

4.

Observe the Self Test

– When you power on the access point, verify that the

PWR indicator stops flashing and remains on, and that the other indicators start

functioning as described under “LED Indicators” on page 1-3. If the PWR LED

does not stop flashing, the self test has not completed correctly. Refer to

“Troubleshooting” on page A-1.

5.

Connect the Ethernet Cable – The access point can be wired to a 10/100

Mbps Ethernet through a network device such as a hub or a switch. Connect your network to the RJ-45 port on the back panel with category 3, 4, or 5 UTP

Ethernet cable. When the access point and the connected device are powered on, the Ethernet Link LED should light indicating a valid network connection. If

this LED fails to turn on refer to “Troubleshooting” on page A-1.

Note: The RJ-45 port on the access point supports auto=MDI/MDI-X operation, so you can use either straight-through or crossover cable to connect to switches or PCs.

6.

Position the Antennas

– Each antenna emits a radiation pattern that is toroidal (doughnut shaped), with the coverage extending most in the direction perpendicular to the antenna. Therefore, the antennas should be oriented so that the radio coverage pattern fills the intended horizontal space. Also, the diversity antennas should both be positioned along the same axes, providing the same coverage area. For example, if the access point is mounted on a horizontal surface, both antennas should be positioned pointing vertically up to provide optimum coverage.

7.

Connect the Console Port – Connect the console cable (included) to the

RS-232 console port for accessing the command-line interface. You can manage the access point using the console port (Chapter 6), the web interface

(Chapter 5), or SNMP management software such as SMC’s EliteView.

2-2

Chapter 3: External Antennas

The SMC2552W-G2 provides a variety of external antenna options for extending the radio range and shaping the coverge area. These antennas offer a number of different mounting locations, including indoor or outdoor, wall, ceiling, or radio mast.

This chapter shows you how to install an external antenna for your SMC2552W-G2.

Note: The use of external antennas with the access point requires professional personnel that are trained in the installation of radio transmitting equipment. The user is responsible for compliance with local regulations concerning items such as antenna gain, cables, lightning arrestors, and transmit power. Therefore, you must consult a professional contractor knowledgeable in local radio regulations prior to equipment installation.

Installation Procedures

Follow these steps to install an external antenna and connect it to the

SMC2552W-G2.

Caution: Never mount the access point outdoors to be near an external antenna. The access point must always be installed indoors.

1.

Plan the Installation

Pigtail Cables - Use the coax pigtail cable attached to the antenna to connect to the access point. Because most pigtail cables are a relatively short length

(83 cm or 33 inches), be sure to find a suitable mounting position for the antenna that is not too far from the access point. If an extension cable is required, please contact a professional installer who is trained in RF installation and knowledgeable in the local regulations.

Installation Location - Plan the antenna’s position and orientation.

Warning: The radiated output power of this device is below the FCC radio exposure limits. Nevertheless, the device should be used in such a manner that the potential for human contact during normal operation is minimized. To avoid the possibility of exceeding the FCC radio frequency exposure limits, human proximity to the antennas should not be less than 20 cm (8 inches) during normal operation.

Consider these points:

• Use the antenna’s mounting bracket or other hardware, if included.

• For optimum performance, mount antennas as high as possible above any obstructions, and away from any signal absorbing or reflecting structures

(such as those containing metal)

• Be sure there are no other radio antennas mounted within 2 m (6 ft).

• Consider the antenna’s radio coverage pattern so that it can properly cover the intended service area.

3-1

3

External Antennas

Omnidirectional Antennas - Consider these factors when selecting a location for these antennas:

• Always mount the antenna in a vertical orientation so that the radio coverage pattern fills the intended horizontal space.

• For optimum coverage, mount the antenna at the center of the area with a line-of-sight path to all points within the area.

• Avoid mounting next to or near building support columns or other obstructions that may cause reduced signal or null zones in parts of the coverage area.

• When mounting outdoors using a mast, make sure that the antenna extends beyond the top of the mast.

Directional Antennas - Consider these factors when selecting a location for these antennas:

• For optimum coverage, mount the antenna above any obstructions, directed at the center of the coverage area sector.

• High-gain directional antennas provide a flattened radio coverage pattern in the horizontal plane. Use the tilting or articulated mounts to point the antennas towards the coverage area.

Outdoor Installation - When installing an antenna outdoors, be sure to consider these additional factors:

• Always place the antenna away from power and telephone lines

• Make sure that the antenna, any supporting structure, and cables are all properly grounded.

• For lightning protection, consider using a lightning arrestor immediately before the cable enters the building.

Warning: Never install an antenna or construct a radio mast near overhead power lines.

2.

Mount the Antenna

Install the antenna in its planned location using the brackets, clips, or other hardware included in the antenna package.

Refer to documentation included with the antenna for specific information and installation instructions.

3.

Connect Pigtail Cables to the Access Point

Use the pigtail cables that are attached to the antenna, or are included in the antenna package. If an extension cable is required, please contact a professional installer who is trained in RF installation and knowledgeable in the local regulations.

Note that diversity antennas have two pigtail cables. A diversity antenna includes two internal antenna elements that are identical. Both antenna pigtail cables must be connected to the access point for correct operation.

Other non-diversity antennas, can be connected to either antenna connector and then configured for usage using the antenna options in the user interface.

3-2

Installation Procedures

To connect pigtail cables to the access point, follow these steps:

1.

Disable the access point radio using the web browser interface, CLI, or SNMP.

3

2.

Remove power to the access point.

3.

Remove both of the access point’s antennas by unscrewing them at their base.

Unscrew antenna to remove

4.

For diversity antennas, connect the antenna pigtail cables to the exposed

Reverse SMA connectors on both sides of the access point.

For non-diversity antennas, be sure to connect the single pigtail cable to the

Reverse SMA connector on the access point’s side activated through the software interface.

Screw onto access point’s

Reverse SMA connector

Antenna pigtail cable

3-3

3

External Antennas

5.

Reconnect power to the access point.

Note: Before enabling the radio with an external antenna attached, be sure to first configure the access point’s antenna mode.

3-4

Chapter 4: Network Configuration

Wireless networks support a stand-alone configuration as well as an integrated configuration with 10/100 Mbps Ethernet LANs. The 2.4 GHz Wireless Access Point also provides repeater and bridging services that can be configured independently on 2.4 GHz radio interfaces.

Access points can be deployed to support wireless clients and connect wired LANs in the following configurations:

• Ad hoc for departmental, SOHO or enterprise LANs

• Infrastructure for wireless LANs

• Infrastructure wireless LAN for roaming wireless PCs

• Infrastructure wireless bridge to connect wired LANs

• Infrastructure wireless repeater for extended range

The 802.11b and 802.11g frequency band which operates at 2.4 GHz can easily encounter interference from other 2.4 GHz devices, such as other 802.11b or g wireless devices, cordless phones and microwave ovens. If you experience poor wireless LAN performance, try the following measures:

• Limit any possible sources of radio interference within the service area

• Increase the distance between neighboring access points

• Decrease the signal strength of neighboring access points

• Increase the channel separation of neighboring access points (e.g. up to 5 channels of separation for 802.11b and 802.11g)

4-1

4

Network Configuration

Network Topologies

Ad Hoc Wireless LAN (no Access Point)

An ad hoc wireless LAN consists of a group of computers, each equipped with a wireless adapter, connected via radio signals as an independent wireless LAN.

Computers in a specific ad hoc wireless LAN must therefore be configured to the same radio channel. An ad hoc wireless LAN can be used for a branch office or

SOHO operation.

Ad Hoc Wireless LAN

Notebook with

Wireless USB Adapter

Notebook with

Wireless PC Card

PC with Wireless

PCI Adapter

4-2

Network Topologies

Infrastructure Wireless LAN

The access point also provides access to a wired LAN for wireless workstations. An integrated wired/wireless LAN is called an Infrastructure configuration. A Basic

Service Set (BSS) consists of a group of wireless PC users, and an access point that is directly connected to the wired LAN. Each wireless PC in this BSS can talk to any computer in its wireless group via a radio link, or access other computers or network resources in the wired LAN infrastructure via the access point.

4

The infrastructure configuration not only extends the accessibility of wireless PCs to the wired LAN, but also increases the effective wireless transmission range for wireless PCs by passing their signal through one or more access points.

A wireless infrastructure can be used for access to a central database, or for connection between mobile workers, as shown in the following figure.

Wired LAN Extension to Wireless Clients

Server

Switch Desktop PC

Access Point

Notebook PC

Desktop PC

4-3

4

Network Configuration

Infrastructure Wireless LAN for Roaming Wireless PCs

The Basic Service Set (BSS) defines the communications domain for each access point and its associated wireless clients. The BSS ID is a 48-bit binary number based on the access point’s wireless MAC address, and is set automatically and transparently as clients associate with the access point. The BSS ID is used in frames sent between the access point and its clients to identify traffic in the service area.

The BSS ID is only set by the access point, never by its clients. The clients only need to set the Service Set Identifier (SSID) that identifies the service set provided by one or more access points. The SSID can be manually configured by the clients, can be detected in an access point’s beacon, or can be obtained by querying for the identity of the nearest access point. For clients that do not need to roam, set the

SSID for the wireless card to that used by the access point to which you want to connect.

A wireless infrastructure can also support roaming for mobile workers. More than one access point can be configured to create an Extended Service Set (ESS). By placing the access points so that a continuous coverage area is created, wireless users within this ESS can roam freely. All wireless network cards and adapters and wireless access points within a specific ESS must be configured with the same

SSID.

Seamless Roaming

Between Access Points

Server

Desktop PC

Switch

Switch

Access Point

Access Point

Notebook PC

<BSS 1> <ESS>

<BSS 2>

Notebook PC

Desktop PC

4-4

Network Topologies

Infrastructure Wireless Bridge

The IEEE 802.11 standard defines a WIreless Distribution System (WDS) for bridge connections between BSS areas (access points). The access point uses WDS to forward traffic on links between units.

The access point supports WDS bridge links on the 2.4 GHz (802.11b/g) band and can be used with various external antennas to offer flexible deployment options.

Up to six WDS bridge links can be specified for each unit in the wireless bridge network. One unit only must be configured as the “root bridge” in the wireless network. The root bridge should be the unit connected to the main core of the wired

LAN. Other bridges must configure one “parent” link to the root bridge or to a bridge connected to the root bridge. The other five available WDS links can be specified as

“child” links to other bridges. This forms a tiered-star topology for the wireless bridge network.

When using WDS on a radio band, only wireless bridge units can associate to each other. Wireless clients can only associate with the access point using a radio band set to access point or repeater mode.

4

Network

Core

Wireless Bridge Links

Between Access Points

802.11g Radio

AP Link

Root Bridge

802.11b Radio

Bridge Link

802.11b Radio

Bridge Link

802.11g Radio

AP Link

Bridge

802.11b Radio

Bridge Link

802.11g Radio

AP Link

Bridge

802.11g Radio

AP Link

Bridge

4-5

4

Network Configuration

Infrastructure Wireless Repeater

The access point can also operate in a bridge “repeater” mode to extend the range of links to wireless clients. The access point uses WDS to forward traffic between the repeater bridge and the root bridge. The access point supports up to six WDS repeater links.

In repeater mode, the access point does not support an Ethernet link to a wired LAN.

Note that when the access point operates in this mode only half the normal throughput is possible. This is because the access point has to receive and then re-transmit all data on the same channel.

Network

Core

Wireless Repeater Links

Between Access Points

802.11g Radio

AP Link

Repeater

Root Bridge

802.11g Radio

Repeater Link

802.11g Radio

Repeater Link

802.11g Radio

AP Link

Repeater

4-6

Chapter 5: Initial Configuration

The 2.4 GHz Wireless Access Point offers a variety of management options, including a web-based interface, a direct connection to the console port, Telnet,

Secure Shell (SSH), or using SNMP software.

The initial configuration steps can be made through the web browser interface or

CLI. The access point requests an IP address via DHCP by default. If no response is received from the DHCP server, then the access point uses the default address

192.168.2.2. If this address is not compatible with your network, you can first use the command line interface (CLI) as described below to configure a valid address.

Note: Units sold in countries outside the United States are not configured with a specific country code. You must use the CLI to set the country code and enable wireless

operation (page 5-3).

Initial Setup through the CLI

Required Connections

The access point provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuration. Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the access point. You can use the console cable provided with this package, or use a cable that complies with the

wiring assignments shown on page B-3.

To connect to the console port, complete the following steps:

1.

Connect the console cable to the serial port on a terminal, or a PC running terminal emulation software, and tighten the captive retaining screws on the

DB-9 connector.

2.

Connect the other end of the cable to the RS-232 serial port on the access point.

3.

Make sure the terminal emulation software is set as follows:

• Select the appropriate serial port (COM port 1 or 2).

• Set the data rate to 9600 baud.

• Set the data format to 8 data bits, 1 stop bit, and no parity.

• Set flow control to none.

• Set the emulation mode to VT100.

• When using HyperTerminal, select Terminal keys, not Windows keys.

5-1

5

Initial Configuration

Note: When using HyperTerminal with Microsoft

®

Windows

®

2000, make sure that you have Windows 2000 Service Pack 2 or later installed. Windows 2000 Service

Pack 2 fixes the problem of arrow keys not functioning in HyperTerminal’s VT100 emulation. See www.microsoft.com for information on Windows 2000 service packs.

4.

Once you have set up the terminal correctly, press the [Enter] key to initiate the console connection. The console login screen will be displayed.

For a description of how to use the CLI, see “Using the Command Line Interface” on page 7-1. For a list of all the CLI commands and detailed information on using the

CLI, refer to “Command Groups” on page 7-6.

Initial Configuration Steps

Logging In – Enter “admin” for the user name, and “smcadmin” for the password.

The CLI prompt appears displaying the access point’s name.

Username: admin

Password: smcadmin

Enterprise AP#

Setting the IP Address – By default, the access point is configured to obtain IP address settings from a DHCP server. If a DHCP server is not available, the IP address defaults to 192.168.2.2, which may not be compatible with your network.

You will therefore have to use the command line interface (CLI) to assign an IP address that is compatible with your network.

Type “configure” to enter configuration mode, then type “interface ethernet” to access the Ethernet interface-configuration mode.

Enterprise AP#configure

Enterprise AP(config)#interface ethernet

Enterprise AP(config-if)#

First type “no ip dhcp” to disable DHCP client mode. Then type “ip address ip-address netmask gateway ,” where “ip-address” is the access point’s IP address,

“netmask” is the network mask for the network, and “gateway” is the default gateway router. Check with your system administrator to obtain an IP address that is compatible with your network.

Enterprise AP(if-ethernet)#no ip dhcp

Enterprise AP(if-ethernet)#ip address 192.168.2.2

255.255.255.0 192.168.2.254

Enterprise AP(if-ethernet)#

5-2

Logging In

After configuring the access point’s IP parameters, you can access the management interface from anywhere within the attached network. The command line interface can also be accessed using Telnet from any computer attached to the network.

5

Setting the Country Code

– Units sold in the United States are configured by default to use only radio channels 1-11 in 802.11b or 802.11g mode as defined by

FCC regulations. Units sold in other countries are configured by default without a country code (i.e., 99). You must use the CLI to set the country code. Setting the country code restricts operation of the access point to the radio channels and transmit power levels permitted for wireless networks in the specified country.

Type “exit” to leave configuration mode. Then type “country ?” to display the list of countries. Select the code for your country, and enter the country command again, following by your country code (e.g., tw for Taiwan).

Enterprise AP#country tw

Enterprise AP#

Note: Command examples shown later in this manual abbreviate the console prompt to

“AP” for simplicity.

Logging In

There are only a few basic steps you need to complete to connect the access point to your corporate network, and provide network access to wireless clients.

The access point can be managed by any computer using a web browser (Internet

Explorer 5.0 or above, or Netscape Navigator 6.2 or above). Enter the default IP address: http://192.168.2.2

Logging In – Enter the username “admin,” and password “smcadmin” then click

LOGIN. For information on configuring a user name and password, see page 6-28.

5-3

5

Initial Configuration

The home page displays the Main Menu.

5-4

Chapter 6: System Configuration

Before continuing with advanced configuration, first complete the initial configuration steps described in Chapter 4 to set up an IP address for the access point.

The access point can be managed by any computer using a web browser (Internet

Explorer 5.0 or above, or Netscape Navigator 6.2 or above). Enter the configured IP address of the access point, or use the default address: http://192.168.2.2

To log into the access point, enter the default user name “admin” and the password

“smcadmin”, then press “LOGIN”. When the home page displays, click on Advanced

Setup. The following page will display.

The information in this chapter is organized to reflect the structure of the web screens for easy reference. However, it is recommended that you configure a user name and password as the first step under advanced configuration to control

management access to this device (page 6-28).

6-1

6

System Configuration

Advanced Configuration

The Advanced Configuration pages include the following options.

Menu

System

Identification

TCP / IP Settings

RADIUS

SSH Settings

Authentication

Filter Control

VLAN

WDS Settings

AP Management

Administration

System Log

SNMP

SNMP

SNMP Trap Filters

SNMP Targets

Radio Interface G

Radio Settings

Security

Status

AP Status

Table 6-2. Menu

Description

Configures basic administrative and client access

Specifies the host name

Configures the IP address, subnet mask, gateway, and domain name servers

Configures the RADIUS server for wireless client authentication and accounting

Configures Secure Shell management access

Configures 802.1X client authentication, with an option for MAC address authentication

Filters communications between wireless clients, access to the management interface from wireless clients, and traffic matching specific Ethernet protocol types

Enables VLAN support and sets the management VLAN ID

Configures bridge or repeater modes for each radio interface and sets spanning tree parameters

Configures access to management interfaces

Configures user name and password for management access; upgrades software from local file, FTP or TFTP server; resets configuration settings to factory defaults; and resets the access point

Controls logging of error messages; sets the system clock via

SNTP server or manual configuration

Configures SNMP settings

Controls access to this access point from management stations using SNMP, as well as the hosts that will receive trap messages

Defines trap filters for SNMPv3 users

Specifies SNMPv3 users that will receive trap messages

Configures the IEEE 802.11g interface

Configures common radio signal parameters and other settings for each VAP interface

Enables each VAP interface, sets the SSID, and configures wireless security

Displays information about the access point and wireless clients

Displays configuration settings for the basic system and the wireless interface

Page

6-3

6-3

6-5

6-7

6-11

6-12

6-17

6-19

6-21

6-27

6-28

6-32

6-36

6-36

6-44

6-46

6-48

6-48

6-63

6-83

6-83

6-2

Advanced Configuration

6

Menu

Station Station

Event Logs

Table 6-2. Menu

Description

Shows the wireless clients currently associated with the access point

Shows log messages stored in memory

Page

6-86

6-89

System Identification

The system name for the access point can be left at its default setting. However, modifying this parameter can help you to more easily distinguish different devices in your network.

System Name

– An alias for the access point, enabling the device to be uniquely identified on the network. (Default: SMC; Range: 1-32 characters)

6-3

6

System Configuration

CLI Commands for System Identification – Enter the global configuration mode, and use the system name command to specify a new system name. Then return to the

Exec mode, and use the show system command to display the changes to the system identification settings.

Enterprise AP#config

Enterprise AP(config)#system name R&D

Enterprise AP(config)#end

Enterprise AP#show system

Enterprise AP#config

Enter configuration commands, one per line.

Enterprise AP(config)#system name R&D

Enterprise AP(config)#end

Enterprise AP#show system

System Information

==============================================================

Serial Number :

System Up time : 0 days, 0 hours, 32 minutes, 22 seconds

System Name : R&D

System Location :

System Contact : Contact

System Country Code : US - UNITED STATES

MAC Address : 00-12-CF-12-34-60

Radio A MAC Address : 00-12-CF-12-34-61

Radio G MAC Address : 00-12-CF-12-34-65

IP Address : 192.168.2.2

Subnet Mask : 255.255.255.0

Default Gateway : 0.0.0.0

VLAN State : DISABLED

Management VLAN ID(AP): 1

IAPP State : ENABLED

DHCP Client : ENABLED

HTTP Server : ENABLED

HTTP Server Port : 80

HTTPS Server : ENABLED

HTTPS Server Port : 443

Slot Status : Single band(b/g)

Boot Rom Version : v1.1.5

Software Version : v5.0.0.0

SSH Server : ENABLED

SSH Server Port : 22

Telnet Server : ENABLED

WEB Redirect : DISABLED

DHCP Relay : DISABLED

==============================================================

Enterprise AP#

7-14

7-88

7-23

7-8

7-14

7-88

7-23

6-4

Advanced Configuration

6

TCP / IP Settings

Configuring the access point with an IP address expands your ability to manage the access point. A number of access point features depend on IP addressing to operate.

Note: You can use the web browser interface to access IP addressing only if the access point already has an IP address that is reachable through your network.

By default, the access point will be automatically configured with IP settings from a

Dynamic Host Configuration Protocol (DHCP) server. However, if you are not using a DHCP server to configure IP addressing, use the CLI to manually configure the

initial IP values (see page 5-2). After you have network access to the access point,

you can use the web browser interface to modify the initial IP configuration, if needed.

Note: If there is no DHCP server on your network, or DHCP fails, the access point will automatically start up with a default IP address of 192.168.2.2.

DHCP Client (Enable)

– Select this option to obtain the IP settings for the access point from a DHCP (Dynamic Host Configuration Protocol) server. The IP address, subnet mask, default gateway, and Domain Name Server (DNS) address are dynamically assigned to the access point by the network DHCP server.

(Default: Enabled)

DHCP Client (Disable) – Select this option to manually configure a static address for the access point.

• IP Address: The IP address of the access point. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.

6-5

6

System Configuration

• Subnet Mask: The mask that identifies the host address bits used for routing to specific subnets.

• Default Gateway: The default gateway is the IP address of the router for the access point, which is used if the requested destination address is not on the local subnet.

If you have management stations, DNS, RADIUS, or other network servers located on another subnet, type the IP address of the default gateway router in the text field provided. Otherwise, leave the address as all zeros (0.0.0.0).

• Primary and Secondary DNS Address: The IP address of Domain Name Servers on the network. A DNS maps numerical IP addresses to domain names and can be used to identify network hosts by familiar names instead of the IP addresses.

If you have one or more DNS servers located on the local network, type the IP addresses in the text fields provided. Otherwise, leave the addresses as all zeros

(0.0.0.0).

CLI Commands for TCP/IP Settings – From the global configuration mode, enter the interface configuration mode with the interface ethernet command. Use the ip dhcp

command to enable the DHCP client, or no ip dhcp to disable it. To manually configure an address, specify the new IP address, subnet mask, and default gateway using the ip address command. To specify DNS server addresses use the dns server command. Then use the show interface ethernet command from the

Exec mode to display the current IP settings.

Enterprise AP(config)#interface ethernet

Enter Ethernet configuration commands, one per line.

Enterprise AP(if-ethernet)#no ip dhcp

Enterprise AP(if-ethernet)#ip address 192.168.1.2

255.255.255.0 192.168.1.253

Enterprise AP(if-ethernet)#dns primary-server 192.168.1.55

Enterprise AP(if-ethernet)#dns secondary-server 10.1.0.55

Enterprise AP(config)#end

Enterprise AP#show interface ethernet

Ethernet Interface Information

========================================

IP Address : 192.168.1.2

Subnet Mask : 255.255.255.0

Default Gateway : 192.168.1.253

Primary DNS : 192.168.1.55

Secondary DNS : 10.1.0.55

Speed-duplex : 100Base-TX Full Duplex

Admin status : Up

Operational status : Up

========================================

Enterprise AP#

7-88

7-90

7-89

7-89

7-89

7-8

7-92

6-6

Advanced Configuration

6

RADIUS

Remote Authentication Dial-in User Service (RADIUS) is an authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of user credentials for each user that requires access to the network.

A primary RADIUS server must be specified for the access point to implement IEEE

802.1X network access control and Wi-Fi Protected Access (WPA) wireless security.

A secondary RADIUS server may also be specified as a backup should the primary server fail or become inaccessible.

In addition, the configured RADIUS server can also act as a RADIUS Accounting server and receive user-session accounting information from the access point.

RADIUS Accounting can be used to provide valuable information on user activity in the network.

Note: This guide assumes that you have already configured RADIUS server(s) to support the access point. Configuration of RADIUS server software is beyond the scope of this guide, refer to the documentation provided with the RADIUS server software.

6-7

6

System Configuration

6-8

Advanced Configuration

6

MAC Address Format – MAC addresses can be specified in one of four formats, using no delimeter, with a single dash delimeter, with multiple dash delimeters, and with multiple colon delimeters.

VLAN ID Format

– A VLAN ID (a number between 1 and 4094) can be assigned to each client after successful authentication using IEEE 802.1X and a central RADIUS server. The user VLAN IDs must be configured on the RADIUS server for each user authorized to access the network. VLAN IDs can be entered as hexadecimal numbers or as ASCII strings.

Primary Radius Server Setup – Configure the following settings to use RADIUS authentication on the access point.

• IP Address: Specifies the IP address or host name of the RADIUS server.

• Port: The UDP port number used by the RADIUS server for authentication messages. (Range: 1024-65535; Default: 1812)

• Key: A shared text string used to encrypt messages between the access point and the RADIUS server. Be sure that the same text string is specified on the RADIUS server. Do not use blank spaces in the string. (Maximum length: 255 characters)

• Timeout: Number of seconds the access point waits for a reply from the RADIUS server before resending a request. (Range: 1-60 seconds; Default: 5)

• Retransmit attempts: The number of times the access point tries to resend a request to the RADIUS server before authentication fails. (Range: 1-30; Default: 3)

• Accounting Port: The RADIUS Accounting server UDP port used for accounting messages. (Range: 0 or 1024-65535; Default: 0, disabled)

• Interim Update Timeout: The interval between transmitting accounting updates to the RADIUS server. (Range: 60-86400; Default: 3600 seconds)

Note: For the Timeout and Retransmit attempts fields, accept the default values unless you experience problems connecting to the RADIUS server over the network.

Secondary Radius Server Setup – Configure a secondary RADIUS server to provide a backup in case the primary server fails. The access point uses the secondary server if the primary server fails or becomes inaccessible. Once the access point switches over to the secondary server, it periodically attempts to establish communication again with primary server. If communication with the primary server is re-established, the secondary server reverts to a backup role.

6-9

6

System Configuration

CLI Commands for RADIUS – From the global configuration mode, use the radius-server address

command to specify the address of the primary or secondary RADIUS servers. (The following example configures the settings for the primary RADIUS server.) Configure the other parameters for the RADIUS server.

Then use the show show radius command from the Exec mode to display the current settings for the primary and secondary RADIUS servers.

Enterprise AP(config)#radius-server address 192.168.1.25

Enterprise AP(config)#radius-server port 181

Enterprise AP(config)#radius-server key green

Enterprise AP(config)#radius-server timeout 10

Enterprise AP(config)#radius-server retransmit 5

Enterprise AP(config)#radius-server port-accounting 1813

Enterprise AP(config)#radius-server timeout-interim 500

Enterprise AP(config)#exit

Enterprise AP#show radius

Radius Server Information

========================================

IP : 192.168.1.25

Port : 181

Key : *****

Retransmit : 5

Timeout : 10

Radius MAC format : no-delimiter

Radius VLAN format : HEX

========================================

Radius Secondary Server Information

========================================

IP : 0.0.0.0

Port : 1812

Key : *****

Retransmit : 3

Timeout : 5

Radius MAC format : no-delimiter

Radius VLAN format : HEX

========================================

Enterprise AP#

7-59

7-60

7-60

7-61

7-61

7-62

7-62

7-64

6-10

Advanced Configuration

6

SSH Settings

Telnet is a remote management tool that can be used to configure the access point from anywhere in the network. However, Telnet is not secure from hostile attacks.

The Secure Shell (SSH) can act as a secure replacement for Telnet. The SSH protocol uses generated public keys to encrypt all data transfers passing between the access point and SSH-enabled management station clients and ensures that data traveling over the network arrives unaltered. Clients can then securely use the local user name and password for access authentication.

Note that SSH client software needs to be installed on the management station to access the access point for management via the SSH protocol.

Notes: 1.

The access point supports only SSH version 2.0.

2.

After boot up, the SSH server needs about two minutes to generate host encryption keys. The SSH server is disabled while the keys are being generated.

SSH Settings

• Telnet Server Status: Enables or disables the Telnet server. (Default: Enabled)

SSH Server Status: Enables or disables the SSH server. (Default: Enabled)

SSH Server Port: Sets the UDP port for the SSH server. (Range: 1-65535;

Default: 22)

6-11

6

System Configuration

CLI Commands for SSH – To enable the SSH server, use the ip ssh-server enable command from the CLI Ethernet interface configuration mode. To set the SSH server UDP port, use the ip ssh-server port command. To view the current settings, use the show system command from the CLI Exec mode (not shown in the following example).

Enterprise AP(if-ethernet)#no ip telnet-server

Enterprise AP(if-ethernet)#ip ssh-server enable

Enterprise AP(if-ethernet)#ip ssh-server port 1124

Enterprise AP(if-ethernet)#exit

Enterprise AP(if-ethernet)#configure

7-17

7-16

7-16

Authentication

Wireless clients can be authenticated for network access by checking their MAC address against the local database configured on the access point, or by using a database configured on a central RADIUS server. Alternatively, authentication can be implemented using the IEEE 802.1X network access control protocol.

A client’s MAC address provides relatively weak user authentication, since MAC addresses can be easily captured and used by another station to break into the network. Using 802.1X provides more robust user authentication using user names and passwords or digital certificates. You can configure the access point to use both

MAC address and 802.1X authentication, with client station MAC authentication occurring prior to IEEE 802.1X authentication. However, it is better to choose one or the other, as appropriate.

Take note of the following points before configuring MAC address or 802.1X authentication:

• Use MAC address authentication for a small network with a limited number of users. MAC addresses can be manually configured on the access point itself without the need to set up a RADIUS server, but managing a large number of MAC addresses across many access points is very cumbersome. A RADIUS server can be used to centrally manage a larger database of user MAC addresses.

• Use IEEE 802.1X authentication for networks with a larger number of users and where security is the most important issue. When using 802.1X authentication, a

RADIUS server is required in the wired network to centrally manage the credentials of the wireless clients. It also provides a mechanism for enhanced network security using dynamic encryption key rotation or W-Fi Protected Access (WPA).

Note: If you configure RADIUS MAC authentication together with 802.1X, RADIUS MAC address authentication is performed prior to 802.1X authentication. If RADIUS

MAC authentication succeeds, then 802.1X authentication is performed. If

RADIUS MAC authentication fails, 802.1X authentication is not performed.

• The access point can also operate in a 802.1X supplicant mode. This enables the access point itself to be authenticated with a RADIUS server using a configured

MD5 user name and password. This prevents rogue access points from gaining access to the network.

6-12

Advanced Configuration

6

MAC Authentication – You can configure a list of the MAC addresses for wireless clients that are authorized to access the network. This provides a basic level of authentication for wireless clients attempting to gain access to the network. A database of authorized MAC addresses can be stored locally on the access point or remotely on a central RADIUS server.

(Default: Disabled)

• Disabled: No checks are performed on an associating station’s MAC address.

• Local MAC: The MAC address of the associating station is compared against the local database stored on the access point. Use the Local MAC Authentication section of this web page to set up the local database, and configure all access points in the wireless network service area with the same MAC address database.

• Radius MAC: The MAC address of the associating station is sent to a configured

RADIUS server for authentication. When using a RADIUS authentication server for

MAC address authentication, the server must first be configured in the Radius

window (see “RADIUS” on page 6-7). The database of MAC addresses and

filtering policy must be defined in the RADIUS server.

Note:

MAC addresses on the RADIUS server can be entered in four different formats

(see “RADIUS” on page 6-7).

6-13

6

System Configuration

802.1X Supplicant – The access point can also operate in a 802.1X supplicant mode. This enables the access point itself to be authenticated with a RADIUS server using a configured MD5 user name and password. This prevents rogue access points from gaining access to the network.

Note: Enabling Web Redirect will cause the system to reboot after 5 seconds.

Local MAC Authentication

– Configures the local MAC authentication database. The

MAC database provides a mechanism to take certain actions based on a wireless client’s MAC address. The MAC list can be configured to allow or deny network access to specific clients.

• System Default: Specifies a default action for all unknown MAC addresses (that is, those not listed in the local MAC database).

• Deny: Blocks access for all MAC addresses except those listed in the local database as “Allow.”

• Allow: Permits access for all MAC addresses except those listed in the local database as “Deny.”

• MAC Authentication Settings: Enters specified MAC addresses and permissions into the local MAC database.

• MAC Address: Physical address of a client. Enter six pairs of hexadecimal digits separated by hyphens; for example, 00-90-D1-12-AB-89.

• Permission: Select Allow to permit access or Deny to block access. If Delete is selected, the specified MAC address entry is removed from the database.

• Update: Enters the specified MAC address and permission setting into the local database.

• MAC Authentication Table: Displays current entries in the local MAC database.

6-14

Advanced Configuration

6

CLI Commands for Local MAC Authentication – Use the mac-authentication server

command from the global configuration mode to enable local MAC authentication. Use the mac-authentication session-timeout command to set the authentication interval, and web-redirect command to enable web-based authentication for service billing. Set the default action for MAC addresses not in the local table using the address filter default command, then enter MAC addresses in the local table using the address filter entry command. To remove an entry from the table, use the address filter delete command. To display the current settings, use the show authentication command from the Exec mode.

7-72

7-72

7-20

7-70

7-71

Enterprise AP(config)#mac-authentication server local

Enterprise AP(config)#mac-authentication session-timeout 5

Enterprise AP(config)#web-redirect

Enterprise AP(config)#address filter default denied

Enterprise AP(config)#address filter entry

00-70-50-cc-99-1a denied

Enterprise AP(config)#address filter entry

00-70-50-cc-99-1b allowed

Enterprise AP(config)#address filter entry

00-70-50-cc-99-1c allowed

Enterprise AP(config)#address filter delete

00-70-50-cc-99-1c

Enterprise AP(config)#exit

Enterprise AP#show authentication

Authentication Information

===========================================================

MAC Authentication Server : LOCAL

MAC Auth Session Timeout Value : 0 min

802.1x supplicant : DISABLED

802.1x supplicant user : EMPTY

802.1x supplicant password : EMPTY

Address Filtering : DENIED

System Default : ALLOW addresses not found in filter table.

Filter Table

MAC Address Status

----------------- ----------

00-70-50-cc-99-1a DENIED

00-70-50-cc-99-1b ALLOWED

=========================================================

Enterprise AP#

7-71

7-68

6-15

6

System Configuration

CLI Commands for RADIUS MAC Authentication – Use the mac-authentication server

command from the global configuration mode to enable remote MAC authentication. Set the timeout value for re-authentication using the mac- authentication session-timeout command. Be sure to also configure connection settings for the RADIUS server (not shown in the following example). To display the current settings, use the show authentication command from the Exec mode.

7-72

7-72

7-68

Enterprise AP(config)#mac-authentication server remote

Enterprise AP(config)#mac-authentication

session-timeout 300

Enterprise AP(config)#exit

Enterprise AP#show authentication

Authentication Information

===========================================================

MAC Authentication Server : REMOTE

MAC Auth Session Timeout Value : 300 min

802.1x supplicant : DISABLED

802.1x supplicant user : EMPTY

802.1x supplicant password : EMPTY

Address Filtering : DENIED

System Default : DENY addresses not found in filter table.

Filter Table

MAC Address Status

----------------- ----------

00-70-50-cc-99-1a DENIED

00-70-50-cc-99-1b ALLOWED

=========================================================

Enterprise AP#

CLI Command for 802.1x Supplicant – To configure the access point to operate as a

802.1X supplicant, first use the 802.1X supplicant user command to set a user name and password for the access point, then use the 802.1X supplicant command to enable the feature. To display the current settings, use the show authentication command from the Exec mode (not shown in the following example)

Enterprise AP(config)#802.1X supplicant user SMC2555W dot1xpass

Enterprise AP(config)#802.1X supplicant

Enterprise AP(config)#

7-68

7-68

6-16

Advanced Configuration

6

Filter Control

The access point can employ network traffic frame filtering to control access to network resources and increase security. You can prevent communications between wireless clients and prevent access point management from wireless clients. Also, you can block specific Ethernet traffic from being forwarded by the access point.

Inter Client STAs Communication Filter – Sets the global mode for wireless-to-wireless communications between clients associated to Virtual AP (VAP) interfaces on the access point. (Default: Prevent Inter and Intra VAP client

Communication)

• Disabled: All clients can communicate with each other through the access point.

• Prevent Intra VAP client communication: When enabled, clients associated with a specific VAP interface cannot establish wireless communications with each other.

Clients can communicate with clients associated to other VAP interfaces.

• Prevent Inter and Intra VAP client communication: When enabled, clients cannot establish wireless communications with any other client, either those associated to the same VAP interface or any other VAP interface.

AP Management Filter – Controls management access to the access point from wireless clients. Management interfaces include the web, Telnet, or SNMP.

(Default: Disabled)

• Disabled: Allows management access from wireless clients.

• Enabled: Blocks management access from wireless clients.

Uplink Port MAC Address Filtering Status

– Prevents traffic with specified source

MAC addresses from being forwarded to wireless clients through the access point.

You can add a maximum of eight MAC addresses to the filter table. (Default:

Disabled)

6-17

6

System Configuration

• MAC Address: Specifies a MAC address to filter, in the form xx-xx-xx-xx-xx-xx.

• Permission: Adds or deletes a MAC address from the filtering table.

Ethernet Type Filter

– Controls checks on the Ethernet type of all incoming and outgoing Ethernet packets against the protocol filtering table. (Default: Disabled)

• Disabled: Access point does not filter Ethernet protocol types.

• Enabled: Access point filters Ethernet protocol types based on the configuration of protocol types in the filter table. If the status of a protocol is set to “ON,” the protocol is filtered from the access point.

Note: Ethernet protocol types not listed in the filtering table are always forwarded by the access point.

Ethernet Type Filter – Enables or disables Ethernet filtering on the port. (Default:

Disabled)

CLI Commands for Bridge Filtering – Use the filter local-bridge command from the global configuration mode to prevent wireless-to-wireless communications through the access point. Use the filter ap-manage command to restrict management access from wireless clients. To configure Ethernet protocol filtering, use the filter ethernet-type enable

command to enable filtering and the filter ethernet-type protocol command to define the protocols that you want to filter. To remove an entry from the table, use the address filter delete command. To display the current settings, use the show filters command from the Exec mode.

Enterprise AP(config)#filter local-bridge

Enterprise AP(config)#filter ap-manage

Enterprise AP(config)#filter uplink enable

Enterprise AP(config)#filter uplink add 00-12-34-56-78-9a

Enterprise AP(config)#filter ethernet-type enable

Enterprise AP(config)#filter ethernet-type protocol ARP

Enterprise AP(config)#exit

Enterprise AP#show filters

Protocol Filter Information

=========================================================

Local Bridge :ENABLED

AP Management :ENABLED

Ethernet Type Filter :ENABLED

Enabled Protocol Filters

---------------------------------------------------------

Protocol: ARP ISO: 0x0806

=========================================================

Enterprise AP#

7-73

7-74

7-74

7-75

7-74

7-76

7-77

6-18

Advanced Configuration

6

VLAN

The access point can employ VLAN tagging support to control access to network resources and increase security. VLANs separate traffic passing between the access point, associated clients, and the wired network. There can be a VLAN assigned to each associated client, a default VLAN for each VAP (Virtual Access

Point) interface, and a management VLAN for the access point.

Note the following points about the access point’s VLAN support:

• The management VLAN is for managing the access point through remote management tools, such as the web interface, SSH, SNMP, or Telnet. The access point only accepts management traffic that is tagged with the specified management VLAN ID.

• All wireless clients associated to the access point are assigned to a VLAN. If IEEE

802.1X is being used to authenticate wireless clients, specific VLAN IDs can be configured on the RADIUS server to be assigned to each client. If a client is not assigned to a specific VLAN or if 802.1X is not used, the client is assigned to the default VLAN for the VAP interface with which it is associated. The access point only allows traffic tagged with assigned VLAN IDs or default VLAN IDs to access clients associated on each VAP interface.

• When VLAN support is enabled on the access point, traffic passed to the wired network is tagged with the appropriate VLAN ID, either an assigned client VLAN

ID, default VLAN ID, or the management VLAN ID. Traffic received from the wired network must also be tagged with one of these known VLAN IDs. Received traffic that has an unknown VLAN ID or no VLAN tag is dropped.

• When VLAN support is disabled, the access point does not tag traffic passed to the wired network and ignores the VLAN tags on any received frames.

Note:

Before enabling VLAN tagging on the access point, be sure to configure the attached network switch port to support tagged VLAN frames from the access point’s management VLAN ID, default VLAN IDs, and other client VLAN IDs.

Otherwise, connectivity to the access point will be lost when you enable the VLAN feature.

Using IEEE 802.1X and a central RADIUS server, up to 64 VLAN IDs can be mapped to specific wireless clients, allowing users to remain within the same VLAN as they move around a campus site. This feature can also be used to control access to network resources from clients, thereby improving security.

A VLAN ID (1-4094) can be assigned to a client after successful IEEE 802.1X authentication. The client VLAN IDs must be configured on the RADIUS server for each user authorized to access the network. If a client does not have a configured

VLAN ID on the RADIUS server, the access point assigns the client to the configured default VLAN ID for the VAP interface.

Note: When using IEEE 802.1X to dynamically assign VLAN IDs, the access point must have 802.1X authentication enabled and a RADIUS server configured. Wireless clients must also support 802.1X client software.

6-19

6

System Configuration

When setting up VLAN IDs for each user on the RADIUS server, be sure to use the

RADIUS attributes and values as indicated in the following table.

Number

64

RADIUS Attribute

Tunnel-Type

65 Tunnel-Medium-Type

81 Tunnel-Private-Group-ID

Value

VLAN (13)

802

VLANID

(1 to 4094 as hexadecimal or string)

VLAN IDs on the RADIUS server can be entered as hexadecimal digits or a string

(see “radius-server vlan-format” on page 7-63).

Note: The specific configuration of RADIUS server software is beyond the scope of this guide. Refer to the documentation provided with the RADIUS server software.

VLAN Classification – Enables or disables VLAN tagging support on the access point.

Native VLAN ID – The VLAN ID that traffic must have to be able to manage the access point. (Range 1-4094; Default: 1)

6-20

Advanced Configuration

6

WDS Settings

Each access point radio interface can be configured to operate in a bridge or repeater mode, which allows it to forward traffic directly to other access point units.

To set up bridge links between access point units, you must configure the wireless

Distribution System (WDS) forwarding table by specifying the wireless MAC address of all units to which you want to forward traffic. Up to six WDS bridge or repeater links can be specified for each unit in the wireless bridge network.

The Spanning Tree Protocol (STP) can be used to detect and disable network loops, and to provide backup links between bridges. This allows a wireless bridge to interact with other bridging devices (that is, an STP-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.

WDS Bridge – Up to six WDS bridge or repeater links (MAC addresses) per radio interface can be specified for each unit in the wireless bridge network. One unit only must be configured as the “root bridge” in the wireless network. The root bridge is the unit connected to the main core of the wired LAN. Other bridges need to specify one “Parent” link to the root bridge or to a bridge connected to the root bridge. The other five WDS links are available as “Child” links to other bridges.

Bridge Role – Each radio interface can be set to operate in one of the following four modes: (Default: AP)

• AP (Access Point): Operates as an access point for wireless clients, providing connectivity to a wired LAN.

6-21

6

System Configuration

• Bridge: Operates as a bridge to other access points. The “Parent” link to the root bridge must be configured. Up to five other ”Child” links are available to other bridges.

• Repeater: Operates as a wireless repeater, extending the range for remote wireless clients and connecting them to the root bridge. The “Parent” link to the root bridge must be configured. In this mode, traffic is not forwarded to the

Ethernet port from the radio interface.

• Root Bridge: Operates as the root bridge in the wireless bridge network. Up to six ”Child” links are available to other bridges in the network.

Bridge Parent – The physical layer address of the root bridge unit or the bridge unit connected to the root bridge. (12 hexadecimal digits in the form

“xx-xx-xx-xx-xx-xx”)

Bridge Child – The physical layer address of other bridge units for which this unit serves as the bridge parent or the root bridge. Note that the first entry under the list of child nodes is reserved for the root bridge, and can only be configured if the role is set to “Root Bridge.” (12 hexadecimal digits in the form “xx-xx-xx-xx-xx-xx”)

Bridge Link Timer – The timeout duration for a period of non-activity on a link.

6-22

Advanced Configuration

6

Spanning Tree Protocol – STP uses a distributed algorithm to select a bridging device (STP-compliant switch, bridge or router) that serves as the root of the spanning tree network. It selects a root port on each bridging device (except for the root device) which incurs the lowest path cost when forwarding a packet from that device to the root device. Then it selects a designated bridging device from each

LAN which incurs the lowest path cost when forwarding a packet from that LAN to the root device. All ports connected to designated bridging devices are assigned as

6-23

6

System Configuration designated ports. After determining the lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.

Once a stable network topology has been established, all bridges listen for Hello

BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the root bridge is down. This bridge will then initiate negotiations with other bridges to reconfigure the network to reestablish a valid network topology.

Bridge – Enables/disables STP on the wireless bridge or repeater.

(Default: Disabled)

Bridge Priority – Used in selecting the root device, root port, and designated port.

The device with the highest priority becomes the STP root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.)

• Range: 0-65535

• Default: 32768

Bridge Max Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STP information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (Range: 6-40 seconds)

• Default: 20

• Minimum: The higher of 6 or [2 x (Hello Time + 1)].

• Maximum: The lower of 40 or [2 x (Forward Delay - 1)]

Bridge Hello Time – Interval (in seconds) at which the root device transmits a configuration message. (Range: 1-10 seconds)

• Default: 2

• Minimum: 1

• Maximum: The lower of 10 or [(Max. Message Age / 2) -1]

Bridge Forwarding Delay – The maximum time (in seconds) this device waits before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result. (Range: 4-30 seconds)

• Default: 15

• Minimum: The higher of 4 or [(Max. Message Age / 2) + 1]

• Maximum: 30

6-24

Advanced Configuration

6

Link Path Cost – This parameter is used by the STP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.)

• Range: 1-65535

• Default: Ethernet interface: 19; Wireless interface: 40

Link Port Priority – Defines the priority used for this port in the Spanning Tree

Protocol. If the path cost for all ports on a switch are the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the spanning tree. This makes a port with higher priority less likely to be blocked if the

Spanning Tree Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled.

• Default: 128

• Range: 0-240, in steps of 16

CLI Commands for WDS Settings – To set the role of the access point radio interface, use the bridge role command from the CLI wireless interface configuration mode. If the role of the radio interface is set to “Bridge” or “Repeater,” the MAC address of the parent node must also be configured using the bridge-link parent command. If the role is set to anything other than “Access Point,” then you should also configure the MAC addresses of the child nodes using the bridge-link child command. To view the current bridge link settings, use the show bridge link command.

6-96

6-98

Enterprise AP(if-wireless g)#bridge role bridge

Enterprise AP(if-wireless g)#bridge-link child 2

00-08-3e-84-bc-6d

Enterprise AP(if-wireless g)#bridge-link child 3

00-08-3e-85-13-f2

Enterprise AP(if-wireless g)#bridge-link child 4

00-08-3e-84-79-31

Enterprise AP(if-wireless g)#bridge-link parent

00-08-2d-69-3a-51

Enterprise AP(if-wireless g)#exit

Enterprise AP#show bridge link wireless a

Interface Wireless A WDS Information

====================================

AP Role: Bridge

Parent: 00-08-2d-69-3a-51

Child:

Child 2: 00-08-3e-84-bc-6d

Child 3: 00-08-3e-85-13-f2

Child 4: 00-08-3e-84-79-31

Child 5: 00-00-00-00-00-00

Child 6: 00-00-00-00-00-00

STAs:

No WDS Stations.

Enterprise AP#

6-97

6-101

6-25

6

System Configuration

CLI Commands for STP Settings – If the role of a radio interface is set to Repeater,

Bridge or Root Bridge, STP can be enabled on the access point to maintain a valid network topology. To globally enable STP, use the bridge stp enable command from the CLI configuration mode. Then configure the other global STP parameters for the bridge. The path cost and priority for each bridge link can be set using the bridge-link path-cost

and bridge-link port-priority command from the Wireless

Interface configuration mode. The path cost and priority can also be set for the

Ethernet port from the Ethernet Interface configuration mode. To view the current

STP settings, use the show bridge stp command.

Enterprise AP(config)#bridge stp enable

Enterprise AP(config)#bridge stp forwarding-delay 2500

Enterprise AP(config)#bridge stp hello-time 500

Enterprise AP(config)#bridge stp max-age 4000

Enterprise AP(config)#bridge stp priority 40000

Enterprise AP(config)#interface wireless a

Enterprise AP(if-wireless g)#bridge-link path-cost 2 40

Enterprise AP(if-wireless g)#bridge-link port-priority 2 64

Enterprise AP(if-wireless g)#exit

Enterprise AP#show bridge stp

Bridge MAC : 00:30:F1:F0:9A:9C

Status : Disabled priority : 32768 desiginated-root : priority = 0, MAC = 00:00:00:00:00:00 root-path-cost : 0 root-Port-no : 0

Hold Time : 0 Seconds

Hello Time : 0 Seconds

Maximum Age : 0 Seconds

Forward Delay : 0 Seconds bridge Hello Time : 2 Seconds bridge Maximum Age : 20 Seconds bridge Forward Delay : 5 Seconds time-since-top-change: 3168 Seconds topology-change-count: 0

Enterprise AP#

6-104

6-105

6-106

6-107

6-108

6-109

6-110

6-111

6-26

Advanced Configuration

6

AP Management

The Web, Telnet, and SNMP management interfaces are enabled and open to all IP addresses by default. To provide more security for management access to the access point, specific interfaces can be disabled and management restricted to a single IP address or a limited range of IP addresses.

Once you specify an IP address or range of addresses, access to management interfaces is restricted to the specified addresses. If anyone tries to access a management interface from an unauthorized address, the access point will reject the connection.

UI Management

– Enables or disables management access through Telnet, the Web

(HTTP), or SNMP interfaces. (Default: Enabled)

Note:

Secure Web (HTTPS) connections are not affected by the UI Management or IP

Management settings.

IP Management – Restricts management access to Telnet, Web, and SNMP interfaces to specified IP addresses. (Default: Any IP)

• Any IP: Indicates that any IP address is allowed management access.

• Single IP: Specifies a single IP address that is allowed management access.

• Multiple IP: Specifies an address range as defined by the entered IP address and subnet mask. For example, IP address 192.168.1.6 and subnet mask

255.255.255.0, defines all IP addresses from 192.168.1.1 to 192.168.1.254.

6-27

6

System Configuration

CLI Commands for AP Management features.

Enterprise AP(config)#apmgmtip multiple 192.168.1.50 255.255.255.0 7-21

Enterprise AP(config)#apmgmtui SNMP enable

7-22

Administration

Changing the Password

Management access to the web and CLI interface on the access point is controlled through a single user name and password. You can also gain additional access

security by using control filters (see “Filter Control” on page 6-17).

To protect access to the management interface, you need to configure an

Administrator’s user name and password as soon as possible. If the user name and password are not configured, then anyone having access to the access point may be able to compromise access point and network security. Once a new Administrator has been configured, you can delete the default “admin” user name from the system.

Note: Pressing the Reset button on the back of the access point for more than five seconds resets the user name and password to the factory defaults. For this reason, we recommend that you protect the access point from physical access by unauthorized persons.

Username – The name of the user. The default name is “admin.” (Length: 3-16 characters, case sensitive)

New Password – The password for management access. (Length: 3-16 characters, case sensitive)

Confirm New Password – Enter the password again for verification.

CLI Commands for the Administrator’s User Name and Password – Use the username and password commands from the CLI configuration mode.

Enterprise AP(config)#username bob

Enterprise AP(config)#password admin

Enterprise AP#

7-15

7-15

6-28

Advanced Configuration

6

Upgrading Firmware

You can upgrade new access point software from a local file on the management workstation, or from an FTP or TFTP server. New software may be provided periodically from your distributor.

After upgrading new software, you must reboot the access point to implement the new code. Until a reboot occurs, the access point will continue to run the software it was using before the upgrade started. Also note that new software that is incompatible with the current configuration automatically restores the access point to the factory default settings when first activated after a reboot.

6-29

6

System Configuration

Before upgrading new software, verify that the access point is connected to the network and has been configured with a compatible IP address and subnet mask.

If you need to download from an FTP or TFTP server, take the following additional steps:

• Obtain the IP address of the FTP or TFTP server where the access point software is stored.

• If upgrading from an FTP server, be sure that you have an account configured on the server with a user name and password.

• If VLANs are configured on the access point, determine the VLAN ID with which the FTP or TFTP server is associated, and then configure the management station, or the network port to which it is attached, with the same VLAN ID. If you are managing the access point from a wireless client, the VLAN ID for the wireless client must be configured on a RADIUS server.

Current version

– Version number of runtime code.

Firmware Upgrade Local – Downloads an operation code image file from the web management station to the access point using HTTP. Use the Browse button to locate the image file locally on the management station and click Start Upgrade to proceed.

• New firmware file: Specifies the name of the code file on the server. The new firmware file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names is 32 characters for files on the access point. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

Firmware Upgrade Remote – Downloads an operation code image file from a specified remote FTP or TFTP server. After filling in the following fields, click Start

Upgrade to proceed.

• New firmware file: Specifies the name of the code file on the server. The new firmware file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the

FTP/TFTP server is 255 characters or 32 characters for files on the access point.

(Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

• IP Address: IP address or host name of FTP or TFTP server.

• Username: The user ID used for login on an FTP server.

• Password: The password used for login on an FTP server.

Restore Factory Settings

– Click the Restore button to reset the configuration settings for the access point to the factory defaults and reboot the system. Note that all user configured information will be lost. You will have to re-enter the default user name (admin) to re-gain management access to this device.

Reboot Access Point – Click the Reset button to reboot the system.

Note: If you have upgraded system software, then you must reboot the access point to implement the new operation code. New software that is incompatible with the current configuration automatically restores the access point to default values when first activated after a reboot.

6-30

Advanced Configuration

6

CLI Commands for Downloading Software from a TFTP Server – Use the copy tftp file

command from the Exec mode and then specify the file type, name, and IP address of the TFTP server. When the download is complete, the dir command can be used to check that the new file is present in the access point file system. To run the new software, use the reset board command to reboot the access point.

7-56

Enterprise AP#copy tftp file

1. Application image

2. Config file

3. Boot block image

Select the type of download<1,2,3>: [1]:1

TFTP Source file name:img.bin

TFTP Server IP:192.168.2.29

Enterprise AP#dir

File Name Type File Size

-------------------------- ---- ----------dflt-img.bin 2 1319939 img.bin 2 1629577 syscfg 5 17776 syscfg_bak 5 17776

262144 byte(s) available

Enterprise AP#reset board

Reboot system now? <y/n>: y

7-58

7-10

6-31

6

System Configuration

System Log

The access point can be configured to send event and error messages to a System

Log Server. The system clock can also be synchronized with a time server, so that all the messages sent to the Syslog server are stamped with the correct time and date.

Enabling System Logging

The access point supports a logging process that can control error messages saved to memory or sent to a Syslog server. The logged messages serve as a valuable tool for isolating access point and network problems.

System Log Setup – Enables the logging of error messages. (Default: Disable)

Server (1-4)

– Enables the sending of log messages to a Syslog server host. Up to four Syslog servers are supported on the access point. (Default: Disable)

Server Name/IP

– The IP address or name of a Syslog server. (Default: 0.0.0.0)

UDP Port – The UDP port used by a Syslog server. (Range: 514 or 11024-65535;

Default: 514)

Logging Console – Enables the logging of error messages to the console.

(Default: Disable)

6-32

Advanced Configuration

6

Logging Level – Sets the minimum severity level for event logging.

(Default: Informational)

The system allows you to limit the messages that are logged by specifying a minimum severity level. The following table lists the error message levels from the most severe (Emergency) to least severe (Debug). The message levels that are logged include the specified minimum level up to the Emergency level.

Error Level

Emergency

Alerts

Critical

Error

Warning

Notice

Informational

Debug

Description

System unusable

Immediate action needed

Critical conditions (e.g., memory allocation, or free memory error - resource exhausted)

Error conditions (e.g., invalid input, default used)

Warning conditions (e.g., return false, unexpected return)

Normal but significant condition, such as cold start

Informational messages only

Debugging messages

Note: The access point error log can be viewed using the Event Logs window in the

Status section (page 6-89). The Event Logs window displays the last 128

messages logged in chronological order, from the newest to the oldest. Log messages saved in the access point’s memory are erased when the device is rebooted.

Logging Facility Type

– Sets the facility type for remote logging of syslog messages.

The command specifies the facility type tag sent in syslog messages. (See RFC

3164.) This type has no effect on the kind of messages reported by the switch.

However, it may be used by the syslog server to sort messages or to store messages in the corresponding database. (Range: 16-23; Default: 16)

6-33

6

System Configuration

CLI Commands for System Logging – To enable logging on the access point, use the logging on command from the global configuration mode. The logging level command sets the minimum level of message to log. Use the logging console command to enable logging to the console. Use the logging host command to specify up to four Syslog servers. The CLI also allows the logging facility-type command to set the facility-type number to use on the Syslog server. To view the current logging settings, use the show logging command.

Enterprise AP(config)#logging on

Enterprise AP(config)#logging level alert

Enterprise AP(config)#logging console

Enterprise AP(config)#logging host 1 IP 10.1.0.3 514

Enterprise AP(config)#logging host 1 Port 514

Enterprise AP(config)#logging facility-type 19

Enterprise AP(config)#exit

Enterprise AP#show logging

Logging Information

============================================

Syslog State : Enabled

Logging Console State : Enabled

Logging Level : Alert

Logging Facility Type : 19

Servers

1: 10.1.0.3, UDP Port: 514, State: Enabled

2: 0.0.0.0, UDP Port: 514, State: Disabled

3: 0.0.0.0, UDP Port: 514, State: Disabled

4: 0.0.0.0, UDP Port: 514, State: Disabled

=============================================

Enterprise AP#

7-29

7-30

7-30

7-29

7-29

7-31

7-32

Configuring SNTP

Simple Network Time Protocol (SNTP) allows the access point to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the access point enables the system log to record meaningful dates and times for event entries. If the clock is not set, the access point will only record the time from the factory default set at the last bootup.

The access point acts as an SNTP client, periodically sending time synchronization requests to specific time servers. You can configure up to two time server IP addresses. The access point will attempt to poll each server in the configured sequence.

SNTP Server

– Configures the access point to operate as an SNTP client. When enabled, at least one time server IP address must be specified.

• Primary Server: The IP address of an SNTP or NTP time server that the access point attempts to poll for a time update.

• Secondary Server: The IP address of a secondary SNTP or NTP time server. The access point first attempts to update the time from the primary server; if this fails it attempts an update from the secondary server.

6-34

Advanced Configuration

6

Note: The access point also allows you to disable SNTP and set the system clock manually.

Set Time Zone – SNTP uses Coordinated Universal Time (or UTC, formerly

Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours your time zone is located before (east) or after (west)

UTC.

Enable Daylight Saving

– The access point provides a way to automatically adjust the system clock for Daylight Savings Time changes. To use this feature you must define the month and date to begin and to end the change from standard time.

During this period the system clock is set back by one hour.

CLI Commands for SNTP – To enable SNTP support on the access point, from the global configuration mode specify SNTP server IP addresses using the sntp-server ip

command, then use the sntp-server enable command to enable the service. Use the sntp-server timezone command to set the time zone for your location, and the sntp-server daylight-saving command to set daylight savings. To view the current

SNTP settings, use the show sntp command.

7-34

7-34

7-36

7-36

Enterprise AP(config)#sntp-server ip 1 10.1.0.19

Enterprise AP(config)#sntp-server enable

Enterprise AP(config)#sntp-server timezone +8

Enterprise AP(config)#sntp-server daylight-saving

Enter Daylight saving from which month<1-12>: 3 and which day<1-31>: 31

Enter Daylight saving end to which month<1-12>: 10 and which day<1-31>: 31

Enterprise AP(config)#exit

Enterprise AP#show sntp

SNTP Information

=========================================================

Service State : Enabled

SNTP (server 1) IP : 10.1.10.19

SNTP (server 2) IP : 192.43.244.18

Current Time : 19 : 35, Oct 10th, 2003

Time Zone : +8 (TAIPEI, BEIJING)

Daylight Saving : Enabled, from Mar, 31st to Oct, 31st

=========================================================

Enterprise AP#

7-37

6-35

6

System Configuration

CLI Commands for the System Clock – The following example shows how to manually set the system time when SNTP server support is disabled on the access point.

Enterprise AP(config)#no sntp-server enable

Enterprise AP(config)#sntp-server date-time

Enter Year<1970-2100>: 2003

Enter Month<1-12>: 10

Enter Day<1-31>: 10

Enter Hour<0-23>: 18

Enter Min<0-59>: 35

Enterprise AP(config)#

7-34

7-35

SNMP

Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.

Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device. These objects are defined in a Management Information Base (MIB) that provides a standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network.

The access point includes an onboard agent that supports SNMP versions 1, 2c, and 3 clients. This agent continuously monitors the status of the access point, as well as the traffic passing to and from wireless clients. A network management station can access this information using SNMP management software that is compliant with MIB II. To implement SNMP management, the access point must first have an IP address and subnet mask, configured either manually or dynamically.

Access to the onboard agent using SNMP v1 and v2c is controlled by community strings. To communicate with the access point, the management station must first submit a valid community string for authentication.

Access to the access point using SNMP v3 provides additional security features that cover message integrity, authentication, and encryption; as well as controlling notifications that are sent to specified user targets.

6-36

SNMP

6

Configuring SNMP and Trap Message Parameters

The access point SNMP agent must be enabled to function (for versions 1, 2c, and

3 clients). Management access using SNMP v1 and v2c also requires community strings to be configured for authentication. Trap notifications can be enabled and sent to up to four management stations.

SNMP

– Enables or disables SNMP management access and also enables the access point to send SNMP traps (notifications). (Default: Disable)

Location – A text string that describes the system location. (Maximum length: 255 characters)

Contact

– A text string that describes the system contact. (Maximum length: 255 characters)

Community Name (Read Only)

– Defines the SNMP community access string that has read-only access. Authorized management stations are only able to retrieve

MIB objects. (Maximum length: 23 characters, case sensitive; Default: public)

6-37

6

System Configuration

Community Name (Read/Write) – Defines the SNMP community access string that has read/write access. Authorized management stations are able to both retrieve and modify MIB objects. (Maximum length: 23 characters, case sensitive;

Default: private)

Trap Destination (1 to 4) – Enables recipients (up to four) of SNMP notifications.

Trap Destination IP Address – Specifies the recipient of SNMP notifications. Enter the IP address or the host name. (Host Name: 1 to 63 characters, case sensitive)

Trap Destination Community Name – The community string sent with the notification operation. (Maximum length: 23 characters, case sensitive;

Default: public)

Engine ID – Sets the engine identifier for the SNMPv3 agent that resides on the access point. This engine protects against message replay, delay, and redirection.

The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets. A default engine

ID is automatically generated that is unique to the access point. (Range: 10 to 64 hexadecimal characters)

Note: If the local engine ID is deleted or changed, all SNMP users will be cleared. All existing users will need to be re-configured. If you want to change the default engine ID, change it first before configuring other SNMP v3 parameters.

6-38

SNMP

6

Trap Configuration – Allows selection of specific SNMP notifications to send. The following items are available:

• sysSystemUp - The access point is up and running.

• sysSystemDown - The access point is about to shutdown and reboot.

• sysRadiusServerChanged - The access point has changed from the primary

RADIUS server to the secondary, or from the secondary to the primary.

• sysConfigFileVersionChanged - The access point’s configuration file has been changed.

• dot11StationAssociation - A client station has successfully associated with the access point.

• dot11StationReAssociation - A client station has successfully re-associated with the access point.

• dot11StationAuthentication - A client station has been successfully authenticated.

• dot11StationRequestFail - A client station has failed association, re-association, or authentication.

• dot11InterfaceBFail - The 802.11b interface has failed.

• dot1xMacAddrAuthSuccess - A client station has successfully authenticated its

MAC address with the RADIUS server.

• dot1xMacAddrAuthFail - A client station has failed MAC address authentication with the RADIUS server.

• dot1xAuthNotInitiated - A client station did not initiate 802.1X authentication.

• dot1xAuthSuccess - A 802.1X client station has been successfully authenticated by the RADIUS server.

• dot1xAuthFail - A 802.1X client station has failed RADIUS authentication.

• dot1xSuppAuthenticated - A supplicant station has been successfully authenticated by the RADIUS server

• localMacAddrAuthSuccess - A client station has successfully authenticated its

MAC address with the local database on the access point.

• localMacAddrAuthFail - A client station has failed authentication with the local MAC address database on the access point.

• iappStationRoamedFrom - A client station has roamed from another access point

(identified by its IP address).

• iappStationRoamedTo - A client station has roamed to another access point

(identified by its IP address).

• iappContextDataSent - A client station’s Context Data has been sent to another access point with which the station has associated.

• sntpServerFail - The access point has failed to set the time from the configured

SNTP server.

• wirelessExternalAntenna - An external antenna has been enabled.

• dot11WirelessStationDeauthenticate - A client station has de-authenticated from the network.

• dot11StationDisassociate - A client station no longer associates with the network.

6-39

6

System Configuration

• dot11StationAuthenticateFail - A client station has tried and failed to authenticate to the network.

Enable All Traps - Click the button to enable all the available traps.

Disable All Traps - Click the button to disable all the available traps.

CLI Commands for SNMP and Trap Configuration – Use the snmp-server enable server

command from the global configuration mode to enable the SNMP agent.

Use the snmp-server location and snmp-server contact commands to indicate the physical location of the access point and define a system contact. To set the read-only and read/write community names, use the snmp-server community command. Use the snmp-server host command to define a trap receiver host and the snmp-server trap command to enable or disable specific traps.

Enterprise AP(config)#snmp-server enable server

Enterprise AP(config)#snmp-server community alpha rw

Enterprise AP(config)#snmp-server community beta ro

Enterprise AP(config)#snmp-server location WC-19

Enterprise AP(config)#snmp-server contact Paul

Enterprise AP(config)#snmp-server host 192.168.1.9 alpha

Enterprise AP(config)#snmp-server trap dot11StationAssociation

Enterprise AP(config)#

7-42

7-41

7-42

7-41

7-43

7-44

6-40

SNMP

6

To view the current SNMP settings, use the show snmp command.

Enterprise AP#show snmp

SNMP Information

==============================================

Service State : Enable

Community (ro) : *****

Community (rw) : *****

Location : WC-19

Contact : Paul

EngineId :80:00:07:e5:80:00:00:2e:62:00:00:00:18

EngineBoots:1

Trap Destinations:

1: 192.168.1.9, Community: *****, State: Enabled

2: 0.0.0.0, Community: *****, State: Disabled

3: 0.0.0.0, Community: *****, State: Disabled

4: 0.0.0.0, Community: *****, State: Disabled

7-54

dot11InterfaceAGFail Enabled dot11InterfaceBFail Enabled

dot11StationAssociation Enabled dot11StationAuthentication Enabled dot11StationReAssociation Enabled dot11StationRequestFail Enabled

dot1xAuthFail Enabled dot1xAuthNotInitiated Enabled

dot1xAuthSuccess Enabled dot1xMacAddrAuthFail Enabled

dot1xMacAddrAuthSuccess Enabled iappContextDataSent Enabled

iappStationRoamedFrom Enabled iappStationRoamedTo Enabled

localMacAddrAuthFail Enabled localMacAddrAuthSuccess Enabled

iappContextDataSent Enabled dot1XSuppAuthenticated Enabled

wirelessExternalAntenna Enabled dot11InterfaceAFail Enabled

dot11InterfaceGFail Enabled

pppLogonFail Enabled sntpServerFail Enabled

configFileVersionChanged Enabled radiusServerChanged Enabled

systemDown Enabled systemUp Enabled

=============================================

Enterprise AP#

6-41

6

System Configuration

Configuring SNMPv3 Users

The access point allows up to 10 SNMP v3 users to be configured. Each user must be defined by a unique name, assigned to one of three pre-defined security groups, and configured with specific authentication and encryption settings.

User – The SNMPv3 user name. (32 characters maximum)

Group

– The SNMPv3 group name. (Options: RO, RWAuth, or RWPriv; Default: RO)

• RO – Read-only access.

• RWAuth – Read/write access with user authentication.

• RWPriv – Read/write access with both user authentication and data encryption.

Auth Type

– The authentication type used for the SNMP user; either MD5 or none.

When MD5 is selected, enter a password in the corresponding Passphrase field.

Priv Type

– The data encryption type used for the SNMP user; either DES or none.

When DES is selected, enter a key in the corresponding Passphrase field.

Passphrase

– The password or key associated with the authentication and privacy settings. A minimum of eight plain text characters is required.

Action

– Click the Add button to add a new user to the list. Click the edit button to change details of an existing user. Click the Del button to remove a user from the list.

Note:

Users must be assigned to groups that have the same security levels. For example, a user who has “Auth Type” and “Priv Type” configured to MD5 and

DES respectively (that it, uses both authentication and data encryption) must be assigned to the RWPriv group. If this same user were instead assigned to the read-only (RO) group, the user would not be able to access the database.

6-42

SNMP

6

CLI Commands for Configuring SNMPv3 Users – Use the snmp-server engine-id command to define the SNMP v3 engine before assigning users to groups. Use the snmp-server user command to assign users to one of the three groups and set the appropriate authentication and encryption types to be used. To view the current

SNMP v3 engine ID, use the show snmp command. To view SNMP users and group settings, use the show snmp users or show snmp group-assignments commands.

7-46

7-46

Enterprise AP(config)#snmp-server engine-id 1a:2b:3c:4d:00:ff

Enterprise AP(config)#snmp-server user

User Name<1-32> :chris

Group Name<1-32> :RWPriv

Authtype(md5,<cr>none):md5

Passphrase<8-32>:a good secret

Privacy(des,<cr>none) :des

Passphrase<8-32>:a very good secret

Enterprise AP(config)#exit

Enterprise AP#show snmp users

=============================================

UserName :chris

GroupName :RWPriv

AuthType :MD5

Passphrase:****************

PrivType :DES

Passphrase:****************

=============================================

Enterprise AP#show snmp group-assignments

7-51

7-51

GroupName :RWPriv

UserName :chris

Enterprise AP#

6-43

6

System Configuration

Configuring SNMPv3 Trap Filters

SNMP v3 users can be configured to receive notification messages from the access point. An SNMP Target ID is created that specifies the SNMP v3 user, IP address, and UDP port. A user-defined notification filter can be created so that specific notifications can be prevented from being sent to particular targets.

The access point allows up to 10 notification filters to be created. Each filter can be defined by up to 20 MIB subtree ID entries.

To configure a new notification filter, click the New button. A new page opens to configure the filter (see below). To edit an existing filter, select the radio button next to the entry in the table and then click the Edit button. To delete a filter, select the radio button next to the entry in the table and then click the Delete button.

When you click on the New button in the SNMP Trap Filters page, a new page opens where the filter parameters are configured. Define a filter name and subtree

ID to be filtered. Select the filter type, include or exclude, from the drop-down list.

Click Apply to create the filter.

To add more subtree IDs to the filter, return to the SNMP Trap Filters page and click the Edit button. In the Edit page, click the New button to access the Add SNMP

Notification Subtree page and configure a new subtree ID to be filtered.

6-44

Note: Only the New Filter page allows the Filter ID to be configured.

SNMP

6

Filter ID – A user-defined name that identifies the filter. (Maximum length: 32 characters)

Subtree OID

– Specifies MIB subtree to be filtered. The MIB subtree must be defined in the form “.1.3.6.1” and always start with a “.”.

Filter Type – Indicates if the filter is to “include” or “exclude” the MIB subtree objects from the filter. Note that MIB objects included in the filter are not sent to the receiving target and objects excluded are sent. By default all traps are sent, so you can first use an “include” filter entry for all trap objects. Then use “exclude” entries for the required trap objects to send to the target. Note that the filter entries are applied in the sequence that they are defined.

CLI Commands for Configuring SNMPv3 Trap Filters – To create a notification filter, use the snmp-server filter command from the CLI configuration mode. Use the command more than once with the same filter ID to build a filter that includes or excludes multiple MIB objects. To view the current SNMP filters, use the show snmp filter command from the CLI Exec mode.

Enterprise AP(config)#snmp-server filter trapfilter

include .1

Enterprise AP(config)#snmp-server filter trapfilter

exclude .1.3.6.1.2.1.2.2.1.1.23

Enterprise AP(config)#exit

Enterprise AP#show snmp filter

Filter: trapfilter

Type: include

Subtree: iso

Type: exclude

Subtree: iso.3.6.1.2.1.2.2.1.1.23

=============================

Enterprise AP#

7-49

7-52

6-45

6

System Configuration

Configuring SNMPv3 Targets

An SNMP v3 notification Target ID is specified by the SNMP v3 user, IP address, and UDP port. A user-defined filter can also be assigned to specific targets to limit the notifications received to specific MIB objects. (Note that the filter must first be

configured. see “Configuring SNMPv3 Trap Filters” on page 6-44)

To configure a new notification receiver target, click the New button. A new page opens to configure the settings (see below). To edit an existing target, select the radio button next to the entry in the table and then click the Edit button. To delete targets, select the radio button next to the entry in the table and then click the Delete button.

When you click on the New or Edit button in the SNMP Targets page, a new page opens where the target parameters are configured. Define the parameters and select a filter, if required. Note that the SNMP v3 user name must first be defined

(see “Configuring SNMPv3 Users” on page 6-42). Click Apply.

Note: The Target ID cannot be changed in the Edit Target page. Only the New Target page allows the Target ID to be configured.

6-46

SNMP

6

Target ID

– A user-defined name that identifies a receiver of notifications. The access point supports up to 10 target IDs. (Maximum length: 32 characters)

IP Address

– Specifies the IP address of the receiving management station.

UDP Port – The UDP port that is used on the receiving management station for notification messages.

SNMP User – The defined SNMP v3 user that is to receive notification messages.

Assigned Filter – The name of a user-defined notification filter that is applied to the target.

CLI Commands for Configuring SNMPv3 Targets – To create a notification target, use the snmp-server targets command from the CLI configuration mode. To assign a filter to a target, use the snmp-server filter-assignment command. To view the current SNMP targets, use the show snmp target command from the CLI Exec mode. To view filter assignment to targets, use the show snmp filter-assignments command.

6-47

6

System Configuration

Enterprise AP(config)#snmp-server targets mytraps

192.168.1.33 chris

Enterprise AP(config)#snmp-server filter-assignment

mytraps trapfilter

Enterprise AP(config)#exit

Enterprise AP#show snmp target

Host ID : mytraps

User : chris

IP Address : 192.168.1.33

UDP Port : 162

=============================

Enterprise AP#show snmp filter-assignments

HostID FilterID

mytraps trapfilter

Enterprise AP#

7-48

7-50

7-52

7-53

Radio Interface

The IEEE 802.11b/g interface includes configuration options for radio signal characteristics and wireless security features.

The IEEE 802.11g standard operates within the 2.4 GHz band at up to 54 Mbps.

Also note that because the IEEE 802.11g standard is an extension of the IEEE

802.11b standard, it allows clients with 802.11b wireless network cards to associate to an 802.11g access point.

The access point can operate in three modes, IEEE 802.11b only, 802.11g only, or a mixed 802.11b/g mode. Also note that 802.11g is backward compatible with

802.11b.

Each radio supports up to eight virtual access point (VAP) interfaces numbered 0 to

7. Each VAP functions as a separate access point, and can be configured with its own Service Set Identification (SSID) and security settings. However, most radio signal parameters apply to all eight VAP interfaces.

The VAPs function similar to a VLAN, with each VAP mapped to its own VLAN ID.

Traffic to specific VAPs can be segregated based on user groups or application traffic. Each VAP can have up to 64 wireless clients, whereby the clients associate with these VAPs the same as they would with a physical access point.

Note: The radio channel settings for the access point are limited by local regulations,

which determine the number of channels that are available. Refer to “General

Specifications” on page C-1 for additional information on the maximum number

channels available.

Note: You must first enable VAP interface 0 before the other interfaces can be enabled.

6-48

Radio Interface

6

Radio Channel – The radio channel that the access point uses to communicate with wireless clients. When multiple access points are deployed in the same area, set the channel on neighboring access points at least five channels apart to avoid interference with each other. For example, in the United States you can deploy up to three access points in the same area (e.g., channels 1, 6, 11). Also note that the channel for wireless clients is automatically set to the same as that used by the access point to which it is linked. (Range: 1-11; Default: 1)

Auto Channel Select

– Enables the access point to automatically select an unoccupied radio channel. (Default: Enabled)

Transmit Power

– Adjusts the power of the radio signals transmitted from the access point. The higher the transmission power, the farther the transmission range. Power selection is not just a trade off between coverage area and maximum supported clients. You also have to ensure that high-power signals do not interfere with the operation of other radio devices in the service area. (Options: 100%, 50%, 25%,

12%, minimum; Default: 100%)

Note: When operating the access point using 5 GHz channels in a European

Community country, the end user and installer are obligated to operate the device in accordance with European regulatory requirements for Transmit Power Control

(TPC).

6-49

6

System Configuration

Maximum Station Data Rate – The maximum data rate at which the access point transmits unicast packets on the wireless interface. The maximum transmission distance is affected by the data rate. The lower the data rate, the longer the transmission distance. (Default: 54 Mbps)

Maximum Associated Clients – Sets the maximum number of clients that can be associated with a VAP interface at the same time. (Range: 1-64 per VAP interface: Default: 64)

Antenna ID – Selects the antenna to be used by the access point; either the integrated diversity antennas (the "Default Antenna") or an optional external antenna. The optional external antennas (if any) that are certified for use with the access point are listed in the drop-down menu. Selecting the correct antenna ID ensures that the access point's radio transmissions are within regulatory power limits for the country of operation. (Default: Default Antenna)

Note: The Antenna ID must be selected in conjunction with the Antenna Control Method to configure proper use of any of the antenna options.

Antenna Control Method

- Selects the use of both fixed antennas operating in diversity mode or a single antenna. (Default: Diversity)

• Diversity: The radio uses both antennas in a diversity system. Select this method when the Antenna ID is set to "Default Antenna" to use the access point's integrated antennas.

• Right: The radio only uses the antenna on the right side (the side closest to the access point LEDs). Select this method when using an optional external antenna that is connected to the right antenna connector.

• Left: The radio only uses the antenna on the left side (the side farthest from the access point LEDs). Select this method when using an optional external antenna that is connected to the left antenna connector.

Antenna Location – Selects the mounting location of the antenna in use; either

“Indoor” or “Outdoor.” Selecting the correct location ensures that the access point only uses radio channels that are permitted in the country of operation.

(Default: Indoor)

MIC Mode

– The Michael Integrity Check (MIC) is part of the Temporal Key Integrity

Protocol (TKIP) encryption used in Wi-Fi Protected Access (WPA) security. The MIC calculation is performed in the access point for each transmitted packet and this can impact throughput and performance. The access point supports a choice of software or hardware MIC calculation. The performance of the access point can be improved by selecting the best method for the specific deployment. (Default: Software)

• Hardware: Provides best performance when the number of supported clients is less than 27.

• Software: Provides the best performance for a large number of clients on one radio interface. Throughput may be reduced when the 802.11g interface is supporting a high number of clients simultaneously.

6-50

Radio Interface

6

Super G – The Atheros proprietary Super G performance enhancements are supported by the access point. These enhancements include bursting, compression, fast frames and dynamic turbo. Maximum throughput ranges between

40 to 60 Mbps for connections to Atheros-compatible clients. (Default: Disabled)

Radio Mode – Selects the operating mode for the 802.11g wireless interface.

(Default: 802.11b+g)

• 802.11b+g: Both 802.11b and 802.11g clients can communicate with the access point (up to 54 Mbps).

• 802.11b only: Both 802.11b and 802.11g clients can communicate with the access point, but 802.11g clients can only transfer data at 802.11b standard rates (up to

11 Mbps).

• 802.11g only: Only 802.11g clients can communicate with the access point (up to

54 Mbps).

Preamble

– Sets the length of the signal preamble that is used at the start of a data transmission. (Default: Long)

• Long: Sets the preamble to long (192 microseconds). Using a long preamble ensures the access point can support all 802.11b and 802.11g clients.

• Short or Long: Sets the preamble according to the capability of clients that are currently asscociated. Uses a short preamble (96 microseconds) if all associated clients can support it, otherwise a long preamble is used. The access point can increase data throughput when using a short preamble, but will only use a short preamble if it determines that all associated clients support it.

Beacon Interval – The rate at which beacon signals are transmitted from the access point. The beacon signals allow wireless clients to maintain contact with the access point. They may also carry power-management information.

(Range: 20-1000 TUs; Default: 100 TUs)

Data Beacon Rate – The rate at which stations in sleep mode must wake up to receive broadcast/multicast transmissions.

Known also as the Delivery Traffic Indication Map (DTIM) interval, it indicates how often the MAC layer forwards broadcast/multicast traffic, which is necessary to wake up stations that are using Power Save mode. The default value of 2 indicates that the access point will save all broadcast/multicast frames for the Basic Service Set

(BSS) and forward them after every second beacon. Using smaller DTIM intervals delivers broadcast/multicast frames in a more timely manner, causing stations in

Power Save mode to wake up more often and drain power faster. Using higher DTIM values reduces the power used by stations in Power Save mode, but delays the transmission of broadcast/multicast frames.

(Range: 1-255 beacons; Default: 1 beacon)

Multicast Data Rate – The maximum data rate at which the access point transmits multicast and broadcast packets on the wireless interface. (Options: 24, 12, 6

Mbps; Default: 6 Mbps)

6-51

6

System Configuration

Fragmentation Length – Configures the minimum packet size that can be fragmented when passing through the access point. Fragmentation of the PDUs

(Package Data Unit) can increase the reliability of transmissions because it increases the probability of a successful transmission due to smaller frame size. If there is significant interference present, or collisions due to high network utilization, try setting the fragment size to send smaller fragments. This will speed up the retransmission of smaller frames. However, it is more efficient to set the fragment size larger if very little or no interference is present because it requires overhead to send multiple frames. (Range: 256-2346 bytes; Default: 2346 bytes)

RTS Threshold – Sets the packet size threshold at which a Request to Send (RTS) signal must be sent to a receiving station prior to the sending station starting communications. The access point sends RTS frames to a receiving station to negotiate the sending of a data frame. After receiving an RTS frame, the station sends a CTS (clear to send) frame to notify the sending station that it can start sending data.

If the RTS threshold is set to 0, the access point always sends RTS signals. If set to

2347, the access point never sends RTS signals. If set to any other value, and the packet size equals or exceeds the RTS threshold, the RTS/CTS (Request to Send /

Clear to Send) mechanism will be enabled.

The access points contending for the medium may not be aware of each other. The

RTS/CTS mechanism can solve this “Hidden Node Problem.” (Range: 0-2347 bytes:

Default: 2347 bytes)

6-52

Radio Interface

6

CLI Commands for Radio Settings – From the global configuration mode, enter the interface wireless g

command to access the 802.11g radio interface. From the

802.11g interface mode, you can access radio settings that apply to all VAP interfaces. Use the turbo command to enable this feature before setting the radio channel with the channel command. Set any other radio setting as required before enabling the VAP interface (with the no shutdown command). To view the current

802.11g radio settings for the VAP interface, use the show interface wireless g

[0~3]

command as shown on 7-95

.

Enterprise AP(config)#interface wireless g

Enter Wireless configuration commands, one per line.

Enterprise AP(if-wireless g)#super-g

Enterprise AP(if-wireless g)#channel 42

Enterprise AP(if-wireless g)#transmit-power full

Enterprise AP(if-wireless g)#speed 9

Enterprise AP(if-wireless g)#antenna id 0000

Enterprise AP(if-wireless g)#antenna control right

Enterprise AP(if-wireless g)#antenna location indoor

Enterprise AP(if-wireless g)#mic_mode hardware

Enterprise AP(if-wireless g)#super-g

Enterprise AP(if-wireless g)#beacon-interval 150

Enterprise AP(if-wireless g)#beacon-interval 150

Enterprise AP(if-wireless g)#dtim-period 5

Enterprise AP(if-wireless g)#multicast-data-rate 6

Enterprise AP(if-wireless g)#fragmentation-length 512

Enterprise AP(if-wireless g)#rts-threshold 256

Enterprise AP(if-wireless g)#

7-88

7-104

7-97

7-97

7-96

7-100

7-99

7-101

7-120

7-104

7-101

7-101

7-102

7-96

7-102

7-103

6-53

6

System Configuration

Configuring VAP Radio Settings

To configure VAP radio settings, select the Radio Settings page.

Default VLAN ID – The VLAN ID assigned to wireless clients associated to the VAP interface that are not assigned to a specific VLAN by RADIUS server configuration.

(Default: 1)

Closed System

– When enabled, the VAP interface does not include its SSID in beacon messages. Nor does it respond to probe requests from clients that do not include a fixed SSID. (Default: Disable)

Authentication Timeout Interval

– The time within which the client should finish authentication before authentication times out. (Range: 5-60 minutes; Default: 60 minutes)

Association Timeout Interval – The idle time interval (when no frames are sent) after which a client is disassociated from the VAP interface. (Range: 5-60 minutes;

Default: 30 minutes)

6-54

Radio Interface

6

WPA2 PMKSA Life Time – WPA2 provides fast roaming for authenticated clients by retaining keys and other security settings in a cache for each VAP. In this way, when clients roam back into a VAP they had previously been using, re-authentication is not required. When a WPA2 client is first authenticated, it receives a Pairwise

Master Key (PMK) that is used to generate the other keys used for unicast data encryption. This key and other client information form a client Security Association

(SA) that the VAP holds in a cache. When the lifetime expires, the security association and keys are deleted from the cache. If the client returns to an access point after the association has been deleted, it will require full re-authentication.

(Range: 1-1440 minutes; Default: 720 minutes)

CLI Commands for the Configuring the VAPs – From the global configuration mode, enter the interface wireless g command to access the 802.11b/g radio interface.

From the 802.11b/g interface mode, you can access radio settings that apply to all

VAP interfaces. To access a specific VAP interface (numbered 0 to 7), use the vap command. You can configure a name for each interface using the description command. You can also use the closed-system command to stop sending the

SSID in beacon messages. Set any other VAP parameters and radio setting as required before enabling the VAP interface (with the no shutdown command). To view the current 802.11b/g radio settings for the VAP interface, use the show interface wireless g 0

command as shown on 7-95.

Enterprise AP(if-wireless g)#vap 0

Enterprise AP(if-wireless g: VAP[0])#description RD-AP#3

Enterprise AP(if-wireless g: VAP[0])#vlan-id 1

Enterprise AP(if-wireless g: VAP[0])#closed-system

Enterprise AP(if-wireless g: VAP[0])#authentication-timeout-

interval 30

Enterprise AP(if-wireless g: VAP[0])#association-timeout-

interval 20

Enterprise AP(if-wireless g: VAP[0])#max-association 32

Enterprise AP(if-wireless g: VAP[0])#pmksa-lifetime 900

Enterprise AP(if-wireless g: VAP[0])#

7-95

7-104

7-129

7-105

7-107

7-106

7-106

7-121

Configuring Rogue AP Detection

To configure Rouge AP detection, select the Radio Settings page, and scroll down to the “Rouge AP” section.

6-55

6

System Configuration

Rogue AP – A “rogue AP” is either an access point that is not authorized to participate in the wireless network, or an access point that does not have the correct security configuration. Rogue APs can allow unauthorized access to the network, or fool client stations into mistakenly associating with them and thereby blocking access to network resources.

The access point can be configured to periodically scan all radio channels and find other access points within range. A database of nearby access points is maintained where any rogue APs can be identified. During a scan, Syslog messages (see

“Enabling System Logging” on page 6-32) are sent for each access point detected.

Rogue access points can be identified by unknown BSSID (MAC address) or SSID configuration.

• AP Detection – Enables the periodic scanning for other access points.

(Default: Disable)

• AP Scan Interval – Sets the time between each rogue AP scan. (Range: 30 -10080 minutes; Default: 720 minutes)

• AP Scan Duration – Sets the length of time for each rogue AP scan. A long scan duration time will detect more access points in the area, but causes more disruption to client access. (Range: 100 -1000 milliseconds; Default: 350 milliseconds)

• Rogue AP Authenticate – Enables or disables RADIUS authentication. Enabling

RADIUS Authentication allows the access point to discover rogue access points.

With RADIUS authentication enabled, the access point checks the MAC address/

Basic Service Set Identifier (BSSID) of each access point that it finds against a

RADIUS server to determine whether the access point is allowed. With RADIUS authentication disabled, the access point can detect its neighboring access points only; it cannot identify whether the access points are allowed or are rogues. If you enable RADIUS authentication, you must configure a RADIUS server for this

access point (see “RADIUS” on page 6-7).

• Scan AP Now – Starts an immediate rogue AP scan on the radio interface.

(Default: Disable)

Note: While the access point scans a channel for rogue APs, wireless clients will not be able to connect to the access point. Therefore, avoid frequent scanning or scans of a long duration unless there is a reason to believe that more intensive scanning is required to find a rogue AP.

CLI Commands for Rogue AP Detection – From the global configuration mode, enter the interface wireless command to access the 802.11g radio interface. From the wireless interface mode, use the rogue-ap enable command to enable rogue

AP detection. Set the duration and interval times with the rogue-ap duration and rogue-ap interval commands. If required, start an immediate scan using the

6-56

Radio Interface

6 rogue-ap scan command. To view the database of detected access points, use the show rogue-ap

command from the Exec level.

Enterprise AP(config)#interface wireless g

Enter Wireless configuration commands, one per line.

Enterprise AP(if-wireless g)#rogue-ap enable

7-88

7-110

configure either syslog or trap or both to receive the rogue APs detected.

Enterprise AP(if-wireless g)#rogue-ap duration 200

7-111

Enterprise AP(if-wireless g)#rogue-ap interval 120

Enterprise AP(if-wireless g)#rogue-ap scan

7-112

7-112

Enterprise AP(if-wireless g)#rogueApDetect Completed (Radio G) : 5 APs detected rogueAPDetect (Radio G): refreshing ap database now

Enterprise AP(if-wireless g)#exit

Enterprise AP#show rogue-ap

802.11g Channel : Rogue AP Status

AP Address(BSSID) SSID Channel(MHz) RSSI

=======================================================

00-04-e2-2a-37-23 WLAN1AP 11(2462 MHz) 17

00-04-e2-2a-37-3d ANY 7(2442 MHz) 42

00-04-e2-2a-37-49 WLAN1AP 9(2452 MHz) 42

00-90-d1-08-9d-a7 WLAN1AP 1(2412 MHz) 12

00-30-f1-fb-31-f4 WLAN 6(2437 MHz) 16

Enterprise AP#

7-113

Configuring Wi-Fi Multimedia

Wireless networks offer an equal opportunity for all devices to transmit data from any type of application. Although this is acceptable for most applications, multimedia applications (with audio and video) are particularly sensitive to the delay and throughput variations that result from this “equal opportunity” wireless access method. For multimedia applications to run well over a wireless network, a Quality of

Service (QoS) mechanism is required to prioritize traffic types and provide an

“enhanced opportunity” wireless access method.

The access point implements QoS using the Wi-Fi Multimedia (WMM) standard.

Using WMM, the access point is able to prioritize traffic and optimize performance when multiple applications compete for wireless network bandwidth at the same time. WMM employs techniques that are a subset of the developing IEEE 802.11e

QoS standard and it enables the access point to inter operate with both WMM- enabled clients and other devices that may lack any WMM functionality.

Access Categories

— WMM defines four access categories (ACs): voice, video, best effort, and background. These categories correspond to traffic priority levels and are mapped to IEEE 802.1D priority tags (see Table 6-1). The direct mapping of the four ACs to 802.1D priorities is specifically intended to facilitate inter operability with other wired network QoS policies. While the four ACs are specified for specific types of traffic, WMM allows the priority levels to be configured to match any network-wide QoS policy. WMM also specifies a protocol that access points can use to communicate the configured traffic priority levels to QoS-enabled wireless clients.

6-57

6

System Configuration

Table 6-1. WMM Access Categories

Access Category WMM Designation Description

AC_VO (AC3) Voice Highest priority, minimum delay. Time-sensitive data such as VoIP (Voice over IP) calls.

AC_VI (AC2) Video

802.1D Tags

7, 6

High priority, minimum delay. Time-sensitive data such as streaming video.

5, 4

AC_BE (AC0)

AC_BK (AC1)

Best Effort

Background

Normal priority, medium delay and throughput.

Data only affected by long delays. Data from applications or devices that lack QoS capabilities.

0, 3

Lowest priority. Data with no delay or throughput requirements, such as bulk data transfers.

2, 1

WMM Operation — WMM uses traffic priority based on the four ACs; Voice, Video,

Best Effort, and Background. The higher the AC priority, the higher the probability that data is transmitted.

When the access point forwards traffic, WMM adds data packets to four independent transmit queues, one for each AC, depending on the 802.1D priority tag of the packet. Data packets without a priority tag are always added to the Best Effort AC queue. From the four queues, an internal “virtual” collision resolution mechanism first selects data with the highest priority to be granted a transmit opportunity. Then the same collision resolution mechanism is used externally to determine which device has access to the wireless medium.

For each AC queue, the collision resolution mechanism is dependent on two timing parameters:

• AIFSN (Arbitration Inter-Frame Space Number), a number used to calculate the minimum time between data frames

• CW (Contention Window), a number used to calculate a random backoff time

After a collision detection, a backoff wait time is calculated. The total wait time is the sum of a minimum wait time (Arbitration Inter-Frame Space, or AIFS) determined from the AIFSN, and a random backoff time calculated from a value selected from zero to the CW. The CW value varies within a configurable range. It starts at CWMin and doubles after every collision up to a maximum value, CWMax. After a successful transmission, the CW value is reset to its CWMin value.

6-58

Radio Interface

6

Tim riority AIFS

Minimum Wait Time

CWMin

Random Backoff

Random Wait Time

CWMin

CWMax riority AIFS

Minimum Wait Time

Random Backoff

Random Wait Time

Figure 6-1. WMM Backoff Wait Times

For high-priority traffic, the AIFSN and CW values are smaller. The smaller values equate to less backoff and wait time, and therefore more transmit opportunities.

To configure WMM, select the Radio Settings page, and scroll down to the WMM configuration settings.

C

6-59

6

System Configuration

WMM – Sets the WMM operational mode on the access point. When enabled, the parameters for each AC queue will be employed on the access point and QoS capabilities are advertised to WMM-enabled clients. (Default: Support)

• Disable: WMM is disabled.

• Support: WMM will be used for any associated device that supports this feature.

Devices that do not support this feature may still associate with the access point.

• Required: WMM must be supported on any device trying to associated with the access point. Devices that do not support this feature will not be allowed to associate with the access point.

WMM Acknowledge Policy

– By default, all wireless data transmissions require the sender to wait for an acknowledgement from the receiver. WMM allows the acknowledgement wait time to be turned off for each Access Category (AC).

Although this increases data throughput, it can also result in a high number of errors when traffic levels are heavy. (Default: Acknowledge)

WMM BSS Parameters – These parameters apply to the wireless clients.

WMM AP Parameters

– These parameters apply to the access point.

logCWMin (Minimum Contention Window) – The initial upper limit of the random backoff wait time before wireless medium access can be attempted. The initial wait time is a random value between zero and the CWMin value. Specify the CWMin value in the range 0-15 microseconds. Note that the CWMin value must be equal or less than the CWMax value.

logCWMax (Maximum Contention Window) – The maximum upper limit of the random backoff wait time before wireless medium access can be attempted. The contention window is doubled after each detected collision up to the CWMax value.

Specify the CWMax value in the range 0-15 microseconds. Note that the CWMax value must be greater or equal to the CWMin value.

AIFS (Arbitration Inter-Frame Space) – The minimum amount of wait time before the next data transmission attempt. Specify the AIFS value in the range

0-15 microseconds.

TXOP Limit (Transmit Opportunity Limit) – The maximum time an AC transmit queue has access to the wireless medium. When an AC queue is granted a transmit opportunity, it can transmit data for a time up to the TxOpLimit. This data bursting greatly improves the efficiency for high data-rate traffic. Specify a value in the range 0-65535 microseconds.

Admission Control – The admission control mode for the access category. When enabled, clients are blocked from using the access category. (Default: Disabled)

Key Type

– See “Wired Equivalent Privacy (WEP)” on page 6-69.

6-60

Radio Interface

6

CLI Commands for WMM – Enter interface wireless mode and type wmm required for clients that want to associate with the access point. The wmm-acknowledge-policy command is used to enable or disable a policy for each access category. The wmmparms command defines detailed WMM parameters.

Enterprise AP(if-wireless g)#wmm required

7-131

Enterprise AP(if-wireless g)#wmm-acknowledge-policy 0 noack

7-131

Enterprise AP(if-wireless g)#wmmparams ap 0 4 6 3 1 1

7-132

6-61

6

System Configuration

To view the current 802.11g radio settings for the VAP interface, use the show interface wireless g 0 command.

7-108

Enterprise AP#show interface wireless g 0

Wireless Interface Information

=============================================================

--------------------Identification---------------------------

Description : SMC 802.11g Access Point

SSID : SMC_G 0

Turbo Mode : DISABLED

Channel : 36 (AUTO)

Status : DISABLED

MAC Address : 00:12:cf:05:95:0c

----------------802.11 Parameters---------------------------

Transmit Power : FULL (16 dBm)

Max Station Data Rate : 54Mbps

Multicast Data Rate : 6Mbps

Fragmentation Threshold : 2346 bytes

RTS Threshold : 2347 bytes

Beacon Interval : 100 TUs

Authentication Timeout Interval : 60 Mins

Association Timeout Interval : 30 Mins

DTIM Interval : 1 beacon

Maximum Association : 64 stations

MIC Mode : Software

Super A : Disabled

VLAN ID : 1

----------------Security-------------------------------------

Closed System : Disabled

Multicast cipher : WEP

WPA clients : TKIP and AES

WPA Key Mgmt Mode : PRE SHARED KEY

WPA PSK Key Type : PASSPHRASE

Encryption : DISABLED

Default Transmit Key : 1

Common Static Keys : Key 1: EMPTY Key 2: EMPTY

Key 3: EMPTY Key 4: EMPTY

Authentication Type : OPEN

----------------802.1x---------------------------------------

802.1x :

Broadcast Key Refresh Rate : 30 min

Session Key Refresh Rate : 30 min

802.1x Session Timeout Value : 0 min

----------------Antenna--------------------------------------

Antenna Control method : Diversity

Antenna ID : 0x0000(Default Antenna)

Antenna Location : Indoor

6-62

Radio Interface

6

----------------Quality of Service---------------------------

WMM Mode : SUPPORTED

WMM Acknowledge Policy

AC0(Best Effort) : Ack

AC1(Background) : Acknowledge

AC2(Video) : Acknowledge

AC3(Voice) : Acknowledge

WMM BSS Parameters

AC0(Best Effort) : logCwMin: 4 logCwMax: 10 AIFSN: 3

Admission Control: No

TXOP Limit: 0.000 ms

AC1(Background) : logCwMin: 4 logCwMax: 10 AIFSN: 7

Admission Control: No

TXOP Limit: 0.000 ms

AC2(Video) : logCwMin: 3 logCwMax: 4 AIFSN: 2

Admission Control: No

TXOP Limit: 3.008 ms

AC3(Voice) : logCwMin: 2 logCwMax: 3 AIFSN: 2

Admission Control: No

TXOP Limit: 1.504 ms

WMM AP Parameters

AC0(Best Effort) : logCwMin: 4 logCwMax: 6 AIFSN: 3

Admission Control: No

TXOP Limit: 0.000 ms

AC1(Background) : logCwMin: 4 logCwMax: 10 AIFSN: 7

Admission Control: No

TXOP Limit: 0.000 ms

AC2(Video) : logCwMin: 3 logCwMax: 4 AIFSN: 1

Admission Control: No

TXOP Limit: 3.008 ms

AC3(Voice) : logCwMin: 2 logCwMax: 3 AIFSN: 1

Admission Control: No

TXOP Limit: 1.504 ms

=============================================================

Enterprise AP#

Security

The access point is configured by default as an “open system,” which broadcasts a beacon signal including the configured SSID. Wireless clients with an SSID setting of “any” can read the SSID from the beacon and automatically set their SSID to allow immediate connection to the nearest access point.

To improve wireless network security, you have to implement two main functions:

• Authentication: It must be verified that clients attempting to connect to the network are authorized users.

• Traffic Encryption: Data passing between the access point and clients must be protected from interception and eavesdropping.

For a more secure network, the access point can implement one or a combination of the following security mechanisms:

• Wired Equivalent Privacy (WEP)page 6-64

• IEEE 802.1Xpage 5-15

• Wireless MAC address filteringpage 6-13

6-63

6

System Configuration

• Wi-Fi Protected Access (WPA or WPA2)page 6-74

Both WEP and WPA security settings are configurable separately for each virtual access point (VAP) interface. MAC address filtering, and RADIUS server settings are global and apply to all VAP interfaces.

The security mechanisms that may be employed depend on the level of security required, the network and management resources available, and the software support provided on wireless clients.

A summary of wireless security considerations is listed in the following table.

Table 6-2. Wireless Security Considerations

Security

Mechanism

WEP

Client Support Implementation Considerations

Built-in support on all 802.11g devices

WEP over 802.1X Requires 802.1X client support in system or by add-in software

(support provided in Windows

2000 SP3 or later and Windows

XP)

• Provides only weak security

• Requires manual key management

• Provides dynamic key rotation for improved WEP security

• Requires configured RADIUS server

• 802.1X EAP type may require management of digital certificates for clients and server

MAC Address

Filtering

WPA over 802.1X

Mode

Uses the MAC address of client network card

Requires WPA-enabled system and network card driver

(native support provided in

Windows XP)

WPA PSK Mode Requires WPA-enabled system and network card driver

(native support provided in

Windows XP)

• Provides only weak user authentication

• Management of authorized MAC addresses

• Can be combined with other methods for improved security

• Optionally configured RADIUS server

• Provides robust security in WPA-only mode

(i.e., WPA clients only)

• Offers support for legacy WEP clients, but with increased security risk (i.e., WEP authentication keys disabled)

• Requires configured RADIUS server

• 802.1X EAP type may require management of digital certificates for clients and server

• Provides good security in small networks

• Requires manual management of pre-shared key

6-64

Radio Interface

6

Table 6-2. Wireless Security Considerations

Security

Mechanism

Client Support

WPA2 with 802.1X Requires WPA-enabled system and network card driver (native support provided in Windows

XP)

WPA2 PSK Mode Requires WPA-enabled system and network card driver (native support provided in Windows

XP)

Implementation Considerations

• Provides the strongest security in WPA2-only mode

• Provides robust security in mixed mode for WPA and WPA2 clients

• Offers fast roaming for time-sensitive client applications

• Requires configured RADIUS server

• 802.1X EAP type may require management of digital certificates for clients and server

• Clients may require hardware upgrade to be WPA2 compliant

• Provides robust security in small networks

• Requires manual management of pre-shared key

• Clients may require hardware upgrade to be WPA2 compliant

Note: You must enable data encryption through the web or CLI in order to enable all types of encryption (WEP, TKIP, or AES) in the access point.

The access point can simultaneously support clients using various different security mechanisms. The configuration for these security combinations are outlined in the following table. Note that MAC address authentication can be configured independently to work with all security mechanisms and is indicated separately in the table. Required RADIUS server support is also listed.

Client Security

Combination

Table 6-3. Security Combinations

Configuration Summary a

No encryption and no authentication

Static WEP only (with or without shared key authentication)

Dynamic WEP

(802.1x) only

Interface Detail Settings:

Authentication: Open System

Encryption: Disable

802.1x: Disable

Enter 1 to 4 WEP keys

Select a WEP transmit key for the interface

Interface Detail Settings:

Authentication: Shared Key or Open System

Encryption: Enable

802.1x: Disable

Interface Detail Settings:

Authentication: Open System

Encryption: Enable

802.1x: Required

Set 802.1x key refresh and reauthentication rates

MAC

Authentication b

Local, RADIUS, or Disabled

RADIUS

Server

Yes

3

Local, RADIUS, or Disabled

Yes c

Local, RADIUS, or Disabled

Yes c

6-65

6

System Configuration

Client Security

Combination

Table 6-3. Security Combinations

Configuration Summary a

802.1x WPA only

WPA Pre-Shared Key only

Static and dynamic

(802.1x) WEP keys

Dynamic WEP and

802.1x WPA

Static and dynamic

(802.1x) WEP keys and 802.1x WPA

802.1x WPA2 only

Interface Detail Settings:

Authentication: WPA

Encryption: Enable

WPA Clients: Required

Cipher Suite: TKIP

802.1x: Required

Set 802.1x key refresh and reauthentication rates

Interface Detail Settings:

Authentication: WPA-PSK

Encryption: Enable

WPA Clients: Required

Cipher Suite: TKIP

802.1x: Disable

WPA Pre-shared Key Type: Hexadicmal or

Alphanumeric

Enter a WPA Pre-shared key

Enter 1 to 4 WEP keys

Select a WEP transmit key

Interface Detail Settings:

Authentication: Open System

Encryption: Enable

802.1x: Supported

Set 802.1x key refresh and reauthentication rates

Interface Detail Settings:

Authentication: WPA

Encryption: Enable

WPA Clients: Supported

Cipher Suite: WEP

802.1x: Required

Set 802.1x key refresh and reauthentication rates

Enter 1 to 4 WEP keys

Select a WEP transmit key

Interface Detail Settings:

Authentication: WPA

Encryption: Enable

WPA Clients: Supported

Cipher Suite: WEP

802.1x: Supported

Set 802.1x key refresh and reauthentication rates

Interface Detail Settings:

Authentication: WPA2

Encryption: Enable

WPA Clients: Required

Cipher Suite: AES-CCMP

802.1x: Required

Set 802.1x key refresh and reauthentication rates

MAC

Authentication b

Local only

RADIUS

Server

Yes

Local only No

Local, RADIUS, or Disabled

Yes

Local or Disabled Yes

Local or Disabled Yes

Local or Disabled Yes

6-66

Radio Interface

6

Client Security

Combination

Table 6-3. Security Combinations

Configuration Summary a

WPA2 Pre-Shared

Key only

802.1x WPA-WPA2

Mixed Mode

WPA-WPA2 Mixed

Mode Pre-Shared Key

Interface Detail Settings:

Authentication: WPA2-PSK

Encryption: Enable

WPA Clients: Required

Cipher Suite: AES-CCMP

802.1x: Disable

WPA Pre-shared Key Type: Hexadicmal or

Alphanumeric

Enter a WPA Pre-shared key

Interface Detail Settings:

Authentication: WPA-WPA2-mixed

Encryption: Enable

WPA Clients: Required

Cipher Suite: TKIP

802.1x: Required

Set 802.1x key refresh and reauthentication rates

Interface Detail Settings:

Authentication: WPA-WPA2-PSK-mixed

Encryption: Enable

WPA Clients: Required

Cipher Suite: TKIP

802.1x: Disable

WPA Pre-shared Key Type: Hexadicmal or

Alphanumeric

Enter a WPA Pre-shared key

MAC

Authentication b

RADIUS

Server

Local or Disabled No

Local or Disabled Yes

Local or Disabled No a. The configuration summary does not include the set up for MAC authentication

(see page 4-15) or RADIUS server (see page 2-9).

b. The configuration of RADIUS MAC authentication together with 802.1x WPA or

WPA Pre-shared Key is not supported.

c. RADIUS server required only when RADIUS MAC authentication is configured.

Note: If you choose to configure RADIUS MAC authentication together with 802.1X, the

RADIUS MAC address authentication occurs prior to 802.1X authentication. Only when RADIUS MAC authentication succeeds is 802.1X authentication performed.

When RADIUS MAC authentication fails, 802.1X authentication is not performed.

Enabling the VAPs

Before enabling the Virtual Access Point (VAP) radio interfaces, first configure all of the relevant raido settings (see “You must first enable VAP interface 0 before the other interfaces can be enabled.” on page 6-48.)

After you have configured the radio settings, select Security under Radio G, set an

SSID to identify the wireless network service provided by each VAP you want to use, and then click Apply to save your settings.

6-67

6

System Configuration

Before enabling the radio service for any VAP, first configure the WEP, WPA, and

802.1X security settings described in the following sections. After you have finished configuring the security settings, return to the main Security page shown below, start the required VAP interfaces by clicking the Enable checkbox, and then click Apply.

6-68

Radio Interface

6

Enable – Enables radio communications on the VAP interface. (Default: Disabled)

Note: You must first enable VAP interface 0 before you can enable other VAP interfaces.

SSID

– The name of the basic service set provided by a VAP interface. Clients that want to connect to the network through the access point must set their SSID to the same as that of an access point VAP interface. (Default: SMC_G # (0 to 7); Range:

1-32 characters)

Wired Equivalent Privacy

(WEP)

WEP provides a basic level of security, preventing unauthorized access to the network, and encrypting data transmitted between wireless clients and the access point. WEP uses static shared keys (fixed-length hexadecimal or alphanumeric strings) that are manually distributed to all clients that want to use the network.

WEP is the security protocol initially specified in the IEEE 802.11 standard for wireless communications. Unfortunately, WEP has been found to be seriously flawed and cannot be recommended for a high level of network security. For more robust wireless security, the access point provides Wi-Fi Protected Access (WPA) for improved data encryption and user authentication.

Setting up shared keys enables the basic IEEE 802.11 Wired Equivalent Privacy

(WEP) on the access point to prevent unauthorized access to the network.

If you choose to use WEP shared keys instead of an open system, be sure to define at least one static WEP key for user authentication and data encryption. Also, be sure that the WEP shared keys are the same for each client in the wireless network.

Note that all clients share the same keys, which are used for user authentication and data encryption. Up to four keys can be specified. These four keys are used for all

VAP interfaces on the same radio.

To set up WEP shared keys, click Radio Settings.

Key Type

– Select the preferred method of entering WEP encryption keys on the access point and enter up to four keys:

• Hexadecimal: Enter keys as 10 hexadecimal digits (0-9 and A-F) for 64 bit keys, 26 hexadecimal digits for 128 bit keys, or 32 hexadecimal digits for 152 bit keys. This is the default setting.

6-69

6

System Configuration

• Alphanumeric: Enter keys as 5 alphanumeric characters for 64 bit keys, 13 alphanumeric characters for 128 bit keys, or 16 alphanumeric characters for 152 bit keys.

Key Number

– Selects the key number to use for encryption for each VAP interface.

If the clients have all four keys configured to the same values, you can change the encryption key to any of the eight settings without having to update the client keys.

(Default: Key 1)

Shared Key Setup – Select 64 Bit, 128 Bit, or 152 Bit key length. Note that the same size of encryption key must be supported on all wireless clients. (Default: None)

Note: Key index and type must match that configured on the clients.

Note: In a mixed-mode environment with clients using static WEP keys and WPA, select

WEP transmit key index 2, 3, or 4. The access point uses transmit key index 1 for the generation of dynamic keys.

To enable WEP shared keys for a VAP interface, click Security under Radio A or

Radio G. Then, select the VAP interface that will use WEP keys by clicking More, and configure the Authentication Type Setup and Encryption fields.

Authentication Type Setup

– Sets the access point to communicate as an open system that accepts network access attempts from any client, or with clients using pre-configured static shared keys. (Default: Open System)

• Open System: If you don’t set up any other security mechanism on the access point, the network has no protection and is open to all users. This is the default setting.

• Shared Key: Sets the access point to use WEP shared keys. If this option is selected, you must configure at least one key on the access point and all clients.

6-70

Radio Interface

6

Note: To use 802.1X on wireless clients requires a network card driver and 802.1X client software that supports the EAP authentication type that you want to use.

Windows 2000 SP3 or later and Windows XP provide 802.1X client support.

Windows XP also provides native WPA support. Other systems require additional client software to support 802.1X and WPA.

Encryption – Enable or disable the access point to use data encryption (WEP, TKIP, or AES). If this option is selected when using static WEP keys, you must configure at least one key on the access point and all clients. (Default: Disabled)

Note: You must enable data encryption through the web or CLI in order to enable all types of encryption (WEP, TKIP, or AES) in the access point.

CLI Commands for WEP Shared Key Security – To enable WEP shared key security for the 802.11g interface, use the interface wireless g command from the CLI configuration mode to access the interface mode for the 802.11g radio. First use the key command to define up to four WEP keys that can be used for all VAP interfaces on the radio. Then use the vap command to access each VAP interface to configure other security settings.

From the VAP interface configuration mode, use the authentication command to enable WEP shared-key authentication and the encryption command to enable data encryption. Then set one key as the transmit key for the VAP interface using the transmit-key command. To view the current security settings, use the show interface wireless g 0 command from the Exec mode.

6-71

6

System Configuration

Enterprise AP(config)#interface wireless g

Enter Wireless configuration commands, one per line.

Enterprise AP(if-wireless g)#key 1 128 ascii abcdeabcdeabc

Enterprise AP(if-wireless g)#vap 0

Enterprise AP(if-wireless g: VAP[0])#no 802.1X

Enterprise AP(if-wireless g: VAP[0])#authentication shared

Enterprise AP(if-wireless g: VAP[0])#encryption

Enterprise AP(if-wireless g: VAP[0])#transmit-key 1

7-88

7-117

7-95

7-65

7-117

7-116

7-118

Enterprise AP(if-wireless g: VAP[0])#exit

Enterprise AP#show interface wireless g 0

7-108

Wireless Interface Information

========================================================================

----------------Identification------------------------------------------

Description : SMC 802.11g Access Point

SSID : SMC_G 0

Channel : 11 (AUTO)

Status : DISABLED

MAC Address : 00:12:cf:05:95:08

----------------802.11 Parameters----------------------------------------

Radio Mode : b & g mixed mode

Transmit Power : FULL (5 dBm)

Max Station Data Rate : 54Mbps

Multicast Data Rate : 5.5Mbps

Fragmentation Threshold : 2346 bytes

RTS Threshold : 2347 bytes

Beacon Interval : 100 TUs

Authentication Timeout Interval : 60 Mins

Association Timeout Interval : 30 Mins

DTIM Interval : 1 beacon

Preamble Length : SHORT-OR-LONG

Maximum Association : 64 stations

MIC Mode : Software

Super G : Disabled

VLAN ID : 1

6-72

Radio Interface

6

----------------Security------------------------------------------------

Closed System : Disabled

Multicast cipher : WEP

Unicast cipher : TKIP and AES

WPA clients : DISABLED

WPA Key Mgmt Mode : PRE SHARED KEY

WPA PSK Key Type : PASSPHRASE

WPA PSK Key : EMPTY

PMKSA Lifetime : 720 minutes

Encryption : DISABLED

Default Transmit Key : 1

Common Static Keys : Key 1: EMPTY Key 2: EMPTY

Key 3: EMPTY Key 4: EMPTY

Pre-Authentication : DISABLED

Authentication Type : OPEN

----------------802.1x--------------------------------------------------

802.1x : DISABLED

Broadcast Key Refresh Rate : 30 min

Session Key Refresh Rate : 30 min

802.1x Session Timeout Value : 0 min

----------------Antenna-------------------------------------------------

Antenna Control method : Diversity

Antenna ID : 0x0000(Default Antenna)

Antenna Location : Indoor

----------------Quality of Service---------------------------------------

WMM Mode : SUPPORTED

WMM Acknowledge Policy

AC0(Best Effort) : Acknowledge

AC1(Background) : Acknowledge

AC2(Video) : Acknowledge

AC3(Voice) : Acknowledge

WMM BSS Parameters

AC0(Best Effort) : logCwMin: 4 logCwMax: 10 AIFSN: 3

Admission Control: No

TXOP Limit: 0.000 ms

AC1(Background) : logCwMin: 4 logCwMax: 10 AIFSN: 7

Admission Control: No

TXOP Limit: 0.000 ms

AC2(Video) : logCwMin: 3 logCwMax: 4 AIFSN: 2

Admission Control: No

TXOP Limit: 3.008 ms

AC3(Voice) : logCwMin: 2 logCwMax: 3 AIFSN: 2

Admission Control: No

TXOP Limit: 1.504 ms

WMM AP Parameters

AC0(Best Effort) : logCwMin: 4 logCwMax: 6 AIFSN: 3

Admission Control: No

TXOP Limit: 0.000 ms

AC1(Background) : logCwMin: 4 logCwMax: 10 AIFSN: 7

Admission Control: No

TXOP Limit: 0.000 ms

AC2(Video) : logCwMin: 3 logCwMax: 4 AIFSN: 1

Admission Control: No

TXOP Limit: 3.008 ms

AC3(Voice) : logCwMin: 2 logCwMax: 3 AIFSN: 1

Admission Control: No

TXOP Limit: 1.504 ms

========================================================================

Enterprise AP#

6-73

6

System Configuration

CLI Commands for WEP over 802.1X Security – Use the vap command to access each VAP interface to configure the security settings. First set 802.1X to required using the 802.1x command and set the 802.1X key refresh rates. Then, use the authentication command to select open system authentication and the encryption command to enable data encryption. To view the current security settings, use the show interface wireless g 0

command (not shown in example).

Enterprise AP(if-wireless g)#vap 0

Enterprise AP(if-wireless g: VAP[0])#802.1X required

Enterprise AP(if-wireless g: VAP[0])#802.1X broadcast-key-refresh-rate 5

Enterprise AP(if-wireless g: VAP[0])#802.1X session-key-refresh-rate 5

Enterprise AP(if-wireless g: VAP[0])#802.1X session-timeout 300

Enterprise AP(if-wireless g: VAP[0])#interface wireless g

Enter Wireless configuration commands, one per line.

Enterprise AP(if-wireless g: VAP[0])#authentication open

Enterprise AP(if-wireless g: VAP[0])#encryption

Enterprise AP(if-wireless g: VAP[0])#

7-65

7-66

7-67

7-67

7-88

7-117

7-116

Wi-Fi Protected Access

(WPA)

WPA employs a combination of several technologies to provide an enhanced security solution for 802.11 wireless networks.

The access point supports the following WPA components and features:

IEEE 802.1X and the Extensible Authentication Protocol (EAP): WPA employs

802.1X as its basic framework for user authentication and dynamic key management. The 802.1X client and RADIUS server should use an appropriate EAP type—such as EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled TLS), or

PEAP (Protected EAP)—for strongest authentication. Working together, these protocols provide “mutual authentication” between a client, the access point, and a

RADIUS server that prevents users from accidentally joining a rogue network. Only when a RADIUS server has authenticated a user’s credentials will encryption keys be sent to the access point and client.

Note: To implement WPA on wireless clients requires a WPA-enabled network card driver and 802.1X client software that supports the EAP authentication type that you want to use. Windows XP provides native WPA support, other systems require additional software.

Temporal Key Integrity Protocol (TKIP): WPA specifies TKIP as the data encryption method to replace WEP. TKIP avoids the problems of WEP static keys by dynamically changing data encryption keys. Basically, TKIP starts with a master

(temporal) key for each user session and then mathematically generates other keys to encrypt each data packet. TKIP provides further data encryption enhancements by including a message integrity check for each packet and a re-keying mechanism, which periodically changes the master key.

6-74

Radio Interface

6

WPA Pre-Shared Key Mode (WPA-PSK, WPA2-PSK): For enterprise deployment,

WPA requires a RADIUS authentication server to be configured on the wired network. However, for small office networks that may not have the resources to configure and maintain a RADIUS server, WPA provides a simple operating mode that uses just a pre-shared password for network access. The Pre-Shared Key mode uses a common password for user authentication that is manually entered on the access point and all wireless clients. The PSK mode uses the same TKIP packet encryption and key management as WPA in the enterprise, providing a robust and manageable alternative for small networks.

Mixed WPA and WEP Client Support : WPA enables the access point to indicate its supported encryption and authentication mechanisms to clients using its beacon signal. WPA-compatible clients can likewise respond to indicate their WPA support.

This enables the access point to determine which clients are using WPA security and which are using legacy WEP. The access point uses TKIP unicast data encryption keys for WPA clients and WEP unicast keys for WEP clients. The global encryption key for multicast and broadcast traffic must be the same for all clients, therefore it restricts encryption to a WEP key.

When access is opened to both WPA and WEP clients, no authentication is provided for the WEP clients through shared keys. To support authentication for WEP clients in this mixed mode configuration, you can use either MAC authentication or 802.1X authentication.

WPA2 – WPA was introduced as an interim solution for the vulnerability of WEP pending the ratification of the IEEE 802.11i wireless security standard. In effect, the

WPA security features are a subset of the 802.11i standard. WPA2 includes the now ratified 802.11i standard, but also offers backward compatibility with WPA.

Therefore, WPA2 includes the same 802.1X and PSK modes of operation and support for TKIP encryption. The main differences and enhancements in WPA2 can be summarized as follows:

Advanced Encryption Standard (AES): WPA2 uses AES Counter-Mode encryption with Cipher Block Chaining Message Authentication Code (CBC-MAC) for message integrity. The AES Counter-Mode/CBCMAC Protocol (AES-CCMP) provides extremely robust data confidentiality using a 128-bit key. The AES-CCMP encryption cipher is specified as a standard requirement for WPA2. However, the computational intensive operations of AES-CCMP requires hardware support on client devices. Therefore to implement WPA2 in the network, wireless clients must be upgraded to WPA2-compliant hardware.

WPA2 Mixed-Mode: WPA2 defines a transitional mode of operation for networks moving from WPA security to WPA2. WPA2 Mixed Mode allows both WPA and

WPA2 clients to associate to a common SSID interface. In mixed mode, the unicast encryption cipher (TKIP or AES-CCMP) is negotiated for each client. The access point advertises its supported encryption ciphers in beacon frames and probe responses. WPA and WPA2 clients select the cipher they support and return the choice in the association request to the access point. For mixed-mode operation,

6-75

6

System Configuration the cipher used for broadcast frames is always TKIP. WEP encryption is not allowed.

Key Caching: WPA2 provides fast roaming for authenticated clients by retaining keys and other security information in a cache, so that if a client roams away from an access point and then returns, re-authentication is not required. When a WPA2 client is first authenticated, it receives a Pairwise Master Key (PMK) that is used to generate other keys for unicast data encryption. This key and other client information form a Security Association that the access point names and holds in a cache.

Preauthentication: Each time a client roams to another access point it has to be fully re-authenticated. This authentication process is time consuming and can disrupt applications running over the network. WPA2 includes a mechanism, known as pre-authentication, that allows clients to roam to a new access point and be quickly associated. The first time a client is authenticated to a wireless network it has to be fully authenticated. When the client is about to roam to another access point in the network, the access point sends pre-authentication messages to the new access point that include the client’s security association information. Then when the client sends an association request to the new access point, the client is known to be already authenticated, so it proceeds directly to key exchange and association.

6-76

Radio Interface

6

To configure WPA, click Security under Radio A or Radio G. Select one of the VAP interfaces by clicking More. Select one of the WPA options in the Authentication

Setup table, and then configure the parameters displayed beneath the table.

The WPA configuration parameters are described below:

Encryption

– You must enable data encryption in order to enable all types of encryption (WEP, TKIP, or AES) in the access point.

Pre-Authentication

– When using WPA2 over 802.1X, pre-authentication can be enabled, which allows clients to roam to a new access point and be quickly associated without performing full 802.1X authentication. (Default: Disabled)

Authentication Setup – To use WPA or WPA2, set the access point to one of the following options. If a WPA/WPA2 mode that operates over 802.1X is selected

(WPA, WPA2, or WPA-WPA2-mixed), the 802.1X settings and RADIUS server details need to be configured. Be sure you have also configured a RADIUS server on the network before enabling authentication. If a WPA/WPA2 Pre-shared Key mode is selected (WPA-PSK, WPA2-PSK, or WPA-WPA2 PSK-Mixed), be sure to specify the key string.

6-77

6

System Configuration

• WPA: Clients using WPA over 802.1X are accepted for authentication.

• WPA-PSK: Clients using WPA with a Pre-shared Key are accepted for authentication.

• WPA2: Clients using WPA2 over 802.1X are accepted for authentication.

• WPA2-PSK: Clients using WPA2 with a Pre-shared Key are accepted for authentication.

• WPA-WPA2-mixed: Clients using WPA or WPA2 over 802.1X are accepted for authentication.

• WPA-WPA2-PSK-mixed: Clients using WPA or WPA2 with a Pre-shared Key are accepted for authentication.

WPA Configuration – Each VAP interface can be configured to allow only

WPA-enabled clients to access the network (Required), or to allow access to both

WPA and WEP clients (Supported). (Default: Required)

Cipher Suite

– Selects an encryption method for the global key used for multicast and broadcast traffic, which is supported by all wireless clients.

• WEP: WEP is used as the multicast encryption cipher. You should select WEP only when both WPA and WEP clients are supported.

• TKIP: TKIP is used as the multicast encryption cipher.

• AES-CCMP: AES-CCMP is used as the multicast encryption cipher. AES-CCMP is the standard encryption cipher required for WPA2.

WPA Pre-Shared Key Type – If the WPA or WPA2 pre-shared-key mode is used, all wireless clients must be configured with the same key to communicate with the access point.

• Hexadecimal – Enter a key as a string of 64 hexadecimal numbers.

• Alphanumeric – Enter a key as an easy-to-remember form of letters and numbers.

The string must be from 8 to 63 characters, which can include spaces.

The configuration settings for WPA are summarized below:

Table 6-4. WPA Configuration Settings

WPA and WPA2 pre-shared key only

Encryption: Enabled

Authentication Setup: WPA-PSK, WPA2-PSK, or

WPA-WPA2-mixed

WPA Cipher Mode: WEP/TKIP/AES-CCMP

WPA Pre-shared Key Type: Hex/ASCII

WPA and WPA2 over 802.1X

Encryption: Enabled

Authentication Setup: WPA, WPA2,

WPA-WPA2-mixed

WPA Cipher Mode: WEP/TKIP/AES-CCMP

(requires RADIUS server to be specified)

1: You must enable data encryption in order to enable all types of encryption in the access point.

2: Select TKIP when any WPA clients do not support AES. Select AES only if all clients support AES.

6-78

Radio Interface

6

CLI Commands for WPA Using Pre-shared Key Security – Be sure to first disable

802.1X port authentication using the 802.1X command from the configuration mode.

Then, from the 802.11g interface configuration mode, use the vap command to access each VAP interface to configure other security settings.

From the VAP interface configuration mode, use the authentication command to set the access point to “Open System.” Use the encryption command to enable data encryption. To enable WPA to be required for all clients, use the wpa-clients command. Set the broadcast and multicast key encryption using the multicast-cipher command. Use the wpa-mode command to enable the

Pre-shared Key mode. To enter a key value, use the wpa-psk-type command to specify a hexadecimal or alphanumeric key, and then use the wpa-pre-shared-key command to define the key. To view the current security settings, use the show interface wireless g 0 command (not shown in example).

7-88

Enterprise AP(config)#interface wireless g

Enter Wireless configuration commands, one per line.

Enterprise AP(if-wireless g)#vap 0

Enterprise AP(if-wireless g: VAP[0])#no 802.1X

Enterprise AP(if-wireless g: VAP[0])#wpa-pre-shared-key

passphrase-key agoodsecret

Enterprise AP(if-wireless g: VAP[0])#auth wpa-psk required

Data Encryption is set to Enabled.

WPA2 Clients Mode is set to Disabled.

WPA Clients Mode is set to Required.

WPA Multicast Cipher is set to TKIP.

WPA Unicast Cipher can accept TKIP only.

WPA Authentication is set to Pre-Shared Key.

Enterprise AP(if-wireless g: VAP[0])#

Enterprise AP(if-wireless g: VAP[0])#

7-65

7-121

6-79

6

System Configuration

CLI Commands for WPA Over 802.1X Security – First set 802.1X to required using the 802.1X command and set the 802.1X key refresh rates. Then 802.11g interface configuration mode, use the vap command to access each VAP interface to configure other security settings.

From the VAP interface configuration mode, use the authentication command to select open system authentication and the encryption command to enable data encryption. Use the wpa-clients command to set WPA to be required or supported for clients. Use the wpa-mode command to enable WPA dynamic keys over 802.1X.

Set the broadcast and multicast key encryption using the multicast-cipher command. To view the current security settings use the show interface wireless g 0 command (not shown in example).

7-88

Enterprise AP(config)#interface wireless g

Enter Wireless configuration commands, one per line.

Enterprise AP(if-wireless g)#vap 0

Enterprise AP(if-wireless g: VAP[0])#802.required

Enterprise AP(if-wireless g: VAP[0])#802.1X broadcast-key-refresh-rate 5

Enterprise AP(if-wireless g: VAP[0])#802.1X session-key-refresh-rate 5

Enterprise AP(if-wireless g: VAP[0])#802.1X session-timeout 300

Enterprise AP(if-wireless g: VAP[0])#authentication open

Enterprise AP(if-wireless g: VAP[0])#encryption

Enterprise AP(if-wireless g: VAP[0])#wpa-clients required

Enterprise AP(if-wireless g: VAP[0])#multicast-cipher TKIP

Enterprise AP(if-wireless g: VAP[0])#

7-65

7-66

7-67

7-67

7-117

7-116

7-121

7-119

Configuring 802.1X

IEEE 802.1X is a standard framework for network access control that uses a central

RADIUS server for user authentication. This control feature prevents unauthorized access to the network by requiring an 802.1X client application to submit user credentials for authentication. The 802.1X standard uses the Extensible

Authentication Protocol (EAP) to pass user credentials (either digital certificates, user names and passwords, or other) from the client to the RADIUS server. Client authentication is then verified on the RADIUS server before the access point grants client access to the network.

The 802.1X EAP packets are also used to pass dynamic unicast session keys and static broadcast keys to wireless clients. Session keys are unique to each client and are used to encrypt and correlate traffic passing between a specific client and the access point. You can also enable broadcast key rotation, so the access point provides a dynamic broadcast key and changes it at a specified interval.

6-80

Radio Interface

6

Open the Security page, and click More for one of the VAP interfaces.

You can enable 802.1X as optionally supported or as required to enhance the security of the wireless network. (Default: Disable)

• Disable: The access point does not support 802.1X authentication for any wireless client. After successful wireless association with the access point, each client is allowed to access the network.

• Supported: The access point supports 802.1X authentication only for clients initiating the 802.1X authentication process (i.e., the access point does not initiate

802.1X authentication). For clients initiating 802.1X, only those successfully authenticated are allowed to access the network. For those clients not initiating

802.1X, access to the network is allowed after successful wireless association with the access point. The 802.1X supported mode allows access for clients not using

WPA or WPA2 security.

• Required: The access point enforces 802.1X authentication for all associated wireless clients. If 802.1X authentication is not initiated by a client, the access point will initiate authentication. Only those clients successfully authenticated with

802.1X are allowed to access the network.

Note: If 802.1X is enabled on the access point, then RADIUS setup must be completed

(see “RADIUS” on page 6-7).

When 802.1X is enabled, the broadcast and session key rotation intervals can also be configured.

• Broadcast Key Refresh Rate: Sets the interval at which the broadcast keys are refreshed for stations using 802.1X dynamic keying. (Range: 0-1440 minutes;

Default: 0 means disabled)

• Session Key Refresh Rate: The interval at which the access point refreshes unicast session keys for associated clients. (Range: 0-1440 minutes; Default: 0 means disabled)

6-81

6

System Configuration

• 802.1X Reauthentication Refresh Rate: The time period after which a connected client must be re-authenticated. During the re-authentication process of verifying the client’s credentials on the RADIUS server, the client remains connected the network. Only if re-authentication fails is network access blocked. (Range: 0-65535 seconds; Default: 0 means disabled)

CLI Commands for 802.1X Authentication – Use the 802.1X supported command from the VAP interface mode to enable 802.1X authentication. Set the session and broadcast key refresh rate, and the re-authentication timeout. To display the current settings, use the show authentication command from the Exec mode.

Enterprise AP(if-wireless g: VAP[0])#802.1X supported

Enterprise AP(if-wireless g: VAP[0])#802.1X broadcast-key-refresh-rate 5

Enterprise AP(if-wireless g: VAP[0])#802.1X session-key-refresh-rate 5

Enterprise AP(if-wireless g: VAP[0])#802.1X session-timeout 300

Enterprise AP(if-wireless g: VAP[0])#exit

Enterprise AP#show authentication

Authentication Information

===========================================================

MAC Authentication Server : DISABLED

MAC Auth Session Timeout Value : 0 min

802.1x supplicant : DISABLED

802.1x supplicant user : EMPTY

802.1x supplicant password : EMPTY

Address Filtering : ALLOWED

System Default : ALLOW addresses not found in filter table.

Filter Table

MAC Address Status

----------------- ----------

00-70-50-cc-99-1a DENIED

00-70-50-cc-99-1b ALLOWED

=========================================================

Enterprise AP#

7-65

7-66

7-67

7-67

7-68

6-82

Status Information

6

Status Information

The Status page includes information on the following items:

Menu

AP Status

Station Status

Event Logs

Description

Displays configuration settings for the basic system and the wireless interface

Shows the wireless clients currently associated with the access point

Shows log messages stored in memory

Page

6-83

6-86

6-89

Access Point Status

The AP Status window displays basic system configuration settings, as well as the settings for the wireless interface.

6-83

6

System Configuration

AP System Configuration

– The AP System Configuration table displays the basic system configuration settings:

• System Up Time: Length of time the management agent has been up.

• MAC Address: The physical layer address for this device.

• System Name: Name assigned to this system.

• System Contact: Administrator responsible for the system.

• IP Address: IP address of the management interface for this device.

• IP Default Gateway: IP address of the gateway router between this device and management stations that exist on other network segments.

• HTTP Server: Shows if management access via HTTP is enabled.

• HTTP Server Port: Shows the TCP port used by the HTTP interface.

• Version: Shows the version number for the runtime code.

AP Wireless Configuration – The AP Wireless Configuration tables display the radio and VAP interface settings listed below. Note that Interface Wireless G refers the

802.11b/g radio.

• SSID: The service set identifier for the VAP interface.

• Radio Channel: The radio channel through which the access point communicates with wireless clients.

• Encryption: The key size used for data encryption.

• Authentication Type: Shows the type of authentication used.

• 802.1X: Shows if IEEE 802.1X access control for wireless clients is enabled.

6-84

Status Information

6

CLI Commands for Displaying System Settings – To view the current access point system settings, use the show system command from the Exec mode. To view the current radio interface settings, use the show interface wireless g 0 command

(see page 7-108).

7-23

Enterprise AP#show system

System Information

==============================================================

Serial Number :

System Up time : 1 days, 3 hours, 41 minutes, 40 seconds

System Name : Enterprise Wireless AP

System Location :

System Contact : Contact

System Country Code : US - UNITED STATES

MAC Address : 00-13-F7-1C-33-66

MAC Address : 00-13-F7-1C-33-66

Radio G MAC Address : 00-13-F7-1C-33-67

IP Address : 192.168.2.2

Subnet Mask : 255.255.255.0

Default Gateway : 0.0.0.0

VLAN State : DISABLED

Management VLAN ID(AP): 1

IAPP State : ENABLED

DHCP Client : ENABLED

HTTP Server : ENABLED

HTTP Server Port : 80

HTTP Session Timeout : 300 sec(s)

HTTPS Server : ENABLED

HTTPS Server Port : 443

Slot Status : Single band(b/g)

Boot Rom Version : v1.1.1

Software Version : v5.0.0.0

SSH Server : ENABLED

SSH Server Port : 22

Telnet Server : ENABLED

WEB Redirect : DISABLED

DHCP Relay : DISABLED

==============================================================

Enterprise AP#

6-85

6

System Configuration

Station Status

The Station Status window shows the wireless clients currently associated with the access point.

The Station Configuration page displays basic connection information for all associated stations as described below. Note that this page is automatically refreshed every five seconds.

• Station Address: The MAC address of the wireless client.

• Authenticated: Shows if the station has been authenticated. The two basic methods of authentication supported for 802.11 wireless networks are “open system” and “shared key.” Open-system authentication accepts any client attempting to connect to the access point without verifying its identity. The

6-86

Status Information

6 shared-key approach uses Wired Equivalent Privacy (WEP) to verify client identity by distributing a shared key to stations before attempting authentication.

• Associated: Shows if the station has been successfully associated with the access point. Once authentication is completed, stations can associate with the current access point, or reassociate with a new access point. The association procedure allows the wireless system to track the location of each mobile client, and ensure that frames destined for each client are forwarded to the appropriate access point.

• Forwarding Allowed: Shows if the station has passed 802.1X authentication and is now allowed to forward traffic to the access point.

• Encryption: The data encryption method used for this client.

• Authentication Type: The authentication method used for this client; including WEP

(Open System or Pre-Shared Key), WPA, WPA2, or some combination.

• SSID: The Service Set Identifier this client used to associate with the VAP.

• Channel: The radio channel this client is using to communicate with the VAP.

• Data Rate: The data rate at which this client is communicating with the VAP.

6-87

6

System Configuration

CLI Commands for Displaying Station Status – To view status of clients currently associated with the access point, use the show station command from the Exec mode.

7-109

Enterprise AP#show station

Station Table Information

=========================================================== if-wireless G VAP [0] :

802.11g Channel : Auto

No 802.11g Channel Stations.

if-wireless G VAP [1] :

802.11g Channel : Auto

No 802.11g Channel Stations.

....

No 802.11g Channel Stations.

if-wireless g VAP [7] :

802.11g Channel : Auto

No 802.11g Channel Stations.

if-wireless G VAP [0] :

802.11g Channel : Auto

No 802.11g Channel Stations.

if-wireless G VAP [1] :

802.11g Channel : Auto

No 802.11g Channel Stations.

....

No 802.11g Channel Stations.

if-wireless G VAP [7] :

802.11g Channel : Auto

No 802.11g Channel Stations.

===========================================================

Enterprise AP#

6-88

Status Information

6

Event Logs

The Event Logs window shows the log messages generated by the access point and stored in memory.

The Event Logs table displays the following information:

• Log Time: The time the log message was generated.

• Event Level: The logging level associated with this message. For a description of

the various levels, see “logging level” on page 6-32.

• Event Message: The content of the log message.

Error Messages – An example of a logged error message is: “Station Failed to authenticate (unsupported algorithm).”

This message may be caused by any of the following conditions:

• Access point was set to “Open Authentication”, but a client sent an authentication request frame with a “Shared key.”

• Access point was set to “Shared Key Authentication,” but a client sent an authentication frame for “Open System.”

• WEP keys do not match: When the access point uses “Shared Key Authentication,” but the key used by client and access point are not the same, the frame will be decrypted incorrectly, using the wrong algorithm and sequence number.

CLI Commands for Displaying the Logging Status – From the global configuration mode, use the show logging command.

7-32

Enterprise AP#show loggging

Logging Information

============================================

Syslog State : Enabled

Logging Console State : Enabled

Logging Level : Alert

Logging Facility Type : 16

Servers

1: 192.168.1.19, UDP Port: 514, State: Enabled

2: 0.0.0.0, UDP Port: 514, State: Disabled

3: 0.0.0.0, UDP Port: 514, State: Disabled

4: 0.0.0.0, UDP Port: 514, State: Disabled

=============================================

Enterprise AP#

6-89

6

System Configuration

CLI Commands for Displaying Event Logs – To view the access point log entries, use the show event-log command from the Exec mode. To clear all log entries from the access point, use the logging clear command from the Global Configuration mode.

Enterprise AP#show event-log

Mar 09 11:57:55 Information: 802.11g:11g Radio Interface Enabled

Mar 09 11:57:55 Information: 802.11g:Radio channel updated to 8

Mar 09 11:57:34 Information: 802.11g:11g Radio Interface Enabled

Mar 09 11:57:18 Information: 802.11g:11g Radio Interface Enabled

Mar 09 11:55:52 Information: SSH task: Set SSH server port to 22

Mar 09 11:55:52 Information: SSH task: Enable SSH server.

Mar 09 11:55:52 Information: Enable Telnet.

Mar 09 11:55:40 Information: 802.11g:11g Radio Interface Disabled

Mar 09 11:55:40 Information: 802.11g:Transmit Power set to QUARTER

Press <n> next. <p> previous. <a> abort. <y> continue to end :

Enterprise AP#configure

Enter configuration commands, one per line. End with CTRL/Z

Enterprise AP(config)#logging clear

Enterprise AP#

7-33

7-32

6-90

Chapter 7: Command Line Interface

Using the Command Line Interface

Accessing the CLI

When accessing the management interface for the over a direct connection to the console port, or via a Telnet connection, the access point can be managed by entering command keywords and parameters at the prompt. Using the access point’s command-line interface (CLI) is very similar to entering commands on a

UNIX system.

Console Connection

To access the access point through the console port, perform these steps:

1.

At the console prompt, enter the user name and password. (The default user name is “admin” and the default password is “smcadmin”) When the user name is entered, the CLI displays the “Enterprise AP#” prompt.

2.

Enter the necessary commands to complete your desired tasks.

3.

When finished, exit the session with the “exit” command.

After connecting to the system through the console port, the login screen displays:

Username: admin

Password:

Enterprise AP#

Caution: Command examples shown later in this chapter abbreviate the console prompt to “AP” for simplicity.

Telnet Connection

Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion.

For example, if the access point cannot acquire an IP address from a DHCP server, the default IP address used by the access point, 192.168.2.2, consists of a network portion (192.168.2) and a host portion (2).

To access the access point through a Telnet session, you must first set the IP address for the access point, and set the default gateway if you are managing the access point from a different IP subnet. For example:

Enterprise AP#configure

Enterprise AP(config)#interface ethernet

Enterprise AP(if-ethernet)#ip address 10.1.0.1 255.255.255.0 10.1.0.254

Enterprise AP(if-ethernet)#

7-1

7

Command Line Interface

If your corporate network is connected to another network outside your office or to the Internet, you need to apply for a registered IP address. However, if you are attached to an isolated network, then you can use any IP address that matches the network segment to which you are attached.

After you configure the access point with an IP address, you can open a Telnet session by performing these steps.

1.

From the remote host, enter the Telnet command and the IP address of the device you want to access.

2.

At the prompt, enter the user name and system password. The CLI will display the “Enterprise AP#” prompt to show that you are using executive access mode

(i.e., Exec).

3.

Enter the necessary commands to complete your desired tasks.

4.

When finished, exit the session with the “quit” or “exit” command.

After entering the Telnet command, the login screen displays:

Username: admin

Password:

Enterprise AP#

Caution: You can open up to four sessions to the device via Telnet.

Entering Commands

This section describes how to enter CLI commands.

Keywords and Arguments

A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces ethernet,” show and interfaces are keywords, and ethernet

is an argument that specifies the interface type.

You can enter commands as follows:

• To enter a simple command, enter the command keyword.

• To enter commands that require parameters, enter the required parameters after the command keyword. For example, to set a password for the administrator, enter:

Enterprise AP(config)#username smith

Minimum Abbreviation

The CLI will accept a minimum number of characters that uniquely identify a command. For example, the command “configure” can be entered as con. If an entry is ambiguous, the system will prompt for further input.

7-2

Entering Commands

7

Command Completion

If you terminate input with a Tab key, the CLI will print the remaining characters of a partial keyword up to the point of ambiguity. In the “configure” example, typing con followed by a tab will result in printing the command up to “configure.”

Getting Help on Commands

You can display a brief description of the help system by entering the help command. You can also display command syntax by following a command with the

“?” character to list keywords or parameters.

Showing Commands

If you enter a “?” at the command prompt, the system will display the first level of keywords for the current configuration mode (Exec, Global Configuration, or

Interface). You can also display a list of valid keywords for a specific command. For example, the command “show ?” displays a list of possible show commands:

Enterprise AP#show ?

APmanagement Show management AP information.

authentication Show Authentication parameters

bootfile Show bootfile name

bridge Show bridge

config System snapshot for tech support

dhcp-relay Show DHCP Relay Configuration

event-log Show event log on console

filters Show filters

hardware Show hardware version

history Display the session history

interface Show interface information

line TTY line information

link-integrity Show link integrity information

logging Show the logging buffers

radius Show radius server

rogue-ap Show Rogue ap Stations

snmp Show snmp configuration

sntp Show sntp configuration

station Show 802.11 station table

system Show system information

version Show system version

Enterprise AP#show

The command “show interface ?” will display the following information:

Enterprise AP#show interface ?

ethernet Show Ethernet interface

wireless Show wireless interface

<cr>

Enterprise AP#show interface

7-3

7

Command Line Interface

Partial Keyword Lookup

If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.”

Enterprise AP#show s?

snmp sntp station system

Enterprise AP#show s

Negating the Effect of Commands

For many configuration commands you can enter the prefix keyword “no” to cancel the effect of a command or reset the configuration to the default value. For example, the logging command will log system messages to a host server. To disable logging, specify the no logging command. This guide describes the negation effect for all applicable commands.

Using Command History

The CLI maintains a history of commands that have been entered. You can scroll back through the history of commands by pressing the up arrow key. Any command displayed in the history list can be executed again, or first modified and then executed.

Using the show history command displays a longer list of recently executed commands.

Understanding Command Modes

The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters.

Configuration commands, on the other hand, modify interface parameters or enable certain functions. These classes are further divided into different modes. Available commands depend on the selected mode. You can always enter a question mark “?” at the prompt to display a list of the commands available for the current mode. The command classes and associated modes are displayed in the following table:

Class

Exec

Configuration

Mode

Privileged

Global

Interface-ethernet

Interface-wireless

Interface-wireless-vap

7-4

Entering Commands

7

Exec Commands

When you open a new console session on an access point, the system enters Exec command mode. Only a limited number of the commands are available in this mode.

You can access all other commands only from the configuration mode. To access

Exec mode, open a new console session with the user name “admin.” The command prompt displays as “Enterprise AP#” for Exec mode.

Username: admin

Password: [system login password]

Enterprise AP#

Configuration Commands

Configuration commands are used to modify access point settings. These commands modify the running configuration and are saved in memory.

The configuration commands are organized into four different modes:

• Global Configuration (GC) - These commands modify the system level configuration, and include commands such as username and password.

• Interface-Ethernet Configuration (IC-E) - These commands modify the Ethernet port configuration, and include command such as dns and ip.

• Interface-Wireless Configuration (IC-W) - These commands modify the wireless port configuration of global parameters for the radio, and include commands such as channel and transmit-power.

• Interface-Wireless Virtual Access Point Configuration (IC-W-VAP) - These commands modify the wireless port configuration for each VAP, and include commands such as ssid and authentication.

To enter the Global Configuration mode, enter the command configure in Exec mode. The system prompt will change to “Enterprise AP(config)#” which gives you access privilege to all Global Configuration commands.

Enterprise AP#configure

Enterprise AP(config)#

To enter Interface mode, you must enter the “interface ethernet,” or “interface wireless a

,” or “interface wireless g” command while in Global Configuration mode. The system prompt will change to “Enterprise AP(if-ethernet)#,” or Enterprise

AP(if-wireless)” indicating that you have access privileges to the associated commands. You can use the end command to return to the Exec mode.

Enterprise AP(config)#interface ethernet

Enterprise AP(if-ethernet)#

7-5

7

Command Line Interface

Keystroke

Ctrl-A

Ctrl-B

Ctrl-C

Ctrl-E

Ctrl-F

Ctrl-K

Ctrl-L

Ctrl-N

Ctrl-P

Ctrl-R

Ctrl-U

Ctrl-W

Esc-B

Esc-D

Esc-F

Delete key or backspace key

Command Line Processing

Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches. You can also use the following editing keystrokes for command-line processing:

Table 7-1. Keystroke Commands

Function

Shifts cursor to start of command line.

Shifts cursor to the left one character.

Terminates a task and displays the command prompt.

Shifts cursor to end of command line.

Shifts cursor to the right one character.

Deletes from cursor to the end of the command line.

Repeats current command line on a new line.

Enters the next command line in the history buffer.

Shows the last command.

Repeats current command line on a new line.

Deletes the entire line.

Deletes the last word typed.

Moves the cursor backward one word.

Deletes from the cursor to the end of the word.

Moves the cursor forward one word.

Erases a mistake when entering a command.

Command Groups

The system commands can be broken down into the functional groups shown below.

Table 7-2. Command Groups

Command Group

General

Description

Basic commands for entering configuration mode, restarting the system, or quitting the CLI

System Management Controls user name, password, web browser management options, and a variety of other system information

System Logging Configures system logging parameters

System Clock

DHCP Relay

Configures SNTP and system clock settings

Configures the access point to send DHCP requests from clients to specified servers

Page

7-7

7-11

7-28

7-33

7-38

7-6

General Commands

7

Table 7-2. Command Groups

Command Group

SNMP

Description

Configures community access strings and trap managers

Flash/File

RADIUS

802.1X Authentication Configures 802.1X authentication

MAC Address

Authentication

Configures MAC address authentication

Filtering

Manages code image or access point configuration files

Configures the RADIUS client used with 802.1X authentication

WDS Bridge

Filters communications between wireless clients, controls access to the management interface from wireless clients, and filters traffic using specific Ethernet protocol types

Configures WDS forwarding table settings

Spanning Tree

Ethernet Interface

Wireless Interface

Wireless Security

Configures spanning tree parameters

Configures connection parameters for the Ethernet interface

Configures radio interface settings

Configures radio interface security and encryption settings

Rogue AP Detection Configures settings for the detection of rogue access points in the network

Link Integrity Configures a link check to a host device on the wired network

IAPP

VLANs

WMM

Enables roaming between multi-vendor access points

Configures VLAN membership

Configures WMM quality of service parameters

7-73

7-123

7-127

7-128

7-130

The access mode shown in the following tables is indicated by these abbreviations:

Exec (Executive Mode), GC (Global Configuration), IC-E (Interface-Ethernet

Configuration), IC-W (Interface-Wireless Configuration), and IC-W-VAP

(Interface-Wireless VAP Configuration).

Page

7-40

7-55

7-58

7-65

7-70

7-77

7-83

7-88

7-93

7-109

7-109

General Commands

Command configure end exit ping reset show history show line

Table 7-3. General Commands

Function

Activates global configuration mode

Returns to previous configuration mode

Mode

Exec

GC, IC

Page

7-8

7-8

Returns to the previous configuration mode, or exits the CLI any

Sends ICMP echo request packets to another node on the network

7-8

Exec 7-9

Restarts the system

Shows the command history buffer

Shows the configuration settings for the console port

Exec

Exec

Exec

7-10

7-10

7-11

7-7

7

Command Line Interface

configure

This command activates Global Configuration mode. You must enter this mode to modify most of the settings on the access point. You must also enter Global

Configuration mode prior to enabling the context modes for Interface Configuration.

See “Using the Command Line Interface” on page 1.

Default Setting

None

Command Mode

Exec

Example

Enterprise AP#configure

Enterprise AP(config)#

Related Commands

end (7-8)

end

This command returns to the previous configuration mode.

Default Setting

None

Command Mode

Global Configuration, Interface Configuration

Example

This example shows how to return to the Configuration mode from the Interface

Configuration mode:

Enterprise AP(if-ethernet)#end

Enterprise AP(config)#

exit

This command returns to the Exec mode or exits the configuration program.

Default Setting

None

Command Mode

Any

7-8

General Commands

7

Example

This example shows how to return to the Exec mode from the Interface

Configuration mode, and then quit the CLI session:

Enterprise AP(if-ethernet)#exit

Enterprise AP#exit

CLI session with the Access Point is now closed

Username:

ping

This command sends ICMP echo request packets to another node on the network.

Syntax ping

<host_name | ip_address>

host_name - Alias of the host.

ip_address - IP address of the host.

Default Setting

None

Command Mode

Exec

Command Usage

• Use the ping command to see if another site on the network can be reached.

• The following are some results of the ping command:

- Normal response - The normal response occurs in one to ten seconds, depending on network traffic.

- Destination does not respond - If the host does not respond, a “timeout” appears in ten seconds.

- Destination unreachable - The gateway for this destination indicates that the destination is unreachable.

- Network or host unreachable - The gateway found no corresponding entry in the route table.

• Press <Esc> to stop pinging.

Example

Enterprise AP#ping 10.1.0.19

192.168.1.19 is alive

Enterprise AP#

7-9

7

Command Line Interface

reset

This command restarts the system or restores the factory default settings.

Syntax reset

<board | configuration>

board - Reboots the system.

configuration - Resets the configuration settings to the factory defaults, and then reboots the system.

Default Setting

None

Command Mode

Exec

Command Usage

When the system is restarted, it will always run the Power-On Self-Test.

Example

This example shows how to reset the system:

Enterprise AP#reset board

Reboot system now? <y/n>: y

show history

This command shows the contents of the command history buffer.

Default Setting

None

Command Mode

Exec

Command Usage

• The history buffer size is fixed at 10 commands.

• Use the up or down arrow keys to scroll through the commands in the history buffer.

Example

In this example, the show history command lists the contents of the command history buffer:

Enterprise AP#show history

config

exit

show history

Enterprise AP#

7-10

System Management Commands

7

show line

This command displays the console port’s configuration settings.

Command Mode

Exec

Example

The console port settings are fixed at the values shown below.

Enterprise AP#show line

Console Line Information

======================================================

databits : 8

parity : none

speed : 9600

stop bits : 1

======================================================

Enterprise AP#

System Management Commands

These commands are used to configure the user name, password, system logs, browser management options, clock settings, and a variety of other system information.

Table 7-4. System Management Commands

Command

Country Setting country

Function

Sets the access point country code

Device Designation prompt Customizes the command line prompt system name Specifies the host name for the access point snmp-server contact Sets the system contact string snmp-server location Sets the system location string

Management Access username password

Configures the user name for management access

Specifies the password for management access ip ssh-server enable Enables the Secure Shell server ip ssh-server port Sets the Secure Shell port ip telnet-server enable Enables the Telnet server

APmgmtIP Specifies an IP address or range of addresses allowed access to the management interface

APmgmtUI Enables or disables SNMP, Telnet or web management access show APmanagement Shows the AP management configuration

Mode

Exec

GC

GC

IC-E

IC-E

IC-E

GC

GC

GC

GC

GC

GC

Exec

Page

7-12

7-14

7-14

7-41

7-42

7-22

7-22

7-15

7-15

7-16

7-16

7-17

7-21

7-11

Country

Albania

Algeria

Argentina

Armenia

Australia

Austria

Azerbaijan

Bahrain

7

Command Line Interface

Command

Web Server ip http port ip http server ip https port ip https server web-redirect

System Status show system show version show config show hardware

Table 7-4. System Management Commands

Function

Specifies the port to be used by the web browser interface GC

Allows the access point to be monitored or configured from a browser

GC

Specifies the UDP port number used for a secure HTTP connection to the access point’s Web interface

Enables the secure HTTP server on the access point

Enables web authentication of clients using a public access

Internet service

GC

GC

GC

Displays system information

Displays version information for the system

Displays detailed configuration information for the system

Displays the access point’s hardware version

Mode

Exec

Exec

Exec

Exec

Page

7-17

7-18

7-18

7-19

7-20

7-23

7-24

7-24

7-28

country

This command configures the access point’s country code, which identifies the country of operation and sets the authorized radio channels.

Syntax country <country_code>

country_code - A two character code that identifies the country of operation.

See the following table for a full list of codes.

AM

AU

AT

AZ

BH

Code Country

AL Dominican

Republic

DZ

AR

Ecuador

Egypt

Estonia

Finland

France

Georgia

Germany

Table 7-5. Country Codes

Code Country

DO Kuwait

FR

GE

DE

EC

EG

EE

FI

Latvia

Lebanon

Liechtenstein

Lithuania

Macao

Macedonia

Malaysia

Code Country

KW Romania

MO

MK

MY

LI

LT

LV

LB

Code

RO

Russia

Saudi Arabia

RU

SA

Singapore SG

Slovak Republic SK

Spain

Sweden

Switzerland

ES

SE

CH

7-12

Canada

Chile

China

Colombia

Costa Rica

Croatia

Cyprus

Czech

Republic

Denmark

Country

Belarus

Belgium

Belize

Bolivia

Brazil

Brunei

Darussalam

Bulgaria BG

System Management Commands

7

BO

BR

BN

Table 7-5. Country Codes

Code Country

BY

BE

Greece

Guatemala

BZ

Honduras HN

Hong Kong HK

Code Country

GR

GT

Malta

Mexico

Monaco

Morocco

Hungary

Iceland

India

HU

IS

IN

Netherlands

New Zealand

Norway

NL

NZ

NO

Code Country

MT

MX

Syria

Taiwan

MC

MA

Thailand

Trinidad &

Tobago

Tunisia

Turkey

Ukraine

TN

TR

UA

Code

SY

TW

TH

TT

Indonesia ID Qatar QA

CR

HR

CY

CZ

CA

CL

CN

CO

Iran

Ireland

Israel

Italy

Japan

Jordan

JP

JO

Kazakhstan KZ

North Korea KP

IL

IT

IR

IE

Oman

Pakistan

Panama

Peru

Philippines

Poland

Portugal

Puerto Rico

PH

PL

PT

PR

OM

PK

PA

PE

United Arab

Emirates

AE

United Kingdom GB

United States US

Uruguay

Uzbekistan

Yemen

Venezuela

Vietnam

Zimbabwe

VN

ZW

UY

UZ

YE

VE

Elsalvador

DK

SV

Korea

Republic

KR

Luxembourg LU

Slovenia

South Africa

SI

ZA

Default Setting

US - for units sold in the United States

99 (no country set) - for units sold in other countries

Command Mode

Exec

7-13

7

Command Line Interface

Command Usage

• If you purchased an access point outside of the United States, the country code must be set before radio functions are enabled.

• The available Country Code settings can be displayed by using the country

?

command.

Example

Enterprise AP#country tw

Enterprise AP#

prompt

This command customizes the CLI prompt. Use the no form to restore the default prompt.

Syntax prompt

<string> no prompt string - Any alphanumeric string to use for the CLI prompt.

(Maximum length: 32 characters)

Default Setting

Enterprise AP

Command Mode

Global Configuration

Example

Enterprise AP(config)#prompt RD2

RD2(config)#

system name

This command specifies or modifies the system name for this device. Use the no form to restore the default system name.

Syntax system name

<name> no system name name

- The name of this host.

(Maximum length: 32 characters)

Default Setting

Enterprise AP

7-14

System Management Commands

7

Command Mode

Global Configuration

Example

Enterprise AP(config)#system name AP

Enterprise AP(config)#

username

This command configures the user name for management access.

Syntax username <name> name - The name of the user.

(Length: 3-16 characters, case sensitive)

Default Setting admin

Command Mode

Global Configuration

Example

Enterprise AP(config)#username bob

Enterprise AP(config)#

password

After initially logging onto the system, you should set the password. Remember to record it in a safe place. Use the no form to reset the default password.

Syntax

password <password > no password password - Password for management access.

(Length: 3-16 characters, case sensitive)

Default Setting smcadmin

Command Mode

Global Configuration

Example

Enterprise AP(config)#password

Enterprise AP(config)#

7-15

7

Command Line Interface

ip ssh-server enable

This command enables the Secure Shell server. Use the no form to disable the server.

Syntax ip ssh-server enable no ip ssh-server

Default Setting

Interface enabled

Command Mode

Interface Configuration (Ethernet)

Command Usage

• The access point supports Secure Shell version 2.0 only.

• After boot up, the SSH server needs about two minutes to generate host encryption keys. The SSH server is disabled while the keys are being generated. The show system command displays the status of the SSH server.

Example

Enterprise AP(if-ethernet)#ip ssh-server enable

Enterprise AP(if-ethernet)#

ip ssh-server port

This command sets the Secure Shell server port. Use the no form to disable the server.

Syntax ip ssh-server port <port-number>

port-number - The UDP port used by the SSH server. (Range: 1-65535)

Default Setting

22

Command Mode

Interface Configuration (Ethernet)

Example

Enterprise AP(if-ethernet)#ip ssh-server port 1124

Enterprise AP(if-ethernet)#

7-16

System Management Commands

7

ip telnet-server enable

This command enables the Telnet server. Use the no form to disable the server.

Syntax ip telnet-server enable no ip telnet-server

Default Setting

Interface enabled

Command Mode

Interface Configuration (Ethernet)

Example

Enterprise AP(if-ethernet)#ip telnet-server enable

Enterprise AP(if-ethernet)#

ip http port

This command specifies the TCP port number used by the web browser interface.

Use the no form to use the default port.

Syntax ip http port <port-number> no ip http port port-number - The TCP port to be used by the browser interface.

(Range: 1024-65535)

Default Setting

80

Command Mode

Global Configuration

Example

Enterprise AP(config)#ip http port 769

Enterprise AP(config)#

Related Commands

ip http server (7-18)

7-17

7

Command Line Interface

ip http server

This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.

Syntax ip http server no ip http server

Default Setting

Enabled

Command Mode

Global Configuration

Example

Enterprise AP(config)#ip http server

Enterprise AP(config)#

Related Commands

ip http port (7-17)

ip https port

Use this command to specify the UDP port number used for HTTPS/SSL connection to the access point’s Web interface. Use the no form to restore the default port.

Syntax ip https port <port_number> no ip https port port_number

– The UDP port used for HTTPS/SSL.

(Range: 80, 1024-65535)

Default Setting

443

Command Mode

Global Configuration

Command Usage

• You cannot configure the HTTP and HTTPS servers to use the same port.

• To avoid using common reserved TCP port numbers below 1024, the configurable range is restricted to 443 and between 1024 and 65535.

• If you change the HTTPS port number, clients attempting to connect to the

HTTPS server must specify the port number in the URL, in this format:

https://device:port_number

7-18

System Management Commands

7

Example

Enterprise AP(config)#ip https port 1234

Enterprise AP(config)#

ip https server

Use this command to enable the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the access point’s Web interface. Use the no form to disable this function.

Syntax ip https server no ip https server

Default Setting

Enabled

Command Mode

Global Configuration

Command Usage

• Both HTTP and HTTPS service can be enabled independently.

• If you enable HTTPS, you must indicate this in the URL:

https://device :port_number]

• When you start HTTPS, the connection is established in this way:

- The client authenticates the server using the server’s digital certificate.

- The client and server negotiate a set of security protocols to use for the connection.

- The client and server generate session keys for encrypting and decrypting data.

• The client and server establish a secure encrypted connection.

A padlock icon should appear in the status bar for Internet Explorer 5.x.

Example

Enterprise AP(config)#ip https server

Enterprise AP(config)#

7-19

7

Command Line Interface

web-redirect

Use this command to enable web-based authentication of clients. Use the no form to disable this function.

Syntax

[no] web-redirect

Default Setting

Disabled

Command Mode

Global Configuration

Command Usage

• The web redirect feature is used to support billing for a public access wireless network. After successful association to an access point, a client is

“redirected” to an access point login web page as soon as Internet access is attempted. The client is then authenticated by entering a user name and password on the web page. This process allows controlled access for clients without requiring 802.1X or MAC authentication.

• Web redirect requires a RADIUS server on the wired network with configured user names and passwords for authentication. The RADIUS server details

must also be configured on the access point. (See “show bootfile” on page 7-58.)

• Use the show system command to display the current web redirect status.

Example

Enterprise AP(config)#web-redirect

Enterprise AP(config)#

7-20

System Management Commands

7

APmgmtIP

This command specifies the client IP addresses that are allowed management access to the access point through various protocols.

Caution: Secure Web (HTTPS) connections are not affected by the UI Management or

IP Management settings.

Syntax

APmgmtIP <multiple IP_address subnet_mask | single IP_address | any>

multiple - Adds IP addresses within a specifiable range to the SNMP, web and Telnet groups.

single - Adds an IP address to the SNMP, web and Telnet groups.

any - Allows any IP address access through SNMP, web and Telnet groups.

IP_address - Adds IP addresses to the SNMP, web and Telnet groups.

subnet_mask - Specifies a range of IP addresses allowed management access.

Default Setting

All addresses

Command Mode

Global Configuration

Command Usage

• If anyone tries to access a management interface on the access point from an invalid address, the unit will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.

• IP address can be configured for SNMP, web and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.

• When entering addresses for the same group (i.e., SNMP, web or Telnet), the access point will not accept overlapping address ranges. When entering addresses for different groups, the access point will accept overlapping address ranges.

• You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses.

• You can delete an address range just by specifying the start address, or by specifying both the start address and end address.

Example

This example restricts management access to the indicated addresses.

Enterprise AP(config)#apmgmtip multiple 192.168.1.50 255.255.255.0

Enterprise AP(config)#

7-21

7

Command Line Interface

APmgmtUI

This command enables and disables management access to the access point through SNMP, Telnet and web interfaces.

Caution: Secure Web (HTTPS) connections are not affected by the UI Management or

IP Management settings.

Syntax

APmgmtUI <[SNMP | Telnet | Web] enable | disable>

SNMP - Specifies SNMP management access.

Telnet - Specifies Telnet management access.

Web - Specifies web based management access.

- enable/disable - Enables or disables the selected management access method.

Default Setting

All enabled

Command Mode

Global Configuration

Example

This example restricts management access to the indicated addresses.

Enterprise AP(config)#apmgmtui SNMP enable

Enterprise AP(config)#

show apmagement

This command shows the AP management configuration, including the IP addresses of management stations allowed to access the access point, as well as the interface protocols which are open to management access.

Command Mode

Exec

Example

Enterprise AP#show apmagement

Management AP Information

=================================

AP Management IP Mode: Any IP

Telnet UI: Enable

WEB UI : Enable

SNMP UI : Enable

==================================

Enterprise AP#

7-22

System Management Commands

7

show system

This command displays basic system configuration settings.

Default Setting

None

Command Mode

Exec

Example

Enterprise AP#show system

System Information

System Information

==============================================================

Serial Number :

System Up time : 0 days, 1 hours, 34 minutes, 38 seconds

System Name : Enterprise Wireless AP

System Location :

System Contact : Contact

System Country Code : US - UNITED STATES

MAC Address : 00-13-F7-1C-33-66

Radio A MAC Address : 00-13-F7-1C-33-66

Radio G MAC Address : 00-13-F7-1C-33-67

IP Address : 192.168.2.2

Subnet Mask : 255.255.255.0

Default Gateway : 0.0.0.0

VLAN State : DISABLED

Management VLAN ID(AP): 1

IAPP State : ENABLED

DHCP Client : ENABLED

HTTP Server : ENABLED

HTTP Server Port : 80

HTTP Session Timeout : 300 sec(s)

HTTPS Server : ENABLED

HTTPS Server Port : 443

Slot Status : Single band(a/g)

Boot Rom Version : v1.1.1

Software Version : v5.0.0.0

SSH Server : ENABLED

SSH Server Port : 22

Telnet Server : ENABLED

WEB Redirect : DISABLED

DHCP Relay : DISABLED

==============================================================

Enterprise AP#

7-23

7

Command Line Interface

show version

This command displays the software version for the system.

Command Mode

Exec

Example

Enterprise AP#show version

Version Information

=========================================

Software Version : v5.0.0.0

Date : Feb 8 2006, 17:48:27

BootRom Version : v1.1.1

Hardware version : R0A

=========================================

Enterprise AP#

show config

This command displays detailed configuration information for the system.

Command Mode

Exec

Example

Enterprise AP#show config

Authentication Information

===========================================================

MAC Authentication Server : DISABLED

MAC Auth Session Timeout Value : 0 min

802.1x supplicant : DISABLED

802.1x supplicant user : EMPTY

802.1x supplicant password : EMPTY

Address Filtering : ALLOWED

System Default : ALLOW addresses not found in filter table.

Filter Table

-----------------------------------------------------------

No Filter Entries.

Bootfile Information

===================================

Bootfile : smc-img.bin

===================================

Protocol Filter Information

===========================================================

Local Bridge :DISABLED

AP Management :ENABLED

Ethernet Type Filter :DISABLED

Enabled Protocol Filters

-----------------------------------------------------------

No protocol filters are enabled

===========================================================

7-24

System Management Commands

7

Hardware Version Information

===========================================

Hardware version R01A

===========================================

Ethernet Interface Information

========================================

IP Address : 192.168.0.151

Subnet Mask : 255.255.255.0

Default Gateway : 192.168.0.1

Primary DNS : 210.200.211.225

Secondary DNS : 210.200.211.193

Speed-duplex : 100Base-TX Full Duplex

Admin status : Up

Operational status : Up

========================================

Wireless Interface 802.11g Information

===========================================================

----------------Identification-----------------------------

Description : Enterprise 802.11g Access Point

SSID : SMC_VAP_G 0

Channel : 1 (AUTO)

Antenna Mode : Fixed

Status : Enable

----------------802.11 Parameters--------------------------

Radio Mode : 802.11b+g

Transmit Power : 100% (16 dBm)

Data Rate : 54Mbps

Fragmentation Threshold : 2346 bytes

RTS Threshold : 2347 bytes

Beacon Interval : 100 TUs

DTIM Interval : 1 beacon

Maximum Association : 64 stations

Native VLAN ID : 1

----------------Security-----------------------------------

Closed System : DISABLED

Multicast cipher : WEP

Unicast cipher : TKIP and AES

WPA clients : REQUIRED

WPA Key Mgmt Mode : PRE SHARED KEY

WPA PSK Key Type : ALPHANUMERIC

Encryption : DISABLED

Default Transmit Key : 1

Static Keys :

Key 1: EMPTY Key 2: EMPTY Key 3: EMPTY Key 4: EMPTY

Key Length :

Key 1: ZERO Key 2: ZERO Key 3: ZERO Key 4: ZERO

Authentication Type : OPEN

Rogue AP Detection : Disabled

Rogue AP Scan Interval : 720 minutes

Rogue AP Scan Duration : 350 milliseconds

===========================================================

Console Line Information

===========================================================

databits : 8

parity : none

speed : 9600

stop bits : 1

===========================================================

7-25

7

Command Line Interface

Logging Information

=====================================================

Syslog State : Disabled

Logging Console State : Disabled

Logging Level : Informational

Logging Facility Type : 16

Servers

1: 0.0.0.0 , UDP Port: 514, State: Disabled

2: 0.0.0.0 , UDP Port: 514, State: Disabled

3: 0.0.0.0 , UDP Port: 514, State: Disabled

4: 0.0.0.0 , UDP Port: 514, State: Disabled

======================================================

Radius Server Information

========================================

IP : 0.0.0.0

Port : 1812

Key : *****

Retransmit : 3

Timeout : 5

Radius MAC format : no-delimiter

Radius VLAN format : HEX

========================================

Radius Secondary Server Information

========================================

IP : 0.0.0.0

Port : 1812

Key : *****

Retransmit : 3

Timeout : 5

Radius MAC format : no-delimiter

Radius VLAN format : HEX

========================================

SNMP Information

==============================================

Service State : Disable

Community (ro) : ********

Community (rw) : ********

Location :

Contact : Contact

EngineId :80:00:07:e5:80:00:00:29:f6:00:00:00:0c

EngineBoots:2

Trap Destinations:

1: 0.0.0.0, Community: *****, State: Disabled

2: 0.0.0.0, Community: *****, State: Disabled

3: 0.0.0.0, Community: *****, State: Disabled

4: 0.0.0.0, Community: *****, State: Disabled

7-26

System Management Commands

7

dot11InterfaceAGFail Enabled dot11InterfaceBFail Enabled

dot11StationAssociation Enabled dot11StationAuthentication Enabled

dot11StationReAssociation Enabled dot11StationRequestFail Enabled

dot1xAuthFail Enabled dot1xAuthNotInitiated Enabled

dot1xAuthSuccess Enabled dot1xMacAddrAuthFail Enabled

dot1xMacAddrAuthSuccess Enabled iappContextDataSent Enabled

iappStationRoamedFrom Enabled iappStationRoamedTo Enabled

localMacAddrAuthFail Enabled localMacAddrAuthSuccess Enabled

pppLogonFail Enabled sntpServerFail Enabled

configFileVersionChanged Enabled radiusServerChanged Enabled

systemDown Enabled systemUp Enabled

=============================================

SNTP Information

===========================================================

Service State : Disabled

SNTP (server 1) IP : 137.92.140.80

SNTP (server 2) IP : 192.43.244.18

Current Time : 00 : 14, Jan 1st, 1970

Time Zone : -5 (BOGOTA, EASTERN, INDIANA)

Daylight Saving : Disabled

===========================================================

Station Table Information

=========================================================== if-wireless A VAP [0] :

802.11g Channel : Auto

No 802.11g Channel Stations.

.

.

if-wireless G VAP [0] :

802.11g Channel : Auto

No 802.11g Channel Stations.

.

.

System Information

==============================================================

Serial Number :

System Up time : 0 days, 0 hours, 16 minutes, 51 seconds

System Name : SMC

System Location :

System Contact : Contact

System Country Code : 99 - NO_COUNTRY_SET

MAC Address : 00-12-CF-05-B7-84

IP Address : 192.168.0.151

Subnet Mask : 255.255.255.0

Default Gateway : 192.168.0.1

VLAN State : DISABLED

Management VLAN ID(AP): 1

IAPP State : ENABLED

DHCP Client : ENABLED

HTTP Server : ENABLED

HTTP Server Port : 80

HTTPS Server : ENABLED

HTTPS Server Port : 443

Slot Status : Single band(a/g)

Boot Rom Version : v3.0.7

Software Version : v5.0.0.0

7-27

7

Command Line Interface

SSH Server : ENABLED

SSH Server Port : 22

Telnet Server : ENABLED

WEB Redirect : DISABLED

DHCP Relay : DISABLED

==============================================================

Version Information

=========================================

Version: v4.3.2.2

Date : Dec 20 2005, 18:38:12

=========================================

Enterprise AP#

show hardware

This command displays the hardware version of the system.

Command Mode

Exec

Example

Enterprise AP#show hardware

Hardware Version Information

===========================================

Hardware version R01

===========================================

Enterprise AP#

System Logging Commands

These commands are used to configure system logging on the access point.

Command logging on logging host logging console logging level logging facility-type logging clear show logging show event-log

Table 7-6. System Logging Commands

Function

Controls logging of error messages

Adds a syslog server host IP address that will receive logging messages

Initiates logging of error messages to the console GC

Defines the minimum severity level for event logging GC

Sets the facility type for remote logging of syslog messages

GC

Mode

GC

GC

Clears all log entries in access point memory

Displays the state of logging

Displays all log entries in access point memory

GC

Exec

Exec

Page

7-29

7-29

7-30

7-30

7-31

7-32

7-32

7-33

7-28

System Logging Commands

7

logging on

This command controls logging of error messages; i.e., sending debug or error messages to memory. The no form disables the logging process.

Syntax

[no] logging on

Default Setting

Disabled

Command Mode

Global Configuration

Command Usage

The logging process controls error messages saved to memory. You can use the logging level command to control the type of error messages that are stored in memory.

Example

Enterprise AP(config)#logging on

Enterprise AP(config)#

logging host

This command specifies syslog servers host that will receive logging messages. Use the no form to remove syslog server host.

Syntax logging host <1 | 2 | 3 | 4> <host_name | host_ip_address> [udp_port] no logging host <1 | 2 | 3 | 4>

1 - First syslog server.

2 - Second syslog server.

3 - Third syslog server.

4 - Fourth syslog server.

host_name - The name of a syslog server. (Range: 1-20 characters)

host_ip_address - The IP address of a syslog server.

udp_port - The UDP port used by the syslog server.

Default Setting

None

Command Mode

Global Configuration

7-29

7

Command Line Interface

Example

Enterprise AP(config)#logging host 1 10.1.0.3

Enterprise AP(config)#

logging console

This command initiates logging of error messages to the console. Use the no form to disable logging to the console.

Syntax logging console no logging console

Default Setting

Disabled

Command Mode

Global Configuration

Example

Enterprise AP(config)#logging console

Enterprise AP(config)#

logging level

This command sets the minimum severity level for event logging.

Syntax logging level

<Emergency | Alert | Critical | Error | Warning | Notice |

Informational | Debug>

Default Setting

Informational

Command Mode

Global Configuration

7-30

System Logging Commands

7

Command Usage

Messages sent include the selected level down to Emergency level.

Level Argument

Emergency

Alert

Critical

Error

Warning

Notice

Informational

Debug

Description

System unusable

Immediate action needed

Critical conditions (e.g., memory allocation, or free memory error - resource exhausted)

Error conditions (e.g., invalid input, default used)

Warning conditions (e.g., return false, unexpected return)

Normal but significant condition, such as cold start

Informational messages only

Debugging messages

Example

Enterprise AP(config)#logging level alert

Enterprise AP(config)#

logging facility-type

This command sets the facility type for remote logging of syslog messages.

Syntax logging facility-type <type> type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service. (Range: 16-23)

Default Setting

16

Command Mode

Global Configuration

7-31

7

Command Line Interface

Command Usage

The command specifies the facility type tag sent in syslog messages. (See

RFC 3164.) This type has no effect on the kind of messages reported by the access point. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.

Example

Enterprise AP(config)#logging facility 19

Enterprise AP(config)#

logging clear

This command clears all log messages stored in the access point’s memory.

Syntax logging clear

Command Mode

Global Configuration

Example

Enterprise AP(config)#logging clear

Enterprise AP(config)#

show logging

This command displays the logging configuration.

Syntax show logging

Command Mode

Exec

Example

Enterprise AP#show logging

Logging Information

============================================

Syslog State : Enabled

Logging Console State : Enabled

Logging Level : Alert

Logging Facility Type : 16

Servers

1: 192.168.1.19, UDP Port: 514, State: Enabled

2: 0.0.0.0, UDP Port: 514, State: Disabled

3: 0.0.0.0, UDP Port: 514, State: Disabled

4: 0.0.0.0, UDP Port: 514, State: Disabled

=============================================

Enterprise AP#

7-32

System Clock Commands

7

show event-log

This command displays log messages stored in the access point’s memory.

Syntax show event-log

Command Mode

Exec

Example

Enterprise AP#show event-log

Mar 09 11:57:55 Information: 802.11g:11g Radio Interface Enabled

Mar 09 11:57:55 Information: 802.11g:Radio channel updated to 8

Mar 09 11:57:34 Information: 802.11g:11g Radio Interface Enabled

Mar 09 11:57:18 Information: 802.11g:11g Radio Interface Enabled

Mar 09 11:55:52 Information: SSH task: Set SSH server port to 22

Mar 09 11:55:52 Information: SSH task: Enable SSH server.

Mar 09 11:55:52 Information: Enable Telnet.

Mar 09 11:55:40 Information: 802.11g:Transmit Power set to QUARTER

Press <n> next. <p> previous. <a> abort. <y> continue to end :

Enterprise AP#configure

Enter configuration commands, one per line. End with CTRL/Z

Enterprise AP(config)#logging clear

System Clock Commands

These commands are used to configure SNTP and system clock settings on the access point.

Command sntp-server ip sntp-server enable sntp-server date-time sntp-server daylight-saving sntp-server timezone show sntp

Table 7-7. System Clock Commands

Function

Specifies one or more time servers

Accepts time from the specified time servers

Manually sets the system date and time

Sets the start and end dates for daylight savings time

Mode

GC

GC

GC

GC

Sets the time zone for the access point’s internal clock GC

Shows current SNTP configuration settings Exec

Page

7-34

7-34

7-35

7-36

7-36

7-37

7-33

7

Command Line Interface

sntp-server ip

This command sets the IP address of the servers to which SNTP time requests are issued. Use the this command with no arguments to clear all time servers from the current list.

Syntax sntp-server ip <1 | 2> <ip>

1 - First time server.

2 - Second time server.

ip - IP address of an time server (NTP or SNTP).

Default Setting

137.92.140.80

192.43.244.18

Command Mode

Global Configuration

Command Usage

When SNTP client mode is enabled using the sntp-server enable command, the sntp-server ip command specifies the time servers from which the access point polls for time updates. The access point will poll the time servers in the order specified until a response is received.

Example

Enterprise AP(config)#sntp-server ip 10.1.0.19

Enterprise AP#

Related Commands

sntp-server enable (7-34)

show sntp (7-37)

sntp-server enable

This command enables SNTP client requests for time synchronization with NTP or

SNTP time servers specified by the sntp-server ip command. Use the no form to disable SNTP client requests.

Syntax sntp-server enable no sntp-server enable

Default Setting

Enabled

7-34

System Clock Commands

7

Command Mode

Global Configuration

Command Usage

The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the access point only records the time starting from the factory default set at the last bootup (i.e., 00:14:00, January

1, 1970).

Example

Enterprise AP(config)#sntp-server enable

Enterprise AP(config)#

Related Commands

sntp-server ip (7-34)

show sntp (7-37)

sntp-server date-time

This command sets the system clock.

Default Setting

00:14:00, January 1, 1970

Command Mode

Global Configuration

Example

This example sets the system clock to 17:37 June 19, 2003.

Enterprise AP(config)#sntp-server date-time

Enter Year<1970-2100>: 2003

Enter Month<1-12>: 6

Enter Day<1-31>: 19

Enter Hour<0-23>: 17

Enter Min<0-59>: 37

Enterprise AP(config)#

Related Commands

sntp-server enable (7-34)

7-35

7

Command Line Interface

sntp-server daylight-saving

This command sets the start and end dates for daylight savings time. Use the no form to disable daylight savings time.

Syntax sntp-server daylight-saving no sntp-server daylight-saving

Default Setting

Disabled

Command Mode

Global Configuration

Command Usage

The command sets the system clock back one hour during the specified period.

Example

This sets daylight savings time to be used from July 1st to September 1st.

Enterprise AP(config)#sntp-server daylight-saving

Enter Daylight saving from which month<1-12>: 6 and which day<1-31>: 1

Enter Daylight saving end to which month<1-12>: 9 and which day<1-31>: 1

Enterprise AP(config)#

sntp-server timezone

This command sets the time zone for the access point’s internal clock.

Syntax sntp-server timezone <hours> hours - Number of hours before/after UTC.

(Range: -12 to +12 hours)

Default Setting

-5 (BOGOTA, EASTERN, INDIANA)

Command Mode

Global Configuration

7-36

System Clock Commands

7

Command Usage

This command sets the local time zone relative to the Coordinated Universal

Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.

Example

Enterprise AP(config)#sntp-server timezone +8

Enterprise AP(config)#

show sntp

This command displays the current time and configuration settings for the SNTP client.

Command Mode

Exec

Example

Enterprise AP#show sntp

SNTP Information

=========================================================

Service State : Enabled

SNTP (server 1) IP : 137.92.140.80

SNTP (server 2) IP : 192.43.244.18

Current Time : 08 : 04, Jun 20th, 2006

Time Zone : +8 (TAIPEI, BEIJING)

Daylight Saving : Enabled, from Jun, 1st to Sep, 1st

=========================================================

Enterprise AP#

7-37

7

Command Line Interface

DHCP Relay Commands

Dynamic Host Configuration Protocol (DHCP) can dynamically allocate an IP address and other configuration information to network clients that broadcast a request. To receive the broadcast request, the DHCP server would normally have to be on the same subnet as the client. However, when the access point’s DHCP relay agent is enabled, received client requests can be forwarded directly by the access point to a known DHCP server on another subnet. Responses from the DHCP server are returned to the access point, which then broadcasts them back to clients.

Command dhcp-relay enable dhcp-relay show dhcp-relay

Table 7-8. DHCP Relay Commands

Function

Enables the DHCP relay agent

Sets the primary and secondary DHCP server address

Shows current DHCP relay configuration settings

Mode

GC

GC

Exec

Page

7-38

7-39

7-39

dhcp-relay enable

This command enables the access point’s DHCP relay agent. Use the no form to disable the agent.

Syntax

[no] dhcp-relay enable

Default Setting

Disabled

Command Mode

Global Configuration

Command Usage

• For the DHCP relay agent to function, the primary DHCP server must be configured using the dhcp-relay primary command. A secondary DHCP server does not need to be configured, but it is recommended.

• If there is no response from the primary DHCP server, and a secondary server has been configured, the agent will then attempt to send DHCP requests to the secondary server.

Example

Enterprise AP(config)#dhcp-relay enable

Enterprise AP(config)#

7-38

DHCP Relay Commands

7

dhcp-relay

This command configures the primary and secondary DHCP server addresses.

Syntax dhcp-relay

<primary | secondary> <ip_address>

primary - The primary DHCP server.

secondary - The secondary DHCP server.

ip_address - IP address of the server.

Default Setting

Primary and secondary: 0.0.0.0

Command Mode

Global Configuration

Example

Enterprise AP(config)#dhcp-relay primary 192.168.1.10

Enterprise AP(config)#

show dhcp-relay

This command displays the current DHCP relay configuration.

Command Mode

Exec

Example

Enterprise AP#show dhcp-relay

DHCP Relay : ENABLED

Primary DHCP Server : 192.168.1.10

Secondary DHCP Server : 0.0.0.0

Enterprise AP#

7-39

7

Command Line Interface

SNMP Commands

Controls access to this access point from management stations using the Simple

Network Management Protocol (SNMP), as well as the hosts that will receive trap messages.

Table 7-9. SNMP Commands

Command snmp-server community

Function Mode

Sets up the community access string to permit access to SNMP commands

GC snmp-server contact snmp-server location

Sets the system contact string

Sets the system location string snmp-server enable server Enables SNMP service and traps snmp-server host Specifies the recipient of an SNMP notification operation

GC

GC

GC

GC snmp-server trap snmp-server engine id snmp-server user snmp-server targets snmp-server filter snmp-server filter-assignments show snmp groups show snmp users

Enables specific SNMP notifications

Sets the engine ID for SNMP v3

Sets the name of the SNMP v3 user

Configures SNMP v3 notification targets

Configures SNMP v3 notification filters

Assigns SNMP v3 notification filters to targets

Displays the pre-defined SNMP v3 groups

Displays SNMP v3 user settings

GC

GC

GC

GC

GC

GC

Exec

Exec

Displays the assignment of users to SNMP v3 groups Exec show snmp group-assignments show snmp target show snmp filter show snmp filter-assignments show snmp

Displays the SNMP v3 notification targets

Displays the SNMP v3 notification filters

Exec

Exec

Displays the SNMP v3 notification filter assignments Exec

Displays the status of SNMP communications Exec

7-50

7-51

7-51

7-52

7-52

7-53

7-44

7-46

7-46

7-48

7-49

7-50

7-54

Page

7-41

7-41

7-42

7-42

7-43

7-40

SNMP Commands

7

snmp-server community

This command defines the community access string for the Simple Network

Management Protocol. Use the no form to remove the specified community string.

Syntax snmp-server community

string [ro | rw] no snmp-server community string

string - Community string that acts like a password and permits access to the SNMP protocol. (Maximum length: 23 characters, case sensitive)

ro - Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.

rw - Specifies read/write access. Authorized management stations are able to both retrieve and modify MIB objects.

Default Setting

• public - Read-only access. Authorized management stations are only able to retrieve MIB objects.

• private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.

Command Mode

Global Configuration

Command Usage

If you enter a community string without the ro or rw option, the default is read only.

Example

Enterprise AP(config)#snmp-server community alpha rw

Enterprise AP(config)#

snmp-server contact

This command sets the system contact string. Use the no form to remove the system contact information.

Syntax snmp-server contact string no snmp-server contact string - String that describes the system contact. (Maximum length: 255 characters)

Default Setting

None

7-41

7

Command Line Interface

Command Mode

Global Configuration

Example

Enterprise AP(config)#snmp-server contact Paul

Enterprise AP(config)#

Related Commands

snmp-server location (7-42)

snmp-server location

This command sets the system location string. Use the no form to remove the location string.

Syntax snmp-server location <text> no snmp-server location text - String that describes the system location.

(Maximum length: 255 characters)

Default Setting

None

Command Mode

Global Configuration

Example

Enterprise AP(config)#snmp-server location WC-19

Enterprise AP(config)#

Related Commands

snmp-server contact (7-41)

snmp-server enable server

This command enables SNMP management access and also enables this device to send SNMP traps (i.e., notifications). Use the no form to disable SNMP service and trap messages.

Syntax snmp-server enable server no snmp-server enable server

Default Setting

Enabled

7-42

SNMP Commands

7

Command Mode

Global Configuration

Command Usage

• This command enables both authentication failure notifications and link-up-down notifications.

• The snmp-server host command specifies the host device that will receive

SNMP notifications.

Example

Enterprise AP(config)#snmp-server enable server

Enterprise AP(config)#

Related Commands

snmp-server host (7-43)

snmp-server host

This command specifies the recipient of an SNMP notification. Use the no form to remove the specified host.

Syntax snmp-server host

<1 | 2 | 3 | 4> <host_ip_address | host_name>

<community-string> no snmp-server host

1 - First SNMP host.

2 - Second SNMP host.

3 - Third SNMP host.

4 - Fourth SNMP host.

host_ip_address - IP of the host (the targeted recipient).

host_name - Name of the host. (Range: 1-63 characters)

community-string - Password-like community string sent with the notification operation. Although you can set this string using the snmp-server host command by itself, we recommend that you define this string using the snmp-server community command prior to using the snmp-server host

command. (Maximum length: 23 characters)

Default Setting

Host Address: None

Community String: public

Command Mode

Global Configuration

7-43

7

Command Line Interface

Command Usage

The snmp-server host command is used in conjunction with the snmp-server enable server command to enable SNMP notifications.

Example

Enterprise AP(config)#snmp-server host 1 10.1.19.23 batman

Enterprise AP(config)#

Related Commands

snmp-server enable server (7-42)

snmp-server trap

This command enables the access point to send specific SNMP traps

(i.e., notifications). Use the no form to disable specific trap messages.

Syntax snmp-server trap

<trap> no snmp-server trap <trap>

trap - One of the following SNMP trap messages:

- sysSystemUp - The access point is up and running.

- sysSystemDown - The access point is about to shutdown and reboot.

- sysRadiusServerChanged - The access point has changed from the primary RADIUS server to the secondary, or from the secondary to the primary.

- sysConfigFileVersionChanged - The access point’s configuration file has been changed.

- dot11StationAssociation - A client station has successfully associated with the access point.

- dot11StationReAssociation - A client station has successfully re-associated with the access point.

- dot11StationAuthentication - A client station has been successfully authenticated.

- dot11StationRequestFail - A client station has failed association, re-association, or authentication.

- dot11InterfaceBFail - The 802.11b interface has failed.

- dot1xMacAddrAuthSuccess - A client station has successfully authenticated its MAC address with the RADIUS server.

- dot1xMacAddrAuthFail - A client station has failed MAC address authentication with the RADIUS server.

- dot1xAuthNotInitiated - A client station did not initiate 802.1X authentication.

- dot1xAuthSuccess - A 802.1X client station has been successfully authenticated by the RADIUS server.

7-44

SNMP Commands

7

- dot1xAuthFail - A 802.1X client station has failed RADIUS authentication.

- dot1xSuppAuthenticated - A supplicant station has been successfully authenticated by the RADIUS server

- localMacAddrAuthSuccess - A client station has successfully authenticated its MAC address with the local database on the access point.

- localMacAddrAuthFail - A client station has failed authentication with the local MAC address database on the access point.

- iappStationRoamedFrom - A client station has roamed from another access point (identified by its IP address).

- iappStationRoamedTo - A client station has roamed to another access point (identified by its IP address).

- iappContextDataSent - A client station’s Context Data has been sent to another access point with which the station has associated.

- sntpServerFail - The access point has failed to set the time from the configured SNTP server.

- wirelessExternalAntenna - An external antenna has been enabled.

- dot11WirelessStationDeauthenticate - A client station has de-authenticated from the network.

- dot11StationDisassociate - A client station no longer associates with the network.

- dot11StationAuthenticateFail - A client station has tried and failed to authenticate to the network.

Default Setting

All traps enabled

Command Mode

Global Configuration

Command Usage

This command is used in conjunction with the snmp-server host and snmp-server enable server commands to enable SNMP notifications.

Example

Enterprise AP(config)#no snmp-server trap dot11StationAssociation

Enterprise AP(config)#

7-45

7

Command Line Interface

snmp-server engine-id

This command is used for SNMP v3. It is used to uniquely identify the access point among all access points in the network. Use the no form to delete the engine ID.

Syntax snmp-server engine-id

<engine-id> no snmp-server engine-id engine-id

- Enter engine-id in hexadecimal (5-32 characters).

Default Setting

Enabled

Command Mode

Global Configuration

Command Usage

• This command is used in conjunction with the snmp-server user

command.

• Entering this command invalidates all engine IDs that have been previously configured.

• If the engineID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users

Example

Enterprise AP(config)#snmp-server engine-id 1a:2b:3c:4d:00:ff

Enterprise AP(config)#

snmp-server user

This command configures the SNMP v3 users that are allowed to manage the access point. Use the no form to delete an SNMP v3 user.

Syntax

snmp-server user <user-name > user-name - A user-defined string for the SNMP user. (32 characters maximum)

Default Setting

None

Command Mode

Global Configuration

Command Usage

• Up to 10 SNMPv3 users can be configured on the access point.

7-46

SNMP Commands

7

• The SNMP engine ID is used to compute the authentication/privacy digests from the pass phrase. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command.

• The access point enables SNMP v3 users to be assigned to three pre-defined groups. Other groups cannot be defined. The available groups are:

- RO - A read-only group using no authentication and no data encryption.

Users in this group use no security, either authentication or encryption, in

SNMP messages they send to the agent. This is the same as SNMP v1 or SNMP v2c.

- RWAuth - A read/write group using authentication, but no data encryption. Users in this group send SNMP messages that use an MD5 key/password for authentication, but not a DES key/password for encryption.

- RWPriv - A read/write group using authentication and data encryption.

Users in this group send SNMP messages that use an MD5 key/ password for authentication and a DES key/password for encryption.

Both the MD5 and DES key/passwords must be defined.

• The command prompts for the following information to configure an SNMP v3 user:

- user-name - A user-defined string for the SNMP user. (32 characters maximum)

- group-name - The name of the SNMP group to which the user is assigned (32 characters maximum). There are three pre-defined groups:

RO, RWAuth, or RWPriv.

- auth-proto - The authentication type used for user authentication: md5 or none.

- auth-passphrase - The user password required when authentication is used (8 – 32 characters).

- priv-proto - The encryption type used for SNMP data encryption: des or none.

- priv-passphrase - The user password required when data encryption is used (8 – 32 characters).

• Users must be assigned to groups that have the same security levels. If a user who has “AuthPriv” security (uses authentication and encryption) is assigned to a read-only (RO) group, the user will not be able to access the database. An AuthPriv user must be assigned to the RWPriv group with the

AuthPriv security level.

• To configure a user for the RWAuth group, you must include the auth-proto and auth-passphrase keywords.

• To configure a user for the RWPriv group, you must include the auth-proto, auth-passphrase, priv-proto, and priv-passphrase keywords.

7-47

7

Command Line Interface

Example

Enterprise AP(config)#snmp-server user

User Name<1-32> :chris

Group Name<1-32> :RWPriv

Authtype(md5,<cr>none):md5

Passphrase<8-32>:a good secret

Privacy(des,<cr>none) :des

Passphrase<8-32>:a very good secret

Enterprise AP(config)#

snmp-server targets

This command configures SNMP v3 notification targets. Use the no form to delete an SNMP v3 target.

Syntax snmp-server targets <target-id> <ip-addr> <sec-name>

[version {3}] [udp-port {port-number}] [notification-type

{TRAP}] no snmp-server

targets <target-id>

target-id - A user-defined name that identifies a receiver of SNMP notifications. (Maximum length: 32 characters)

ip-addr - Specifies the IP address of the management station to receive notifications.

sec-name - The defined SNMP v3 user name that is to receive notifications.

version - The SNMP version of notifications. Currently only version 3 is supported in this command.

udp-port - The UDP port that is used on the receiving management station for notifications.

notification-type - The type of notification that is sent. Currently only TRAP is supported.

Default Setting

None

Command Mode

Global Configuration

Command Usage

• The access point supports up to 10 SNMP v3 target IDs.

• The SNMP v3 user name that is specified in the target must first be configured using the snmp-server user command.

Example

Enterprise AP(config)#snmp-server targets mytraps 192.168.1.33 chris

Enterprise AP(config)#

7-48

SNMP Commands

7

snmp-server filter

This command configures SNMP v3 notification filters. Use the no form to delete an

SNMP v3 filter or remove a subtree from a filter.

Syntax snmp-server filter

<filter-id> <include | exclude> <subtree>

[mask {mask}] no snmp-server filter <filter-id> [subtree]

filter-id - A user-defined name that identifies an SNMP v3 notification filter.

(Maximum length: 32 characters)

include - Defines a filter type that includes objects in the MIB subtree.

exclude - Defines a filter type that excludes objects in the MIB subtree.

subtree - The part of the MIB subtree that is to be filtered.

mask - An optional hexadecimal value bit mask to define objects in the MIB subtree.

Default Setting

None

Command Mode

Global Configuration

Command Usage

• The access point allows up to 10 notification filters to be created. Each filter can be defined by up to 20 MIB subtree ID entries.

• Use the command more than once with the same filter ID to build a filter that includes or excludes multiple MIB objects. Note that the filter entries are applied in the sequence that they are defined.

• The MIB subtree must be defined in the form “.1.3.6.1” and always start with a “.”.

• The mask is a hexadecimal value with each bit masking the corresponding

ID in the MIB subtree. A “1” in the mask indicates an exact match and a “0” indicates a “wild card.” For example, a mask value of 0xFFBF provides a bit mask “1111 1111 1011 1111.” If applied to the subtree

1.3.6.1.2.1.2.2.1.1.23, the zero corresponds to the 10th subtree ID. When there are more subtree IDs than bits in the mask, the mask is padded with ones.

Example

Enterprise AP(config)#snmp-server filter trapfilter include .1

Enterprise AP(config)#snmp-server filter trapfilter exclude

.1.3.6.1.2.1.2.2.1.1.23

7-49

7

Command Line Interface

snmp-server filter-assignments

This command assigns SNMP v3 notification filters to targets. Use the no form to remove an SNMP v3 filter assignment.

Syntax snmp-server filter-assignments

<target-id> <filter-id> no snmp-server filter-assignments <target-id>

target-id - A user-defined name that identifies a receiver of SNMP notifications. (Maximum length: 32 characters)

filter-id - A user-defined name that identifies an SNMP v3 notification filter.

(Maximum length: 32 characters)

Default Setting

None

Command Mode

Global Configuration

Example

Enterprise AP(config)#snmp-server filter-assignments mytraps trapfilter

Enterprise AP(config)#exit

Enterprise AP#show snmp target

Host ID : mytraps

User : chris

IP Address : 192.168.1.33

UDP Port : 162

=============================

Enterprise AP#show snmp filter-assignments

HostID FilterID

mytraps trapfilter

Enterprise AP(config)#

show snmp groups

This command displays the SNMP v3 pre-defined groups.

Syntax show snmp groups

Command Mode

Exec

7-50

Example

Enterprise AP#show snmp groups

GroupName :RO

SecurityModel :USM

SecurityLevel :NoAuthNoPriv

GroupName :RWAuth

SecurityModel :USM

SecurityLevel :AuthNoPriv

GroupName :RWPriv

SecurityModel :USM

SecurityLevel :AuthPriv

Enterprise AP#

show snmp users

This command displays the SNMP v3 users and settings.

Syntax show snmp users

Command Mode

Exec

Example

Enterprise AP#show snmp users

=============================================

UserName :chris

GroupName :RWPriv

AuthType :MD5

Passphrase:****************

PrivType :DES

Passphrase:****************

=============================================

Enterprise AP#

show snmp group-assignments

This command displays the SNMP v3 user group assignments.

Syntax show snmp group-assignments

Command Mode

Exec

SNMP Commands

7

7-51

7

Command Line Interface

Example

Enterprise AP#show snmp group-assignments

GroupName :RWPriv

UserName :chris

Enterprise AP#

Enterprise AP#

show snmp target

This command displays the SNMP v3 notification target settings.

Syntax show snmp target

Command Mode

Exec

Example

Enterprise AP#show snmp target

Host ID : mytraps

User : chris

IP Address : 192.168.1.33

UDP Port : 162

=============================

Enterprise AP#

show snmp filter

This command displays the SNMP v3 notification filter settings.

Syntax show snmp filter [filter-id]

filter-id - A user-defined name that identifies an SNMP v3 notification filter.

(Maximum length: 32 characters)

Command Mode

Exec

Example

Enterprise AP#show snmp filter

Filter: trapfilter

Type: include

Subtree: iso.3.6.1.2.1.2.2.1

Type: exclude

Subtree: iso.3.6.1.2.1.2.2.1.1.23

=============================

Enterprise AP#

7-52

SNMP Commands

7

show snmp filter-assignments

This command displays the SNMP v3 notification filter assignments.

Syntax show snmp filter-assignments

Command Mode

Exec

Example

Enterprise AP#show snmp filter-assignments

HostID FilterID

mytraps trapfilter

Enterprise AP#

7-53

7

Command Line Interface

show snmp

This command displays the SNMP configuration settings.

Command Mode

Exec

Example

Enterprise AP#show snmp

SNMP Information

==============================================

Service State : Disable

Community (ro) : ********

Community (rw) : ********

Location : R&D 2

Contact : David

EngineId :80:00:07:e5:80:00:00:27:04:00:00:00:08

EngineBoots:3

Trap Destinations:

1: 0.0.0.0, Community: *****, State: Disabled

2: 0.0.0.0, Community: *****, State: Disabled

3: 0.0.0.0, Community: *****, State: Disabled

4: 0.0.0.0, Community: *****, State: Disabled

systemUp Enabled systemDown Enabled

radiusServerChanged Enabled configFileVersionChanged Enabled

sntpServerFail Enabled dot11StationAssociation Enabled

dot11StationReAssociation Enabled dot11StationAuthentication Enabled

dot11StationRequestFail Enabled dot1XMacAddrAuthSuccess Enabled

dot1XMacAddrAuthFail Enabled dot1XAuthNotInitiated Enabled

dot1XAuthSuccess Enabled dot1XAuthFail Enabled

localMacAddrAuthSuccess Enabled localMacAddrAuthFail Enabled

iappStationRoamedFrom Enabled iappStationRoamedTo Enabled

iappContextDataSent Enabled dot1XSuppAuthenticated Enabled

wirelessExternalAntenna Enabled dot11InterfaceAFail Enabled

dot11InterfaceGFail Enabled

=============================================

Enterprise AP#

7-54

Flash/File Commands

7

Flash/File Commands

These commands are used to manage the system code or configuration files.

Command bootfile copy delete dir show bootfile

Table 7-10. Flash/File Commands

Function Mode

Specifies the file or image used to start up the system GC

Copies a code image or configuration between flash memory and a FTP/TFTP server

Exec

Deletes a file or code image

Displays a list of files in flash memory

Exec

Exec

Displays the name of the current operation code file that booted the system

Exec

bootfile

This command specifies the image used to start up the system.

Syntax bootfile <filename> filename - Name of the image file.

Default Setting

None

Command Mode

Exec

Command Usage

• The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names is

32 characters. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

• If the file contains an error, it cannot be set as the default file.

Example

Enterprise AP#bootfile -img.bin

Enterprise AP#

Page

7-55

7-56

7-57

7-58

7-58

7-55

7

Command Line Interface

copy

This command copies a boot file, code image, or configuration file between the access point’s flash memory and a FTP/TFTP server. When you save the configuration settings to a file on a FTP/TFTP server, that file can later be downloaded to the access point to restore system operation. The success of the file transfer depends on the accessibility of the FTP/TFTP server and the quality of the network connection.

Syntax copy

<ftp | tftp> file copy config

<ftp | tftp>

ftp - Keyword that allows you to copy to/from an FTP server.

tftp - Keyword that allows you to copy to/from a TFTP server.

file - Keyword that allows you to copy to/from a flash memory file.

config - Keyword that allows you to upload the configuration file from flash memory.

Default Setting

None

Command Mode

Exec

Command Usage

• The system prompts for data required to complete the copy command.

• Only a configuration file can be uploaded to an FTP/TFTP server, but every type of file can be downloaded to the access point.

• The destination file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the FTP/TFTP server is 255 characters or 32 characters for files on the access point. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)

• Due to the size limit of the flash memory, the access point supports only two operation code files.

• The system configuration file must be named “syscfg” in all copy commands.

Example

The following example shows how to upload the configuration settings to a file on the TFTP server:

Enterprise AP#copy config tftp

TFTP Source file name:syscfg

TFTP Server IP:192.168.1.19

Enterprise AP#

7-56

Flash/File Commands

7

The following example shows how to download a configuration file:

Enterprise AP#copy tftp file

1. Application image

2. Config file

3. Boot block image

Select the type of download<1,2,3>: [1]:2

TFTP Source file name:syscfg

TFTP Server IP:192.168.1.19

Enterprise AP#

delete

This command deletes a file or image.

Syntax delete

<filename> filename - Name of the configuration file or image name.

Default Setting

None

Command Mode

Exec

Caution: Beware of deleting application images from flash memory. At least one application image is required in order to boot the access point. If there are multiple image files in flash memory, and the one used to boot the access point is deleted, be sure you first use the bootfile command to update the application image file booted at startup before you reboot the access point.

Example

This example shows how to delete the test.cfg configuration file from flash memory.

Enterprise AP#delete test.cfg

Are you sure you wish to delete this file? <y/n>:

Enterprise AP#

Related Commands

bootfile (7-55)

dir (7-58)

7-57

7

Command Line Interface

dir

This command displays a list of files in flash memory.

Command Mode

Exec

Command Usage

File information is shown below:

Column Heading

File Name

Type

File Size

Description

The name of the file.

(2) Operation Code and (5) Configuration file

The length of the file in bytes.

Example

The following example shows how to display all file information:

Enterprise AP#dir

File Name File Size(Bytes)

-------------------------- ---------------syscfg_bak 53710 syscfg 53710 smc-img.bin 2499148

858112 bytes available

Enterprise AP#

show bootfile

This command displays the name of the current operation code file that booted the system.

Syntax show snmp filter-assignments

Command Mode

Exec

Example

Enterprise AP#show bootfile

Bootfile Information

===================================

Bootfile : smc-img.bin

===================================

Enterprise AP#

7-58

RADIUS Client

7

RADIUS Client

Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access for

RADIUS-aware devices to the network. An authentication server contains a database of credentials, such as users names and passwords, for each wireless client that requires access to the access point.

Command radius-server address radius-server port radius-server key radius-server retransmit radius-server timeout radius-server port-accounting radius-server timeout-interim radius-server radius-mac-format radius-server vlan-format show radius

Table 7-11. RADIUS Client

Function

Specifies the RADIUS server

Sets the RADIUS server network port

Sets the RADIUS encryption key

Sets the number of retries

Sets the interval between sending authentication requests

Sets the RADIUS Accounting server network port GC

Sets the interval between transmitting accounting updates to the RADIUS server

GC

Sets the format for specifying MAC addresses on the

RADIUS server

GC

Sets the format for specifying VLAN IDs on the

RADIUS server

GC

Shows the current RADIUS settings Exec

Mode

GC

GC

GC

GC

GC

radius-server address

This command specifies the primary and secondary RADIUS servers.

Syntax radius-server

[secondary] address <host_ip_address | host_name>

secondary - Secondary server.

host_ip_address - IP address of server.

host_name - Host name of server. (Range: 1-20 characters)

Default Setting

None

7-63

7-63

7-64

Page

7-59

7-60

7-60

7-61

7-61

7-62

7-62

7-59

7

Command Line Interface

Command Mode

Global Configuration

Example

Enterprise AP(config)#radius-server address 192.168.1.25

Enterprise AP(config)#

radius-server port

This command sets the RADIUS server network port.

Syntax radius-server

[secondary] port <port_number>

secondary - Secondary server.

port_number - RADIUS server UDP port used for authentication messages.

(Range: 1024-65535)

Default Setting

1812

Command Mode

Global Configuration

Example

Enterprise AP(config)#radius-server port 181

Enterprise AP(config)#

radius-server key

This command sets the RADIUS encryption key.

Syntax radius-server

[secondary] key <key_string>

secondary - Secondary server.

key_string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 20 characters)

Default Setting

DEFAULT

Command Mode

Global Configuration

Example

Enterprise AP(config)#radius-server key green

Enterprise AP(config)#

7-60

RADIUS Client

7

radius-server retransmit

This command sets the number of retries.

Syntax radius-server

[secondary] retransmit number_of_retries

secondary - Secondary server.

number_of_retries - Number of times the access point will try to authenticate logon access via the RADIUS server. (Range: 1 - 30)

Default Setting

3

Command Mode

Global Configuration

Example

Enterprise AP(config)#radius-server retransmit 5

Enterprise AP(config)#

radius-server timeout

This command sets the interval between transmitting authentication requests to the

RADIUS server.

Syntax radius-server

[secondary] timeout number_of_seconds

secondary - Secondary server.

number_of_seconds - Number of seconds the access point waits for a reply before resending a request. (Range: 1-60)

Default Setting

5

Command Mode

Global Configuration

Example

Enterprise AP(config)#radius-server timeout 10

Enterprise AP(config)#

7-61

7

Command Line Interface

radius-server port-accounting

This command sets the RADIUS Accounting server network port.

Syntax radius-server

[secondary] port-accounting <port_number>

secondary - Secondary server. If secondary is not specified, then the access point assumes you are configuring the primary RADIUS server.

port_number - RADIUS Accounting server UDP port used for accounting messages.

(Range: 0 or 1024-65535)

Default Setting

0 (disabled)

Command Mode

Global Configuration

Command Usage

• When the RADIUS Accounting server UDP port is specified, a RADIUS accounting session is automatically started for each user that is successfully authenticated to the access point.

Example

Enterprise AP(config)#radius-server port-accounting 1813

Enterprise AP(config)#

radius-server timeout-interim

This command sets the interval between transmitting accounting updates to the

RADIUS server.

Syntax radius-server [secondary] timeout-interim <number_of_seconds>

secondary - Secondary server.

number_of_seconds - Number of seconds the access point waits between transmitting accounting updates. (Range: 60-86400)

Default Setting

3600

Command Mode

Global Configuration

Command Usage

• The access point sends periodic accounting updates after every interim period until the user logs off and a “stop” message is sent.

7-62

RADIUS Client

7

Example

Enterprise AP(config)#radius-server timeout-interim 500

Enterprise AP(config)#

radius-server radius-mac-format

This command sets the format for specifying MAC addresses on the RADIUS server.

Syntax radius-server radius-mac-format

<multi-colon | multi-dash | no-delimiter | single-dash >

multi-colon - Enter MAC addresses in the form xx:xx:xx:xx:xx:xx.

multi-dash - Enter MAC addresses in the form xx-xx-xx-xx-xx-xx.

no-delimiter - Enter MAC addresses in the form xxxxxxxxxxxx.

single-dash - Enter MAC addresses in the form xxxxxx-xxxxxx.

Default Setting

No delimiter

Command Mode

Global Configuration

Example

Enterprise AP(config)#radius-server radius-mac-format multi-dash

Enterprise AP(config)#

radius-server vlan-format

This command sets the format for specifying VLAN IDs on the RADIUS server.

Syntax radius-server vlan-format <hex | ascii>

hex - Enter VLAN IDs as a hexadecimal number.

ascii - Enter VLAN IDs as an ASCII string.

Default Setting

Hex

Command Mode

Global Configuration

Example

Enterprise AP(config)#radius-server vlan-format ascii

Enterprise AP(config)#

7-63

7

Command Line Interface

show radius

This command displays the current settings for the RADIUS server.

Default Setting

None

Command Mode

Exec

Example

Enterprise AP#show radius

Radius Server Information

========================================

Status : Disabled

IP : 0.0.0.0

Port : 1812

Key : *****

Retransmit : 3

Timeout : 5

Accounting Port : 0 (Disabled)

InterimUpdate : 3600

Accounting Server State : DOWN

Radius MAC format : no-delimiter

Radius VLAN format : HEX

========================================

Radius Secondary Server Information

========================================

Status : Disabled

IP : 0.0.0.0

Port : 1812

Key : *****

Retransmit : 3

Timeout : 5

Accounting Port : 0 (Disabled)

InterimUpdate : 3600

Accounting Server State : DOWN

Radius MAC format : no-delimiter

Radius VLAN format : HEX

========================================

Enterprise AP#

7-64

802.1X Authentication

7

802.1X Authentication

The access point supports IEEE 802.1X access control for wireless clients. This control feature prevents unauthorized access to the network by requiring an 802.1X client application to submit user credentials for authentication. Client authentication is then verified by a RADIUS server using EAP (Extensible Authentication Protocol) before the access point grants client access to the network. The 802.1X EAP packets are also used to pass dynamic unicast session keys and static broadcast keys to wireless clients.

Table 7-12. 802.1X Authentication

Command

802.1x

802.1x broadcast-key- refresh-rate

802.1x session-key- refresh-rate

Function

Configures 802.1X as disabled, supported, or required

Sets the interval at which the primary broadcast keys are refreshed for stations using 802.1X dynamic keying

Sets the interval at which unicast session keys are refreshed for associated stations using dynamic keying

Mode

IC-W-VAP

IC-W-VAP

IC-W-VAP

802.1x session-timeout Sets the timeout after which a connected client must be re-authenticated

IC-W-VAP

802.1x-supplicant enable Enables the access point to operate as a 802.1X supplicant

GC

802.1x-supplicant user show authentication

Sets the supplicant user name and password for the access point

GC

Shows all 802.1X authentication settings, as well as the address filter table

Exec

Page

7-65

7-66

7-67

7-67

7-68

7-68

7-68

802.1x

This command configures 802.1X as optionally supported or as required for wireless clients. Use the no form to disable 802.1X support.

Syntax

802.1x

<supported | required> no 802.1x

supported - Authenticates clients that initiate the 802.1X authentication process. Uses standard 802.11 authentication for all others.

required - Requires 802.1X authentication for all clients.

Default Setting

Disabled

7-65

7

Command Line Interface

Command Mode

Global Configuration

Command Usage

• When 802.1X is disabled, the access point does not support 802.1X authentication for any station. After successful 802.11 association, each client is allowed to access the network.

• When 802.1X is supported, the access point supports 802.1X authentication only for clients initiating the 802.1X authentication process

(i.e., the access point does NOT initiate 802.1X authentication). For stations initiating 802.1X, only those stations successfully authenticated are allowed to access the network. For those stations not initiating 802.1X, access to the network is allowed after successful 802.11 association.

• When 802.1X is required, the access point enforces 802.1X authentication for all 802.11 associated stations. If 802.1X authentication is not initiated by the station, the access point will initiate authentication. Only those stations successfully authenticated with 802.1X are allowed to access the network.

• 802.1X does not apply to the 10/100Base-TX port.

Example

Enterprise AP(config)#802.1x supported

Enterprise AP(config)#

802.1x broadcast-key-refresh-rate

This command sets the interval at which the broadcast keys are refreshed for stations using 802.1X dynamic keying.

Syntax

802.1x

broadcast-key-refresh-rate <rate> rate - The interval at which the access point rotates broadcast keys.

(Range: 0 - 1440 minutes)

Default Setting

0 (Disabled)

Command Mode

Global Configuration

Command Usage

• The access point uses Enterprise APOL (Extensible Authentication

Protocol Over LANs) packets to pass dynamic unicast session and broadcast keys to wireless clients. The 802.1x broadcast-key-refresh-rate command specifies the interval after which the broadcast keys are changed. The 802.1x session-key-refresh-rate

7-66

802.1X Authentication

7 command specifies the interval after which unicast session keys are changed.

• Dynamic broadcast key rotation allows the access point to generate a random group key and periodically update all key-management capable wireless clients.

Example

Enterprise AP(config)#802.1X broadcast-key-refresh-rate 5

Enterprise AP(config)#

802.1x session-key-refresh-rate

This command sets the interval at which unicast session keys are refreshed for associated stations using dynamic keying.

Syntax

802.1x

session-key-refresh-rate <rate> rate - The interval at which the access point refreshes a session key.

(Range: 0 - 1440 minutes)

Default Setting

0 (Disabled)

Command Mode

Global Configuration

Command Usage

Session keys are unique to each client, and are used to authenticate a client connection, and correlate traffic passing between a specific client and the access point.

Example

Enterprise AP(config)#802.1x session-key-refresh-rate 5

Enterprise AP(config)#

802.1x session-timeout

This command sets the time period after which a connected client must be re-authenticated. Use the no form to disable 802.1X re-authentication.

Syntax

802.1x session-timeout <seconds> no 802.1x session-timeout seconds - The number of seconds. (Range: 0-65535)

Default

0 (Disabled)

7-67

7

Command Line Interface

Command Mode

Global Configuration

Example

Enterprise AP(config)#802.1x session-timeout 300

Enterprise AP(config)#

802.1x-supplicant enable

This command enables the access point to operate as an 802.1X supplicant for authentication. Use the no form to disable 802.1X authentication of the access point.

Syntax

802.1x-supplicant enable no 802.1x-supplicant

Default

Disabled

Command Mode

Global Configuration

Command Usage

A user name and password must be configured first before the 802.1X supplicant feature can be enabled.

Example

Enterprise AP(config)#802.1x-supplicant enable

Enterprise AP(config)#

802.1x-supplicant user

This command sets the user name and password used for authentication of the access point when operating as a 802.1X supplicant. Use the no form to clear the supplicant user name and password.

Syntax

802.1x-supplicant user

<username> <password> no 802.1x-supplicant user

username - The access point name used for authentication to the network.

(Range: 1-32 alphanumeric characters)

password - The MD5 password used for access point authentication.

(Range: 1-32 alphanumeric characters)

Default

None

7-68

802.1X Authentication

7

Command Mode

Global Configuration

Command Usage

The access point currently only supports EAP-MD5 CHAP for 802.1X supplicant authentication.

Example

Enterprise AP(config)#802.1x-supplicant user WA6102 dot1xpass

Enterprise AP(config)#

show authentication

This command shows all 802.1X authentication settings, as well as the address filter table.

Command Mode

Exec

Example

Enterprise AP#show authentication

Authentication Information

===========================================================

MAC Authentication Server : DISABLED

MAC Auth Session Timeout Value : 0 min

802.1x supplicant : DISABLED

802.1x supplicant user : EMPTY

802.1x supplicant password : EMPTY

Address Filtering : ALLOWED

System Default : ALLOW addresses not found in filter table.

Filter Table

MAC Address Status

----------------- ----------

00-70-50-cc-99-1a DENIED

00-70-50-cc-99-1b ALLOWED

=========================================================

Enterprise AP(config)#

7-69

7

Command Line Interface

MAC Address Authentication

Use these commands to define MAC authentication on the access point. For local

MAC authentication, first define the default filtering policy using the address filter default command. Then enter the MAC addresses to be filtered, indicating if they are allowed or denied. For RADIUS MAC authentication, the MAC addresses and filtering policy must be configured on the RADIUS server.

Table 7-13. MAC Address Authentication

Command address filter default address filter entry

Function

Sets filtering to allow or deny listed addresses

Enters a MAC address in the filter table

Mode

GC

GC address filter delete Removes a MAC address from the filter table mac- authentication server Sets address filtering to be performed with local or remote options mac- authentication session-timeout show authentication

Sets the interval at which associated clients will be re-authenticated with the RADIUS server authentication database

GC

GC

GC

Shows all 802.1X authentication settings, as well as the address filter table

Exec

7-68

address filter default

This command sets filtering to allow or deny listed MAC addresses.

Syntax address filter default

<allowed | denied>

allowed - Only MAC addresses entered as “denied” in the address filtering table are denied.

denied - Only MAC addresses entered as “allowed” in the address filtering table are allowed.

Default allowed

Command Mode

Global Configuration

Example

Enterprise AP(config)#address filter default denied

Enterprise AP(config)#

Page

7-70

7-71

7-71

7-72

7-72

7-70

MAC Address Authentication

7

Related Commands

address filter entry (7-71)

802.1x-supplicant user (7-68)

address filter entry

This command enters a MAC address in the filter table.

Syntax address filter entry <mac-address> <allowed | denied>

mac-address - Physical address of client. (Enter six pairs of hexadecimal digits separated by hyphens; e.g., 00-90-D1-12-AB-89.)

allowed - Entry is allowed access.

denied - Entry is denied access.

Default

None

Command Mode

Global Configuration

Command Mode

• The access point supports up to 1024 MAC addresses.

• An entry in the address table may be allowed or denied access depending on the global setting configured for the address entry default command.

Example

Enterprise AP(config)#address filter entry 00-70-50-cc-99-1a allowed

Enterprise AP(config)#

Related Commands

address filter default (7-70)

802.1x-supplicant user (7-68)

address filter delete

This command deletes a MAC address from the filter table.

Syntax address filter delete <mac-address> mac-address

- Physical address of client. (Enter six pairs of hexadecimal digits separated by hyphens.)

Default

None

7-71

7

Command Line Interface

Command Mode

Global Configuration

Example

Enterprise AP(config)#address filter delete 00-70-50-cc-99-1b

Enterprise AP(config)#

Related Commands

802.1x-supplicant user (7-68)

mac-authentication server

This command sets address filtering to be performed with local or remote options.

Use the no form to disable MAC address authentication.

Syntax mac-authentication server [local | remote]

local - Authenticate the MAC address of wireless clients with the local authentication database during 802.11 association.

remote - Authenticate the MAC address of wireless clients with the

RADIUS server during 802.1X authentication.

Default

Disabled

Command Mode

Global Configuration

Example

Enterprise AP(config)#mac-authentication server remote

Enterprise AP(config)#

Related Commands

address filter entry (7-71)

radius-server address (7-59)

802.1x-supplicant user (7-68)

mac-authentication session-timeout

This command sets the interval at which associated clients will be re-authenticated with the RADIUS server authentication database. Use the no form to disable reauthentication.

Syntax mac-authentication session-timeout <minutes> minutes - Re-authentication interval. (Range: 0-1440)

7-72

Default

0 (disabled)

Command Mode

Global Configuration

Example

Enterprise AP(config)#mac-authentication session-timeout 1

Enterprise AP(config)#

Filtering Commands

7

Filtering Commands

The commands described in this section are used to filter communications between wireless clients, control access to the management interface from wireless clients, and filter traffic using specific Ethernet protocol types.

Table 7-14. Filtering Commands

Command filter local-bridge filter ap-manage filter uplink enable filter uplink

Function

Disables communication between wireless clients

Prevents wireless clients from accessing the management interface

Ethernet port MAC address filtering

Adds or deletes a MAC address from the filtering table

Mode

GC

GC

GC

GC filter ethernet-type enable Checks the Ethernet type for all incoming and outgoing

Ethernet packets against the protocol filtering table

GC filter ethernet-type protocol

Sets a filter for a specific Ethernet type GC show filters Shows the filter configuration Exec

filter local-bridge

This command disables communication between wireless clients. Use the no form to disable this filtering.

Syntax filter local-bridge no filter local-bridge

Default

Disabled

Command Mode

7-73

Page

7-73

7-74

7-74

7-75

7-74

7-76

7-77

7

Command Line Interface

Global Configuration

Command Usage

This command can disable wireless-to-wireless communications between clients via the access point. However, it does not affect communications between wireless clients and the wired network.

Example

Enterprise AP(config)#filter local-bridge

Enterprise AP(config)#

filter ap-manage

This command prevents wireless clients from accessing the management interface on the access point. Use the no form to disable this filtering.

Syntax filter ap-manage no filter ap-manage

Default

Enabled

Command Mode

Global Configuration

Example

Enterprise AP(config)#filter AP-manage

Enterprise AP(config)#

filter uplink enable

This command enables filtering of MAC addresses from the Ethernet port.

Syntax

[no] filter uplink enable

Default

Disabled

Command Mode

Global Configuration

Example

Enterprise AP(config)#filter uplink enable

Enterprise AP(config)#

7-74

Filtering Commands

7

filter uplink

This command adds or deletes MAC addresses from the uplink filtering table.

Syntax

filter uplink <add | delete> MAC address

MAC address - Specifies a MAC address in the form xx-xx-xx-xx-xx-xx.

A maximum of eight addresses can be added to the filtering table.

Default

Disabled

Command Mode

Global Configuration

Example

Enterprise AP(config)#filter uplink add 00-12-34-56-78-9a

Enterprise AP(config)#

filter ethernet-type enable

This command checks the Ethernet type on all incoming and outgoing Ethernet packets against the protocol filtering table. Use the no form to disable this feature.

Syntax filter ethernet-type enable no filter ethernet-type enable

Default

Disabled

Command Mode

Global Configuration

Command Usage

This command is used in conjunction with the filter ethernet-type protocol command to determine which Ethernet protocol types are to be filtered.

7-75

7

Command Line Interface

Example

Enterprise AP(config)#filter ethernet-type enable

Enterprise AP(config)#

Related Commands

filter ethernet-type protocol (7-76)

filter ethernet-type protocol

This command sets a filter for a specific Ethernet type. Use the no form to disable filtering for a specific Ethernet type.

Syntax filter ethernet-type protocol <protocol> no filter ethernet-type protocol

<protocol> protocol - An Ethernet protocol type. (Options: ARP, RARP,

Berkeley-Trailer-Negotiation, LAN-Test, X25-Level-3, Banyan, CDP, DEC

XNS, DEC-MOP-Dump-Load, DEC-MOP, DEC-LAT, Ethertalk,

Appletalk-ARP, Novell-IPX(old), Novell-IPX(new), EAPOL, Telxon-TXP,

Aironet-DDP, Enet-Config-Test, IP, IPv6, NetBEUI, PPPoE_Discovery,

PPPoE_PPP_Session)

Default

None

Command Mode

Global Configuration

Command Usage

Use the filter ethernet-type enable command to enable filtering for Ethernet types specified in the filtering table, or the no filter ethernet-type enable command to disable all filtering based on the filtering table.

Example

Enterprise AP(config)#filter ethernet-type protocol ARP

Enterprise AP(config)#

Related Commands filter ethernet-type enable (7-74)

7-76

WDS Bridge Commands

7

show filters

This command shows the filter options and protocol entries in the filter table.

Command Mode

Exec

Example

Enterprise AP#show filters

Protocol Filter Information

=========================================================

Local Bridge :ENABLED

AP Management :ENABLED

Ethernet Type Filter :ENABLED

Enabled Protocol Filters

---------------------------------------------------------

Protocol: ARP ISO: 0x0806

=========================================================

Enterprise AP#

WDS Bridge Commands

The commands described in this section are used to set the operation mode for each access point interface and configure WIreless Distribution System (WDS) forwarding table settings.

Command bridge role bridge-link parent bridge-link child bridge dynamic-entry age-time show bridge aging-time show bridge filter-entry show bridge link

Function Mode

Selects the bridge operation mode for a radio interface IC-W

Configures the MAC addresses of the parent bridge node

IC-W

IC-W Configures MAC addresses of connected child bridge nodes

Sets the aging time for dynamic entries in the WDS forwarding table

GC

Displays the current WDS forwarding table aging time Exec

Displays current entries in the bridge MAC address table

Exec

Displays current bridge settings for specified interfaces Exec

Page

7-78

7-78

7-79

7-79

7-80

7-81

7-81

7-77

7

Command Line Interface

bridge role (WDS)

This command selects the bridge operation mode for the radio interface.

Syntax bridge role

<ap | repeater | bridge | root-bridge >

ap - Operates only as an access point for wireless clients.

repeater - Operates as a wireless repeater, extending the range for remote wireless clients and connecting them to the root bridge. The “Parent” link to the root bridge must be configured. In this mode, traffic is not forwarded to the Ethernet port from the radio interface.

bridge - Operates as a bridge to other access points also in bridge mode.

root-bridge - Operates as the root bridge in the wireless bridge network.

Default Setting

AP

Command Mode

Interface Configuration (Wireless)

Command Usage

• When the bridge role is set to “repeater,” the “Parent” link to the root bridge

must be configured (see “bridge-link parent” on page 7-78). When the

access point is operating in this mode, traffic is not forwarded to the

Ethernet port from the radio interface.

• Up to four WDS bridge links (MAC addresses) per radio interface can be specified for each unit in the wireless bridge network. One unit only must be configured as the “root bridge” in the wireless network. The root bridge is the unit connected to the main core of the wired LAN. Other bridges need to specify one “Parent” link to the root bridge or to a bridge connected to the root bridge. The other seven WDS links are available as “Child” links to other bridges.

• The bridge link on the radio interface always uses the default VAP interface.

In any bridge mode, VAP interfaces 1 to 7 are not available for use.

Example

Enterprise AP(if-wireless a)#bridge role root-bridge

Enterprise AP(if-wireless a)#

bridge-link parent

This command configures the MAC address of the parent bridge node.

Syntax bridge-link parent

<mac-address> mac-address - The wireless MAC address of the parent bridge unit.

(12 hexadecimal digits in the form “xx-xx-xx-xx-xx-xx”).

7-78

WDS Bridge Commands

7

Default Setting

None

Command Mode

Interface Configuration (Wireless)

Command Usage

Every bridge (except the root bridge) in the wireless bridge network must specify the MAC address of the parent bridge that is linked to the root bridge, or the root bridge itself.

Example

Enterprise AP(if-wireless a)#bridge-link parent 00-08-2d-69-3a-51

Enterprise AP(if-wireless a)#

bridge-link child

This command configures the MAC addresses of child bridge nodes.

Syntax bridge-link child <index> <mac-address>

- index - The link index number of the child node. (Range: 1 - 6)

- mac-address - The wireless MAC address of a child bridge unit.

(12 hexadecimal digits in the form “xx-xx-xx-xx-xx-xx”).

Default Setting

None

Command Mode

Interface Configuration (Wireless)

Command Usage

• In root bridge mode, up to six child bridge links can be specified using link index numbers 1 to 6.

• In bridge mode, up to five child links can be specified using link index numbers 2 to 6. Index number 1 is reserved for the parent link, which must be set using the bridge parent command.

Example

Enterprise AP(if-wireless a)#bridge-link child 2 00-08-3e-84-bc-6d

Enterprise AP(if-wireless a)#bridge-link child 3 00-08-3e-85-13-f2

Enterprise AP(if-wireless a)#bridge-link child 4 00-08-3e-84-79-31

Enterprise AP(if-wireless a)#

bridge dynamic-entry age-time

This command sets the time for aging out dynamic entries in the WDS forwarding table.

7-79

7

Command Line Interface

Syntax bridge dynamic-entry age-time <seconds> seconds - The time to age out an address entry. (Range: 10-10000 seconds).

Default Setting

300 seconds

Command Mode

Global Configuration

Command Usage

If the MAC address of an entry in the address table is not seen on the associated interface for longer than the aging time, the entry is discarded.

Example

Enterprise AP(config)#bridge dynamic-entry age-time 100

Enterprise AP(config)#

show bridge aging-time

This command displays the current WDS forwarding table aging time setting.

Command Mode

Exec

Example

Enterprise AP#show bridge aging-time

Aging time: 300

Enterprise AP#

7-80

WDS Bridge Commands

7

show bridge filter-entry

This command displays current entries in the WDS forwarding table.

Command Mode

Exec

Example

Enterprise AP#show bridge filter-entry max entry numbers =512 current entry nums =13

*****************************************************************************

*********************** Bridge MAC Addr Table *******************************

*****************************************************************************

| MAC | Port |Fwd_type| VlanID|origin life|remain Life| Type |

01 80 c2 00 00 00 0 5 4095 300 300 Static

01 80 c2 00 00 03 0 5 4095 300 300 Static

00 30 f1 f0 9b 20 1 0 1 300 300 Static

00 30 f1 f0 9b 21 1 0 1 300 300 Static

00 30 f1 f0 9b 22 1 0 1 300 300 Static

00 30 f1 f0 9b 23 1 0 1 300 300 Static

00 30 f1 f0 9b 24 1 0 1 300 300 Static

00 30 f1 f0 9b 25 1 0 1 300 300 Static

00 30 f1 f0 9b 26 1 0 1 300 300 Static

00 30 f1 f0 9b 27 1 0 1 300 300 Static

00 30 f1 2f be 30 1 3 0 300 175 Dynamic

00 30 f1 f0 9a 9c 1 0 1 300 300 Static

ff ff ff ff ff ff 0 4 4095 300 300 Static

Enterprise AP#

show bridge link

This command displays WDS bridge link and spanning tree settings for specified interfaces.

Syntax show bridge link <ethernet | wireless <g> [index]>

ethernet - Specifies the Ethernet interface.

wireless - Specifies a wireless interface.

- g - The 802.11g radio interface.

- index - The index number of a bridge link. (Range: 1 - 6)

Command Mode

Exec

7-81

7

Command Line Interface

Example

Enterprise AP#show bridge link wireless a

Interface Wireless A WDS Information

====================================

AP Role: Bridge

Parent: 00-12-34-56-78-9a

Child:

Child 2: 00-08-12-34-56-de

Child 3: 00-00-00-00-00-00

Child 4: 00-00-00-00-00-00

Child 5: 00-00-00-00-00-00

Child 6: 00-00-00-00-00-00

STAs:

No WDS Stations.

Enterprise AP#

Enterprise AP#show bridge link wireless a 2

Port-No : 11 status : Enabled state : Disabled priority : 0 path cost : 19 message age Timer : Inactive message age : 4469 designated-root : priority = 32768, MAC = 00:30:F1:F0:9A:9C designated-cost : 0 designated-bridge : priority = 32768, MAC = 00:30:F1:F0:9A:9C designated-port : priority = 0, port No = 11 forward-transitions : 0

Enterprise AP#

Enterprise AP#show bridge link ethernet status : Enabled state : Forwarding priority : 0 path cost : 19 message age Timer : Inactive message age : 4346 designated-root : priority = 32768, MAC = 00:30:F1:F0:9A:9C designated-cost : 0 designated-bridge : priority = 32768, MAC = 00:30:F1:F0:9A:9C designated-port : priority = 0, port No = 1 forward-transitions : 1

Enterprise AP#

7-82

Spanning Tree Commands

7

Spanning Tree Commands

The commands described in this section are used to set the MAC address table aging time and spanning tree parameters for both the Ethernet and wireless interfaces.

Command bridge stp enable bridge stp forwarding-delay bridge stp hello-time bridge stp max-age bridge stp priority bridge-link path-cost bridge-link port-priority show bridge stp show bridge link

Table 7-15. Bridge Commands

Function

Enables the Spanning Tree feature

Configures the spanning tree bridge forward time

Configures the spanning tree bridge hello time

Configures the spanning tree bridge maximum age

Configures the spanning tree bridge priority

Configures the spanning tree path cost of a port

Configures the spanning tree priority of a port

Displays the global spanning tree settings

IC

Exec

Displays current bridge settings for specified interfaces Exec

GC

GC

GC

IC

Mode

GC

GC

Page

7-83

7-84

7-84

7-85

7-85

7-86

7-86

7-87

7-81

bridge stp enable

This command enables the Spanning Tree Protocol. Use the no form to disable the

Spanning Tree Protocol.

Syntax bridge stp enable no bridge stp enable

Default Setting

Enabled

Command Mode

Global Configuration

Example

This example globally enables the Spanning Tree Protocol.

Enterprise AP(config)bridge stp enable

Enterprise AP(config)

7-83

7

Command Line Interface

bridge stp forwarding-delay

Use this command to configure the spanning tree bridge forward time globally for the wireless bridge. Use the no form to restore the default.

Syntax bridge stp forwarding-delay <seconds> no bridge stp forwarding-delay seconds - Time in seconds. (Range: 4 - 30 seconds)

The minimum value is the higher of 4 or [(max-age / 2) + 1].

Default Setting

15 seconds

Command Mode

Global Configuration

Command Usage

This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to the discarding state; otherwise, temporary data loops might result.

Example

Enterprise AP(config)#bridge stp forwarding-delay 20

Enterprise AP(config)#

bridge stp hello-time

Use this command to configure the spanning tree bridge hello time globally for the wireless bridge. Use the no form to restore the default.

Syntax bridge stp hello-time <time> no bridge stp hello-time time - Time in seconds. (Range: 1-10 seconds).

The maximum value is the lower of 10 or [(max-age / 2) -1].

Default Setting

2 seconds

Command Mode

Global Configuration

Command Usage

This command sets the time interval (in seconds) at which the root device transmits a configuration message.

7-84

Spanning Tree Commands

7

Example

Enterprise AP(config)#bridge stp hello-time 5

Enterprise AP(config)#

bridge stp max-age

Use this command to configure the spanning tree bridge maximum age globally for the wireless bridge. Use the no form to restore the default.

Syntax bridge stp max-age <seconds> no bridge stp max-age seconds - Time in seconds. (Range: 6-40 seconds)

The minimum value is the higher of 6 or [2 x (hello-time + 1)].

The maximum value is the lower of 40 or [2 x (forward-time - 1)].

Default Setting

20 seconds

Command Mode

Global Configuration

Command Usage

This command sets the maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STP information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network.

Example

Enterprise AP(config)#bridge stp max-age 40

Enterprise AP(config)#

bridge stp priority

Use this command to configure the spanning tree priority globally for the wireless bridge. Use the no form to restore the default.

Syntax bridge stp priority <priority> no bridge stp priority priority - Priority of the bridge. (Range: 0 - 65535)

Default Setting

32768

7-85

7

Command Line Interface

Command Mode

Global Configuration

Command Usage

Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STP root device.

However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.

Example

Enterprise AP(config)#bridge stp-bridge priority 40000

Enterprise AP(config)#

bridge-link path-cost

Use this command to configure the spanning tree path cost for the specified port.

Syntax bridge-link path-cost <index> <cost>

index - Specifies the bridge link number on the wireless bridge. (Range: 1-6 required on wireless interface only)

cost - The path cost for the port. (Range: 1-65535)

Default Setting

19

Command Mode

Interface Configuration

Command Usage

• This command is used by the Spanning Tree Protocol to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.

• Path cost takes precedence over port priority.

Example

Enterprise AP(if-wireless a)#bridge-link path-cost 1 50

Enterprise AP(if-wireless a)#

bridge-link port-priority

Use this command to configure the priority for the specified port.

Syntax bridge-link port-priority <index> <priority>

index - Specifies the bridge link number on the wireless bridge. (Range: 1-6 required on wireless interface only)

priority - The priority for a port. (Range: 1-255)

7-86

Spanning Tree Commands

7

Default Setting

128

Command Mode

Interface Configuration

Command Usage

• This command defines the priority for the use of a port in the Spanning Tree

Protocol. If the path cost for all ports on a wireless bridge are the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.

• Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled.

Example

Enterprise AP(if-wireless a)#bridge-link port-priority 1 64

Enterprise AP(if-wireless a)#

Related Commands

bridge-link path-cost (7-86)

show bridge stp

This command displays aging time and spanning tree settings for the Ethernet and wireless interfaces.

Syntax show bridge stp

Command Mode

Exec

Example

Enterprise AP#show bridge stp

Bridge MAC : 00:12:CF:05:B7:84

Status : Disabled priority : 0 designated-root : priority = 0, MAC = 00:00:00:00:00:00 root-path-cost : 0 root-Port-no : 0

Hold Time : 1 Seconds

Hello Time : 2 Seconds

Maximum Age : 20 Seconds

Forward Delay : 15 Seconds bridge Hello Time : 2 Seconds bridge Maximum Age : 20 Seconds bridge Forward Delay : 15 Seconds time-since-top-change: 89185 Seconds topology-change-count: 0

Enterprise AP#

7-87

7

Command Line Interface

Ethernet Interface Commands

The commands described in this section configure connection parameters for the

Ethernet port and wireless interface.

Command interface ethernet dns primary- server dns secondary- server ip address ip dhcp speed-duplex shutdown show interface ethernet

Table 7-16. Ethernet Interface Commands

Function

Enters Ethernet interface configuration mode

Specifies the primary name server

Specifies the secondary name server

Sets the IP address for the Ethernet interface

Submits a DHCP request for an IP address

Configures speed and duplex operation on the

Ethernet interface

Disables the Ethernet interface

Shows the status for the Ethernet interface

Mode

GC

IC-E

IC-E

IC-E

IC-E

IC-E

IC-E

Exec

interface ethernet

This command enters Ethernet interface configuration mode.

Default Setting

None

Command Mode

Global Configuration

Example

To specify the 10/100Base-TX network interface, enter the following command:

Enterprise AP(config)#interface ethernet

Enterprise AP(if-ethernet)#

Page

7-88

7-89

7-89

7-89

7-90

7-91

7-92

7-92

7-88

Ethernet Interface Commands

7

dns server

This command specifies the address for the primary or secondary domain name server to be used for name-to-address resolution.

Syntax dns primary-server

<server-address> dns secondary-server <server-address>

primary-server - Primary server used for name resolution.

secondary-server - Secondary server used for name resolution.

server-address - IP address of domain-name server.

Default Setting

None

Command Mode

Global Configuration

Command Usage

The primary and secondary name servers are queried in sequence.

Example

This example specifies two domain-name servers.

Enterprise AP(if-ethernet)#dns primary-server 192.168.1.55

Enterprise AP(if-ethernet)#dns secondary-server 10.1.0.55

Enterprise AP(if-ethernet)#

Related Commands

show interface ethernet (7-92)

ip address

This command sets the IP address for the access point. Use the no form to restore the default IP address.

Syntax ip address <ip-address> <netmask> <gateway> no ip address

ip-address - IP address

netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.

gateway - IP address of the default gateway

Default Setting

IP address: 192.168.1.1

Netmask: 255.255.255.0

7-89

7

Command Line Interface

Command Mode

Interface Configuration (Ethernet)

Command Usage

• DHCP is enabled by default. To manually configure a new IP address, you must first disable the DHCP client with the no ip dhcp command.

• You must assign an IP address to this device to gain management access over the network or to connect the access point to existing IP subnets. You can manually configure a specific IP address using this command, or direct the device to obtain an address from a DHCP server using the ip dhcp command. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the configuration program.

Example

Enterprise AP(config)#interface ethernet

Enter Ethernet configuration commands, one per line.

Enterprise AP(if-ethernet)#ip address 192.168.1.2 255.255.255.0

192.168.1.253

Enterprise AP(if-ethernet)#

Related Commands

ip dhcp (7-90)

ip dhcp

This command enables the access point to obtain an IP address from a DHCP server. Use the no form to restore the default IP address.

Syntax ip dhcp no ip dhcp

Default Setting

Enabled

Command Mode

Interface Configuration (Ethernet)

Command Usage

• You must assign an IP address to this device to gain management access over the network or to connect the access point to existing IP subnets. You can manually configure a specific IP address using the ip address command, or direct the device to obtain an address from a DHCP server using this command.

7-90

Ethernet Interface Commands

7

• When you use this command, the access point will begin broadcasting

DHCP client requests. The current IP address (i.e., default or manually configured address) will continue to be effective until a DHCP reply is received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (DHCP values can include the IP address, subnet mask, and default gateway.)

Example

Enterprise AP(config)#interface ethernet

Enter Ethernet configuration commands, one per line.

Enterprise AP(if-ethernet)#ip dhcp

Enterprise AP(if-ethernet)#

Related Commands

ip address (7-89)

speed-duplex

This command configures the speed and duplex mode of a given interface when autonegotiation is disabled. Use the no form to restore the default.

Syntax speed-duplex <auto | 10MH | 10MF | 100MF | 100MH>

auto - autonegotiate speed and duplex mode

10MH - Forces 10 Mbps, half-duplex operation

10MF - Forces 10 Mbps, full-duplex operation

100MH - Forces 100 Mbps, half-duplex operation

100MF - Forces 100 Mbps, full-duplex operation

Default Setting

Auto-negotiation is enabled by default.

Command Mode

Interface Configuration (Ethernet)

Command Usage

If autonegotiation is disabled, the speed and duplex mode must be configured to match the setting of the attached device.

Example

The following example configures the Ethernet port to 100 Mbps, full-duplex operation.

Enterprise AP(if-ethernet)#speed-duplex 100mf

Enterprise AP(if-ethernet)#

7-91

7

Command Line Interface

shutdown

This command disables the Ethernet interface. To restart a disabled interface, use the no form.

Syntax shutdown no shutdown

Default Setting

Interface enabled

Command Mode

Interface Configuration (Ethernet)

Command Usage

This command allows you to disable the Ethernet port due to abnormal behavior (e.g., excessive collisions), and reenable it after the problem has been resolved. You may also want to disable the Ethernet port for security reasons.

Example

The following example disables the Ethernet port.

Enterprise AP(if-ethernet)#shutdown

Enterprise AP(if-ethernet)#

show interface ethernet

This command displays the status for the Ethernet interface.

Syntax show interface [ethernet]

Default Setting

Ethernet interface

Command Mode

Exec

7-92

Wireless Interface Commands

7

Example

Enterprise AP#show interface ethernet

Ethernet Interface Information

========================================

IP Address : 192.168.2.2

Subnet Mask : 255.255.255.0

Default Gateway : 192.168.1.253

Primary DNS : 192.168.1.55

Secondary DNS : 10.1.0.55

Speed-duplex : 100Base-TX Half Duplex

Admin status : Up

Operational status : Up

========================================

Enterprise AP#

Command interface wireless vap speed turbo multicast-data-rate channel transmit-power radio-mode preamble antenna control antenna id antenna location

Wireless Interface Commands

The commands described in this section configure connection parameters for the wireless interfaces.

Table 7-17. Wireless Interface Commands

Function

Enters wireless interface configuration mode

Provides access to the VAP interface configuration mode

Configures the maximum data rate at which the access point transmits unicast packets

Configures turbo mode to use a faster data rate

Configures the maximum rate for transmitting multicast packets on the wireless interface

Configures the radio channel

Adjusts the power of the radio signals transmitted from the access point

Forces the operating mode of the 802.11g radio

Sets the length of the 802.11g signal preamble

Selects the antenna control method to use for the radio

Selects the antenna ID to use for the radio

Selects the location of the antenna

Mode

GC

IC-W

IC-W

IC-W (a)

IC-W

IC-W

IC-W

IC-W (b/g)

IC-W (b/g)

IC-W

IC-W

IC-W

Page

7-95

7-95

7-97

7-97

7-98

7-99

7-99

7-96

7-96

7-96

7-100

7-101

7-93

7

Command Line Interface

Command beacon-interval dtim-period fragmentation- length rts-threshold super-a super-g description ssid closed system max-association assoc- timeout-interval auth- timeout-value shutdown show interface wireless show station

Table 7-17. Wireless Interface Commands

Function

Configures the rate at which beacon signals are transmitted from the access point

Configures the rate at which stations in sleep mode must wake up to receive broadcast/multicast transmissions

Mode

IC-W

IC-W

Configures the minimum packet size that can be fragmented

IC-W

Sets the packet size threshold at which an RTS must be sent to the receiving station prior to the sending station starting communications

IC-W

IC-W (a) Enables Atheros proprietary Super A performance enhancements

Enables Atheros proprietary Super G performance enhancements

Adds a description to the wireless interface

Configures the service set identifier

IC-W (b/g)

IC-W-VAP

IC-W-VAP

Opens access to clients without a pre-configured

SSID

IC-W-VAP

Configures the maximum number of clients that can be associated with the access point at the same time

IC-W-VAP

Configures the idle time interval (when no frames are sent) after which a client is disassociated from the

VAP interface

IC-W-VAP

Configures the time interval after which clients must be re-authenticated

IC-W-VAP

Disables the wireless interface

Shows the status for the wireless interface

IC-W-VAP

Exec

Shows the wireless clients associated with the access point

Exec

Page

7-101

7-102

7-102

7-103

7-107

7-107

7-108

7-109

7-105

7-104

7-104

7-105

7-105

7-106

7-106

7-94

Wireless Interface Commands

7

interface wireless

This command enters wireless interface configuration mode.

Syntax interface

wireless <g>

g - 802.11g radio interface.

Default Setting

None

Command Mode

Global Configuration

Example

To specify the 802.11g interface, enter the following command:

Enterprise AP(config)#interface wireless a

Enterprise AP(if-wireless a)#

vap

This command provides access to the VAP (Virtual Access Point) interface configuration mode.

Syntax vap

<vap-id> vap-id - The number that identifies the VAP interface. (Options: 0-7)

Default Setting

None

Command Mode

Interface Configuration (Wireless)

Example

Enterprise AP(if-wireless g)#vap 0

Enterprise AP(if-wireless g: VAP[0])#

7-95

7

Command Line Interface

speed

This command configures the maximum data rate at which the access point transmits unicast packets.

Syntax speed

<speed> speed - Maximum access speed allowed for wireless clients.

(Options for 802.11b/g: 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbps)

Default Setting

54 Mbps

Command Mode

Interface Configuration (Wireless)

Command Usage

• The maximum transmission distance is affected by the data rate. The lower the data rate, the longer the transmission distance. Please refer to the table

for maximum distances on page C-6.

Example

Enterprise AP(if-wireless g)#speed 6

Enterprise AP(if-wireless g)#

multicast-data-rate

This command configures the maximum data rate at which the access point transmits multicast and management packets (excluding beacon packets) on the wireless interface.

Syntax multicast-data-rate <speed> speed

- Maximum transmit speed allowed for multicast data.

(Options for 802.11b/g; 1, 2, 5.5, 11 Mbps)

Default Setting

1 Mbps for 802.11b/g

Command Mode

Interface Configuration (Wireless)

Example

Enterprise AP(if-wireless g)#multicast-data-rate 5.5

Enterprise AP(if-wireless g)#

7-96

Wireless Interface Commands

7

channel

This command configures the radio channel through which the access point communicates with wireless clients.

Syntax channel

<channel | auto>

channel - Manually sets the radio channel used for communications with wireless clients. (Range for 802.11b/g: 1 to 11)

auto - Automatically selects an unoccupied channel (if available).

Otherwise, the lowest channel is selected.

Default Setting

Automatic channel selection

Command Mode

Interface Configuration (Wireless)

Command Usage

• The available channel settings are limited by local regulations, which determine the number of channels that are available.

• When multiple access points are deployed in the same area, be sure to choose a channel separated by at least five channels for 802.11b/g. You can deploy up to three access points for 802.11b/g (e.g., channels 1, 6, 11).

• For most wireless adapters, the channel for wireless clients is automatically set to the same as that used by the access point to which it is linked.

Example

Enterprise AP(if-wireless g)#channel 1

Enterprise AP(if-wireless g)#

transmit-power

This command adjusts the power of the radio signals transmitted from the access point.

Syntax transmit-power <signal-strength> signal-strength

- Signal strength transmitted from the access point.

(Options: full, half, quarter, eighth, min)

7-97

7

Command Line Interface

Default Setting full

Command Mode

Interface Configuration (Wireless)

Command Usage

• The “min” keyword indicates minimum power.

• The longer the transmission distance, the higher the transmission power required. But to support the maximum number of users in an area, you must keep the power as low as possible. Power selection is not just a trade off between coverage area and maximum supported clients. You also have to ensure that high strength signals do not interfere with the operation of other radio devices in your area.

Example

Enterprise AP(if-wireless g)#transmit-power half

Enterprise AP(if-wireless g)#

radio-mode

This command forces the operating mode for the 802.11g wireless interface.

Syntax radio-mode

<b | g | b+g>

b - b-only mode: Both 802.11b and 802.11g clients can communicate with the access point, but 802.11g clients can only transfer data at 802.11b standard rates (up to 11 Mbps).

g - g-only mode: Only 802.11g clients can communicate with the access point (up to 54 Mbps).

b+g - b & g mixed mode: Both 802.11b and 802.11g clients can communicate with the access point (up to 54 Mbps).

Default Setting b+g mode

Command Mode

Interface Configuration (Wireless - 802.11g)

Command Usage

• For Japan, only 13 channels are available when set to g or b+g modes.

When set to b mode, 14 channels are available.

• Both the 802.11g and 802.11b standards operate within the 2.4 GHz band.

If you are operating in g mode, any 802.11b devices in the service area will contribute to the radio frequency noise and affect network performance.

7-98

Wireless Interface Commands

7

Example

Enterprise AP(if-wireless g)#radio-mode g

Enterprise AP(if-wireless g)#

preamble

This command sets the length of the signal preamble that is used at the start of a

802.11b/g data transmission.

Syntax preamble [long | short]

long - Sets the preamble to long (192 microseconds).

short - Sets the preamble to short (96 microseconds).

Default Setting

Short-or-Long

Command Mode

Interface Configuration (Wireless - 802.11b/g)

Command Usage

• Using a short preamble instead of a long preamble can increase data throughput on the access point, but requires that all clients can support a short preamble.

• Set the preamble to long to ensure the access point can support all 802.11b and 802.11g clients.

Example

Enterprise AP(if-wireless g)#preamble short

Enterprise AP(if-wireless g)#

antenna control

This command selects the use of two diversity antennas or a single antenna for the radio interface.

Syntax antenna control

<diversity | left | right>

diversity - The radio uses both antennas in a diversity system. Select this method when the Antenna ID is set to “Default Antenna” to use the access point's integrated antennas. The access point does not support external diversity antennas.

left - The radio only uses the antenna on the left side (the side farthest from the access point LEDs). The access point does not support an external antenna connection on its left antenna. Therefore, this method is not valid for the access point.

right - The radio only uses the antenna on the right side (the side closest

7-99

7

Command Line Interface to the access point LEDs). Select this method when using an optional external antenna that is connected to the right antenna connector.

Default Setting

Diversity

Command Mode

Interface Configuration (Wireless)

Command Usage

The antenna ID must be selected in conjunction with the antenna control method to configure proper use of any of the antenna options.

Example

Enterprise AP(if-wireless g)#antenna control right

Enterprise AP(if-wireless g)#

antenna id

This command specifies the antenna type connected to the access point represented by a four-digit hexadecimal ID number, either the integrated diversity antennas (the "Default Antenna") or an optional external antenna.

Syntax antenna id <antenna-id>

antenna-id - Specifies the ID number of an approved antenna that is connected to the access point

(Range: 0x0000 - 0xFFFF)

Default Setting

0x0000 (built-in antennas)

Command Mode

Interface Configuration (Wireless)

Command Usage

• The optional external antennas (if any) that are certified for use with the access point are listed by typing antenna control id ?. Selecting the correct antenna ID ensures that the access point's radio transmissions are within regulatory power limits for the country of operation.

• The antenna ID must be selected in conjunction with the antenna control method to configure proper use of any of the antenna options.

7-100

Wireless Interface Commands

7

Example

Enterprise AP(if-wireless g)#antenna id 0000

Enterprise AP(if-wireless g)#

antenna location

This command selects the antenna mounting location for the radio interface.

Syntax antenna location

<indoor | outdoor>

indoor - The antenna is mounted indoors.

outdoor - The antenna is mounted outdoors.

Default Setting

Indoor

Command Mode

Interface Configuration (Wireless)

Command Usage

• When an external antenna is selected, the antenna control must be set to

“right.”

• Selecting the correct location ensures that the access point only uses radio channels that are permitted in the country of operation.

Example

Enterprise AP(if-wireless g)#antenna location indoor

Enterprise AP(if-wireless g)#

beacon-interval

This command configures the rate at which beacon signals are transmitted from the access point.

Syntax beacon-interval <interval> interval

- The rate for transmitting beacon signals.

(Range: 20-1000 milliseconds)

Default Setting

100

Command Mode

Interface Configuration (Wireless)

Command Usage

7-101

7

Command Line Interface

The beacon signals allow wireless clients to maintain contact with the access point. They may also carry power-management information.

Example

Enterprise AP(if-wireless g)#beacon-interval 150

Enterprise AP(if-wireless g)#

dtim-period

This command configures the rate at which stations in sleep mode must wake up to receive broadcast/multicast transmissions.

Syntax dtim-period <interval> interval - Interval between the beacon frames that transmit broadcast or multicast traffic. (Range: 1-255 beacon frames)

Default Setting

1

Command Mode

Interface Configuration (Wireless)

Command Usage

• The Delivery Traffic Indication Map (DTIM) packet interval value indicates how often the MAC layer forwards broadcast/multicast traffic. This parameter is necessary to wake up stations that are using Power Save mode.

• The DTIM is the interval between two synchronous frames with broadcast/ multicast information. The default value of 2 indicates that the access point will save all broadcast/multicast frames for the Basic Service Set (BSS) and forward them after every second beacon.

• Using smaller DTIM intervals delivers broadcast/multicast frames in a more timely manner, causing stations in Power Save mode to wake up more often and drain power faster. Using higher DTIM values reduces the power used by stations in Power Save mode, but delays the transmission of broadcast/multicast frames.

Example

Enterprise AP(if-wireless g)#dtim-period 100

Enterprise AP(if-wireless g)#

fragmentation-length

This command configures the minimum packet size that can be fragmented when passing through the access point.

7-102

Wireless Interface Commands

7

Syntax fragmentation-length <length> length - Minimum packet size for which fragmentation is allowed.

(Range: 256-2346 bytes)

Default Setting

2346

Command Mode

Interface Configuration (Wireless)

Command Usage

• If the packet size is smaller than the preset Fragment size, the packet will not be segmented.

• Fragmentation of the PDUs (Package Data Unit) can increase the reliability of transmissions because it increases the probability of a successful transmission due to smaller frame size. If there is significant interference present, or collisions due to high network utilization, try setting the fragment size to send smaller fragments. This will speed up the retransmission of smaller frames. However, it is more efficient to set the fragment size larger if very little or no interference is present because it requires overhead to send multiple frames.

Example

Enterprise AP(if-wireless g)#fragmentation-length 512

Enterprise AP(if-wireless g)#

rts-threshold

This command sets the packet size threshold at which a Request to Send (RTS) signal must be sent to the receiving station prior to the sending station starting communications.

Syntax rts-threshold

<threshold> threshold

- Threshold packet size for which to send an RTS.

(Range: 0-2347 bytes)

Default Setting

2347

Command Mode

Interface Configuration (Wireless)

Command Usage

• If the threshold is set to 0, the access point always sends RTS signals. If set

7-103

7

Command Line Interface to 2347, the access point never sends RTS signals. If set to any other value, and the packet size equals or exceeds the RTS threshold, the RTS/CTS

(Request to Send / Clear to Send) mechanism will be enabled.

• The access point sends RTS frames to a receiving station to negotiate the sending of a data frame. After receiving an RTS frame, the station sends a

CTS frame to notify the sending station that it can start sending data.

• Access points contending for the wireless medium may not be aware of each other. The RTS/CTS mechanism can solve this “Hidden Node” problem.

Example

Enterprise AP(if-wireless g)#rts-threshold 256

Enterprise AP(if-wireless g)#

super-g

This command enables Atheros proprietary Super G performance enhancements.

Use the no form to disable this function.

Syntax

[no] super-g

Default Setting

Disabled

Command Mode

Interface Configuration (Wireless - 802.11g)

Command Usage

These enhancements include bursting, compression, fast frames and dynamic turbo. Maximum throughput ranges between 40 to 60 Mbps for connections to

Atheros-compatible clients.

Example

Enterprise AP(if-wireless a)#super g

Enterprise AP(if-wireless a)#

description

This command adds a description to a the wireless interface. Use the no form to remove the description.

Syntax description <string> no description string - Comment or a description for this interface.

(Range: 1-80 characters)

7-104

Wireless Interface Commands

7

Default Setting

None

Command Mode

Interface Configuration (Wireless-VAP)

Example

Enterprise AP(if-wireless g: VAP[0])#description RD-AP#3

Enterprise AP(if-wireless g: VAP[0])#

ssid

This command configures the service set identifier (SSID).

Syntax ssid

<string> string - The name of a basic service set supported by the access point.

(Range: 1 - 32 characters)

Default Setting

802.11g Radio: VAP_TEST_11G (0 to 3)

Command Mode

Interface Configuration (Wireless-VAP)

Command Usage

Clients that want to connect to the wireless network via an access point must set their SSIDs to the same as that of the access point.

Example

Enterprise AP(if-wireless g: VAP[0])#ssid RD-AP#3

Enterprise AP(if-wireless g)#

closed-system

This command prohibits access to clients without a pre-configured SSID. Use the no form to disable this feature.

Syntax

closed-system no closed-system

Default Setting

Disabled

Command Mode

Interface Configuration (Wireless-VAP)

7-105

7

Command Line Interface

Command Usage

When closed system is enabled, the access point will not include its SSID in beacon messages. Nor will it respond to probe requests from clients that do not include a fixed SSID.

Example

Enterprise AP(if-wireless g: VAP[0])#closed-system

Enterprise AP(if-wireless g)#

max-association

This command configures the maximum number of clients that can be associated with the access point at the same time.

Syntax max-association <count> count - Maximum number of associated stations. (Range: 0-64)

Default Setting

64

Command Mode

Interface Configuration (Wireless-VAP)

Example

Enterprise AP(if-wireless g: VAP[0])#max-association 32

Enterprise AP(if-wireless g)#

assoc-timeout-interval

This command configures the idle time interval (when no frames are sent) after which the client is disassociated from the VAP interface.

Syntax assoc-timeout-interval <minutes> minutes

- The number of minutes of inactivity before disassociation.

(Range: 5-60)

Default Setting

30

7-106

Wireless Interface Commands

7

Command Mode

Interface Configuration (Wireless-VAP)

Example

Enterprise AP(if-wireless g: VAP[0])#association-timeout-interval 20

Enterprise AP(if-wireless g: VAP[0])#

auth-timeout-value

This command configures the time interval within which clients must complete authentication to the VAP interface.

Syntax auth-timeout-value

<minutes> minutes

- The number of minutes before re-authentication. (Range: 5-60)

Default Setting

60

Command Mode

Interface Configuration (Wireless-VAP)

Example

Enterprise AP(if-wireless g: VAP[0])#auth-timeout-value 40

Enterprise AP(if-wireless g: VAP[0])#

shutdown

This command disables the wireless interface. Use the no form to restart the interface.

Syntax shutdown no shutdown

Default Setting

Interface enabled

Command Mode

Interface Configuration (Wireless-VAP)

Command Usage

You must first enable VAP interface 0 before you can enable VAP interfaces 1,

2, 3, 4, 5, 6, or 7.

7-107

7

Command Line Interface

Example

Enterprise AP(if-wireless g: VAP[0])#shutdown

Enterprise AP(if-wireless g)#

show interface wireless

This command displays the status for the wireless interface.

Syntax show interface wireless

<a | g> vap-id

g - 802.11g radio interface.

vap-id - The number that identifies the VAP interface. (Options: 0~7)

Command Mode

Exec

Example

Enterprise AP#show interface wireless g 0

Wireless Interface Information

===========================================================

----------------Identification-----------------------------

Description : Enterprise 802.11g Access Point

SSID : VAP_TEST_11G 0

Turbo Mode : OFF

Channel : 1 (AUTO)

Status : Disable

----------------802.11 Parameters--------------------------

Transmit Power : FULL (13 dBm)

Max Station Data Rate : 54Mbps

Multicast Data Rate : 5.5Mbps

Fragmentation Threshold : 2346 bytes

RTS Threshold : 2347 bytes

Beacon Interval : 100 TUs

Authentication Timeout Interval : 60 Mins

Association Timeout Interval : 30 Mins

DTIM Interval : 1 beacon

Preamble Length : LONG

Maximum Association : 64 stations

VLAN ID : 1

----------------Security------------------------------------

Closed System : DISABLED

Multicast cipher : WEP

WPA clients : WEP-ONLY

WPA Key Mgmt Mode : PRE SHARED KEY

WPA PSK Key Type : ALPHANUMERIC

Encryption : DISABLED

Default Transmit Key : 1

Common Static Keys : Key 1: EMPTY Key 2: EMPTY

Key 3: EMPTY Key 4: EMPTY

Authentication Type : OPEN

==========================================================

Enterprise AP#

7-108

Rogue AP Detection Commands

7

show station

This command shows the wireless clients associated with the access point.

Command Mode

Exec

Example

Enterprise AP#show station

Station Table Information

======================================================== if-wireless G VAP [1] :

802.11g Channel : 1

No 802.11g Channel Stations.

.

.

.

Enterprise AP#

Rogue AP Detection Commands

A “rogue AP” is either an access point that is not authorized to participate in the wireless network, or an access point that does not have the correct security configuration. Rogue APs can potentially allow unauthorized users access to the network. Alternatively, client stations may mistakenly associate to a rogue AP and be prevented from accessing network resources. Rogue APs may also cause radio interference and degrade the wireless LAN performance.

The access point can be configured to periodically scan all radio channels and find other access points within range. A database of nearby access points is maintained where any rogue APs can be identified.

Command rogue-ap enable rogue-ap authenticate rogue-ap duration rogue-ap interval rogue-ap scan show rogue-ap

Table 7-18. Rogue AP Detection Commands

Function Mode

Enables the periodic detection of other nearby access points

GC

Enables identification of all access points

Sets the duration that all channels are scanned

Sets the time between each scan

Forces an immediate scan of all radio channels

GC

GC

GC

GC

Shows the current database of detected access points Exec

Page

7-110

7-111

7-111

7-112

7-112

7-113

7-109

7

Command Line Interface

rogue-ap enable

This command enables the periodic detection of nearby access points. Use the no form to disable periodic detection.

Syntax

[no] rogue-ap enable

Default Setting

Disabled

Command Mode

Interface Configuration (Wireless)

Command Usage

• While the access point scans a channel for rogue APs, wireless clients will not be able to connect to the access point. Therefore, avoid frequent scanning or scans of a long duration unless there is a reason to believe that more intensive scanning is required to find a rogue AP.

• A “rogue AP” is either an access point that is not authorized to participate in the wireless network, or an access point that does not have the correct security configuration. Rogue access points can be identified by unknown

BSSID (MAC address) or SSID configuration. A database of nearby access points should therefore be maintained on a RADIUS server, allowing any rogue APs to be identified (see

“rogue-ap authenticate” on page 7-111).

The rogue AP database can be viewed using the show rogue-ap command.

• The access point sends Syslog messages for each detected access point during a rogue AP scan.

7-110

Rogue AP Detection Commands

7

Example

Enterprise AP(if-wireless g)#rogue-ap enable configure either syslog or trap or both to receive the rogue APs detected.

Enterprise AP(if-wireless g)#

rogue-ap authenticate

This command forces the unit to authenticate all access points on the network. Use the no form to disable this function.

Syntax

[no] rogue-ap authenticate

Default Setting

Disabled

Command Mode

Interface Configuration (Wireless)

Command Usage

Enabling authentication in conjunction with a database of approved access points stored on a RADIUS server allows the access point to discover rogue

APs. With authentication enabled and a configure RADIUS server, the access point checks the MAC address/Basic Service Set Identifier (BSSID) of each access point that it finds against a RADIUS server to determine whether the access point is allowed. With authentication disabled, the access point can identify its neighboring access points only; it cannot identify whether the access points are allowed or are rogues. If you enable authentication, you

should also configure a RADIUS server for this access point (see “RADIUS” on page 6-7).

Example

Enterprise AP(if-wireless g)#rogue-ap authenticate

Enterprise AP(if-wireless g)#

rogue-ap duration

This command sets the scan duration for detecting access points.

Syntax rogue-ap duration

<milliseconds> milliseconds - The duration of the scan. (Range: 100-1000 milliseconds)

7-111

7

Command Line Interface

Default Setting

350 milliseconds

Command Mode

Interface Configuration (Wireless)

Command Usage

• During a scan, client access may be disrupted and new clients may not be able to associate to the access point. If clients experience severe disruption, reduce the scan duration time.

• A long scan duration time will detect more access points in the area, but causes more disruption to client access.

Example

Enterprise AP(if-wireless g)#rogue-ap duration 200

Enterprise AP(if-wireless g)#

Related Commands

rogue-ap interval (7-112)

rogue-ap interval

This command sets the interval at which to scan for access points.

Syntax rogue-ap interval

<minutes> minutes - The interval between consecutive scans. (Range: 30-10080 minutes)

Default Setting

720 minutes

Command Mode

Interface Configuration (Wireless)

Command Usage

This command sets the interval at which scans occur. Frequent scanning will more readily detect other access points, but will cause more disruption to client access.

Example

Enterprise AP(if-wireless g)#rogue-ap interval 120

Enterprise AP(if-wireless g)#

Related Commands

rogue-ap duration (7-111)

7-112

Rogue AP Detection Commands

7

rogue-ap scan

This command starts an immediate scan for access points on the radio interface.

Default Setting

Disabled

Command Mode

Interface Configuration (Wireless)

Command Usage

While the access point scans a channel for rogue APs, wireless clients will not be able to connect to the access point. Therefore, avoid frequent scanning or scans of a long duration unless there is a reason to believe that more intensive scanning is required to find a rogue AP.

Example

Enterprise AP(if-wireless g)#rogue-ap scan

Enterprise AP(if-wireless g)#rogueApDetect Completed (Radio G) : 9 APs detected rogueAPDetect (Radio G): refreshing ap database now

Enterprise AP(if-wireless g)#

show rogue-ap

This command displays the current rogue AP database.

Command Mode

Exec

Example

Enterprise AP#show rogue-ap

802.11g Channel : Rogue AP Status

AP Address(BSSID) SSID Channel(MHz) RSSI Type Privacy RSN

======================================================================

00-04-e2-2a-37-23 WLAN1AP 11(2462 MHz) 17 ESS 0 0

00-04-e2-2a-37-3d ANY 7(2442 MHz) 42 ESS 0 0

00-04-e2-2a-37-49 WLAN1AP 9(2452 MHz) 42 ESS 0 0

00-90-d1-08-9d-a7 WLAN1AP 1(2412 MHz) 12 ESS 0 0

00-30-f1-fb-31-f4 WLAN 6(2437 MHz) 16 ESS 0 0

Enterprise AP#

7-113

7

Command Line Interface

Wireless Security Commands

The commands described in this section configure parameters for wireless security on the 802.11g interface.

Command auth encryption key transmit-key cipher-suite mic_mode wpa-pre-shared- key pmksa-lifetime pre-authentication

Table 7-19. Wireless Security Commands

Function

Sets the keys used for WEP encryption

Sets the index of the key to be used for encrypting data frames sent between the access point and wireless clients

Mode

Defines the 802.11 authentication type allowed by the access point

IC-W-VAP

Defines whether or not WEP encryption is used to provide privacy for wireless communications

IC-W-VAP

IC-W

IC-W-VAP

Selects an encryption method for the global key used for multicast and broadcast traffic

IC-W-VAP

Specifies how to calculate the Message Integrity

Check (MIC)

IC-W

Defines a WPA preshared-key value

Sets the lifetime PMK security associations

Enables WPA2 pre-authentication for fast roaming

IC-W-VAP

IC-W-VAP

IC-W-VAP

auth

This command defines the 802.11 authentication type allowed by the VAP interface.

Syntax auth

<open-system | shared-key | wpa | wpa-psk | wpa2 | wpa2-psk | wpa-wpa2-mixed | wpa-wpa2-psk-mixed | > <required | supported>

open-system - Accepts the client without verifying its identity using a shared key. “Open” authentication means either there is no encryption (if encryption is disabled) or WEP-only encryption is used (if encryption is enabled).

shared-key - Authentication is based on a shared key that has been distributed to all stations. If encryption is enabled, “shared” authentication uses WEP-only encryption.

wpa - Clients using WPA are accepted for authentication.

wpa-psk - Clients using WPA with a Pre-shared Key are accepted for authentication.

wpa2 - Clients using WPA2 are accepted for authentication.

7-114

7-119

7-120

7-121

7-121

7-122

Page

7-117

7-116

7-117

7-118

Wireless Security Commands

7

wpa2-psk - Clients using WPA2 with a Pre-shared Key are accepted for authentication.

wpa-wpa2-mixed - Clients using WPA or WPA2 are accepted for authentication.

wpa-wpa2-psk-mixed - Clients using WPA or WPA2 with a Pre-shared

Key are accepted for authentication

required - Clients are required to use WPA or WPA2.

supported - Clients may use WPA or WPA2, if supported.

Default Setting open-system

Command Mode

Interface Configuration (Wireless-VAP)

Command Usage

• To use WEP, set the authentication method to either “open-system” or

“shared-key.” Shared key authentication can only be used when WEP is enabled with the encryption command, and at least one static WEP key has been defined with the key command.

• When any WPA or WPA2 option is selected, clients are authenticated using

802.1X via a RADIUS server. Each client must be WPA-enabled or support

802.1X client software. The 802.1X settings (see “802.1X Authentication”

on page 7-65) and RADIUS server details (see “RADIUS Client” on page 7-59) must be configured on the access point. A RADIUS server must

also be configured and be available in the wired network.

• If a WPA/WPA2 mode that operates over 802.1X is selected (WPA, WPA2,

WPA-WPA2-mixed, or WPA-WPA2-PSK-mixed), the 802.1X settings (see

“802.1X Authentication” on page 7-65) and RADIUS server details (see

“RADIUS Client” on page 7-59) must be configured. Be sure you have also

configured a RADIUS server on the network before enabling authentication.

Also, note that each client has to be WPA-enabled or support 802.1X client software. A RADIUS server must also be configured and be available in the wired network.

• If a WPA/WPA2 Pre-shared Key mode is selected (WPA-PSK, WPA2-PSK or WPA-WPA2-PSK-mixed), the key must first be generated and distributed to all wireless clients before they can successfully associate with the access

point. Use the wpa-preshared-key command to configure the key (see “key”

on page 7-117 and “transmit-key” on page 7-118).

• WPA2 defines a transitional mode of operation for networks moving from

WPA security to WPA2. WPA2 Mixed Mode allows both WPA and WPA2 clients to associate to a common VAP interface. When the encryption cipher suite is set to TKIP, the unicast encryption cipher (TKIP or

AES-CCMP) is negotiated for each client. The access point advertises it’s supported encryption ciphers in beacon frames and probe responses. WPA and WPA2 clients select the cipher they support and return the choice in the

7-115

7

Command Line Interface association request to the access point. For mixed-mode operation, the cipher used for broadcast frames is always TKIP. WEP encryption is not allowed.

• The “required” option places the VAP into TKIP only mode. The “supported” option places the VAP into TKIP+AES+WEP mode. The “required” mode is used in WPA-only environments.

• The “supported” mode can be used for mixed environments with legacy

WPA products, specifically WEP. (For example, WPA+WEP. The

WPA2+WEP environment is not available because WPA2 does not support

WEP). To place the VAP into AES only mode, use “required” and then select the “cipher-ccmp” option for the cipher-suite command.

Example

Enterprise AP(if-wireless g: VAP[0])#auth shared-key

Enterprise AP(if-wireless g)#

Related Commands

encryption (7-116)

key (7-117)

encryption

This command enables data encryption for wireless communications. Use the no form to disable data encryption.

Syntax encryption no encryption

Default Setting disabled

Command Mode

Interface Configuration (Wireless-VAP)

Command Usage

• Wired Equivalent Privacy (WEP) is implemented in this device to prevent unauthorized access to your wireless network. For more secure data transmissions, enable encryption with this command, and set at least one static WEP key with the key command.

• The WEP settings must be the same on each client in your wireless network.

• Note that WEP protects data transmitted between wireless nodes, but does not protect any transmissions over your wired network or over the Internet.

• You must enable data encryption in order to enable all types of encryption

(WEP, TKIP, and AES-CCMP) in the access point.

7-116

Wireless Security Commands

7

Example

Enterprise AP(if-wireless g: VAP[0])#encryption

Enterprise AP(if-wireless g)#

Related Commands

key (7-117)

key

This command sets the keys used for WEP encryption. Use the no form to delete a configured key.

Syntax key <index> <size> <type> <value>

no key index

index - Key index. (Range: 1-4)

size - Key size. (Options: 64, 128, or 152 bits)

type - Input format. (Options: ASCII, HEX)

value - The key string.

- For 64-bit keys, use 5 alphanumeric characters or 10 hexadecimal digits.

- For 128-bit keys, use 13 alphanumeric characters or 26 hexadecimal digits.

- For 152-bit keys, use 16 alphanumeric characters or 32 hexadecimal digits.

Default Setting

None

Command Mode

Interface Configuration (Wireless)

Command Usage

• To enable Wired Equivalent Privacy (WEP), use the auth shared-key command to select the “shared key” authentication type, use the encryption command to enable data encryption, use the key command to configure at least one key, and use the transmit-key command to assign a key to one of the VAP interfaces.

• If you enable Wi-Fi Protected Access (WPA/WPA2) with a pre-shared key option, use the encryption command to enable data encryption, use the key

command to configure at least one key, and use the transmit-key command to assign a key to one of the VAP interfaces.

• If WEP or WPA/WPA2 with a pre-shared key option is enabled, all wireless clients must be configured with the same shared keys to communicate with the access point.

• The encryption index, length and type configured in the access point must

7-117

7

Command Line Interface match those configured in the clients.

Example

Enterprise AP(if-wireless g)#key 1 64 hex 1234512345

Enterprise AP(if-wireless g)#key 2 128 ascii asdeipadjsipd

Enterprise AP(if-wireless g)#key 3 64 hex 12345123451234512345123456

Enterprise AP(if-wireless g)#

Related Commands

key (7-117)

encryption (7-116)

transmit-key (7-118)

transmit-key

This command sets the index of the key to be used for encrypting data frames for broadcast or multicast traffic transmitted from the VAP to wireless clients.

Syntax transmit-key <index> index

- Key index. (Range: 1-4)

Default Setting

1

Command Mode

Interface Configuration (Wireless-VAP)

Command Usage

• If you use WEP key encryption or WPA/WPA2 with a pre-shared key option, the access point uses the transmit key to encrypt multicast and broadcast data signals that it sends to client devices. Other keys can be used for decryption of data from clients.

• When using IEEE 802.1X, the access point uses a dynamic key to encrypt unicast and broadcast messages to 802.1X-enabled clients. However, because the access point sends the keys during the 802.1X authentication process, these keys do not have to appear in the client’s key list.

• In a mixed-mode environment with clients using static keys and WPA, select transmit key index 2, 3, or 4. The access point uses transmit key index 1 for the generation of dynamic keys.

Example

Enterprise AP(if-wireless g: VAP[0])#transmit-key 2

Enterprise AP(if-wireless g)#

7-118

Wireless Security Commands

7

cipher-suite

This command defines the cipher algorithm used to encrypt the global key for broadcast and multicast traffic when using Wi-Fi Protected Access (WPA) security.

Syntax multicast-cipher

<aes-ccmp | tkip | wep>

aes-ccmp - Use AES-CCMP encryption for the unicast and multicast cipher.

tkip - Use TKIP encryption for the multicast cipher. TKIP or AES-CCMP can be used for the unicast cipher depending on the capability of the client.

wep - Use WEP encryption for the multicast cipher. TKIP or AES-CCMP can be used for the unicast cipher depending on the capability of the client.

Default Setting wep

Command Mode

Interface Configuration (Wireless-VAP)

Command Usage

• WPA enables the access point to support different unicast encryption keys for each client. However, the global encryption key for multicast and broadcast traffic must be the same for all clients.

• If any clients supported by the access point are not WPA enabled, the multicast-cipher algorithm must be set to WEP.

• WEP is the first generation security protocol used to encrypt data crossing the wireless medium using a fairly short key. Communicating devices must use the same WEP key to encrypt and decrypt radio signals. WEP has many security flaws, and is not recommended for transmitting highly sensitive data.

• TKIP provides data encryption enhancements including per-packet key hashing (i.e., changing the encryption key on each packet), a message integrity check, an extended initialization vector with sequencing rules, and a re-keying mechanism. Select TKIP if there are clients in the network that are not WPA2 compliant.

• TKIP defends against attacks on WEP in which the unencrypted initialization vector in encrypted packets is used to calculate the WEP key.

TKIP changes the encryption key on each packet, and rotates not just the unicast keys, but the broadcast keys as well. TKIP is a replacement for

WEP that removes the predictability that intruders relied on to determine the

WEP key.

7-119

7

Command Line Interface

• AES-CCMP (Advanced Encryption Standard Counter-Mode/CBCMAC

Protocol): WPA2 is backward compatible with WPA, including the same

802.1X and PSK modes of operation and support for TKIP encryption. The main enhancement is its use of AES Counter-Mode encryption with Cipher

Block Chaining Message Authentication Code (CBC-MAC) for message integrity. The AES Counter-Mode/CBCMAC Protocol (AES-CCMP) provides extremely robust data confidentiality using a 128-bit key. The

AES-CCMP encryption cipher is specified as a standard requirement for

WPA2. However, the computational intensive operations of AES-CCMP requires hardware support on client devices. Therefore to implement WPA2 in the network, wireless clients must be upgraded to WPA2-compliant hardware.

Example

Enterprise AP(if-wireless g: VAP[0])#multicast-cipher TKIP

Enterprise AP(if-wireless g)#

mic_mode

This command specifies how to calculate the Message Integrity Check (MIC).

Syntax mic_mode

<hardware | software>

hardware - Uses hardware to calculate the MIC.

software - Uses software to calculate the MIC.

Default Setting software

Command Mode

Interface Configuration (Wireless)

Command Usage

• The Michael Integrity Check (MIC) is part of the Temporal Key Integrity

Protocol (TKIP) encryption used in Wi-Fi Protected Access (WPA) security.

The MIC calculation is performed in the access point for each transmitted packet and this can impact throughput and performance. The access point supports a choice of hardware or software for MIC calculation. The performance of the access point can be improved by selecting the best method for the specific deployment.

• Using the “hardware” option provides best performance when the number of supported clients is less than 27.

• Using the “software” option provides the best performance for a large number of clients on one radio interface. Throughput may be reduced when interfaces are supporting a high number of clients simultaneously.

7-120

Wireless Security Commands

7

Example

Enterprise AP(if-wireless g)#mic_mode hardware

Enterprise AP(if-wireless g)#

wpa-pre-shared-key

This command defines a Wi-Fi Protected Access (WPA/WPA2) preshared-key.

Syntax wpa-pre-shared-key

<hex | passphrase-key> <value>

hex - Specifies hexadecimal digits as the key input format.

passphrase-key - Specifies an ASCII pass-phrase string as the key input format.

value - The key string. For ASCII input, specify a string between 8 and 63 characters. For HEX input, specify exactly 64 digits.

Command Mode

Interface Configuration (Wireless-VAP)

Command Usage

• To support WPA or WPA2 for client authentication, use the auth command to specify the authentication type, and use the wpa-preshared-key command to specify one static key.

• If WPA or WPA2 is used with pre-shared-key mode, all wireless clients must be configured with the same pre-shared key to communicate with the access point’s VAP interface.

Example

Enterprise AP(if-wireless g: VAP[0])#wpa-pre-shared-key ASCII agoodsecret

Enterprise AP(if-wireless g)#

Related Commands

auth (7-114)

pmksa-lifetime

This command sets the time for aging out cached WPA2 Pairwise Master Key

Security Association (PMKSA) information for fast roaming.

Syntax pmksa-lifetime <minutes> minutes - The time for aging out PMKSA information.

(Range: 0 - 14400 minutes)

Default Setting

720 minutes

7-121

7

Command Line Interface

Command Mode

Interface Configuration (Wireless-VAP)

Command Usage

• WPA2 provides fast roaming for authenticated clients by retaining keys and other security information in a cache, so that if a client roams away from an access point and then returns reauthentication is not required.

• When a WPA2 client is first authenticated, it receives a Pairwise Master Key

(PMK) that is used to generate other keys for unicast data encryption. This key and other client information form a Security Association that the access point names and holds in a cache. The lifetime of this security association can be configured with this command. When the lifetime expires, the client security association and keys are deleted from the cache. If the client returns to the access point, it requires full reauthentication.

• The access point can store up to 256 entries in the PMKSA cache.

Example

Enterprise AP(if-wireless g: VAP[0])#wpa-pre-shared-key ASCII agoodsecret

Enterprise AP(if-wireless g: VAP[0])#

pre-authentication

This command enables WPA2 pre-authentication for fast secure roaming.

Syntax pre-authentication <enable | disable>

enable - Enables pre-authentication for the VAP interface.

disable - Disables pre-authentication for the VAP interface.

Default Setting

Disabled

Command Mode

Interface Configuration (Wireless-VAP)

Command Usage

• Each time a client roams to another access point it has to be fully re-authenticated. This authentication process is time consuming and can disrupt applications running over the network. WPA2 includes a mechanism, known as pre-authentication, that allows clients to roam to a new access point and be quickly associated. The first time a client is authenticated to a wireless network it has to be fully authenticated. When the client is about to roam to another access point in the network, the access point sends pre-authentication messages to the new access point that include the client’s security association information. Then when the client sends an association request to the new access point the client is

7-122

Link Integrity Commands

7 known to be already authenticated, so it proceeds directly to key exchange and association.

• To support pre-authentication, both clients and access points in the network must be WPA2 enabled.

• Pre-authentication requires all access points in the network to be on the same IP subnet.

Example

Enterprise AP(if-wireless g: VAP[0])#wpa-pre-shared-key ASCII agoodsecret

Enterprise AP(if-wireless g: VAP[0])#

Link Integrity Commands

The access point provides a link integrity feature that can be used to ensure that wireless clients are connected to resources on the wired network. The access point does this by periodically sending Ping messages to a host device in the wired

Ethernet network. If the access point detects that the connection to the host has failed, it disables the radio interfaces, forcing clients to find and associate with another access point. When the connection to the host is restored, the access point re-enables the radio interfaces.

Table 7-20. Link Integrity Commands

Command link-integrity ping-detect link-integrity ping-host link-integrity ping-interval

Function

Enables link integrity detection

Specifies the IP address of a host device in the wired network

Specifies the time between each Ping sent to the link host link-integrity ping-fail-retry Specifies the number of consecutive failed Ping counts before the link is determined as lost link-integrity ethernet-detect Enables integrity check for Ethernet link show link-integrity Displays the current link integrity configuration

Mode

GC

GC

GC

GC

GC

Exec

Page

7-124

7-124

7-125

7-125

7-125

7-126

7-123

7

Command Line Interface

link-integrity ping-detect

This command enables link integrity detection. Use the no form to disable link integrity detection.

Syntax

[no] link-integrity ping-detect

Default Setting

Disabled

Command Mode

Global Configuration

Command Usage

• When link integrity is enabled, the IP address of a host device in the wired network must be specified.

• The access point periodically sends an ICMP echo request (Ping) packet to the link host IP address. When the number of failed responses (either the host does not respond or is unreachable) exceeds the limit set by the link-integrity ping-fail-retry command, the link is determined as lost.

Example

Enterprise AP(config)#link-integrity ping-detect

Enterprise AP(config)#

link-integrity ping-host

This command configures the link host name or IP address. Use the no form to remove the host setting.

Syntax link-integrity ping-host <host_name | ip_address> no link-integrity ping-host

host_name - Alias of the host.

ip_address - IP address of the host.

Default Setting

None

Command Mode

Global Configuration

Example

Enterprise AP(config)#link-integrity ping-host 192.168.1.10

Enterprise AP(config)#

7-124

Link Integrity Commands

7

link-integrity ping-interval

This command configures the time between each Ping sent to the link host.

Syntax link-integrity ping-interval

<interval> interval - The time between Pings. (Range: 5 - 60 seconds)

Default Setting

30 seconds

Command Mode

Global Configuration

Example

Enterprise AP(config)#link-integrity ping-interval 20

Enterprise AP(config)#

link-integrity ping-fail-retry

This command configures the number of consecutive failed Ping counts before the link is determined as lost.

Syntax link-integrity ping-fail-retry <counts> counts

- The number of failed Ping counts before the link is determined as lost. (Range: 1 - 10)

Default Setting

6

Command Mode

Global Configuration

Example

Enterprise AP(config)#link-integrity ping-fail-retry 10

Enterprise AP(config)#

link-integrity ethernet-detect

This command enables an integrity check to determine whether or not the access point is connected to the wired Ethernet.

Syntax

[no] link-integrity ethernet-detect

Default Setting

DISA

7-125

7

Command Line Interface

Command Mode

Global Configuration

Example

Enterprise AP(config)#link-integrity ethernet-detect

Notification : Ethernet Link Detect SUCCESS - RADIO(S) ENABLED

Enterprise AP(config)#

show link-integrity

This command displays the current link integrity configuration.

Command Mode

Exec

Example

Enterprise AP#show link-integrity

Link Integrity Information

===========================================================

Ethernet Detect : Enabled

Ping Detect : Enabled

Target IP/Name : 192.168.0.140

Ping Fail Retry : 6

Ping Interval : 30

===========================================================

Enterprise AP#

7-126

IAPP Commands

7

IAPP Commands

The command described in this section enables the protocol signaling required to ensure the successful handover of wireless clients roaming between different

802.11f-compliant access points. In other words, the 802.11f protocol can ensure successful roaming between access points in a multi-vendor environment.

iapp

This command enables the protocol signaling required to hand over wireless clients roaming between different 802.11f-compliant access points. Use the no form to disable 802.11f signaling.

Syntax

[no] iapp

Default

Enabled

Command Mode

Global Configuration

Command Usage

The current 802.11 standard does not specify the signaling required between access points in order to support clients roaming from one access point to another. In particular, this can create a problem for clients roaming between access points from different vendors. This command is used to enable or disable 802.11f handover signaling between different access points, especially in a multi-vendor environment.

Example

Enterprise AP(config)#iapp

Enterprise AP(config)#

7-127

7

Command Line Interface

VLAN Commands

The access point can enable the support of VLAN-tagged traffic passing between wireless clients and the wired network. Up to 64 VLAN IDs can be mapped to specific wireless clients, allowing users to remain within the same VLAN as they move around a campus site.

When VLAN is enabled on the access point, a VLAN ID (a number between 1 and

4094) can be assigned to each client after successful authentication using IEEE

802.1X and a central RADIUS server. The user VLAN IDs must be configured on the

RADIUS server for each user authorized to access the network. If a user does not have a configured VLAN ID, the access point assigns the user to its own configured native VLAN ID.

Caution: When VLANs are enabled, the access point’s Ethernet port drops all received traffic that does not include a VLAN tag. To maintain network connectivity to the access point and wireless clients, be sure that the access point is connected to a device port on a wired network that supports IEEE 802.1Q VLAN tags.

The VLAN commands supported by the access point are listed below.

Command vlan managementvlanid vlan-id

Table 7-21. VLAN Commands

Function Mode

Enables a single VLAN for all traffic GC

Configures the management VLAN for the access point GC

Configures the default VLAN for the VAP interface IC-W-VAP

vlan

This command enables VLANs for all traffic. Use the no form to disable VLANs.

Syntax

[no] vlan enable

Default

Disabled

Command Mode

Global Configuration

Command Description

• When VLANs are enabled, the access point tags frames received from wireless clients with the VLAN ID configured for each client on the RADIUS server. If the VLAN ID has not been configured for a client on the RADIUS server, then the frames are tagged with the access point’s native VLAN ID.

7-128

Page

7-128

7-129

7-129

VLAN Commands

7

• Traffic entering the Ethernet port must be tagged with a VLAN ID that matches the access point’s native VLAN ID, or with a VLAN tag that matches one of the wireless clients currently associated with the access point.

Example

Enterprise AP(config)#vlan enable

Reboot system now? <y/n>: y

Related Commands

management-vlanid (7-129)

management-vlanid

This command configures the management VLAN ID for the access point.

Syntax management-vlanid <vlan-id> vlan-id - Management VLAN ID. (Range: 1-4094)

Default Setting

1

Command Mode

Global Configuration

Command Usage

The management VLAN is for managing the access point. For example, the access point allows traffic that is tagged with the specified VLAN to manage the access point via remote management, SSH, SNMP, Telnet, etc.

Example

Enterprise AP(config)#management-vlanid 3

Enterprise AP(config)#

Related Commands

vlan (7-128)

vlan-id

This command configures the default VLAN ID for the VAP interface.

Syntax vlan-id <vlan-id> vlan-id - Native VLAN ID. (Range: 1-4094)

7-129

7

Command Line Interface

Default Setting

1

Command Mode

Interface Configuration (Wireless-VAP)

Command Usage

• To implement the default VLAN ID setting for VAP interface, the access point must enable VLAN support using the vlan command.

• When VLANs are enabled, the access point tags frames received from wireless clients with the default VLAN ID for the VAP interface. If IEEE

802.1X is being used to authenticate wireless clients, specific VLAN IDs can be configured on the RADIUS server to be assigned to each client.

Using IEEE 802.1X and a central RADIUS server, up to 64 VLAN IDs can be mapped to specific wireless clients.

• If the VLAN ID has not been configured for a client on the RADIUS server, then the frames are tagged with the default VLAN ID of the VAP interface.

Example

Enterprise AP(if-wireless g: VAP[0])#vlan-id 3

Enterprise AP(if-wireless g: VAP[0])#

WMM Commands

The access point implements QoS using the Wi-Fi Multimedia (WMM) standard.

Using WMM, the access point is able to prioritize traffic and optimize performance when multiple applications compete for wireless network bandwidth at the same time. WMM employs techniques that are a subset of the developing IEEE 802.11e

QoS standard and it enables the access point to inter-operate with both WMM- enabled clients and other devices that may lack any WMM functionality.

The WMM commands supported by the access point are listed below.

Command wmm wmm-acknowledge- policy wmmparam

Table 7-22. WMM Commands

Function

Configures detailed WMM parameters that apply to the access point (AP) or the wireless clients (BSS)

Mode

Sets the WMM operational mode on the access point IC-W

Allows the acknowledgement wait time to be enabled or disabled for each Access Category (AC)

IC-W

IC-W

Page

7-131

7-131

7-132

7-130

WMM Commands

7

wmm

This command sets the WMM operational mode on the access point. Use the no form to disable WMM.

Syntax

[no] wmm <supported | required>

supported - WMM will be used for any associated device that supports this feature. Devices that do not support this feature may still associate with the access point.

required - WMM must be supported on any device trying to associated with the access point. Devices that do not support this feature will not be allowed to associate with the access point.

Default supported

Command Mode

Interface Configuration (Wireless)

Example

Enterprise AP(if-wireless a)#wmm required

Enterprise AP(if-wireless a)#

wmm-acknowledge-policy

This command allows the acknowledgement wait time to be enabled or disabled for each Access Category (AC).

Syntax wmm-acknowledge-policy

<ac_number> <ack | noack>

ac_number - Access categories. (Range: 0-3)

ack - Require the sender to wait for an acknowledgement from the receiver.

noack - Does not require the sender to wait for an acknowledgement from the receiver.

Default ack

Command Mode

Interface Configuration (Wireless)

Command Usage

• WMM defines four access categories (ACs) – voice, video, best effort, and background. These categories correspond to traffic priority levels and are

mapped to IEEE 802.1D priority tags (see Table 6-1). The direct mapping

of the four ACs to 802.1D priorities is specifically intended to facilitate

7-131

7

Command Line Interface interpretability with other wired network QoS policies. While the four ACs are specified for specific types of traffic, WMM allows the priority levels to be configured to match any network-wide QoS policy. WMM also specifies a protocol that access points can use to communicate the configured traffic priority levels to QoS-enabled wireless clients.

• Although turning off the requirement for the sender to wait for an acknowledgement can increases data throughput, it can also result in a high number of errors when traffic levels are heavy.

Example

Enterprise AP(if-wireless a)#wmm-acknowledge-policy 0 noack

Enterprise AP(if-wireless a)#

wmmparam

This command configures detailed WMM parameters that apply to the access point

(AP) or the wireless clients (BSS).

Syntax wmmparam <AP | BSS> <ac_number> <LogCwMin> <LogCwMax> <AIFS>

<TxOpLimit> <admission_control>

AP - Access Point

BSS - Wireless client

ac_number - Access categories (ACs) – voice, video, best effort, and background. These categories correspond to traffic priority levels and are

mapped to IEEE 802.1D priority tags as shown in Table 6-1. (Range: 0-3)

LogCwMin - Minimum log value of the contention window. This is the initial upper limit of the random backoff wait time before wireless medium access can be attempted. The initial wait time is a random value between zero and the LogCwMin value. Specify the LogCwMin value. Note that the LogCwMin value must be equal or less than the LogCwMax value.

(Range: 1-15 microseconds)

LogCwMax - Maximum log value of the contention window. This is the maximum upper limit of the random backoff wait time before wireless medium access can be attempted. The contention window is doubled after each detected collision up to the LogCwMax value. Note that the CWMax value must be greater or equal to the LogCwMin value.

(Range: 1-15 microseconds)

AIFS - Arbitrary InterFrame Space specifies the minimum amount of wait time before the next data transmission attempt.

(Range: 1-15 microseconds)

TXOPLimit - Transmission Opportunity Limit specifies the maximum time an AC transmit queue has access to the wireless medium. When an AC queue is granted a transmit opportunity, it can transmit data for a time up to the TxOpLimit. This data bursting greatly improves the efficiency for high data-rate traffic. (Range: 0-65535 microseconds)

7-132

Default

WMM Commands

7

admission_control - The admission control mode for the access category.

When enabled, clients are blocked from using the access category.

(Options: 0 to disable, 1 to enable)

AP Parameters

WMM Parameters AC0 (Best Effort) AC1 (Background) AC2 (Video)

LogCwMin

LogCwMax

4

10

4

10

3

4

AIFS

TXOP Limit 0

3

Admission Control Disabled

7

0

Disabled

2

94

Disabled

AC3 (Voice)

2

3

2

47

Disabled

BSS Parameters

WMM Parameters AC0 (Best Effort) AC1 (Background) AC2 (Video)

LogCwMin 4 4 3

LogCwMax

AIFS

6

3

TXOP Limit 0

Admission Control Disabled

10

7

0

Disabled

4

1

94

Disabled

Command Mode

Interface Configuration (Wireless)

Example

Enterprise AP(if-wireless a)#wmmparams ap 0 4 6 3 1 1

Enterprise AP(if-wireless a)#

3

1

AC3 (Voice)

2

47

Disabled

7-133

7

Command Line Interface

7-134

Appendix A: Troubleshooting

Check the following items before you contact local Technical Support.

1.

If wireless clients cannot access the network, check the following:

• Be sure the access point and the wireless clients are configured with the same

Service Set ID (SSID).

• If authentication or encryption are enabled, ensure that the wireless clients are properly configured with the appropriate authentication or encryption keys.

• If authentication is being performed through a RADIUS server, ensure that the clients are properly configured on the RADIUS server.

• If authentication is being performed through IEEE 802.1X, be sure the wireless users have installed and properly configured 802.1X client software.

• If MAC address filtering is enabled, be sure the client’s address is included in the local filtering database or on the RADIUS server database.

• If the wireless clients are roaming between access points, make sure that all the access points and wireless devices in the Extended Service Set (ESS) are configured to the same SSID, and authentication method.

2.

If the access point cannot be configured using the Telnet, a web browser, or

SNMP software:

• Be sure to have configured the access point with a valid IP address, subnet mask and default gateway.

• If VLANs are enabled on the access point, the management station should be configured to send tagged frames with a VLAN ID that matches the access

point’s management VLAN (default VLAN 1, page 6-17). However, to manage

the access point from a wireless client, the AP Management Filter should be

disabled (page 6-17).

• Check that you have a valid network connection to the access point and that the Ethernet port or the wireless interface that you are using has not been disabled.

• If you are connecting to the access point through the wired Ethernet interface, check the network cabling between the management station and the access point. If you are connecting to access point from a wireless client, ensure that you have a valid connection to the access point.

• If you cannot connect using Telnet, you may have exceeded the maximum number of concurrent Telnet sessions permitted (i.e, four sessions). Try connecting again at a later time.

A-1

A

Troubleshooting

3.

If you cannot access the on-board configuration program via a serial port connection:

• Be sure you have set the terminal emulator program to VT100 compatible, 8 data bits, 1 stop bit, no parity and 9600 bps.

• Check that the null-modem serial cable conforms to the pin-out connections

provided on page B-3.

4.

If you forgot or lost the password:

• Set the access point to its default configuration by pressing the reset button on the back panel for 5 seconds or more. Then use the default user name

“admin” and a null password to access the management interface.

5.

If all other recovery measure fail, and the access point is still not functioning properly, take any of these steps:

• Reset the access point’s hardware using the console interface, web interface, or through a power reset.

• Reset the access point to its default configuration by pressing the reset button on the back panel for 5 seconds or more. Then use the default user name

“admin” and a null password to access the management interface.

A-2

Appendix B: Cables and Pinouts

Twisted-Pair Cable Assignments

For 10/100BASE-TX connections, a twisted-pair cable must have two pairs of wires.

Each wire pair is identified by two different colors. For example, one wire might be green and the other, green with white stripes. Also, an RJ-45 connector must be attached to both ends of the cable.

Caution: Each wire pair must be attached to the RJ-45 connectors in a specific

orientation. (See “Straight-Through Wiring” on page B-2 and “Crossover

Wiring” on page B-3 for an explanation.)

Caution: DO NOT plug a phone jack connector into the RJ-45 port. Use only twisted-pair cables with RJ-45 connectors that conform with FCC standards.

The following figure illustrates how the pins on the RJ-45 connector are numbered.

Be sure to hold the connectors in the same orientation when attaching the wires to the pins.

8

1

8

1

10/100BASE-TX Pin Assignments

Use unshielded twisted-pair (UTP) or shielded twisted-pair (STP) cable for RJ-45 connections: 100-ohm Category 3 or better cable for 10 Mbps connections, or

100-ohm Category 5 or better cable for 100 Mbps connections. Also be sure that the length of any twisted-pair connection does not exceed 100 meters (328 feet).

The RJ-45 port on the access point is wired with MDI pinouts. This means that you must use crossover cables for connections to PCs or servers, and straight-through cable for connections to switches or hubs. However, when connecting to devices that support automatic MDI/MDI-X pinout configuration, you can use either straight-through or crossover cable.

B-1

B

Cables and Pinouts

Table B-1. 10/100BASE-TX MDI Port Pinouts

6

7

4

5

2

3

Pin

1

MDI Signal Name

Transmit Data plus (TD+)

Transmit Data minus (TD-)

Receive Data plus (RD+)

GND (Positive Vport)

GND (Positive Vport)

Receive Data minus (RD-)

-48V feeding power (Negative- Vport)

8 -48V feeding power (Negative- Vport)

Note: The “+” and “-” signs represent the polarity of the wires that make up each wire pair.

Straight-Through Wiring

Because the 10/100 Mbps port on the access point uses an MDI pin configuration, you must use “straight-through” cable for network connections to hubs or switches that only have MDI-X ports. However, if the device to which you are connecting supports auto-MDIX operation, you can use either “straight-through” or “crossover” cable.

End A

5

6

7

8

3

4

1

2

EIA/TIA 568B RJ-45 Wiring Standard

10/100BASE-TX Straight-through Cable

White/Orange Stripe

Orange

White/Green Stripe

Blue

White/Blue Stripe

Green

White/Brown Stripe

Brown

5

6

7

8

3

4

1

2 End B

B-2

Console Port Pin Assignments

B

Crossover Wiring

Because the 10/100 Mbps port on the access point uses an MDI pin configuration, you must use “crossover” cable for network connections to PCs, servers or other end nodes that only have MDI ports. However, if the device to which you are connecting supports auto-MDIX operation, you can use either “straight-through” or

“crossover” cable.

End A

7

8

5

6

3

4

1

2

EIA/TIA 568B RJ-45 Wiring Standard

10/100BASE-TX Crossover Cable

White/Orange Stripe

Orange

White/Green Stripe

Blue

White/Blue Stripe

Green

White/Brown Stripe

Brown

7

8

5

6

3

4

1

2 End B

Console Port Pin Assignments

The DB-9 console port on the front panel of the access point is used to connect to the access point for out-of-band console configuration. The command-line configuration program can be accessed from a terminal, or a PC running a terminal emulation program. The pin assignments and cable wiring used to connect to the console port are provided in the following table.

1 5

6 9

B-3

B

Cables and Pinouts

Wiring Map for Serial Cable

Table B-2. Wiring Map for Serial Cable

5

6

3

4

Pin

1

2

DB9 Male (AP Console)

Function

GND (ground)

Unused

RXD (receive data)

TXD (transmit data)

Unused

Unused

Pin

5

4

3

2

1

9

DB9 Male (PC DTE)

Function

GND (ground)

Unused

TXD (transmit data)

RXD (receive data)

Unused

Unused

7

8

RTS (request to send)

CTS (clear or send)

8

7

CTS (clear to send)

RTS (request to send)

9 Unused 6 Unused

Note: The left hand column pin assignments are for the male DB-9 connector on the access point. Pin 4

(TXD or “transmit data”) must emerge on the management console’s end of the connection as RXD

(“receive data”). Pin 8 (CTS or “clear to send”) must emerge on the management console’s end of the connection as RTS (“request to send”)

B-4

Appendix C: Specifications

General Specifications

Maximum Channels

802.11g:

US & Canada: 13 (normal mode), 5 (turbo mode)

Japan: 4 (normal mode), 1 (turbo mode)

ETSI: 11 channels (normal mode), 4 (turbo mode)

Taiwan: 8 (normal mode), 3 (turbo mode)

802.11b/g:

FCC/IC: 1-11

ETSI: 1-13

France: 10-13

MKK: 1-14

Taiwan: 1-11

Maximum Clients

64 per VAP interface

Operating Range

See “Operating Range” on page C-6

Data Rate

802.11g: 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbps per channel

802.11b: 1, 2, 5.5, 11 Mbps per channel

Modulation Type

802.11g: CCK, BPSK, QPSK, OFDM

802.11b: CCK, BPSK, QPSK

Network Configuration

Infrastructure

Operating Frequency

802.11b:

2.4 ~ 2.4835 GHz (US, Canada, ETSI)

2.4 ~ 2.497 GHz (Japan)

2.400 ~ 2.4835 GHz (Taiwan)

C-1

C

Specifications

AC Power Adapter

Input: 100-240 AC, 50-60 Hz

Output: 5.1 VDC, 3A

Power consumption: 13.2 watts

Unit Power Supply

DC Input: 5 VDC, 2 A maximum

PoE input: -48 VDC, 0.2 A maximum

Power consumption: 9.6 W maximum

PoE (DC)

Input voltage: 48 volts, 0.2 A, 12.96 watts

Note: Power can also be provided to the access point through the Ethernet port based on IEEE 802.3af Power over Ethernet (PoE) specifications. When both PoE is provided and the adapter is plugged in, PoE will be turned off.

Physical Size

21.83 x 13.73 x 3.27 cm (8.60 x 5.40 x 1.29 in)

Weight

0.745 kg (1.642 lbs)

LED Indicators

PWR (Power), Link (Ethernet Link/Activity), 11g (Wireless Link/Activity)

Network Management

Web-browser, RS232 console, Telnet, SSH, SNMP

Temperature

Operating: 0 to 50

°

C (32 to 122

°

F)

Storage: 0 to 70

°

C (32 to 158

°

F)

Humidity

15% to 95% (non-condensing)

Compliances

FCC Class B (US)

ICES-003 (Canada)

RTTED 1999/5/EC

VCCI (Japan)

RCR STD-33A

Radio Signal Certification

FCC Part 15C 15.247, 15.207 (2.4 GHz)

FCC part 15E 15.407 (5 GHz)

RSS-210 (Canada)

EN 301.893, EN 300.328, EN 301.489-1, EN 301.489-17

C-2

MPT RCR std.33 (D33 1~13 Channel, T66 Channel 14)

Safety cCSAus(CSA 22.2 No. 60950-1 & UL60950-1)

EN60950-1 (T Ü V/GS), IEC60950-1 (CB)

Standards

IEEE 802.3 10BASE-T, IEEE 802.3u 100BASE-TX,

IEEE 802.11b, g

General Specifications

C

C-3

C

Specifications

Sensitivity

IEEE 802.11g

Data Rate

6 Mbps

9 Mbps

12 Mbps

17 Mbps

24 Mbps

36 Mbps

48 Mbps

54 Mbps

IEEE 802.11b

Data Rate

1 Mbps

2 Mbps

5.5 Mbps

11 Mbps

-85

-81

-77

-72

-70

Sensitivity (dBm)

-88

-87

-86

Sensitivity (dBm)

-93

-90

-90

-87

Transmit Power

IEEE 802.11g

Data Rate

6 Mbps

9 Mbps

12 Mbps

18 Mbps

24 Mbps

36 Mbps

48 Mbps

54 Mbps

Maximum Output Power (GHz - dBm)

18

17

20

20

15

20

20

2.412

20

2.417~2.467

20

20

20

20

20

19

16

14

C-4

17

15

18

18

13

18

18

2.472

18

IEEE 802.11b

Data Rate

1 Mbps

2 Mbps

5.5 Mbps

11 Mbps

Maximum Output Power (GHz - dBm)

15

15

2.412

15

15

2.417~2.467

16

16

16

16

15

15

2.472

15

15

Transmit Power

C

C-5

C

Specifications

Operating Range

Important Notice

Maximum distances posted below are actual tested distance thresholds. However, there are many variables such as barrier composition and construction and local environmental interference that may impact your actual distances and cause you to experience distance thresholds far lower than those posted below.

Table C-1 802.11g Wireless Distance Table

Speed and Distance Ranges

Environment 54

Outdoors

Indoors 2

1

Mbps

82 m

269 ft

100 m

328 ft

300 m

984 ft

330 m

1082 ft

350 m

1148 ft

450 m

1475 ft

470 m

1541 ft

485 m

1590 ft

495 m

1623 ft

510 m

1672 ft

520 m

1705 ft

525 m

1722 ft

20 m

66 ft

48

Mbps

25 m

82 ft

36

Mbps

35 m

115 ft

24

Mbps

43 m

141 ft

18

Mbps

50 m

164 ft

12

Mbps

57 m

187 ft

11

Mbps

66 m

216 ft

9

Mbps

71 m

233 ft

6

Mbps

80 m

262 ft

5

Mbps

85 m

279 ft

2

Mbps

90 m

295 ft

1

Mbps

93 m

305 ft

Environment 11 Mbps

Outdoors 1 300 m

984 ft

Indoors 2

Table C-2 802.11b Wireless Distance Table

Speed and Distance Ranges

60 m

197 ft

5.5 Mbps

465 m

1525 ft

70 m

230 ft

2 Mbps

500 m

1639 ft

83 m

272 ft

1 Mbps

515 m

1689 ft

85 m

279 ft

Notes: 1.

Outdoor Environment: A line-of-sight environment with no interference or obstruction between the access point and clients.

2.

Indoor Environment: A typical office or home environment with floor to ceiling obstructions between the access point and clients.

C-6

Glossary

10BASE-T

IEEE 802.3 specification for 10 Mbps Ethernet over two pairs of Category 3 or better UTP cable.

100BASE-TX

IEEE 802.3u specification for 100 Mbps Fast Ethernet over two pairs of Category 5 or better UTP cable.

Access Point

An internetworking device that seamlessly connects wired and wireless networks. Access points attached to a wired network, support the creation of multiple radio cells that enable roaming throughout a facility.

Ad Hoc

A group of computers connected as an independent wireless network, without an access point.

Advanced Encryption Standard (AES)

An encryption algorithm that implements symmetric key cryptography. AES provides very strong encryption using a completely different ciphering algorithm to TKIP and WEP.

Authentication

The process to verify the identity of a client requesting network access. IEEE 802.11 specifies two forms of authentication: open system and shared key.

Backbone

The core infrastructure of a network. The portion of the network that transports information from one central location to another central location where it is unloaded onto a local system.

Basic Service Set (BSS)

A set of 802.11-compliant stations and an access point that operate as a fully-connected wireless network.

Beacon

A signal periodically transmitted from the access point that is used to identify the service set, and to maintain contact with wireless clients.

Glossary-1

Glossary

Broadcast Key

Broadcast keys are sent to stations using 802.1X dynamic keying. Dynamic broadcast key rotation is often used to allow the access point to generate a random group key and periodically update all key-management capable wireless clients.

CSMA/CA

Carrier Sense Multiple Access with Collision Avoidance.

Dynamic Host Configuration Protocol (DHCP)

Provides a framework for passing configuration information to hosts on a TCP/IP network. DHCP is based on the Bootstrap Protocol (BOOTP), adding the capability of automatic allocation of reusable network addresses and additional configuration options.

Encryption

Data passing between the access point and clients can use encryption to protect from interception and evesdropping.

Extended Service Set (ESS)

More than one wireless cell can be configured with the same Service Set Identifier to allow mobile users can roam between different cells with the Extended Service Set.

Extensible Authentication Protocol (EAP)

An authentication protocol used to authenticate network clients. EAP is combined with

IEEE 802.1X port authentication and a RADIUS authentication server to provide “mutual authentication” between a client, the access point, and the a RADIUS server

Ethernet

A popular local area data communications network, which accepts transmission from computers and terminals.

File Transfer Protocol (FTP)

A TCP/IP protocol used for file transfer.

Hypertext Transfer Protocol (HTTP)

HTTP is a standard used to transmit and receive all data over the World Wide Web.

IEEE 802.11b

A wireless standard that supports wireless communications in the 2.4 GHz band using

Direct Sequence Spread Spectrum (DSSS). The standard provides for data rates of 1, 2,

5.5, and 11 Mbps.

Glossary-2

Glossary

IEEE 802.11g

A wireless standard that supports wireless communications in the 2.4 GHz band using using Orthogonal Frequency Division Multiplexing (OFDM). The standard provides for data rates of 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbps. IEEE 802.11g is also backward compatible with IEEE 802.11b.

IEEE 802.1X

Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication.

Infrastructure

An integrated wireless and wired LAN is called an infrastructure configuration.

Inter Access Point Protocol (IAPP)

A protocol that specifies the wireless signaling required to ensure the successful handover of wireless clients roaming between different 802.11f-compliant access points.

Local Area Network (LAN)

A group of interconnected computer and support devices.

MAC Address

The physical layer address used to uniquely identify network nodes.

Network Time Protocol (NTP)

NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical-master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.

Open System

A security option which broadcasts a beacon signal including the access point’s configured SSID. Wireless clients can read the SSID from the beacon, and automatically reset their SSID to allow immediate connection to the nearest access point.

Orthogonal Frequency Division Multiplexing (ODFM)

OFDM/ allows multiple users to transmit in an allocated band by dividing the bandwidth into many narrow bandwidth carriers.

Power over Ethernet (PoE)

A specification for providing both power and data to low-power network devices using a single Category 5 Ethernet cable. PoE provides greater flexibility in the locating of access point’s and network devices, and significantly decreased installation costs.

Glossary-3

Glossary

RADIUS

A logon authentication protocol that uses software running on a central server to control access to the network.

Roaming

A wireless LAN mobile user moves around an ESS and maintains a continuous connection to the infrastructure network.

RTS Threshold

Transmitters contending for the medium may not be aware of each other. RTS/CTS mechanism can solve this “Hidden Node Problem.” If the packet size is smaller than the preset RTS Threshold size, the RTS/CTS mechanism will NOT be enabled.

Service Set Identifier (SSID)

An identifier that is attached to packets sent over the wireless LAN and functions as a password for joining a particular radio cell; i.e., Basic Service Set (BSS).

Session Key

Session keys are unique to each client, and are used to authenticate a client connection, and correlate traffic passing between a specific client and the access point.

Shared Key

A shared key can be used to authenticate each client attached to a wireless network.

Shared Key authentication must be used along with the 802.11 Wireless Equivalent

Privacy algorithm.

Simple Network Management Protocol (SNMP)

The application protocol in the Internet suite of protocols which offers network management services.

Simple Network Time Protocol (SNTP)

SNTP allows a device to set its internal clock based on periodic updates from a Network

Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers.

Temporal Key Integrity Protocol (TKIP)

A data encryption method designed as a replacement for WEP. TKIP avoids the problems of WEP static keys by dynamically changing data encryption keys.

Trivial File Transfer Protocol (TFTP)

A TCP/IP protocol commonly used for software downloads.

Glossary-4

Glossary

Virtual Access Point (VAP)

Virtual AP technology multiplies the number of Access Points present within the RF footprint of a single physical access device. With Virtual AP technology, WLAN users within the device’s footprint can associate with what appears to be different access points and their associated network services. All the services are delivered using a single radio channel, enabling Virtual AP technology to optimize the use of limited WLAN radio spectrum.

Virtual LAN (VLAN)

A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.

Wi-Fi Protected Access

WPA employs 802.1X as its basic framework for user authentication and dynamic key management to provide an enhanced security solution for 802.11 wireless networks.

Wired Equivalent Privacy (WEP)

WEP is based on the use of security keys and the popular RC4 encryption algorithm.

Wireless devices without a valid WEP key will be excluded from network traffic.

WPA Pre-shared Key (PSK)

PSK can be used for small office networks that may not have the resources to configure and maintain a RADIUS server, WPA provides a simple operating mode that uses just a pre-shared password for network access.

Glossary-5

Glossary

Glossary-6

Index

Numerics

802.11g 7-95

A

AES 6-75

antennas, positioning 2-2

authentication 6-12, 7-114

cipher suite 6-78, 7-115

closed system 7-106

configuring 6-12, 7-114

MAC address 6-13, 7-70, 7-71

type 6-63, 7-106

web redirect 6-14, 7-20

B

Basic Service Set See BSS

beacon

interval 6-51, 7-101

rate 6-51, 7-102

BOOTP 7-89, 7-90

BPDU 6-24

BSS 4-3

C cable

assignments B-1

crossover B-3

straight-through B-2

CCK 1-1

channel 7-97

channels, maximum C-1

Clear To Send See CTS

CLI 7-1

command modes 7-4

clients, maximum C-1

closed system 6-54, 7-105

command line interface See CLI

community name, configuring 7-41 community string 6-38, 7-41

configuration settings, saving or

restoring 6-30, 7-56

configuration, initial setup 5-1

console port 1-4

connecting 2-2

pin assignments B-3

required settings 5-1

country code

configuring 5-3, 7-12

crossover cable B-3

CSMA/CA 1-1

CTS 6-52, 7-104

D data rate

maximum distances C-6

data rate, options C-1

default settings 1-6

device status, displaying 6-83, 7-23

DHCP 6-5, 7-89, 7-90

distances, maximum C-6

DNS 6-6, 7-89

Domain Name Server See DNS

downloading software 6-29, 7-56

DSSS 1-1

DTIM 6-51, 7-102

Dynamic Host Configuration Protocol

See DHCP

E

EAP 6-74

encryption 6-63, 6-69, 6-74

Ethernet

cable 2-2

port 1-4

event logs 6-89, 7-32

Extensible Authentication Protocol See

EAP

F factory defaults

restoring 6-30, 7-10

Index-1

Index

filter 6-17, 7-70 address 6-12, 7-70

between wireless clients 6-17, 7-73 local bridge 6-17, 7-73

local or remote 6-12, 7-72

management access 6-17, 7-74

protocol types 6-18, 7-75

VLANs 6-54, 7-128

firmware

displaying version 6-30, 7-24

upgrading 6-29, 6-30, 7-56

fragmentation 7-103

G

gateway address 5-2, 6-6, 7-1, 7-89

H

hardware version, displaying 7-24

HTTP, secure server 7-19

HTTPS 7-19

I

IAPP 7-127

IEEE 802.11a 1-1, 6-48, 7-95 configuring interface 7-95

maximum data rate 7-96

radio channel 7-97

IEEE 802.11b 6-48

IEEE 802.11f 7-127

IEEE 802.11g 6-48

configuring interface 6-48, 7-95

maximum data rate 7-96

radio channel 6-49, 7-97

IEEE 802.1x 6-74, 7-65, 7-70

configuring 6-80, 7-65

infrastructure

wireless bridge 4-5

wireless repeater 4-6

initial setup 5-1

installation

hardware 2-1, 3-1

location considerations 3-1

mounting 2-1

IP address

BOOTP/DHCP 7-89, 7-90

configuring 5-2, 6-5, 7-89, 7-90

L

LED indicators 1-3

location for the access point, considerations 3-1

lock, Kensington 2-1

log

messages 6-33, 6-89, 7-29

server 6-32, 7-29

login

CLI 7-1

web 5-3

logon authentication

RADIUS client 6-14, 7-59

M

MAC address, authentication 6-13,

7-70, 7-71

maximum associated clients 6-51

maximum data rate 7-96

802.11a interface 7-96

802.11g interface 7-96

maximum distances C-6

mounting the access point 2-1

N network topologies

infrastructure 4-3

infrastructure for roaming 4-4

O

OFDM 1-1

open system 6-63, 7-105

operating frequency C-1

P

package checklist 1-2

password

configuring 6-28, 7-15

management 6-28, 7-15

pin assignments

console port B-3

DB-9 port B-3

Index-2

PoE 1-4

specifications C-2

port priority

STA 7-86

power connection 2-2

Power over Ethernet See PoE

power supply, specifications C-2

PSK 6-75

R radio channel

802.11a interface 7-97

802.11g interface 6-49, 7-97

RADIUS 6-7, 6-74, 7-59

RADIUS, logon authentication 6-14,

7-59

Remote Authentication Dial-in User

Service See RADIUS

Request to Send See RTS

reset 6-30, 7-10

reset button 1-5, 6-30

resetting the access point 6-30, 7-10 restarting the system 6-30, 7-10

RJ-45 port

configuring duplex mode 7-91 configuring speed 7-91

RTS

threshold 6-52, 7-103

S

Secure Socket Layer See SSL

security, options 6-63, 6-64

session key 6-80, 6-81, 7-67

shared key 6-70, 7-117

Simple Network Time Protocol See

SNTP

SNMP 6-37, 7-40

community name 7-41 community string 7-41

enabling traps 6-38, 7-42

trap destination 6-38, 7-43 trap manager 6-38, 7-43

Index

SNTP 6-34, 7-34 enabling client 6-34, 7-34 server 6-34, 7-34

software

displaying version 6-29, 6-83, 7-24

downloading 6-30, 7-56

specifications C-1

SSH

server Status 6-11

SSID 6-69, 7-105

SSL 7-19

STA

interface settings 7-86–??

path cost 7-86 port priority 7-86

startup files, setting 7-55

station status 6-86, 7-109

status

displaying device status 6-83, 7-23

displaying station status 6-86, 7-109

straight-through cable B-2

system clock, setting 6-34, 7-35

system log

enabling 6-32, 7-29

server 6-32, 7-29

system software, downloading from

server 6-29, 7-56

T

Telnet

for managenet access 7-1

Temporal Key Integrity Protocol See

TKIP

time zone 6-35, 7-36

TKIP 6-74

transmit power, configuring 6-51, 7-97

trap destination 6-38, 7-43 trap manager 6-38, 7-43

troubleshooting A-1

U

upgrading software 6-29, 7-56

user name, manager 6-28, 7-15 user password 6-28, 7-15

Index-3

Index

V

VLAN

configuration 6-54, 7-128

native ID 6-54

W

WEP 6-69 configuring 6-69

shared key 6-70, 7-117

Wi-Fi Multimedia See WMM

Wi-Fi Protected Access See WPA

Wired Equivalent Protection See WEP

WPA 6-74

pre-shared key 6-78, 7-121

WPA, pre-shared key See PSK

Index-4

Model Number: SMC2552W-G2-17

Pub. Number: 150000030500E

E052006-DT-R01

advertisement

Was this manual useful for you? Yes No
Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Related manuals

Download PDF

advertisement

Table of contents